We are running 8.1.5 and have a Duo Access Gateway (DAG) setup. The first time you hit the portal URL from a browser say https://vpn.company.com you get prompted for a login from DAG/LDAPS and then a second authentication method through Duo (Duo Push), then the software download page for Palo Alto GlobalProtect client. Works all as expected.
If however you try to hit the page again from the same browser on the same computer , you don’t get the first authentication method, it goes directly to the second (Duo Push) and then after you authenticate it errors out with " Authentication Failed. Please contact the administrator for further assistance. Error code=-1"
If I clear my cookies or use private mode then it will prompt me again for the first authentication method and it work correctly. So it seems like there’s an authentication cookie that’s not working correctly with PA or DUO.
GlobalProtect application works fine its only the download page that I’ve run into this issue.
The other interesting thing which is unrelated to the above is if you go directly to the download url, say https://vpn.company.com/global-protect/getsoftwarepage.asp you don’t get prompted at all for a login or any authentication of any type and you can download the app.
Anyone else run into this issue and is the no authentication with direct link a defect?