topic User management with Client certificates not working in GlobalProtect Discussions https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-management-with-client-certificates-not-working/m-p/397256#M1154 <P>Hello experts,</P><P>&nbsp;</P><P>We are trying to authenticate users connecting to GP via client certs, idea is to revoke client certs and thus prevent users from connecting to GP. Test user is still able to connect after certification has been revoked. Due to some reasons, OCSP has been disabled on the gateway, CRL does not contain revocation status, only delta CRL does, which is not supported by PAN-OS ref (tac case <SPAN>01728222</SPAN>).</P><P>&nbsp;</P><P>In PANGPS following logs are seen:</P><P><SPAN>(T532)Info (5289): 02/05/21 15:23:47:711 cert 000001E403ACF4B0 verification result is 0x4 </SPAN></P><P><SPAN>(T532)Info (5292): 02/05/21 15:23:47:711 cert 000001E403ACF4B0 failed revocation verificaiton </SPAN></P><P><SPAN>(T532)Debug(5309): 02/05/21 15:23:47:711 Check certificate revocation returns FALSE</SPAN></P><P>&nbsp;</P><P>Questions here are:</P><P>&nbsp;</P><P>1&gt; Does the above logs indicate that the GP agent has detected that the cert is expired or that the revocation check has failed.</P><P>2&gt; Will the GP agent do a client cert validation prior to allowing the user to connect. or not.</P><P>&nbsp;</P><P>Thanks in advance!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 12 Apr 2021 16:03:19 GMT ksoni 2021-04-12T16:03:19Z User management with Client certificates not working https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-management-with-client-certificates-not-working/m-p/397256#M1154 <P>Hello experts,</P><P>&nbsp;</P><P>We are trying to authenticate users connecting to GP via client certs, idea is to revoke client certs and thus prevent users from connecting to GP. Test user is still able to connect after certification has been revoked. Due to some reasons, OCSP has been disabled on the gateway, CRL does not contain revocation status, only delta CRL does, which is not supported by PAN-OS ref (tac case <SPAN>01728222</SPAN>).</P><P>&nbsp;</P><P>In PANGPS following logs are seen:</P><P><SPAN>(T532)Info (5289): 02/05/21 15:23:47:711 cert 000001E403ACF4B0 verification result is 0x4 </SPAN></P><P><SPAN>(T532)Info (5292): 02/05/21 15:23:47:711 cert 000001E403ACF4B0 failed revocation verificaiton </SPAN></P><P><SPAN>(T532)Debug(5309): 02/05/21 15:23:47:711 Check certificate revocation returns FALSE</SPAN></P><P>&nbsp;</P><P>Questions here are:</P><P>&nbsp;</P><P>1&gt; Does the above logs indicate that the GP agent has detected that the cert is expired or that the revocation check has failed.</P><P>2&gt; Will the GP agent do a client cert validation prior to allowing the user to connect. or not.</P><P>&nbsp;</P><P>Thanks in advance!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 12 Apr 2021 16:03:19 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-management-with-client-certificates-not-working/m-p/397256#M1154 ksoni 2021-04-12T16:03:19Z Re: User management with Client certificates not working https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-management-with-client-certificates-not-working/m-p/397296#M1155 <P>Are you utilizing cookies as well and if so what are they set too?&nbsp; It could it be possible that you are using a 24 hour cookie and its using this to authenticate the client (but I'm not 100% sure of this).&nbsp; If you do a manual "Refresh Connections" does it fail to connect after?</P> Mon, 12 Apr 2021 18:10:47 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-management-with-client-certificates-not-working/m-p/397296#M1155 mlinsemier 2021-04-12T18:10:47Z