
GlobalProtect LDAP Prompting for Login Twice


L0 Member

Currently have GlobalProtect configured as such:

Portal: LDAP Auth Profile (Active Directory)

Gateway: RADIUS Auth Profile (DUO)

The desire is for users to log in with username/password and, when successful, be prompted for DUO approval. If a user disconnects, we don't want the username to be cached and we want them to be prompted for credentials every time (so no cookie configurations).

 

The issue/behavior experienced is the user is prompted for username/password twice (even when entered correctly on the first prompt) and then once for DUO. Everything works well, but just need to know why they are being prompted for username/password twice, again, with the expected behavior to not store any credentials or username. Any thoughts/ideas (happens for Windows and Mac clients) and thanks in advance?

 

App Version: 6.2.1-132

Cyber Elite

Hi @andreking ,

 

That is strange.  I had almost the exact setup as you for a long time with Duo RADIUS on the portal and LDAP on the gateway.  It worked fine.  I have also configured Duo RADIUS for both portal and gateway and eliminated the double Duo prompt by using authentication cookies.  If you set the portal to generate cookie only (and the gateway to accept only), the portal will always prompt for creds.

 

As you mentioned, the portal does send the creds to the gateway (see URL under Cause).  Entering them twice is not expected.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQXCA0

 

I assume that your Duo Authentication Proxy (DAP) is pointed to the same LDAP as your portal, and that the passwords are the same.  So, you should not be running into the problem above.  The logs on the DAP could give you more insight into what is happening.

 

Although Duo says to configure the RADIUS timeout to 30 seconds, 60 seconds has worked best for me.  That was recommended by Duo TAC.  https://duo.com/docs/paloalto#configure-your-palo-alto-globalprotect-gateway

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.