Palo Alto Web Authentication times out

Hello all,

I set up privacyIDEA with Palo Alto, but I have a problem. I have a Palo Alto PA-820 with software version 11.0.0 and I am running privacyIDEA version 3.8.1 on an Ubuntu VM. Global Protect (VPN) works as it should. The problem is when I try to authenticate an administrator using RADIUS.
Most of the time, when I try to log in to the Palo Alto web interface, it gets stuck for some time after I enter the OTP password. In the end I get a timeout message.
The scenarios in which web authentication works are:
1. When I delete all the tokens of the users and the email token is automatically created.
2. When I change the timeout timers of Palo Alto and commit the changes. I changed the timeout of the RADIUS server profile as well as the session timeouts. It works once and then the same issue occurs.

I enabled privacyIDEA debug mode and I was checking the logs on the PA. Neither of the two shows any problems/errors.
I am currently out of ideas about what else to check. Any help would be appreciated.

Thank you

Hello again,

I found the issues. Both of them were related to Palo Alto. Sorry to post here. I was kind of frustrated :sweat_smile:

In any case, for people facing the same issue:

  1. Make sure the default timeout on Palo Alto (Device → Setup → Session → Session Timeouts → Default (sec)) is less than or equal to max_request_time on FreeRADIUS (/etc/freeradius/3.0/radiusd.conf).
  2. If you are connected with one administrator on PA and log out, make sure you wait for the timeout to pass before trying to reconnect. Default is 30 seconds. If you try to connect before the timeout has passed, you will get a timeout message.
  3. For each administrator, create a different Authentication profile. If you assign the same authentication profile to two administrators, then these two will not be able to connect to PA at the same time. The second one will always get a timeout.

Hope this helps any other fellow members.

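A small shell check for step 1 of the reply above, as an added example that is not part of the original posts: it reads `max_request_time` from a radiusd.conf-style file and compares it with the PAN-OS timeout value you read from the firewall UI. The function names and the sample config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original posts). Function names are hypothetical.

# Print the first uncommented max_request_time value in a radiusd.conf-style
# file; fail if none is found or the value is not a whole number.
radius_max_request_time() {
    awk '
        { sub(/#.*/, "") }                       # strip full-line and trailing comments
        /^[ \t]*max_request_time[ \t]*=/ && !found {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[2])
            val = kv[2]; found = 1
        }
        END { if (val ~ /^[0-9]+$/) print val; else exit 1 }
    ' "$1"
}

# Rule from step 1: PAN-OS timeout (seconds) must be <= max_request_time.
# Returns 0 if it holds, 1 if the PAN-OS value is larger, 2 on bad input.
check_pa_timeout() {
    pa_timeout=$1
    conf=$2
    case $pa_timeout in
        ''|*[!0-9]*) echo "bad PAN-OS timeout: $pa_timeout" >&2; return 2 ;;
    esac
    max=$(radius_max_request_time "$conf") || {
        echo "max_request_time not found in $conf" >&2; return 2; }
    if [ "$pa_timeout" -le "$max" ]; then
        echo "OK: PAN-OS timeout ${pa_timeout}s <= max_request_time ${max}s"
    else
        echo "MISMATCH: PAN-OS timeout ${pa_timeout}s > max_request_time ${max}s"
        return 1
    fi
}

# Constructed sample config; on the real host pass
# /etc/freeradius/3.0/radiusd.conf instead.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
#  max_request_time: seconds allowed to handle a request (comment, ignored)
#max_request_time = 5
max_request_time = 30   # constructed sample value
cleanup_delay = 5
EOF

check_pa_timeout 30 "$SAMPLE_CONF"
check_pa_timeout 60 "$SAMPLE_CONF" || true
```

Run it after any change to either side, since the commented-out lines in radiusd.conf are easy to mistake for the active setting.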