GlobalProtect user login attempt not cycling through multiple Client Authentication Profiles

Created On 02/12/21 21:26 PM - Last Modified 03/09/21 03:03 AM


Symptom


  • Two Authentication Profiles are configured: RADIUS and Local DB.
  • When a user from the second Authentication Profile tries to log in, they are prompted with "User not found" or "Incorrect Username and Password".
  • The logs at GUI: Monitor > GlobalProtect show the user hitting only the first authentication profile in the list (RADIUS in this case) instead of Local DB.
  • The authentication attempt is not cycling over to the next profile, where the user resides.
  • The GlobalProtect Portal is shown below with RADIUS and Local Database authentication. It can differ depending on the customer configuration.
[Screenshot: GlobalProtect Portal Authentication]


Environment


  • Palo Alto Firewall
  • Any PAN-OS
  • GlobalProtect 
  • Portal Authentication contains multiple Client Authentication profiles.


Cause


When the OS type "Any" is configured, only a single authentication profile can be used. If multiple profiles are configured, only the first profile is used for all user authentication attempts. Refer to the article in the Additional Information section.
 


Resolution


Create a single Client Authentication profile using an Authentication Sequence that includes both the RADIUS and Local DB authentication methods.
  1. Navigate to GUI: Device > Authentication Sequence
  2. Click Add and specify a name for the Authentication Sequence
  3. Under the "Authentication Profiles" section, click Add and select the configured RADIUS profile and the Local DB profile
  4. Click OK

NOTE: Make sure RADIUS is at the top of the list. These profiles must already be configured to appear in the list.

[Screenshot: Authentication Sequence]

  1. Navigate to GUI: Network > GlobalProtect > Portals
  2. Click on the Portal config to edit it
  3. Click on the Authentication tab
  4. Remove the configured Client Authentication Profiles by using Delete
  5. Click Add to create a new Client Authentication entry
  6. Enter a name; for Authentication Profile, select the Authentication Sequence created above, then click OK
[Screenshot: Client Authentication]
  7. Commit changes
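
To check a configuration for the condition described under Cause, the following added example (not part of the original article and not Palo Alto Networks code) scans an exported configuration for portals that have more than one Client Authentication entry with OS "Any", and lists the member order of an Authentication Sequence. The XML element names, the sample data, and the function names `audit_portals` and `sequence_order` are assumptions made for illustration; adjust the paths to match your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names are an assumed export layout, not from the article.
SAMPLE = """<config>
 <authentication-sequence>
  <entry name="RADIUS-then-LocalDB"><authentication-profiles>
   <member>RADIUS-Profile</member><member>LocalDB-Profile</member>
  </authentication-profiles></entry>
 </authentication-sequence>
 <global-protect-portal>
  <entry name="portal-before-fix"><portal-config><client-auth>
   <entry name="radius"><os>Any</os>
    <authentication-profile>RADIUS-Profile</authentication-profile></entry>
   <entry name="localdb"><os>Any</os>
    <authentication-profile>LocalDB-Profile</authentication-profile></entry>
  </client-auth></portal-config></entry>
  <entry name="portal-after-fix"><portal-config><client-auth>
   <entry name="combined"><os>Any</os>
    <authentication-profile>RADIUS-then-LocalDB</authentication-profile></entry>
  </client-auth></portal-config></entry>
 </global-protect-portal>
</config>"""

def audit_portals(xml_text):
    """Flag portals with more than one OS "Any" client-auth entry."""
    findings = []
    for portal in ET.fromstring(xml_text).iterfind(".//global-protect-portal/entry"):
        any_entries = [e for e in portal.iterfind("portal-config/client-auth/entry")
                       if (e.findtext("os") or "").strip().lower() == "any"]
        if len(any_entries) > 1:
            profiles = [e.findtext("authentication-profile") for e in any_entries]
            findings.append({
                "portal": portal.get("name"),
                "used": profiles[0],          # first entry handles every login
                "never_tried": profiles[1:],  # users only in these are rejected
            })
    return findings

def sequence_order(xml_text, name):
    """Return the member profiles of an authentication sequence, in try order."""
    for seq in ET.fromstring(xml_text).iterfind(".//authentication-sequence/entry"):
        if seq.get("name") == name:
            return [m.text for m in seq.iterfind("authentication-profiles/member")]
    return []

if __name__ == "__main__":
    print(audit_portals(SAMPLE), sequence_order(SAMPLE, "RADIUS-then-LocalDB"))
```

A portal configured as in the Resolution produces no finding, and the sequence listing lets you confirm that RADIUS is first, as the NOTE requires.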


Additional Information



