Twice OTP Request - SQL connections

I have an issue with double OTP requests.
I have configured a Palo Alto firewall (PAN-OS 10.1.12) connected via Radius to PrivacyIdea (3.9.3).
PrivacyIdea and Radius are installed on the same system (Ubuntu 20.04.6).
I followed this guide https://www.youtube.com/watch?v=0_hvm5mSQaE and everything works correctly; I can connect to Global Protect, only being asked for the OTP code once.
However, when I configure a realm/users for the SQL connection of users, it requests double OTP.
Specifically, when I connect to the GP client, it asks for the OTP code twice, two different OTP codes, with a double email sending of the OTP codes.
If an incorrect OTP code is entered in one of the two OTP requests, it gives me an error and returns me to the username and password request screen.
After some research, I found “Need to type Pass or PIN + OTP Twice to be authenticated (?)” (#4 by plettich), but following the advice in the last post, the problem persists. The strange thing is that if I delete the SQL configuration to return to the configuration of local users, the problem of the double OTP request arises, whereas before the SQL configuration, the problem was not present.
Thanks for any help!

Please elaborate on “it requests double OTP”. What does this mean? What happens?

Thanks for your reply.
After entering username and password in the GlobalProtect client, the following steps are required:

  1. You’ll be prompted to enter a first OTP code sent via email. Once you’ve correctly entered this OTP code,
  2. you’ll be prompted for an additional OTP code. This second code, different from the first one, will be sent via email. Entering this second code correctly allows the connection through the GlobalProtect client.

Interesting.

Take a look at the audit log.
Read: 4. WebUI — privacyIDEA 3.10dev1 documentation

You will see /validate/check requests.
Is the first OTP code correct?

The sending of the OTP code via email is triggered with a /validate/check request.
This is done by the Palo Alto against FreeRADIUS, which sends the request to privacyIDEA.

Why would Palo Alto do this? Evil one :wink:

Do you have an idea?

In the audit log I found:

'565','2024-05-07T09:19:07.003591','OK','OK','POST /validate/check','0','PIEM0001324D','email','user01','realm','sqlresolver','None','','Please enter OTP','localhost','Two-Factor,Two-Factor,Two-Factor','127.0.0.1','None','None','2024-05-07T09:19:06.669015','0.334496','None'
'566','2024-05-07T09:19:18.059052','OK','OK','POST /validate/check','1','PIEM0001324D','None','user01','realm','sqlresolver','None','','Found matching challenge','localhost','None','127.0.0.1','None','None','2024-05-07T09:19:17.823261','0.235719','None'
'567','2024-05-07T09:19:19.634295','OK','OK','POST /validate/check','0','PIEM0001324D','email','user01','realm','sqlresolver','None','','Please enter OTP','localhost','Two-Factor,Two-Factor,Two-Factor','127.0.0.1','None','None','2024-05-07T09:19:19.362702','0.271523','None'
'568','2024-05-07T09:19:35.113595','OK','OK','POST /validate/check','1','PIEM0001324D','None','user01','realm','sqlresolver','None','','Found matching challenge','localhost','None','127.0.0.1','None','None','2024-05-07T09:19:34.779822','0.333672','None'

thanks for your help
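
The following is an added example, not part of the original thread or of privacyIDEA: a small Python check that reads the four audit rows posted above and reports any email challenge that was triggered again shortly after a challenge for the same user and token had already been answered. The column positions and the function names are assumptions inferred from the rows shown in the post, not an official export schema.

```python
import csv
from datetime import datetime, timedelta

# The four audit rows exactly as posted in the thread above.
AUDIT_ROWS = """\
'565','2024-05-07T09:19:07.003591','OK','OK','POST /validate/check','0','PIEM0001324D','email','user01','realm','sqlresolver','None','','Please enter OTP','localhost','Two-Factor,Two-Factor,Two-Factor','127.0.0.1','None','None','2024-05-07T09:19:06.669015','0.334496','None'
'566','2024-05-07T09:19:18.059052','OK','OK','POST /validate/check','1','PIEM0001324D','None','user01','realm','sqlresolver','None','','Found matching challenge','localhost','None','127.0.0.1','None','None','2024-05-07T09:19:17.823261','0.235719','None'
'567','2024-05-07T09:19:19.634295','OK','OK','POST /validate/check','0','PIEM0001324D','email','user01','realm','sqlresolver','None','','Please enter OTP','localhost','Two-Factor,Two-Factor,Two-Factor','127.0.0.1','None','None','2024-05-07T09:19:19.362702','0.271523','None'
'568','2024-05-07T09:19:35.113595','OK','OK','POST /validate/check','1','PIEM0001324D','None','user01','realm','sqlresolver','None','','Found matching challenge','localhost','None','127.0.0.1','None','None','2024-05-07T09:19:34.779822','0.333672','None'
"""

# Assumption: column positions inferred from the rows above (0-based).
COL_TIME, COL_ACTION, COL_SUCCESS, COL_SERIAL, COL_USER, COL_INFO = 1, 4, 5, 6, 8, 13


def parse_rows(text):
    """Yield one dict per /validate/check row; fields are single-quoted CSV."""
    for row in csv.reader(text.splitlines(), quotechar="'"):
        if len(row) <= COL_INFO or row[COL_ACTION] != "POST /validate/check":
            continue  # skip short or unrelated lines
        yield {
            "time": datetime.fromisoformat(row[COL_TIME]),
            "success": row[COL_SUCCESS] == "1",
            "serial": row[COL_SERIAL],
            "user": row[COL_USER],
            "info": row[COL_INFO],
        }


def find_retriggered_challenges(text, window_seconds=30):
    """Return (user, serial, gap_seconds) for every challenge that was
    triggered within window_seconds after the same user and token had
    already answered a challenge successfully."""
    last_answered = {}  # (user, serial) -> time of last matched challenge
    hits = []
    for ev in parse_rows(text):
        key = (ev["user"], ev["serial"])
        if ev["success"] and ev["info"] == "Found matching challenge":
            last_answered[key] = ev["time"]
        elif not ev["success"] and ev["info"] == "Please enter OTP":
            prev = last_answered.get(key)
            if prev and ev["time"] - prev <= timedelta(seconds=window_seconds):
                gap = round((ev["time"] - prev).total_seconds(), 3)
                hits.append((ev["user"], ev["serial"], gap))
    return hits


if __name__ == "__main__":
    for user, serial, gap in find_retriggered_challenges(AUDIT_ROWS):
        print(f"{user} {serial}: new challenge {gap}s after a matched one")
```

On the posted rows this flags entry 567: a new challenge for user01 and token PIEM0001324D is triggered about 1.6 seconds after entry 566 matched the first one.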