Why would the GlobalProtect client connect to the gateway prior to the Radius MFA prompt being answered?
Created On 02/10/22 02:08 AM - Last Modified 05/21/25 02:41 AM
Question
Why does the GlobalProtect client connect to the gateway before the RADIUS authentication fails when the MFA prompt during portal authentication is not answered?
Environment
- GlobalProtect (GP) Portal and Gateway are configured with Authentication Override
- A RADIUS server is configured as the Authentication Server Profile on Panorama / the firewall / Cloud Managed Prisma Access
- The RADIUS server is tied to MFA (Multi-Factor Authentication)
- The GlobalProtect client user (end user) responds to the initial RADIUS username and password prompt but does not respond to the MFA prompt
Answer
- If the GlobalProtect client user does not respond to MFA, the portal login times out. This is not an authentication failure; from the client's point of view it is the same as the portal being unreachable.
- The GP client then tries to load the cached portal config, which contains the user's authentication override cookie. If the gateway still considers that cookie valid, the client can establish the tunnel with it, without the MFA prompt ever having been answered.
Additional Information
- A user can test whether the configured RADIUS timeout is working properly by deleting the .dat files that contain the cookie and the cached portal config; without them the client must complete a fresh portal login, including MFA
- On Windows, the cookie and portal config files are in the folder C:\Users\%Username%\AppData\Local\Palo Alto Networks\GlobalProtect (the cached portal config file name begins with PanPortalCfg_ and the cookie file name begins with PanPUAC_)
- On macOS, they are in /Users/$USER/Library/Application Support/PaloAltoNetworks/GlobalProtect/
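The following PowerShell is an added example for the Windows check above; it is not part of the KB article or of the GlobalProtect product. It lists the cached PanPortalCfg_ and PanPUAC_ files with their age, and clears them so the next connection has to complete portal authentication (RADIUS plus MFA). It assumes the GlobalProtect client is closed so the files are not locked, and the -CookieLifetimeHours value is a placeholder to be set to the Authentication Override cookie lifetime configured on the portal/gateway.

```powershell
# Added example, not from the KB article. Inspect and clear the cached
# GlobalProtect portal config and authentication-override cookie on Windows.
# Assumptions: the GP client is closed (files not locked); -CookieLifetimeHours
# is a placeholder that should match the Authentication Override cookie lifetime
# configured on the portal/gateway.

$script:GPCachePath = Join-Path $env:LOCALAPPDATA 'Palo Alto Networks\GlobalProtect'

function Get-GPCache {
    param(
        [string]$CachePath = $script:GPCachePath,
        [double]$CookieLifetimeHours = 24   # placeholder; set to your configured lifetime
    )
    if (-not (Test-Path -LiteralPath $CachePath)) {
        Write-Warning "Cache folder not found: $CachePath"
        return
    }
    Get-ChildItem -Path $CachePath -File -Recurse -Include 'PanPortalCfg_*', 'PanPUAC_*' |
        ForEach-Object {
            $isCookie = $_.Name -like 'PanPUAC_*'
            # File write time approximates when the cookie was issued; the gateway
            # enforces the real lifetime, so this is only a local estimate.
            $ageHours = ((Get-Date) - $_.LastWriteTime).TotalHours
            [pscustomobject]@{
                Name           = $_.Name
                Kind           = if ($isCookie) { 'auth-override cookie' } else { 'portal config' }
                AgeHours       = [math]::Round($ageHours, 1)
                WithinLifetime = if ($isCookie) { $ageHours -lt $CookieLifetimeHours } else { $null }
            }
        }
}

function Clear-GPCache {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$CachePath = $script:GPCachePath)
    Get-ChildItem -Path $CachePath -File -Recurse -Include 'PanPortalCfg_*', 'PanPUAC_*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -WhatIf / -Confirm are honoured via ShouldProcess
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove cached GlobalProtect file')) {
                Remove-Item -LiteralPath $_.FullName -Force
            }
        }
}

# Usage (run as the affected user, with the GP client closed):
#   Get-GPCache | Format-Table
#   Clear-GPCache -WhatIf     # preview
#   Clear-GPCache             # remove, then reconnect and leave the MFA prompt unanswered
```

After clearing, a connection attempt with the MFA prompt left unanswered should end in a portal timeout rather than a tunnel, which confirms the RADIUS timeout behaviour without the cached cookie masking it.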