GlobalProtect Requests Authentication Credentials to Clients Twice
Resolution
Scenario
A Palo Alto Networks device is configured as both a GlobalProtect Gateway and a GlobalProtect Portal. The GlobalProtect Gateway and GlobalProtect Portal have been configured with different authentication profiles.
Issue
When a GlobalProtect client connects to the Palo Alto Networks device, the device requests authentication credentials twice. Even if the client authenticates successfully to the gateway, the logs will show an authentication failure.
Cause
The GlobalProtect client first connects to the GlobalProtect Portal. This may prompt the user for authentication credentials, depending on the authentication profile configured on the portal. The GlobalProtect Portal then directs the client to the GlobalProtect Gateway, which is located on the same device. The device also automatically sends the credentials that were provided to the portal on to the gateway for authentication. With a different authentication profile configured on the GlobalProtect Gateway, this may cause a failed authentication attempt, and the user will be prompted to enter his/her authentication credentials for the gateway authentication profile.
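When reviewing authentication logs from a deployment in this state, it helps to separate the gateway failure produced by the forwarded portal credentials from gateway failures that need a closer look. The following is an added example, not code from Palo Alto Networks; the record layout, field names and the 120-second window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified layout (an assumption, not the
# PAN-OS log format): (timestamp, user, component, result)
SAMPLE_EVENTS = [
    ("2024-01-10 09:00:01", "alice", "portal", "success"),
    ("2024-01-10 09:00:02", "alice", "gateway", "failure"),  # forwarded portal credentials rejected
    ("2024-01-10 09:00:20", "alice", "gateway", "success"),  # user entered gateway credentials
    ("2024-01-10 09:05:00", "bob", "gateway", "failure"),    # no portal login beforehand
    ("2024-01-10 09:05:03", "bob", "gateway", "failure"),
    ("2024-01-10 09:10:00", "carol", "portal", "success"),
    ("2024-01-10 09:10:01", "carol", "gateway", "failure"),  # never followed by a success
]

def _parse(events):
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, comp, result)
        for ts, user, comp, result in events
    )

def classify_gateway_failures(events, window_seconds=120):
    """Label each gateway failure as 'expected' or 'investigate'.
    'expected' means the failure sits between a portal success and a gateway
    success for the same user inside the window, which is the pattern the
    forwarded portal credentials produce. Anything else is left for review.
    """
    rows = _parse(events)
    window = timedelta(seconds=window_seconds)
    findings = []
    for ts, user, comp, result in rows:
        if (comp, result) != ("gateway", "failure"):
            continue
        portal_ok_before = any(
            u == user and (c, r) == ("portal", "success")
            and timedelta(0) <= ts - t <= window
            for t, u, c, r in rows
        )
        gateway_ok_after = any(
            u == user and (c, r) == ("gateway", "success")
            and timedelta(0) <= t - ts <= window
            for t, u, c, r in rows
        )
        label = "expected" if portal_ok_before and gateway_ok_after else "investigate"
        findings.append((user, ts.strftime("%H:%M:%S"), label))
    return findings

if __name__ == "__main__":
    for finding in classify_gateway_failures(SAMPLE_EVENTS):
        print(finding)
```

A failure that follows a portal success but is never followed by a gateway success (the constructed "carol" case) stays in the review bucket, since it does not match the double-prompt pattern described above.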
Resolution
PAN-OS 6.0 introduced a new "Authentication Modifier" option under the GlobalProtect Portal > Client Configuration > General tab. The "Different password for external gateway" modifier (as shown in the screenshot below) indicates that the portal and gateway use different authentication credentials. This causes the Palo Alto Networks firewall to prompt the user for the gateway password after portal authentication succeeds.
owner: mdjeric