Who Me Too'd this topic

GlobalProtect gateway timeouts in sorting results after latent two-factor authentication

Just trying to get an idea here if anyone else has run into this issue. I currently have a ticket open with TAC, but as usual it's getting into more of a fight about "that's just how it works" and contact your SE if you want to change it!

Environment:

I currently am running a portal and a gateway on a 7.0.6 firewall, and two other gateways in geographically diverse locations running 7.0.5-h2.  I'm using two-factor authentication with Duo. End users are connecting via 3.0.3 GlobalProtect client.

Problem:

When a GlobalProtect user connects using Auto Discovery and fails to enter an OTP during a single (not currently configurable) gateway timeout period (or N-1 gateways in environment), the gateway sending the authentication attempt is considered timed out during the sorting results.  This causes some of my users to experience latent connections because their first and geographically best gateway is thrown out due to latent OTP authentication.  The current two-factor authentication for GlobalProtect just doesn't seem to account for real world circumstances where a user may not have their OTP available at the start of connection, such as their phone being in another room.

Has anyone else run into this issue?  Do you think I have something configured wrong? How do you combat this?  Educating the end user (check your gateway and reconnect, only use manual connections, etc.)?

Thanks!
