Palo Alto VPN not doing 2FA with VIP 9.7

Article ID: 162741

Updated On:

Products

VIP Integrations

Issue/Introduction

Palo Alto GlobalProtect is used as the VPN firewall for VPN users, and the requirement is to have VIP perform the 2FA for those users. Logging in as a user with username > password+secure_token would fail. Logins with just username > secure_token would work, and logins with username > ldap_password would also work.

AUDIT    "2015-12-11 16:46:50.463 GMT-0600"   ValidationEngine 0 18501 "text=Access DENIED [VSWebServiceClient] The security code does not meet policy requirements. Verify the security code you have entered. Also, ensure that both the RADIUS server and the RADIUS client shares the same Shared Secret, OTP length = 16, user=svip, bizCont=off ,reason=12" Thread-16696 VSValidationEngine.c
AUDIT    "2015-12-11 16:46:50.463 GMT-0600"   ValidationEngine 0 18501 "text=Access 0" Thread-16696 VSValidationEngine.c
AUDIT    "2015-12-11 16:47:20.353 GMT-0600"   ValidationEngine 0 0 "text=Access GRANTED 0x0: Success&tokenid=VSMT44516421, user=svip, bizCont=off ,reason=0&tokenid=VSMT44516421" Thread-16696 VSValidationEngine.c
AUDIT    "2015-12-11 16:47:20.353 GMT-0600"   ValidationEngine 0 0 "text=Access 0" Thread-16696 VSValidationEngine.c

Restarting the Symantec LDAP Directory Service fails with errors 1067 and 1053 on the domain controller.

Cause

The backend server logs in the cloud show that the user is able to log in with username & OTP only, which is single-factor authentication. Logging in with username & password+OTP fails with the message shown above.
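As an added example that is not part of this article, the following Python parser turns the ValidationEngine audit lines quoted above into structured events and flags denials whose reported OTP length exceeds the expected code length, so the password+OTP failure can be picked out of a larger audit log. The expected length of 6 is an assumption; the line layout and field names come from the log lines on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the four VIP Enterprise Gateway audit lines quoted in this article.
SAMPLE_AUDIT = """\
AUDIT    "2015-12-11 16:46:50.463 GMT-0600"   ValidationEngine 0 18501 "text=Access DENIED [VSWebServiceClient] The security code does not meet policy requirements. Verify the security code you have entered. Also, ensure that both the RADIUS server and the RADIUS client shares the same Shared Secret, OTP length = 16, user=svip, bizCont=off ,reason=12" Thread-16696 VSValidationEngine.c
AUDIT    "2015-12-11 16:46:50.463 GMT-0600"   ValidationEngine 0 18501 "text=Access 0" Thread-16696 VSValidationEngine.c
AUDIT    "2015-12-11 16:47:20.353 GMT-0600"   ValidationEngine 0 0 "text=Access GRANTED 0x0: Success&tokenid=VSMT44516421, user=svip, bizCont=off ,reason=0&tokenid=VSMT44516421" Thread-16696 VSValidationEngine.c
AUDIT    "2015-12-11 16:47:20.353 GMT-0600"   ValidationEngine 0 0 "text=Access 0" Thread-16696 VSValidationEngine.c
"""

# Layout of one line: AUDIT "<timestamp>" ValidationEngine <n> <n> "text=<message>" Thread-<id> <file>
LINE_RE = re.compile(r'^AUDIT\s+"(?P<ts>[^"]+)"\s+ValidationEngine\s+\d+\s+\d+\s+"text=(?P<text>.*)"\s+Thread-\d+')
RESULT_RE = re.compile(r"^Access (DENIED|GRANTED)")
# Key=value fields embedded in the message; reason and OTP length are numeric.
FIELD_RES = {"user": r"user=(\w+)", "tokenid": r"tokenid=(\w+)",
             "reason": r"reason=(\d+)", "otp_length": r"OTP length = (\d+)"}

@dataclass
class AuditEvent:
    timestamp: str
    result: Optional[str]          # "DENIED", "GRANTED", or None for the bare "Access 0" summary line
    user: Optional[str] = None
    tokenid: Optional[str] = None
    reason: Optional[int] = None
    otp_length: Optional[int] = None

def parse_audit(log: str) -> List[AuditEvent]:
    """Turn raw ValidationEngine audit lines into structured events; unrecognised lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        text = m.group("text")
        r = RESULT_RE.match(text)
        ev = AuditEvent(m.group("ts"), r.group(1) if r else None)
        for name, pattern in FIELD_RES.items():
            f = re.search(pattern, text)
            if f:
                setattr(ev, name, int(f.group(1)) if name in ("reason", "otp_length") else f.group(1))
        events.append(ev)
    return events

def oversized_otp_denials(events: List[AuditEvent], expected_len: int = 6) -> List[AuditEvent]:
    """Denials where the gateway reports a security code longer than a real OTP (expected_len=6 is an
    assumption; the denied line above reports OTP length = 16 for the password+OTP login that failed)."""
    return [e for e in events if e.result == "DENIED"
            and e.otp_length is not None and e.otp_length > expected_len]
```

Feed the function a copy of the gateway's audit log to list every user whose denial carries an oversized OTP length and compare those timestamps with the VPN login attempts.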

We asked that VIP EGW 9.7 be installed after the server is rebooted.

Environment

VIP Enterprise Gateway 9.6.1

Resolution

Steps to resolve the issue:

  1. Reboot the domain controller.
  2. Remove VIP EGW 9.6.1 from Add or Remove Programs.
  3. Install VIP EGW 9.7 and complete the configuration for the user store and validation server.
  4. Run LDAP Sync.

Attachments

PartnerIntegration_PaloAlto.pdf