Hey Gabe, thanks for kicking off a super interesting conversation here at Duo about what might be going on here!
We believe the issue might be related to your Palo Alto configuration. Can you confirm which version of PAN-OS you’re using?
Here’s what we think is happening: When admins protect portal logins with LDAP and Gateway logins with Duo, concatenated auth methods such as passcodes will fail during portal login because it will lead to an incorrect password being received by Palo Alto. Autopush authentications will work as they don’t affect the password. Here are the instructions for protecting your portal logins as well: https://duo.com/docs/paloalto#configure-the-proxy-for-your-palo-alto-globalprotect.
Here’s why you’re seeing auths work for 24 hours: After a successful autopush authentication, there is a cookie that is set for the portal (the duration is set on the Palo Alto). During the cookie’s lifetime, authentications would use the cookie for LDAP authentication and not send it to AD. It would then check with the Gateway, which is why users can auth with a hardware token (that would fail if the cookie wasn’t set) after they successfully connect with push.
It sounds like that cookie is set for 24 hours currently.
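As an added illustration (not Duo’s or Palo Alto’s code, and not part of this thread), here is a small Python model of the two portal configurations described above: a portal bound directly to LDAP versus one routed through the Duo Authentication Proxy, plus the portal cookie. The user, password and passcode are constructed values, and push approval is assumed to succeed.

```python
from dataclasses import dataclass, field

# Constructed sample directory and passcode; not real credentials.
DIRECTORY = {"gabe": "Winter2024!"}
VALID_PASSCODES = {"123456"}


def split_appended_factor(secret: str):
    """Duo-style 'password,factor' parsing as the Authentication Proxy does it.
    A plain password gives (password, None); 'pw,123456' gives ('pw', '123456')."""
    if "," not in secret:
        return secret, None
    password, factor = secret.rsplit(",", 1)
    return password, factor


def ldap_bind(user: str, secret: str) -> bool:
    """Direct LDAP/AD bind: the entire submitted string must match the password."""
    return DIRECTORY.get(user) == secret


def duo_proxy_auth(user: str, secret: str) -> bool:
    """Proxy path: primary auth on the password part, then the second factor."""
    password, factor = split_appended_factor(secret)
    if not ldap_bind(user, password):
        return False
    if factor is None or factor == "push":
        return True  # autopush: approval assumed to succeed in this model
    return factor in VALID_PASSCODES


@dataclass
class Portal:
    backend: str  # "ldap" (portal not behind Duo) or "duo" (portal behind the proxy)
    cookie_holders: set = field(default_factory=set)

    def login(self, user: str, secret: str) -> bool:
        if user in self.cookie_holders:
            return True  # authentication-override cookie still valid: AD is not consulted
        if self.backend == "ldap":
            ok = ldap_bind(user, secret)  # 'password,passcode' is sent to AD as-is
        else:
            ok = duo_proxy_auth(user, secret)
        if ok:
            self.cookie_holders.add(user)
        return ok


def gateway_login(user: str, secret: str) -> bool:
    """The gateway is behind the Duo proxy in both configurations."""
    return duo_proxy_auth(user, secret)
```

With the LDAP-only portal, a passcode-appended login fails until a plain-password plus push login has set the cookie, after which the same passcode login succeeds; with the portal behind the proxy it succeeds immediately.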