Okta Classic Engine > Authentication > Answered
Timestamps: 2025-09-13T09:01:51.000Z, 2023-09-07T23:21:06.000Z, 2023-10-18T15:27:47.000Z

0gamw (0gamw) asked a question.

Unable to Authenticate with Okta to global protect

There is a user who is unable to log in to GlobalProtect; the user is trying to authenticate using Okta. We were able to reset the user's password with a password reset email. The user accessed Okta and then updated the password successfully.

But when she tries to open GlobalProtect, she gets an error saying the password is incorrect, and we just updated the password. Before that, she was unable to send the push with Okta Verify; the logs said push rejected.


  • User15730773762704152560 (Vendor Management)

    Hello! Thank you for reaching out on our Community forum! I am Norbert, from Okta.

     

     If you can validate the user's password by logging into Okta, which translates to Okta as the Identity Provider being able to validate the credentials used to verify the user's identity, then that would indicate that this issue is caused by a potential app misconfiguration.

     

     I am happy to provide some troubleshooting steps that could help you identify and mitigate this issue:

    • Validate the information available in the System logs. 

     

     You could use eventType eq "user.authentication.sso" and target.displayName co "[YourAppName]" and target.displayName co "[UserDisplayName]" to query for these events. Validate if the correct username is being displayed under the target field of the entry. If any direct error responses are displayed we need to address them individually.

     

    • Validate the information available in the RADIUS logs:

     https://help.okta.com/en-us/content/topics/integrations/radius-best-pract-logging.htm

     

    Additionally, you could review the following:

     

    • The RADIUS Server Agent is rejecting valid login attempts
    • Verify the user is assigned to the RADIUS App in Okta.
    • Verify that the user is enrolled in MFA.
    • Verify the shared secret on both the Okta RADIUS Server Agent and on the VPN device. A mismatch causes all authentications to fail.
    • Also look for any errors that could indicate that the API token expired.
    • If you see a malformed username in the logs, it indicates that the server is using MSCHAPv2 to encode the username. Check the VPN device configuration to make sure only PAP authentication is enabled.
    • Check VPN device for any settings that could/would restrict login.

     

     Based on the information available, I would say that although the Okta password of the user works, Okta is not doing primary authentication for this application, and the newly reset password is not synced yet. As for why the Okta Verify push would fail, our documentation states (for EAP-TLS based protocols):

     

    "Supported, as long as challenge is avoided.

    For example:

    MFA-only or "Password, MFA" for TOTP.

    Push can work with primary authentication with MFA as the push challenge is sent out-of-band."

     

    You could potentially mitigate this by checking Accept password and security token in the same login request in the Radius App Sign-on settings configuration screen.

     

    In order for us to be able to provide a more detailed and tailored solution and given the fact that determining the scope of this issue would imply sharing sensitive data, I would kindly suggest opening a case with our Support department:

     

    https://support.okta.com/pkb_Help

     

    Best regards,

     

    Norbert Pall

    Technical Support Engineer

    Okta Global Customer Care

    Selected as Best
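The System Log check from the accepted answer, as an added example that is not part of the thread and not Okta's code. It reproduces the selection the answer's filter expresses (eventType, app name and user name against target.displayName) over event dicts shaped like the System Log API's LogEvent objects, then summarises which step failed for the user. The sample events are constructed, not real log data; every event type other than user.authentication.sso is an assumed name used for illustration, and treating `co` as case-insensitive is also an assumption.

```python
"""Offline triage of Okta System Log events for one user and one app.

Added example (not code from the thread or from Okta). Events are dicts
shaped like System Log API LogEvent objects: eventType, outcome, actor,
target[]. Everything in SAMPLE_EVENTS is constructed, not real log data,
and every event type other than user.authentication.sso is an assumed
name used for illustration.
"""

SSO = "user.authentication.sso"


def _event(published, event_type, result, reason, user, targets):
    """Build one constructed LogEvent-like dict."""
    return {"published": published, "eventType": event_type,
            "outcome": {"result": result, "reason": reason},
            "actor": {"type": "User", "alternateId": user},
            "target": [{"type": t, "displayName": n} for t, n in targets]}


# Constructed sample: SSO to the app succeeds, the RADIUS credential check fails,
# an Okta Verify push is denied, and an unrelated user logs in fine.
SAMPLE_EVENTS = [
    _event("2023-09-07T20:01:10.000Z", SSO, "SUCCESS", None, "jane.doe@example.com",
           [("AppInstance", "GlobalProtect"), ("AppUser", "Jane Doe")]),
    _event("2023-09-07T20:03:42.000Z", "user.authentication.auth_via_radius", "FAILURE",
           "INVALID_CREDENTIALS", "jane.doe@example.com",
           [("AppInstance", "GlobalProtect (RADIUS)"), ("User", "Jane Doe")]),
    _event("2023-09-07T20:03:50.000Z", "user.mfa.okta_verify.deny_push", "FAILURE",
           "Push rejected", "jane.doe@example.com", [("User", "Jane Doe")]),
    _event("2023-09-07T20:05:00.000Z", SSO, "SUCCESS", None, "other@example.com",
           [("AppInstance", "GlobalProtect"), ("AppUser", "Other Person")]),
]


def build_filter(app_name, user_name, event_type=SSO):
    """The expression from the answer, ready for the System Log API's filter parameter."""
    return (f'eventType eq "{event_type}" and target.displayName co "{app_name}" '
            f'and target.displayName co "{user_name}"')


def _target_contains(ev, needle):
    """`co` against an array attribute: true if any target.displayName contains
    needle. Case-insensitive matching is an assumption of this example."""
    needle = needle.lower()
    return any(needle in (t.get("displayName") or "").lower() for t in ev.get("target", []))


def select(events, app_name, user_name, event_type=SSO):
    """Local equivalent of build_filter(): event type plus both name conditions."""
    return [ev for ev in events
            if ev.get("eventType") == event_type
            and _target_contains(ev, app_name) and _target_contains(ev, user_name)]


def triage(events, app_name, user_name):
    """Did Okta record a successful SSO for this user/app, and which later steps
    (RADIUS credential check, MFA) failed? The labels are this example's own."""
    sso = select(events, app_name, user_name, SSO)
    sso_state = sso[-1]["outcome"]["result"] if sso else "NONE"
    mine = sorted((ev for ev in events if _target_contains(ev, user_name)),
                  key=lambda ev: ev["published"])
    failures = [(ev["eventType"], ev["outcome"].get("reason") or "")
                for ev in mine if ev["outcome"]["result"] == "FAILURE"]
    return {"sso": sso_state, "failures": failures}


if __name__ == "__main__":
    print(build_filter("GlobalProtect", "Jane Doe"))
    print(triage(SAMPLE_EVENTS, "GlobalProtect", "Jane Doe"))
```

Reading the result the way the answer suggests: an "sso" of "NONE" means Okta never recorded an SSO event for that user and app, which points at assignment, the app name in the filter, or a request that never reached Okta; "SUCCESS" with failures on the RADIUS or MFA events means the Okta password itself is fine and the problem is in the RADIUS or MFA step.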
  • a0n5s (a0n5s)

@0gamw (0gamw) Does your tenant enable delegated authentication? If it is enabled, you should find the log in the AD/LDAP Agent.

This question is closed.
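The accepted answer's checklist says a shared-secret mismatch between the VPN device and the RADIUS agent "causes all authentications to fail" and asks for PAP only. The following added example (not code from the thread, and not Okta's RADIUS agent) shows why, using the RFC 2865 mechanics: the PAP User-Password is XOR-masked with an MD5 stream keyed by the shared secret, so a server holding a different secret recovers garbage and rejects a correct password, and its Access-Reject/Accept cannot even be verified by the gateway because the Response Authenticator is keyed by the same secret. The gateway, server, user database, password and secrets are a toy constructed for this example.

```python
"""RADIUS PAP password hiding and what a shared-secret mismatch does to it.

Added example (not code from the thread or from Okta's RADIUS agent). It
implements the User-Password hiding of RFC 2865 section 5.2 and the
Response Authenticator of section 3, then runs one PAP exchange between a
toy VPN gateway (NAS) and a toy RADIUS server. All names, the user
database, the password and the secrets are made up for illustration.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret + prev)))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password(). With a different secret the XOR stream differs,
    so the result is garbage and the server sees a wrong password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(raw: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(raw):
        attr_type, length = raw[i], raw[i + 1]
        attrs[attr_type] = raw[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    """Access-Request as a PAP-only NAS sends it; the Request Authenticator is random."""
    request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_reply(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy server: recover the password with *its* secret, compare, and answer.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], _parse_attrs(request[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes in this toy
    return header + _md5(header + request_auth + secret)


def nas_trusts_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """The NAS recomputes the Response Authenticator with its own secret and must
    discard a reply that does not verify, whatever its code says."""
    header, length = reply[:4], struct.unpack("!H", reply[2:4])[0]
    expected = _md5(header + request[4:20] + reply[20:length] + secret)
    return reply[4:20] == expected


def pap_exchange(nas_secret: bytes, server_secret: bytes,
                 password: bytes = b"Correct-Horse-Battery-9") -> tuple:
    """Run one login; returns (server's reply code, whether the NAS accepts the reply).
    The user database holds the right password, so only the secrets vary."""
    users = {b"jane.doe@example.com": b"Correct-Horse-Battery-9"}
    request = build_access_request(7, b"jane.doe@example.com", password, nas_secret)
    reply = server_reply(request, server_secret, users)
    return reply[0], nas_trusts_reply(reply, request, nas_secret)


if __name__ == "__main__":
    print("matching secrets:  ", pap_exchange(b"s3cret", b"s3cret"))   # (2, True)
    print("mismatched secrets:", pap_exchange(b"s3cret", b"s3cret!"))  # (3, False)
    print("wrong password:    ", pap_exchange(b"s3cret", b"s3cret", b"old-password"))  # (3, True)
```

The three runs separate the cases a practitioner has to tell apart: a correct password with matching secrets is accepted; a genuinely wrong password (for example, an old one still cached on the client) gets an authentic Access-Reject the gateway can verify; a secret mismatch produces a reject the gateway cannot even verify, so the user sees "password incorrect" no matter what they type. PAP hides the password only with this MD5 mask keyed by the shared secret, so the path between the VPN device and the RADIUS agent should itself be protected and the secret kept long and unique.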