When you are connecting to Global Protect you actually face two authentications: one authentication for the portal and one for the gateway. By default the PAN firewall will try to use the same credentials provided for the portal again for the gateway. If you are using LDAP authentication for both (portal and gateway) the user will be asked for credentials only once, and he will get the impression that only one authentication is happening.

However, if you are using OTP tokens the default behaviour wouldn't work. The reason for that is: once the user enters his OTP when prompted by the portal to authenticate, the firewall will cache the OTP and will try to send it again to the RADIUS server (RSA server) when prompted to authenticate to the gateway. However, since this token has already been used, the RSA will reply to the firewall with an Access-Reject message, which will force the firewall to prompt the user to enter credentials to authenticate to the gateway.

 

That is why during user login in the RSA logs you will probably see:

- one successful login message (when the user has authenticated with the OTP to the portal)

- one failed login message (when the firewall is using the same OTP to authenticate against the gateway)

- one successful login message (when the user generates a new OTP and authenticates to the gateway)

 

As others have already suggested, the solution will be to enable Authentication Override cookies. This will generate and install an auth. cookie on the user's PC once he authenticates to the portal; when prompted to authenticate to the gateway, the PC will use the cookie instead of prompting the user for credentials again.

My suggestion:
- For the portal, enable only "generate cookie for authentication override". Do not enable "accept cookies"; that way users will always be prompted to authenticate when connecting to the portal.

- For the gateway, enable only "accept cookie" and set the cookie lifetime to the minimum (one minute).
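The flow described in this post, as an added toy model that is neither the poster's nor Palo Alto's code: a one-time-password server that accepts each passcode once, and a firewall that replays the cached portal credentials to the gateway (the default) or honours an Authentication Override cookie instead. The class and function names, the fake clock, the cookie format and the constructed OTP values are all assumptions made for illustration; real GlobalProtect cookie validation is more involved than the lookup modelled here.

```python
"""Toy model (added example, not the post's or Palo Alto's code) of the two
GlobalProtect authentications (portal, then gateway) against a one-time-password
server, and of the Authentication Override cookie that removes the second prompt.
All names, the fake clock and the cookie layout are assumptions for illustration."""
import secrets
from dataclasses import dataclass


class OtpServer:
    """Stands in for the RSA/RADIUS server: a passcode is valid exactly once."""

    def __init__(self):
        self.used = set()
        self.log = []          # one entry per Access-Request, like the RSA log

    def authenticate(self, user, passcode):
        if passcode in self.used:
            self.log.append((user, "Access-Reject"))   # replayed OTP is refused
            return False
        self.used.add(passcode)
        self.log.append((user, "Access-Accept"))
        return True


@dataclass
class Cookie:
    user: str
    token: str
    expires_at: float


class Firewall:
    """Portal and gateway on one firewall. The two flags mirror the
    "generate cookie" (portal) and "accept cookie" (gateway) checkboxes."""

    def __init__(self, server, clock, portal_generate_cookie=False,
                 gateway_accept_cookie=False, cookie_lifetime_s=60):
        self.server = server
        self.clock = clock
        self.portal_generate_cookie = portal_generate_cookie
        self.gateway_accept_cookie = gateway_accept_cookie
        self.cookie_lifetime_s = cookie_lifetime_s
        self.issued = {}       # token -> Cookie, so the gateway can validate it

    def portal_login(self, user, passcode):
        """Authenticates to the portal; returns the cached credentials and a cookie (or None)."""
        if not self.server.authenticate(user, passcode):
            raise PermissionError("portal authentication failed")
        cookie = None
        if self.portal_generate_cookie:
            cookie = Cookie(user, secrets.token_hex(16),
                            self.clock() + self.cookie_lifetime_s)
            self.issued[cookie.token] = cookie
        return (user, passcode), cookie

    def gateway_login(self, cached, cookie, prompt_user):
        """Default behaviour: replay the cached portal credentials first and prompt
        the user on reject. With a valid, unexpired cookie the RADIUS round trip is skipped."""
        user, passcode = cached
        if self.gateway_accept_cookie and cookie is not None:
            known = self.issued.get(cookie.token)
            if known is cookie and known.user == user and self.clock() < known.expires_at:
                return "cookie"
        if self.server.authenticate(user, passcode):
            return "cached-credentials"          # works for LDAP, never for a used OTP
        # the replayed OTP was rejected: the user gets prompted a second time
        if self.server.authenticate(user, prompt_user()):
            return "fresh-otp"
        raise PermissionError("gateway authentication failed")


def simulate(portal_generate_cookie, gateway_accept_cookie, delay_before_gateway_s=0):
    """Runs one connection. Returns (RADIUS log results, number of prompts, how the gateway accepted)."""
    now = [1000.0]                      # fake clock so cookie expiry is deterministic
    server = OtpServer()
    fw = Firewall(server, lambda: now[0], portal_generate_cookie, gateway_accept_cookie)
    codes = iter(["111111", "222222"])  # constructed OTPs the user would type
    prompts = []

    def prompt():
        code = next(codes)
        prompts.append(code)
        return code

    cached, cookie = fw.portal_login("alice", prompt())
    now[0] += delay_before_gateway_s
    how = fw.gateway_login(cached, cookie, prompt)
    return [result for _, result in server.log], len(prompts), how


if __name__ == "__main__":
    print("default:  ", simulate(False, False))     # Accept, Reject, Accept; 2 prompts
    print("override: ", simulate(True, True))       # Accept only; 1 prompt
    print("expired:  ", simulate(True, True, 61))   # cookie past its one-minute lifetime
```

Running `simulate(False, False)` reproduces the three RSA log lines from the post (accept, reject, accept) and two prompts; `simulate(True, True)` shows the gateway honouring the cookie with a single RADIUS request and one prompt. The third call advances the fake clock past the one-minute lifetime, so the gateway falls back to the default replay and the user is prompted again, which is the price of keeping the lifetime short.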
