The usual fix is to set:
portal auth > AD
gateway auth > MFA server
However, we found that this wasn't working well for some users of OTP/fob codes.
The fix was:
Upgrade GP to the preferred release (6.2.3 at the time of writing)
Enable the authentication cookie settings on GP
Portal - Generate cookie for auth override
Choose the same cert you use for the GP
Gateway - Accept cookie for auth override
Choose the same cert you used in portal
Push policy
Watch out: any AD changes may take 15 mins to update on the Palo, so if you move a user into another group for testing, it might not work for 15 minutes.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004MACCA2&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail