GlobalProtect not redirecting to Captive Portal after inbound authentication from MFA Gateway

Created On 04/07/19 11:13 AM - Last Modified 08/15/23 17:04 PM


Symptom


This knowledge base article assumes that GlobalProtect has already been configured to facilitate Multi-Factor Authentication Notifications using this article.

The GlobalProtect client successfully connects to the GlobalProtect Gateway, and Access Routes (for internal resources) are pushed to the client machine. When the user tries to RDP or SSH to an internal resource, the GlobalProtect client receives the Inbound Authentication Prompt from the MFA Gateway.

When the user clicks Authenticate, the client tries to connect to the Captive Portal Redirect Host IP on port 6082, but the connection times out and the RDP/SSH session fails.


Environment


– Captive Portal configured in redirect mode
– Authentication Policy configured for service TCP/3389 and TCP/22
– GlobalProtect configured to facilitate Multi-Factor Authentication notifications


Cause


This can happen when the Captive Portal Redirect Host IP, or the IP address that the Redirect Host FQDN resolves to, is unreachable from the GlobalProtect client. For instance, the Captive Portal Redirect Host IP is configured with the private IP 192.168.1.254, but the GlobalProtect access route is configured as 192.168.1.0/30, which does not include 192.168.1.254. In this case, the client machine tries to connect to 192.168.1.254 through its own link and not through the tunnel.

Resolution


Make sure the MFA page authentication happens through the GlobalProtect tunnel, either by using an appropriate Redirect Host IP address or by modifying the access route in the GlobalProtect gateway settings. For instance, add the entry 192.168.1.254/32 to the Include List of the Split Tunnel settings along with the internal resources subnet.
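
The check described above can be scripted before changing the gateway configuration. The following is an added example, not Palo Alto Networks code: the function names are hypothetical, the routes and addresses are the ones used in this article, and only the Include List is modeled (an Exclude List or the client's local routing table is not considered).

```python
import ipaddress


def covering_route(host, include_routes):
    """Return the most specific Include List route that contains host, or None."""
    ip = ipaddress.ip_address(host)
    matches = []
    for route in include_routes:
        # strict=False tolerates entries written with host bits set.
        net = ipaddress.ip_network(route, strict=False)
        if net.version == ip.version and ip in net:
            matches.append(net)
    # Longest prefix wins, as it would in a routing table.
    return max(matches, key=lambda n: n.prefixlen, default=None)


def missing_host_routes(redirect_hosts, include_routes):
    """List host routes (/32 or /128) to add so every Redirect Host address
    is reached through the tunnel. Pass every address the Redirect Host
    FQDN resolves to, not only the first one."""
    missing = []
    for host in redirect_hosts:
        if covering_route(host, include_routes) is None:
            # ip_network() on a bare address yields the /32 (or /128) host route.
            missing.append(str(ipaddress.ip_network(host)))
    return missing


if __name__ == "__main__":
    # Values from the example in this article.
    access_routes = ["192.168.1.0/30"]
    redirect_hosts = ["192.168.1.254"]

    to_add = missing_host_routes(redirect_hosts, access_routes)
    if to_add:
        print("Redirect Host not covered by access routes; add:", ", ".join(to_add))
    else:
        print("Redirect Host is reachable through the tunnel routes.")
```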
