Configure Palo Alto Networks GlobalProtect to Address the Double-authentication Problem
Please follow these steps to remove the double authentication problem of the Palo Alto Networks VPN client. These steps require a change in the Portal and in the Gateway configuration.
Step 1 - Configure the Portal
From Palo Alto Web Management Site, go to Network โ GlobalProtect โ Portals and select the GlobalProtect Portal Configuration item associated with the endpoint that needs to be modified (e.g.,. pa-vpn-02).
Click on the name of the GlobalProtect item that you want to configure. The following screen will appear:
Go to the โAgentโ section on the menu on the left. From the โAgentsโ table, click on the item you would like to configure (e.g., pa-vpn-client-02).
The following screen will appear:
From the โAuthenticationโ tab, configure the โAuthentication Overrideโ section as follows:
Check the checkboxes next to the following items:
Generate cookie for authentication override
Accept cookie for authentication override
Set the attributes to following values as described:
Cookie Lifetime: โHoursโ and โ24โ
Certificate to Encrypt: Select the certificate associated with the Palo Alto Networks Server (e.g., pa-vpn-server-02).
Click โOKโ to save the settings.
Certificate example: The following screen shows a sample certificate for the Pa-vpn-server-02 location:
Sample Pa-vpn-server-02 certificate details:
Step 2 - Configure the Gateway
Go to Network โ GlobalProtect โ Gateways. Select the GlobalProtect Gateway Configuration item associated to the endpoint that you would like to configure (e.g., pa-vpn-gateway-02), and click on it:
The following screen will appear:
Go to the โAgentโ section on the menu on the left. From the โClient Settingsโ tab, click on the item you would like to configure (e.g., pa-vpn-client-02). Then, select the โAuthentication Overrideโ tab:
From the โAuthentication Overrideโ tab, configure the following options:
Check the boxes next to the following items:
Generate cookie for authentication override
Accept cookie for authentication override
Set the attributes to the following values as described:
Cookie Lifetime: โHoursโ and โ24โ
Certificate to Encrypt: Select the certificate associated with the Palo Alto Networks Server (e.g., pa-vpn-server-02)
Click โOKโ to save the settings.
Back on the GlobalProtect Gateway Configuration screen, click on the โOKโ button.
Step 3
Commit all changes using the Palo Alto Networks management portal.