OTP is prompted twice for GlobalProtect configured with two factor authentication
14323
Created On 10/28/21 15:33 PM - Last Modified 04/28/23 21:19 PM
Symptom
- Two factor authentication is configured for GlobalProtect (GP).
- When the client tries to connect to GP, OTP is prompted twice.
Environment
- Palo Alto Networks Firewall
- Supported PAN-OS
- GlobalProtect (GP)
- Multi Factor or Two Factor authentication configured for GP.
Cause
- GlobalProtect App will pass on the Portal credentials to the gateway for seamless authentication.
- After successful two-factor authentication (OTP) with Portal, GP will pass on the portal OTP to the Gateway.
- Because the OTP is single-use and has already been consumed (or has rotated) by the time the gateway authenticates, the RADIUS server (RSA server) answers the gateway's request with an "Access-Reject" message.
- Due to this RADIUS reject, the gateway authentication fails and the user is prompted to re-authenticate with the gateway.
Resolution
- In the portal, enable "Generate a cookie for authentication override". Do not enable "accept cookies".
- With this configuration, the user will always be prompted to authenticate when connecting to the portal.
- In the gateway, enable only "Accept cookie" and set the cookie lifetime to the minimum (one minute).
- Commit the configuration.
On Portal GUI: Network > GlobalProtect > Portal > Agent > (select the agent) > Authentication > click on "Generate cookie for authentication override"
On Gateway GUI: Network > GlobalProtect > Gateways > Agent > (select the agent) > Client Settings > Authentication Override > "Accept cookie for authentication override"
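As an added illustration, not code from this article or from Palo Alto Networks, the following Python model walks through the portal-then-gateway flow described above: the RADIUS/RSA side accepts each one-time password exactly once, so forwarding the portal OTP to the gateway yields Access-Reject, while a signed, short-lived authentication-override cookie lets the gateway skip the second OTP prompt and stops being honoured once its lifetime has passed. The HMAC shared secret, the user name and the OTP value are constructed stand-ins (the real product uses a shared cookie certificate).

```python
import hashlib
import hmac

# Constructed stand-in for the portal/gateway shared cookie certificate.
SHARED_SECRET = b"constructed-portal-gateway-secret"

class OtpServer:
    """Models the RADIUS/RSA side: every one-time password is accepted exactly once."""
    def __init__(self, valid_codes):
        self.valid, self.used = set(valid_codes), set()

    def authenticate(self, otp):
        # An unknown code, or one that was already consumed, gets Access-Reject.
        if otp in self.valid and otp not in self.used:
            self.used.add(otp)
            return "Access-Accept"
        return "Access-Reject"

def make_cookie(user, expires_at):
    """Portal-issued override cookie: user, expiry and an HMAC over both."""
    payload = f"{user}|{expires_at}".encode()
    tag = hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}|{tag}"

def cookie_is_valid(cookie, now):
    """Gateway-side check: the tag must verify and the lifetime must not have passed."""
    user, expires_at, tag = cookie.split("|")
    expected = hmac.new(SHARED_SECRET, f"{user}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and now <= int(expires_at)

def portal_login(otp_server, user, otp, now, generate_cookie, lifetime_s=60):
    """Portal step: the OTP is always checked; a cookie is issued only when override is enabled."""
    if otp_server.authenticate(otp) != "Access-Accept":
        return None
    cookie = make_cookie(user, now + lifetime_s) if generate_cookie else None
    return {"user": user, "otp": otp, "cookie": cookie}

def gateway_connect(otp_server, session, now, accept_cookie):
    """Gateway step: honour a valid override cookie, else fall back to the forwarded portal OTP."""
    if accept_cookie and session["cookie"] and cookie_is_valid(session["cookie"], now):
        return "connected"
    # Default behaviour from the article: the app replays the portal OTP, which RADIUS rejects.
    if otp_server.authenticate(session["otp"]) == "Access-Accept":
        return "connected"
    return "re-prompt"

def run(generate_cookie, accept_cookie, gateway_delay_s=5):
    """One user's portal-then-gateway connection; returns the gateway outcome."""
    radius = OtpServer({"123456"})  # constructed sample token code
    session = portal_login(radius, "alice", "123456", now=0, generate_cookie=generate_cookie)
    return gateway_connect(radius, session, now=gateway_delay_s, accept_cookie=accept_cookie)
```

The one-minute lifetime matters because the cookie is a bearer credential that bypasses the gateway's OTP check; keeping it short limits how long a captured cookie stays usable.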
Additional Information
https://live.paloaltonetworks.com/t5/general-topics/globalprotect-requires-token-twice-possible-rsa-inconvenience/td-p/166905