06-11-2019 12:40 AM
I use DUO as the 2FA for the Palo Alto Networks GlobalProtect VPN connection.
When I connect to the VPN via GlobalProtect, I always receive 2 login requests. I need to approve the request twice each time.
Do you know how to change the setting to let me receive the 1 login request for every VPN connection?
Thank you.
06-11-2019 06:16 AM
Which version of PAN-OS are you using? Did you recently upgrade PAN-OS?
06-12-2019 09:50 PM
I’m using Pan OS 8.1 which the firewall is new installed.
06-13-2019 05:54 AM
Hey Charles, can you check the timeout and retry settings? Per this Knowledge Base article, this most often occurs when the timeout is too low and the number of retries is set too high. If this is indeed the case with your configuration, try changing your settings to a 60-second timeout and one retry.
Please let me know if this helps.
06-14-2019 07:20 AM
I’ve actually been seeing this with Cisco AnyConnect + Duo Radius Proxy too. I haven’t had too much time to dig into it but I did confirm the timeout and retry values were set to the recommended per Duo KB’s. I assumed it was AnyConnect / ASA skipping to ask the 2nd Radius server too quickly, then the person ends up with 2 pushes, but I checked the AAA Stats and the ASA has never actually asked the 2nd Radius server to authenticate.
06-17-2019 06:33 AM
For PAN VPN there is two levels of auth. One is for the portal itself, the other is for the VPN connection. Remove DUO from one of those workflows.
06-18-2019 01:40 AM
Yes, you are right.
Finally I remove gateway authentication and it resume normal.
Thank you very much for all of your reply.
Cheers~
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide