Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE 2.4p6, Palo Alto Global Protect and RSA 8.1

Just a quick post to discuss some findings and to see if anyone has had something similar. The title basically describes it but I am doing a token based (RSA) VPN (GlobalProtect) with ISE. 


My problem essentially lies with the next tokencode mode process when a token is out of sync, needs a new pin etc. I was trying to leverage EAP-GTC instead of PAP and therein lies the drama.


What I have found to date is that I can't get next tokencode moessages to work successfully with anything other than PAP. Initially I utilised EAP-GTC and am able to successfully authenticate and connect when there is no token issue. Problem with EAP-GTC is when next tokencode mode is invoked the messages just will not appear on the GP client. When I change the protocol back to PAP the prompts and tokencode process work as expected.


I have not been able to ascertain whether the issue is with ISE, Palo or indeed the RSA 8.1 server. The ISE logs for both protocols indicate that the next token is required but as stated EAP-GTC configurations don't pass the message to the VPN client.


I am going to post this on the other appropriate forums to see what I find and will update this post accordingly. I mainly post in case anyone else has this issue in the future. If anyone is aware of what the issue is I would appreciate a response as PAP is not the desired protocol for this. 

Everyone's tags (4)
Cisco Employee

Re: ISE 2.4p6, Palo Alto Global Protect and RSA 8.1

I recommend also engaging TAC to debug
Check out the resources section of the following page