https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-require-machine-cert-only-for-windows-and-mac/m-p/518455#M3335 <P>Hi there,<BR /><BR />I'm trying to build out a config in my lab where my global protect configuration requires a machine cert and username/password for only Windows OS and MAC OS systems and then for IOS and ANDROID devices, they will only require username/password.&nbsp; My lab is running an old PA-5050 on PAN OS 8.1.23.&nbsp; I'm finding that the only option is to enable a certificate profile for ALL systems and we cannot specify specific settings based on OS.</P> <P>&nbsp;</P> <P>Has anyone successfully done this?</P> <P>&nbsp;</P> <P>Alternatively is it possible to configure multiple gateways on the same edge and then use the portal 'agent configuration' to redirect to different gateways that enforce different certificate profiles?</P> <P>&nbsp;</P> <P>I'm also looking at options on PAN OS 9.1.X.</P> <P>&nbsp;</P> <P>Thank you,</P> <P>&nbsp;</P> <P>Michael</P> Wed, 19 Oct 2022 22:16:40 GMT mslavens 2022-10-19T22:16:40Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-require-machine-cert-only-for-windows-and-mac/m-p/518455#M3335 <P>Hi there,<BR /><BR />I'm trying to build out a config in my lab where my global protect configuration requires a machine cert and username/password for only Windows OS and MAC OS systems and then for IOS and ANDROID devices, they will only require username/password.&nbsp; My lab is running an old PA-5050 on PAN OS 8.1.23.&nbsp; I'm finding that the only option is to enable a certificate profile for ALL systems and we cannot specify specific settings based on OS.</P> <P>&nbsp;</P> <P>Has anyone successfully done this?</P> <P>&nbsp;</P> <P>Alternatively is it possible to configure multiple gateways on the same edge and then use the portal 'agent configuration' to redirect to different gateways that enforce different certificate profiles?</P> <P>&nbsp;</P> <P>I'm also looking at options on PAN OS 9.1.X.</P> <P>&nbsp;</P> <P>Thank you,</P> <P>&nbsp;</P> <P>Michael</P> Wed, 19 Oct 2022 22:16:40 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-require-machine-cert-only-for-windows-and-mac/m-p/518455#M3335 mslavens 2022-10-19T22:16:40Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-require-machine-cert-only-for-windows-and-mac/m-p/518756#M3353 <P>Hi Michael,</P> <P>&nbsp;</P> <P>The Certificate profile config is indeed for all operating systems, but at least in 9.1 the "<SPAN><STRONG>Allow Authentication with User Credentials OR Client Certificate</STRONG>" setting can be configured per operating system. You could have it like this for example:</SPAN></P> <P>&nbsp;</P> <P><SPAN><STRONG>Cert profile:</STRONG> configured for all<BR /><STRONG>OS Windows:</STRONG>&nbsp;<EM>Allow Authentication with User Credentials OR Client Certificate</EM> = NO</SPAN></P> <P><SPAN><STRONG>OS Android:</STRONG>&nbsp;<EM>Allow Authentication with User Credentials OR Client Certificate</EM> = YES</SPAN></P> <P>&nbsp;</P> <P>This should result in Windows needing a Client Cert + User Credentials, but Android would need only one or the other.</P> <P>&nbsp;</P> <P>Your second option is also valid. You can use OS in the Config Selection Criteria of the Portal to give a different Portal config to different OS's, and those different Portal configs send them to different Gateways which have different cert profile configs.</P> <P>&nbsp;</P> <P>- DM</P> Fri, 21 Oct 2022 18:08:41 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-require-machine-cert-only-for-windows-and-mac/m-p/518756#M3353 dmifsud 2022-10-21T18:08:41Z