How to have only one push prompt in Global Protect DUO MFA with On-Demand

How to have only one push prompt in Global Protect DUO MFA with On-Demand

13958
Created On 10/05/21 15:08 PM - Last Modified 03/09/22 21:36 PM


Objective


  • Using DUO MFA for Global Protect can sometimes lead to double push prompts appearing when connecting.  
  • Changing the cookies of the Global Protect Portal and Gateway can allow you to have only one push when connecting to Global Protect DUO MFA with On-Demand

Environment


  • Palo Alto Firewalls.
  • PAN-OS 8.1 and above.
  • Global Protect configured to use DUO MFA (multi factor authentication).
  • On-Demand connect method

Procedure


  1. Navigate to GUI: Network > GlobalProtect > Portals > Agent > Authentication
  2. Set "Save User Credentials" to "No"
  3. Under Authentication Override have "Generate cookie for authentication override" > Checked and have "Accept cookie for authentication override" > Unchecked
  4. Navigate to GUI: Network > GlobalProtect > Gateways > Agent > Client Settings > Authentication Override
  5. Have "Generate cookie for authentication override" -> Unchecked and have "Accept cookie for authentication override" > Checked
 
User-added image
 
User-added image
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LvbCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language