We have configured Duo MFA for GlobalProtect users. We have configured all the requirements for Duo using the below-mentioned link. Can you please help me where we are missing or making a mistake?

13:32:04.800 -0700 debug: _get_auth_prof_detail(pan_auth_util.c:1112): non-admin user thru Global Protect "rajeev" auth profile "DUO-Authentication-Profile" vsys "vsys1"
13:32:04.800 -0700 debug: _get_authseq_profile(pan_auth_util.c:893): Auth profile/vsys (DUO-Authentication-Profile/vsys1) is NOT auth sequence
13:32:04.800 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for DUO-Authentication-Profile-vsys1-mfa
13:32:04.800 -0700 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1068): MFA is not configured for the auth profile.
13:32:04.800 -0700 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1079): MFA configured, but bypassed for GP user ''. No mfa server ids for the user "" (prof/vsys: DUO-Authentication-Profile/vsys1)
13:32:04.800 -0700 debug: _authenticate_initial(pan_auth_state_engine.c:2648): Keep original username, i.e., whatever end-user typed, "rajeev" in request->username (prof/vsys: DUO-Authentication-Profile/vsys1)
13:32:04.801 -0700 debug: pan_auth_locklist_response_process(pan_auth_state_engine.c:4358): b_postauth_grpcheck=true, delay allow list check
13:32:04.801 -0700 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1892): Authenticating user "rajeev" with
13:32:04.801 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for DUO-Authentication-Profile-vsys1
13:32:30.407 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4554): auth status: auth timed out

It looks like the Duo MFA solution for Captive Portal created by Palo Alto will work with a local database, per the step two callout at. You will need to contact Palo Alto support for assistance with that MFA integration, as we didn't create it.
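The authd trace in the question was pasted newest-first, and the lines that actually explain the failure (no server id vector for the "-mfa" profile, MFA bypassed for an empty GP user, then a timeout about 25 seconds later) are easy to miss in the jumble. The following Python is an added example, not code from the thread, from Palo Alto Networks or from Duo: it parses the line shape seen in the post, restores chronological order, and pulls out the indicator messages, the user, the profile/vsys and the elapsed time. The line format and the message substrings are taken from the posted lines; `parse_log` and `summarize` are hypothetical helper names.

```python
"""Triage helper for PAN-OS authd debug lines like the ones posted above.

Added example: not code from the thread, Palo Alto Networks or Duo. It
assumes the line shape visible in the post,
    HH:MM:SS.mmm -0700 debug: function(file.c:NNN): message
and it only knows the handful of message strings that appear there.
"""
import re
from dataclasses import dataclass

# The ten lines copied from the post above, in the order they were pasted
# (newest first), used here as the sample input.
POSTED_LOG = """\
13:32:30.407 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4554): auth status: auth timed out
13:32:04.801 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for DUO-Authentication-Profile-vsys1
13:32:04.801 -0700 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1892): Authenticating user "rajeev" with
13:32:04.801 -0700 debug: pan_auth_locklist_response_process(pan_auth_state_engine.c:4358): b_postauth_grpcheck=true, delay allow list check
13:32:04.800 -0700 debug: _authenticate_initial(pan_auth_state_engine.c:2648): Keep original username, i.e., whatever end-user typed, "rajeev" in request->username (prof/vsys: DUO-Authentication-Profile/vsys1)
13:32:04.800 -0700 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1079): MFA configured, but bypassed for GP user ''. No mfa server ids for the user "" (prof/vsys: DUO-Authentication-Profile/vsys1)
13:32:04.800 -0700 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1068): MFA is not configured for the auth profile.
13:32:04.800 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for DUO-Authentication-Profile-vsys1-mfa
13:32:04.800 -0700 debug: _get_authseq_profile(pan_auth_util.c:893): Auth profile/vsys (DUO-Authentication-Profile/vsys1) is NOT auth sequence
13:32:04.800 -0700 debug: _get_auth_prof_detail(pan_auth_util.c:1112): non-admin user thru Global Protect "rajeev" auth profile "DUO-Authentication-Profile" vsys "vsys1"
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) (?P<level>\w+): "
    r"(?P<func>\w+)\((?P<src>[\w.]+):(?P<srcline>\d+)\): (?P<msg>.*)$"
)

# Message substrings that explain a GlobalProtect MFA failure, keyed for output.
INDICATORS = (
    ("MFA is not configured for the auth profile", "mfa_not_configured"),
    ("MFA configured, but bypassed", "mfa_bypassed"),
    ("could not find auth server id vector", "no_server_ids"),
    ("auth status: auth timed out", "auth_timed_out"),
)
USER_RE = re.compile(r'Authenticating user "([^"]+)"')
PROFILE_RE = re.compile(r"prof/vsys: ([^/\s)]+)/([^\s)]+)\)")


@dataclass
class Event:
    ts_ms: int  # milliseconds since midnight, for ordering and deltas
    ts: str
    level: str
    func: str
    src: str
    srcline: int
    msg: str


def _to_ms(ts: str) -> int:
    hh, mm, rest = ts.split(":")
    ss, ms = rest.split(".")
    return ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1000 + int(ms)


def parse_log(raw: str) -> list:
    """Parse authd lines and return them in chronological order."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised authd line: {line!r}")
        events.append(Event(_to_ms(m["ts"]), m["ts"], m["level"], m["func"],
                            m["src"], int(m["srcline"]), m["msg"]))
    # Pastes are often newest-first. Reverse before the stable sort so that
    # lines sharing a millisecond keep their original relative order.
    if len(events) > 1 and events[0].ts_ms > events[-1].ts_ms:
        events.reverse()
    events.sort(key=lambda e: e.ts_ms)
    return events


def summarize(raw: str) -> dict:
    """Return who/what/how-long plus the failure indicators seen in the trace."""
    events = parse_log(raw)
    if not events:
        raise ValueError("no authd lines found")
    found, user, profile, vsys = set(), None, None, None
    for e in events:
        for needle, key in INDICATORS:
            if needle in e.msg:
                found.add(key)
        if user is None and (m := USER_RE.search(e.msg)):
            user = m.group(1)
        if profile is None and (m := PROFILE_RE.search(e.msg)):
            profile, vsys = m.group(1), m.group(2)
    return {
        "user": user,
        "profile": profile,
        "vsys": vsys,
        "indicators": sorted(found),
        "elapsed_ms": events[-1].ts_ms - events[0].ts_ms,
        "first_func": events[0].func,
        "last_func": events[-1].func,
    }


if __name__ == "__main__":
    for k, v in summarize(POSTED_LOG).items():
        print(f"{k}: {v}")
```

Run against the posted trace it reports user "rajeev", profile DUO-Authentication-Profile in vsys1, all four indicators, and 25607 ms between the first profile lookup and the timeout. The combination of "no_server_ids" and "mfa_bypassed" is the useful signal: authd looked for an MFA server list attached to the profile, found none, and went on without an MFA step, so whatever later timed out was the primary authentication, not Duo.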
The Duo Access Gateway requires an external LDAP, SAML, or OIDC authentication source for primary login. I don't think that you could use the local user store on the PA as an authentication source for DAG. The other alternative from Duo is RADIUS, but that also requires an authentication source for the Duo Authentication Proxy. Some VPN appliances let you chain authenticators, so one could use the local user database on the VPN for primary auth and then add the Duo proxy configured to only perform Duo secondary authentication. Cisco ASA supports this, as does the Pulse Secure SA. However, my recollection is that PAN-OS does not chain authenticators, where if the first succeeds then it moves on to the second. I believe that the Palo Alto lets you configure multiple authentication sources, but then uses them for failover, so it will never do a second step of Duo auth after the first step of primary auth succeeds.