End users selects DENY on the MFA prompt on the phone still are able to connect to GlobalProtect agents

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

End users selects DENY on the MFA prompt on the phone still are able to connect to GlobalProtect agents

L1 Bithead

I need some advices on this GP VPN Client with MFA issue: 

End users selects DENY on the MFA prompt on the phone still are able to connect to GlobalProtect agents

The current auth environment is that users use Active Directory in Azure  for MFA and use Radius to authentication process in Globalprotect.

 

 

6 REPLIES 6

Community Team Member

Hi @HarryScore ,

 

How long do you have timeout setup for RADIUS? 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

@JayGolf  current Radius timeout setup is 30 secs

is there a way to check GP timeout setting? 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBufCAG&lang=en_US%E2%80%A...

 

Community Team Member

Hi @HarryScore ,

 

Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBufCAG&lang=en_US%E2%80%A...

 

>configure
# set deviceconfig setting global-protect timeout 90
#commit

# show deviceconfig setting global-protect
global-protect {
  timeout 90;
}
# exit

 

Hope this helps,

Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L6 Presenter

@HarryScore wrote:

I need some advices on this GP VPN Client with MFA issue: 

End users selects DENY on the MFA prompt on the phone still are able to connect to GlobalProtect agents

The current auth environment is that users use Active Directory in Azure  for MFA and use Radius to authentication process in Globalprotect.

 

 


This isn't exactly your question, but can you do MFA from Azure?  If you tie the MFA from Azure it's an easier way to enforce the MFA process from an Azure authentication, vice letting the downstream system enforce it.  Also doing it at the Azure level ensure you have a consistent MFA process.

Community Team Member

@HarryScore ,

 

Try setting the timeout to at double of what you set up in Radius. If that doesn't work, I'd try increasing your radius to 60 sec. 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L1 Bithead

Thanks everyone.

beside the radius server, we have another NPS server with NPS Extension for Azure MFA.

I have tried to setup the GP timeout to 90 secs, Radius server to 60 secs, still no luck.  Palo TAC doesn't help much either.

We are deploying Prisma now which should be resolve the issue.

 

  • 716 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!