https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-linux-smart-card/m-p/432659#M1694 <P>I'm also having issue with smartcard authentication on Red Hat Enterprise Linux (RHEL) 7.&nbsp; I can successfully connect to Cisco VPN using OpenConnect client and smartcard, but I haven't been able to successfully connect to GlobalProtect VPN yet using same client and smartcard.&nbsp; It appears my client certificate is not being successfully provided to the GP VPN server.&nbsp; Below is a log of what I see when I try to login:</P><P>&nbsp;</P><LI-CODE lang="markup">[user@mycomputer ~]$ sudo openconnect vpn.fakeglobalprotectserverurl.com:443 --usergroup=gateway --protocol=gp -vvvv --dump-http-traffic -c 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert' [sudo] password for user: POST https://vpn.fakeglobalprotectserverurl.com/ssl-vpn/prelogin.esp?tmp=tmp&amp;clientVer=4100&amp;clientos=Linux Attempting to connect to server 123.456.789.012:443 Connected to 123.456.789.012:443 Using PKCS#11 certificate pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert Trying PKCS#11 key URL pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;object=Certificate%20for%20PIV%20Authentication;type=private PIN required for FAKE.NAME.Q.1234567890 Enter PIN: Trying PKCS#11 key URL pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;object=Certificate%20for%20PIV%20Authentication;type=private Trying PKCS#11 key URL pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;type=private Using PKCS#11 key pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;type=private Using client certificate 'FAKE.NAME.Q.1234567890' Got no issuer from PKCS#11 SSL negotiation with vpn.fakeglobalprotectserverurl.com Connected to HTTPS on vpn.fakeglobalprotectserverurl.com with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM) &gt; POST /ssl-vpn/prelogin.esp?tmp=tmp&amp;clientVer=4100&amp;clientos=Linux HTTP/1.1 &gt; Host: vpn.fakeglobalprotectserverurl.com &gt; User-Agent: PAN GlobalProtect &gt; Got HTTP response: HTTP/1.1 200 OK Date: Wed, 08 Sep 2021 18:20:47 GMT Content-Type: application/xml; charset=UTF-8 Content-Length: 539 Connection: keep-alive ETag: "1234567890fakeetag" Pragma: no-cache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT X-FRAME-OPTIONS: DENY Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly Strict-Transport-Security: max-age=31536000; X-XSS-Protection: 1; mode=block; X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; HTTP body length: (539) &lt; &lt;?xml version="1.0" encoding="UTF-8" ?&gt; &lt; &lt;prelogin-response&gt; &lt; &lt;status&gt;Error&lt;/status&gt; &lt; &lt;ccusername&gt;&lt;/ccusername&gt; &lt; &lt;autosubmit&gt;&lt;/autosubmit&gt; &lt; &lt;msg&gt;Valid client certificate is required&lt;/msg&gt; &lt; &lt;newmsg&gt;Required client certificate not found. Please contact your IT administrator.&lt;/newmsg&gt; &lt; &lt;license&gt;yes&lt;/license&gt; &lt; &lt;authentication-message&gt;&lt;/authentication-message&gt; &lt; &lt;username-label&gt;&lt;/username-label&gt; &lt; &lt;password-label&gt;&lt;/password-label&gt; &lt; &lt;panos-version&gt;1&lt;/panos-version&gt; &lt; &lt;saml-default-browser&gt;yes&lt;/saml-default-browser&gt;&lt;region&gt;US&lt;/region&gt; &lt; &lt;/prelogin-response&gt; Valid client certificate is required Failed to obtain WebVPN cookie</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Wed, 08 Sep 2021 18:57:12 GMT crispjw 2021-09-08T18:57:12Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-linux-smart-card/m-p/363003#M555 <P>There is a Smart Card solution that uses pkcs#11 and middlware that provides OS communication to the card. Is there a way to use this certificate from the card for GlobalProtect authentication?</P><P>GP is looking for a cert in a specific location, but it is not possible to extract it from the Smart Card and import for GP (<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLMaCAO" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLMaCAO</A>).</P><P>&nbsp;</P><P>Is this supported at all? If so, is there any information available?</P> Fri, 13 Nov 2020 14:50:28 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-linux-smart-card/m-p/363003#M555 nikoo 2020-11-13T14:50:28Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-linux-smart-card/m-p/376748#M753 <P>I am having the same issue on CentOS 7 using pcsc, Coolkey, and sometimes OpenSC.&nbsp; GP agent is looking in a specific directory for pfx and dat files I believe, but I cannot get a p12 cert exported from my smart card to import.&nbsp; I would like GP to use my smart card for credentials. Any success regarding this issue, if it is even supported?</P> Wed, 30 Dec 2020 15:48:27 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-linux-smart-card/m-p/376748#M753 mccarty_jeff 2020-12-30T15:48:27Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-linux-smart-card/m-p/432659#M1694 <P>I'm also having issue with smartcard authentication on Red Hat Enterprise Linux (RHEL) 7.&nbsp; I can successfully connect to Cisco VPN using OpenConnect client and smartcard, but I haven't been able to successfully connect to GlobalProtect VPN yet using same client and smartcard.&nbsp; It appears my client certificate is not being successfully provided to the GP VPN server.&nbsp; Below is a log of what I see when I try to login:</P><P>&nbsp;</P><LI-CODE lang="markup">[user@mycomputer ~]$ sudo openconnect vpn.fakeglobalprotectserverurl.com:443 --usergroup=gateway --protocol=gp -vvvv --dump-http-traffic -c 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert' [sudo] password for user: POST https://vpn.fakeglobalprotectserverurl.com/ssl-vpn/prelogin.esp?tmp=tmp&amp;clientVer=4100&amp;clientos=Linux Attempting to connect to server 123.456.789.012:443 Connected to 123.456.789.012:443 Using PKCS#11 certificate pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert Trying PKCS#11 key URL pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;object=Certificate%20for%20PIV%20Authentication;type=private PIN required for FAKE.NAME.Q.1234567890 Enter PIN: Trying PKCS#11 key URL pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;object=Certificate%20for%20PIV%20Authentication;type=private Trying PKCS#11 key URL pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;type=private Using PKCS#11 key pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;type=private Using client certificate 'FAKE.NAME.Q.1234567890' Got no issuer from PKCS#11 SSL negotiation with vpn.fakeglobalprotectserverurl.com Connected to HTTPS on vpn.fakeglobalprotectserverurl.com with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM) &gt; POST /ssl-vpn/prelogin.esp?tmp=tmp&amp;clientVer=4100&amp;clientos=Linux HTTP/1.1 &gt; Host: vpn.fakeglobalprotectserverurl.com &gt; User-Agent: PAN GlobalProtect &gt; Got HTTP response: HTTP/1.1 200 OK Date: Wed, 08 Sep 2021 18:20:47 GMT Content-Type: application/xml; charset=UTF-8 Content-Length: 539 Connection: keep-alive ETag: "1234567890fakeetag" Pragma: no-cache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT X-FRAME-OPTIONS: DENY Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly Strict-Transport-Security: max-age=31536000; X-XSS-Protection: 1; mode=block; X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; HTTP body length: (539) &lt; &lt;?xml version="1.0" encoding="UTF-8" ?&gt; &lt; &lt;prelogin-response&gt; &lt; &lt;status&gt;Error&lt;/status&gt; &lt; &lt;ccusername&gt;&lt;/ccusername&gt; &lt; &lt;autosubmit&gt;&lt;/autosubmit&gt; &lt; &lt;msg&gt;Valid client certificate is required&lt;/msg&gt; &lt; &lt;newmsg&gt;Required client certificate not found. Please contact your IT administrator.&lt;/newmsg&gt; &lt; &lt;license&gt;yes&lt;/license&gt; &lt; &lt;authentication-message&gt;&lt;/authentication-message&gt; &lt; &lt;username-label&gt;&lt;/username-label&gt; &lt; &lt;password-label&gt;&lt;/password-label&gt; &lt; &lt;panos-version&gt;1&lt;/panos-version&gt; &lt; &lt;saml-default-browser&gt;yes&lt;/saml-default-browser&gt;&lt;region&gt;US&lt;/region&gt; &lt; &lt;/prelogin-response&gt; Valid client certificate is required Failed to obtain WebVPN cookie</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Wed, 08 Sep 2021 18:57:12 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-linux-smart-card/m-p/432659#M1694 crispjw 2021-09-08T18:57:12Z