How to get only one push prompt in GlobalProtect with Duo MFA and the On-Demand connect method
Created On 10/05/21 15:08 PM - Last Modified 03/09/22 21:36 PM
Objective
- Using Duo MFA for GlobalProtect can sometimes cause two push prompts to appear when connecting.
- Changing the authentication override cookie settings on the GlobalProtect Portal and Gateway lets you get only one push when connecting to GlobalProtect with Duo MFA and the On-Demand connect method.
Environment
- Palo Alto Firewalls.
- PAN-OS 8.1 and above.
- GlobalProtect configured to use Duo MFA (multi-factor authentication).
- On-Demand connect method.
Procedure
- In the GUI, navigate to Network > GlobalProtect > Portals > Agent > Authentication.
- Set "Save User Credentials" to "No".
- Under Authentication Override, check "Generate cookie for authentication override" and uncheck "Accept cookie for authentication override".
- In the GUI, navigate to Network > GlobalProtect > Gateways > Agent > Client Settings > Authentication Override.
- Uncheck "Generate cookie for authentication override" and check "Accept cookie for authentication override".