We are not officially supported by Palo Alto networks, or any of it's employees, however all are welcome to join and help each other on a journey to a more secure tomorrow. In the 5.2.9 logs, i see the URL for the Azure AD login page, with the word BLOCK in front of it.This subredditt is for those that administer, support, or want to learn more about Palo Alto Networks firewalls. It just hands on the "enter password" screen like it never gets back a "succesful". NOTE: I just tried 5.2.9 and it actually gets stuck earlier in the process, just after the user enters their Azure AD password. Then nothing until we cancel GlobalProtect. In the logs, the last thing we see GP do is open two Duo web service URLs. We see the Azure AD credentials authenticate succesfully and the Microsoft prompt goes away (so that must be working), and we briefly see the Duo MFA Universal Prompt attempt to open, but it flashes on the screen for a second and then the GP window just shows a blank window. With GlobalProtect 5.2.8, the browser window appears to be stuck between Azure AD and Duo MFA. The issue we are having is with Connect BEFORE Logon. You can test if this worked by clicking the File menu and selecting ‘Connect’.
Change the password to your new password and click ‘Apply’. This works fine when we are using Connect AFTER Logon (user logs into Windows first and then connects the VPN). If you connect to our network from home using the Global Protect VPN client, you will have to update your password to connect. The process is then repeated for the gateway, although we have the portal configured to use cookies so that the user doesn't get prompted for MFA twice. Enter your username (NetID) and password (NetID password) and click Sign In. This can be changed by opening the settings menu on the top right of the client login screen. We are using SAML for authentication, so when the user clicks 'Connect', GlobalProtect does the portal connection first and is told by the Palo Alto to open it's embedded browser, call the Duo SSO web service, which in turn calls the Azure AD SSO web service, collects and validates the user's username/password, then passes GP back to Duo to prompt for MFA which once approved is passed back to the Palo Alto to allow GP to connect to the portal. If you have used GlobalProtect before, you will be connected to the portal you last used. We recently implemented Duo Multi-Factor Authentication (MFA) and have configured GlobalProtect to use Duo's SSO service (which in turn Duo uses Azure AD for authenticating the user).
0 kommentar(er)
