Double OTP needed to get connectivity to GlobalProtect gateway

Created On 09/17/23 14:52 PM - Last Modified 05/02/24 02:42 AM


Symptom


  • The user is prompted for the 2FA OTP twice.
  • The portal login is presented.
  • A 2FA OTP is requested for the portal authentication.
  • A 2FA OTP is then requested for the gateway: the credentials provided during the portal authentication are reused for the gateway, and both the portal and the gateway use the same authentication profile.
  • If the Dynamic password option is selected for "External Gateways-manual only" or "External gateways-auto discovery", the user will be prompted to provide the user credentials again for the gateway.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • GlobalProtect (GP) App


Cause


The Authentication override option is not enabled or no cookies are being used.

Resolution


  1. Generate the cookies on the portal for authentication override.
  2. Accept the cookies on the gateway for authentication override.
  3. Commit the configuration.
  4. With this in place, the user will not have to provide the OTP twice.


Additional Information


  • The sequence of authentication would be as below:
    • The user provides the credentials for the portal
    • Gets an OTP for 2FA
    • Gateway:
      • Accepts the user credentials provided during the portal authentication (the user will not enter the credentials here)
      • Gets the OTP for 2FA
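
The sequence above, and the effect of the cookie settings from the Resolution, as a toy Python model. This is an added illustration, not Palo Alto Networks code or part of the original article. The HMAC-signed cookie, the 3600-second lifetime, the account and every function name are assumptions made for the example.

```python
import hashlib
import hmac

# Toy model, not PAN-OS code: every name and value below is constructed.
# SECRET stands in for whatever key material protects the cookie.
SECRET = b"constructed-demo-key"
USERS = {"alice": "pw123"}

class Client:
    """Holds the user's credentials and counts OTP prompts shown to the user."""
    def __init__(self, user, password):
        self.user, self.password = user, password
        self.otp_prompts, self.cookie = 0, None

def _sign(user, issued):
    return hmac.new(SECRET, f"{user}|{issued}".encode(), hashlib.sha256).hexdigest()

def authenticate(client):
    """Authentication profile shared by portal and gateway: password, then OTP."""
    if USERS.get(client.user) != client.password:
        return False
    client.otp_prompts += 1      # the user is asked for an OTP here
    return True

def portal_login(client, generate_cookie, now=0):
    if not authenticate(client):
        return False
    if generate_cookie:          # cookie generation enabled on the portal
        client.cookie = (client.user, now, _sign(client.user, now))
    return True

def gateway_login(client, accept_cookie, now=0, lifetime=3600):
    if accept_cookie and client.cookie:   # cookie acceptance enabled on the gateway
        user, issued, sig = client.cookie
        valid = hmac.compare_digest(sig, _sign(user, issued))
        if valid and user == client.user and 0 <= now - issued <= lifetime:
            return True          # cookie accepted, no second OTP
    return authenticate(client)  # no usable cookie: the profile runs again

def connect(generate_cookie, accept_cookie, tamper=False, gateway_time=60):
    """Returns (connected, number of OTP prompts) for one portal + gateway login."""
    c = Client("alice", "pw123")
    ok = portal_login(c, generate_cookie)
    if tamper and c.cookie:      # simulate a cookie whose contents were altered
        c.cookie = (c.cookie[0], c.cookie[1] + 1, c.cookie[2])
    return ok and gateway_login(c, accept_cookie, now=gateway_time), c.otp_prompts
```

In this model the single-OTP outcome requires both settings together; enabling only one side, or presenting an altered or expired cookie, falls back to the shared authentication profile and a second OTP.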

