VPN access can be made without credentials After GP 5.2.9 version update

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VPN access can be made without credentials After GP 5.2.9 version update

L1 Bithead

Connection problem without credentials in version 5.2.9

 

We switched from GP 5.2.4 version to 5.2.9 version with transparent update. Windows users report that they can connect directly without entering a password when making vpn connections.

 

In the global protect > portal > agent configuration, save user credentials section is selected as no.

 

In the Globalprotect >portal > agent> app configuration, the option to save Windows SSO information is selected as no.

 

However, windows users using version 5.2.9 can connect directly without entering a username and password.

 

Anyone have this problem or have a solution ?

bilal_guclu
1 accepted solution

Accepted Solutions

L1 Bithead

Have you solved this issue? We have same issue. 

View solution in original post

8 REPLIES 8

L2 Linker

Hi Blilal,

 

Ive tested this on 5.2.9 and do not see the same problem. 

 

Kindly can you confirm if you have authentication override setup?

Network> Portal/Gateway > Agent > Relevant Agent Config > Authentication > Authentication Override:

 

Sarc845_1-1641459579587.png

 

 

If you have this setup it could be that the agent has a cookie and is using the cookie to authenticate.

https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/authentication/about-globalp...

 

If you do not have this on the portal and gateway I would recommend opening a case with PANW to investigate.

Stay Safe

 

Hi,

 

yes, I override authentication.

 

Ekran Resmi 2022-01-06 12.41.21.png

 


The strange thing is that this problem is fixed in authentication, only when I register with the username.

 

At the same time, when I uninstall the global protect application and reinstall it, it is temporarily fixed and after a while it happens again.

 

All windows machines that have this problem are in the company domain. I guess somehow it uses global protect by taking the credentials on windows machines from the cache.

 

I created a case for this situation. I haven't received an answer yet

bilal_guclu

L1 Bithead

Do you see SSO login in the agent logs?

L6 Presenter

From the system logs, are the users authenticating against the portal or the gateway when reconnecting (or both)? And also what method was the authentication?

Monitor -> Logs -> System -> filter: ( eventid eq globalprotectportal-auth-succ ) or ( eventid eq globalprotectgateway-auth-succ )

  "GlobalProtect portal user authentication... Auth type: ????"

 

Also, I see you that you do not have Components that Require Dynamic Passwords enabled. Seems like the GP client saves and reuses the user creds after a successful connection, regardless if the save creds option is set. If you forcibly logout a user after a period of time this is troublesome... You don't actually seem to need to have a dual auth setup, as the section would seem to imply, to use the dynamic password option. From the note attached "...to authenticate users as opposed to using saved credentials. As a result, the user will always be prompted to enter new credentials..."

Hi,

 

No, ı dont see, but I have already blocked using sso under agent>app

 

.Ekran Resmi 2022-01-07 10.07.51.png

bilal_guclu

Hi,

 

VPN Authentication is done with ldap. Windows users are included in the domain, they login with ldap.I guess it somehow gets this data from the cache.

Also even though the Auto Restore VPN Connection Timeout duration is selected as 0 min. When these users change wi-fi, they can establish a direct connection without entering a username and password.

 

bilal_guclu

L1 Bithead

Have you solved this issue? We have same issue. 

No, unfortunately we couldn't. After gp update the problem has not recurred so far.

bilal_guclu
  • 1 accepted solution
  • 6141 Views
  • 8 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!