Using Duo to protect Palo Alto Global Protect VPN


#1

Hi all. I’m new to Duo and new to the Duo community; so hopefully this is a good place to post this.

With a little help I was able to get Duo setup to protect my Palo Alto VPN gateway. About 80 people use the VPN, however, I am only testing with 4 users (including myself). After entering a username and password and clicking ‘Connect’, the connection waits for the user to interact with Duo – this is GREAT!

Upon tapping ‘Approve’ from the Push Notification you get connected to VPN and all is well; it’s perfect! Further testing led me to try tapping ‘Deny’. Answering the ‘Why are you denying…?’ question with either option produces the same result. Duo shows the ‘Denied!’ message – but I still move forward and successfully connect to VPN.

The logs on my proxy server show the following:

2017-11-01T20:17:36-0500 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘10.5.1.50’, 45383), 92): Duo authentication returned ‘deny’: 'Login request denied.'
2017-11-01T20:17:36-0500 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘10.5.1.50’, 45383), 92): Returning response code 3: AccessReject
2017-11-01T20:17:36-0500 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘10.5.1.50’, 45383), 92): Sending response

From my limited knowledge it would appear that all is working. Am I missing something simple?

Thanks!


#2

Hi mmgrath,

I suggest you contact Duo support about this. To troubleshoot we’d want to see more context around the authentication attempt that was denied from Authentication Proxy debug logging, which may not be best shared in this public forum.

Here’s how to enable debug logging on the Authentication Proxy.


#3

Thanks. I figured it out. It had to do with my authentication sequence on my Palo Alto.

Max