Fixed: DUO MFA popup appears twice for login approval in GlobalProtect

Q: We configured a PA 850 firewall to use DUO for GlobalProtect MFA. It works. However, we have an issue. In GlobalProtect Gateway Configuration > Agent > Client Settings, if I add a user, for example blin, it works fine. If I add an AD OU, for example Employees, the login user gets the DUO approval popup twice.


From the DUO Authentication, I can see two Granted.


Why does it work if I add a user manually one by one, but pop up two MFA approvals if I add the group or OU to the Gateways?

Troubleshooting: If you configure DUO MFA on both the Portal and the Gateway, each one authenticates the user separately, so each triggers its own DUO prompt. You may want to enable authentication cookies to avoid the double prompt.

To resolve this matter, please follow the step-by-step instructions provided below:

1. Go to Network > GlobalProtect > Gateways.
2. Locate the Gateway Profile and click on “Agent,” followed by “Client Settings.”
3. Select the “End Users Agent” and navigate to the “Authentication override” tab.
4. Ensure that both the “Generate cookie for authentication override” and “Accept cookie for authentication override” options are checked.
5. By default, the “Cookie Lifetime” is set to 8. Please verify this value and make adjustments if necessary.
6. Finally, select a “Certificate to Encrypt/Decrypt Cookie.”
7. Click OK and then Commit.

This is from PA support:

Please note that these changes need to be implemented on both the DUO MF VPN and End Users agents:

1. Navigated to: Network > GlobalProtect > Portals > Agent > Authentication.
2. Set the “Save User Credentials” option to “yes” per your request.
3. Verified that “Generate cookie for authentication override” is enabled under Authentication Override, while “Accept cookie for authentication override” is disabled.
4. Selected the certificate profile.
5. Adjusted the cookie lifetime to expire in 7 days.

Regarding the gateway, we made the following modifications:

1. Accessed: Network > GlobalProtect > Gateways > Agent > Client Settings > Authentication Override.
2. Ensured that “Generate cookie for authentication override” is disabled, and “Accept cookie for authentication override” is enabled.
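
The pairing described above (the portal generates the cookie, and every gateway client-settings entry accepts it with the same certificate) can be checked mechanically. The following is an added example, not part of the original post or of any Palo Alto Networks tooling; the dictionary layout, the function name `audit_auth_override`, and the certificate and "Employees-OU" entry names are assumptions, not a PAN-OS schema.

```python
def audit_auth_override(portal_agents, gateway_clients):
    """Return (entry, problem) pairs that would leave a user with a second MFA prompt."""
    findings = []
    # Certificates that actually encrypt cookies issued by the portal.
    issuing_certs = set()
    for name, cfg in portal_agents.items():
        if cfg.get("generate_cookie") and cfg.get("cert"):
            issuing_certs.add(cfg["cert"])
        else:
            findings.append((name, "portal agent issues no cookie"))
    # Every gateway client-settings entry a user can match must accept the
    # cookie and decrypt it with a certificate the portal encrypted with.
    for name, cfg in gateway_clients.items():
        if not cfg.get("accept_cookie"):
            findings.append((name, "gateway entry does not accept the cookie"))
        elif cfg.get("cert") not in issuing_certs:
            findings.append((name, "gateway certificate cannot decrypt the portal cookie"))
    return findings


# Constructed sample data in a hypothetical layout (not exported from a firewall).
PORTAL = {
    "DUO MF VPN": {"generate_cookie": True, "cert": "gp-cookie-cert"},
    "End Users": {"generate_cookie": True, "cert": "gp-cookie-cert"},
}
GATEWAY = {
    # Fixed entry: accepts the cookie with the portal's certificate.
    "End Users": {"accept_cookie": True, "cert": "gp-cookie-cert"},
    # Entry that was missed when the fix was applied to only one agent.
    "DUO MF VPN": {"accept_cookie": False, "cert": None},
    # Group-based entry using a different certificate than the portal.
    "Employees-OU": {"accept_cookie": True, "cert": "old-cookie-cert"},
}

if __name__ == "__main__":
    for entry, problem in audit_auth_override(PORTAL, GATEWAY):
        print(f"{entry}: {problem}")
```

An empty result means every listed gateway entry can consume the portal's cookie, so a user matching any of them is not sent a second DUO push at the gateway.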

Published by

Bob Lin

Bob Lin, Chicagotech-MVP, MCSE & CNE Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on http://www.ChicagoTech.net How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com
