GlobalProtect authentication invoked twice when Device Checks is enabled on Portal and Authentication Override Cookie enabled on Portal and Gateway

GlobalProtect authentication invoked twice when Device Checks is enabled on Portal and Authentication Override Cookie enabled on Portal and Gateway

18614
Created On 10/12/21 15:03 PM - Last Modified 05/06/25 19:41 PM


Symptom


When the Machine Certificate Check (Device Checks) is enabled under Portal configuration selection criteria, users are prompted twice for DUO authentication, even though generate and accept authentication override cookie is enabled on Portal and Gateway

 

Environment


  • NGFW
  • PAN-OS 9.0 & above
  • GlobalProtect Portal with Configuration Selection Criteria and Authentication Override Cookie enabled
  • GlobalProtect app Windows and MacOS clients

Cause


  • This issue is caused when both Portal Configuration Selection Criteria and Authentication Override Cookie are enabled simultaneously.
  • Starting PAN-OS 9.0, if both Authentication Override Cookie and Device Checks/Custom Checks under Portal Configuration Selection Criteria is configured, Authentication Override Cookie will be disabled.
  • This is the reason for second DUO authentication being invoked when connecting to the gateway.

Resolution


The resolution is to disable Portal Config selection Criteria in the firewall Web GUI: Network > GlobalProtect > Portals > (Portal Config)  Agent > (Agent Config) > Config Selection Criteria > Device Checks / Custom Checks
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMcHCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language