GlobalProtect not Redirecting to Captive Portal after Inbound Authentication

Created On 04/07/19 11:13 AM - Last Modified 04/26/19 15:03 PM


Symptom
GlobalProtect is configured to facilitate Multi-Factor Authentication notifications, following the article below:
https://docs.paloaltonetworks.com/globalprotect/8-0/globalprotect-admin/authentication/configure-globalprotect-to-facilitate-multi-factor-authentication-notifications.html

The GlobalProtect client successfully connects to the GlobalProtect Gateway, and Access Routes (for internal resources) are pushed to the client machine. When trying to RDP or SSH to an internal resource, the GlobalProtect client receives the Inbound Authentication Prompt from the MFA Gateway.

When clicking Authenticate, it tries to connect to the Captive Portal Redirect Host IP on port 6082, but the connection times out and the RDP/SSH fails.


Environment
– Captive Portal configured in redirect mode
– Authentication Policy configured for service TCP/3389 and TCP/22
– GlobalProtect configured to facilitate Multi-Factor Authentication notifications


Cause
This can happen when the Captive Portal Redirect Host IP, or the IP address that the Redirect Host FQDN resolves to, is unreachable from the GlobalProtect client. For instance, the Captive Portal Redirect Host IP is configured with private IP 192.168.1.254, but the GlobalProtect access route is configured with 192.168.1.0/30, which does not include IP 192.168.1.254. In this case, the client machine will try to connect to 192.168.1.254 through its own link and not through the tunnel.

Resolution
Make sure the MFA page authentication happens through the GlobalProtect tunnel, either by using an appropriate Redirect Host IP address or by modifying the access route in the GlobalProtect gateway settings. For instance, add the entry 192.168.1.254/32 to the Include List of Split Tunnel settings along with the internal resources subnet.
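
The check below is an added example, not Palo Alto Networks code: it tests whether each Redirect Host address is covered by the gateway's Split Tunnel Include list and proposes the host routes to add. The function names are hypothetical, and the inputs are assumed to be copied by hand from the gateway configuration and from a DNS lookup of the Redirect Host FQDN.

```python
import ipaddress

# Values from the example in this article.
INCLUDE_ROUTES = ["192.168.1.0/30"]   # Split Tunnel Include list on the gateway
REDIRECT_HOST_IPS = ["192.168.1.254"]  # Captive Portal Redirect Host address(es)


def untunneled_redirect_hosts(redirect_ips, include_routes):
    """Return the Redirect Host addresses that no Include route covers.

    Those addresses are reached over the client's own link, so the
    connection to port 6082 never arrives at the firewall.
    """
    routes = [ipaddress.ip_network(r, strict=False) for r in include_routes]
    if not routes:
        # Assumption: an empty Include list means no split tunneling,
        # so all client traffic already goes through the tunnel.
        return []
    missing = []
    for ip in (ipaddress.ip_address(a) for a in redirect_ips):
        covered = any(ip.version == net.version and ip in net for net in routes)
        if not covered:
            missing.append(ip)
    return missing


def suggested_include_entries(redirect_ips, include_routes):
    """Host routes (/32 for IPv4, /128 for IPv6) to add to the Include list."""
    return [
        f"{ip}/{ip.max_prefixlen}"
        for ip in untunneled_redirect_hosts(redirect_ips, include_routes)
    ]


if __name__ == "__main__":
    for entry in suggested_include_entries(REDIRECT_HOST_IPS, INCLUDE_ROUTES):
        print(f"Redirect Host not routed through the tunnel; add {entry}")
```

When the Redirect Host is an FQDN, pass every address it resolves to from the client's point of view, since any uncovered address produces the same timeout.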
