GlobalProtect Portal authentication by certificate fails with "Valid client certificate is required"

Adrian_Jensen — Thu, 21 Apr 2022 17:37:20 GMT

I have been trying for some time to get a mutli-stage GP login working in an always-on VPN. Going from an existing user/pass login to both the Portal and Gateway (with third party MFA over radius, cookies to prevent dual auth request), to a certificate login to the Portal (for automatic login/updates of GP client configs and immediate internal host detection) and user/pass on the Gateway.

It seems that when the Portal and Gateway are on the same IP, the Gateway SSL/TLS Profile and Client Authentication settings override the Portal configuration settings. Can anyone confirm this? I can't find it documented anywhere.

Example config:

GP -> Portals -> [VPN_ISP1_Portal] -> Authentication:

SSL/TLS Profile = [PublicCert_1]

Client authentication = Certificate Profile -> [VPN_Client_Certs]

GP -> Gateways -> [VPN_ISP1_Gateway] -> Authentication:

SSL/TLS Profile = [PublicCert_2]

Client authentication = user/pass profile

Browse to the Portal/Gateway IP (or try to connect with GP client) and get a page with "Valid client certificate is required" error, page is signed with PublicCert_2. If you delete the Gateway (or presumably move it to to a different IP - not tested yet), the you get a successful certificate authentication against the Portal and the webpage is signed by PublicCert_1.

topic GlobalProtect Portal authentication by certificate fails with "Valid client certificate is required" in GlobalProtect Discussions

GlobalProtect Portal authentication by certificate fails with "Valid client certificate is required"