This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

VPN access can be made without credentials After GP 5.2.9 version update

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VPN access can be made without credentials After GP 5.2.9 version update

Go to solution
bilal_guclu
L1 Bithead

‎01-05-2022 11:54 PM

Connection problem without credentials in version 5.2.9

 

We switched from GP 5.2.4 version to 5.2.9 version with transparent update. Windows users report that they can connect directly without entering a password when making vpn connections.

 

In the global protect > portal > agent configuration, save user credentials section is selected as no.

 

In the Globalprotect >portal > agent> app configuration, the option to save Windows SSO information is selected as no.

 

However, windows users using version 5.2.9 can connect directly without entering a username and password.

 

Anyone have this problem or have a solution ?

bilal_guclu
1 person had this problem.
1 accepted solution

Accepted Solutions

Go to solution
JeongHoonKim
L1 Bithead

‎07-26-2022 12:52 AM

Have you solved this issue? We have same issue. 

View solution in original post

8 REPLIES 8

Go to solution
Sarc845
L2 Linker

‎01-06-2022 12:55 AM - edited ‎01-06-2022 12:59 AM

Hi Blilal,

 

Ive tested this on 5.2.9 and do not see the same problem. 

 

Kindly can you confirm if you have authentication override setup?

Network> Portal/Gateway > Agent > Relevant Agent Config > Authentication > Authentication Override:

 

Sarc845_1-1641459579587.png

 

 

If you have this setup it could be that the agent has a cookie and is using the cookie to authenticate.

https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/authentication/about-globalp...

 

If you do not have this on the portal and gateway I would recommend opening a case with PANW to investigate.

Stay Safe
0 Likes Likes

Go to solution
bilal_guclu
L1 Bithead
In response to Sarc845

‎01-06-2022 01:59 AM

 

Hi,

 

yes, I override authentication.

 

Ekran Resmi 2022-01-06 12.41.21.png

 


The strange thing is that this problem is fixed in authentication, only when I register with the username.

 

At the same time, when I uninstall the global protect application and reinstall it, it is temporarily fixed and after a while it happens again.

 

All windows machines that have this problem are in the company domain. I guess somehow it uses global protect by taking the credentials on windows machines from the cache.

 

I created a case for this situation. I haven't received an answer yet

bilal_guclu
0 Likes Likes

Go to solution
kinanakelstcs
L1 Bithead

‎01-06-2022 07:18 AM

Do you see SSO login in the agent logs?

0 Likes Likes

Go to solution
Adrian_Jensen
L6 Presenter

‎01-06-2022 01:22 PM - edited ‎01-06-2022 01:25 PM

From the system logs, are the users authenticating against the portal or the gateway when reconnecting (or both)? And also what method was the authentication?

Monitor -> Logs -> System -> filter: ( eventid eq globalprotectportal-auth-succ ) or ( eventid eq globalprotectgateway-auth-succ )

  "GlobalProtect portal user authentication... Auth type: ????"

 

Also, I see you that you do not have Components that Require Dynamic Passwords enabled. Seems like the GP client saves and reuses the user creds after a successful connection, regardless if the save creds option is set. If you forcibly logout a user after a period of time this is troublesome... You don't actually seem to need to have a dual auth setup, as the section would seem to imply, to use the dynamic password option. From the note attached "...to authenticate users as opposed to using saved credentials. As a result, the user will always be prompted to enter new credentials..."

0 Likes Likes

Go to solution
bilal_guclu
L1 Bithead
In response to kinanakelstcs

‎01-06-2022 11:08 PM

Hi,

 

No, ı dont see, but I have already blocked using sso under agent>app

 

.Ekran Resmi 2022-01-07 10.07.51.png

bilal_guclu
0 Likes Likes

Go to solution
bilal_guclu
L1 Bithead
In response to Adrian_Jensen

‎01-06-2022 11:25 PM

Hi,

 

VPN Authentication is done with ldap. Windows users are included in the domain, they login with ldap.I guess it somehow gets this data from the cache.

Also even though the Auto Restore VPN Connection Timeout duration is selected as 0 min. When these users change wi-fi, they can establish a direct connection without entering a username and password.

 

bilal_guclu
0 Likes Likes

Go to solution
JeongHoonKim
L1 Bithead

‎07-26-2022 12:52 AM

Have you solved this issue? We have same issue. 

Go to solution
bilal_guclu
L1 Bithead
In response to JeongHoonKim

‎12-06-2022 03:05 AM

No, unfortunately we couldn't. After gp update the problem has not recurred so far.

bilal_guclu
0 Likes Likes
  • 1 accepted solution
  • 5923 Views
  • 8 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks