Hardware Token Works for 24 Hours Only


#1

We’re using DUO in combination with Global Protect (Palo Alto Networks).

Our issue is that the hardware token will not work from a machine (Windows) unless that machine/user has successfully authenticated using the DUO push (mobile app).

Once someone authenticates via push, they can use the pin generated by the token but it works for only 24 hours.

Anyone have an idea where our configuration is messed up?


#2

Hey Gabe, thanks for kicking off a super interesting conversation here at Duo about what might be going on here!

We believe the issue might be related to your Palo Alto configuration. Can you confirm which version of PAN OS you’re using?

Here’s what we think is happening: When admins protect portal logins with LDAP and Gateway logins with Duo, concatenated auth methods such as passcodes will fail during portal login because it will lead to an incorrect password being received by Palo Alto. Autopush authentications will work as they don’t affect the password. Here are the instructions for protecting your portal logins as well: https://duo.com/docs/paloalto#configure-the-proxy-for-your-palo-alto-globalprotect.

Here’s why you’re seeing auths work for 24 hours: After a successful autopush authentication, there is a cookie that is set for the portal (duration is set on the Palo Alto). During the cookie’s lifetime, authentications would use the cookie for LDAP authentication and not send it to AD. It would then check with the Gateway, which is why users can auth with a hardware token (that would fail if the cookie wasn’t set) after they successfully connect with push.

It sounds like that cookie is set for 24 hours currently.
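A small Python model of the two login paths described in this reply, added here as an illustration (it is not Duo's or Palo Alto's code). It assumes Duo append-mode credentials of the form password,factor, a constructed user directory and token codes, and a portal cookie lifetime of 24 hours; it shows why a passcode fails at an LDAP-only portal, works while the cookie from a push login is still valid, and works without a cookie once the portal is also routed through the Duo proxy.

```python
# Constructed simulation of portal + gateway login for GlobalProtect with Duo.
# Assumed lifetime of the portal cookie (set on the Palo Alto side).
COOKIE_LIFETIME = 24 * 3600  # seconds

# Constructed directory and hardware-token codes (assumptions, not real data).
AD_USERS = {"gabe": "CorrectHorse"}
VALID_PASSCODES = {"gabe": {"123456"}}


def split_append_mode(credential):
    """Duo append mode: 'password,factor'; factor is 'push' or a passcode.
    A bare password means autopush (no factor appended)."""
    if "," not in credential:
        return credential, None
    password, factor = credential.rsplit(",", 1)
    return password, factor


def ldap_bind(user, password):
    """Direct LDAP bind: the whole string sent must equal the AD password."""
    return AD_USERS.get(user) == password


def duo_proxy_auth(user, credential):
    """Duo auth proxy: strip the factor, bind only the password part to AD,
    then verify the factor. Push approval is assumed in this simulation."""
    password, factor = split_append_mode(credential)
    if not ldap_bind(user, password):
        return False
    if factor in (None, "push"):
        return True
    return factor in VALID_PASSCODES.get(user, set())


def portal_login(user, credential, cookie=None, now=0, portal_via_duo=False):
    """Portal step: skipped while a valid cookie exists; otherwise LDAP,
    either direct (the failing setup) or via the Duo proxy (the fix)."""
    if cookie and cookie["user"] == user and now < cookie["expires"]:
        return True
    if portal_via_duo:
        return duo_proxy_auth(user, credential)
    return ldap_bind(user, credential)  # 'password,123456' never matches AD


def connect(user, credential, cookie=None, now=0, portal_via_duo=False):
    """Full GlobalProtect connect: portal, then gateway (always via Duo).
    Returns (success, cookie); a fresh cookie is issued on success."""
    if not portal_login(user, credential, cookie, now, portal_via_duo):
        return False, cookie
    if not duo_proxy_auth(user, credential):
        return False, cookie
    return True, {"user": user, "expires": now + COOKIE_LIFETIME}
```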


#3

Hi Andrew,
Thank you very much! Just wanted to let you know we’ll be working on this item tomorrow w/our PAN group. I’ll come back with the results as soon as I have them.

Thanks,
Gabe


#4

Sure thing! Looking forward to hearing more from you!