Just a quick post to discuss some findings and to see if anyone has had something similar. The title basically describes it but I am doing a token based (RSA) VPN (GlobalProtect) with ISE. 

My problem essentially lies with the next tokencode mode process when a token is out of sync, needs a new pin etc. I was trying to leverage EAP-GTC instead of PAP and therein lies the drama.

What I have found to date is that I can't get next tokencode moessages to work successfully with anything other than PAP. Initially I utilised EAP-GTC and am able to successfully authenticate and connect when there is no token issue. Problem with EAP-GTC is when next tokencode mode is invoked the messages just will not appear on the GP client. When I change the protocol back to PAP the prompts and tokencode process work as expected.

I have not been able to ascertain whether the issue is with ISE, Palo or indeed the RSA 8.1 server. The ISE logs for both protocols indicate that the next token is required but as stated EAP-GTC configurations don't pass the message to the VPN client.

I am going to post this on the other appropriate forums to see what I find and will update this post accordingly. I mainly post in case anyone else has this issue in the future. If anyone is aware of what the issue is I would appreciate a response as PAP is not the desired protocol for this.