topic Re: Global Protect Portal Client Certificate Authentication - Cert not found in GlobalProtect Discussions

Global Protect Portal Client Certificate Authentication - Cert not found

Chirah_Rana — Wed, 14 Jun 2023 19:32:32 GMT

I am trying to setup Global Protect Portal authentication using Client Certificate Authentication instead of radius. I generated CA and self signed cert on the palo. Configured Client Cert profile and attached it to Portal -> Authentication (removed Radius auth) and selected Client Cert profile. Also downloaded and installed the Cert and root CA to laptop in Personal cert store.

But when i attempt the GP Connection I keep getting "a valid client certificate is required for authentication". When i switch back to radius it works fine. Confirmed the cert is installed properly as well as the CA in store.

GP version 5.2.13

<msg>Valid client certificate is required</msg>
<newmsg>Required client certificate not found. Please contact your IT administrator.</newmsg>
<authentication-message></authentication-message>

(P6180-T10460)Debug(8440): 06/08/23 13:51:30:278 Set portal status to valid client cert needed.
(P6180-T10460)Debug(8450): 06/08/23 13:51:30:278 portal status is Client Cert Required.
(P6180-T10460)Debug(7685): 06/08/23 13:51:30:278 Portal required client certificate is not found.
(P6180-T10456)Debug(2513): 06/08/23 13:51:30:278 Setting debug level to 5

i followed the config from this KB - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIICA0

Re: Global Protect Portal Client Certificate Authentication - Cert not found

Mick_Ball — Thu, 15 Jun 2023 12:50:52 GMT

what setting do you have in the certificate profile as you will need to set a username field...

also... try to https://<yourportaladdress> and see if the certificate is accepted via your browser...

Re: Global Protect Portal Client Certificate Authentication - Cert not found

Chirah_Rana — Thu, 15 Jun 2023 14:28:55 GMT

For Cert Proifle, I have username Field set to subject. for SSL/TLS - we are using different Certification. for Client auth i generated a local ROOT CA and Client Cert on PA and exported to laptop.

Re: Global Protect Portal Client Certificate Authentication - Cert not found

Mick_Ball — Thu, 15 Jun 2023 14:37:56 GMT

OK thatt sounds good but where did you put the user certificate, is it in the users personal store. perhaps run certmanager for users to see if the certificate is in here

Re: Global Protect Portal Client Certificate Authentication - Cert not found

Chirah_Rana — Thu, 15 Jun 2023 14:53:58 GMT

I confirmed the cert was install in Personal folder of user as shown in your sceenshot. I also added Root CA in trust Root CA.. it seems the Global protect Agent is not able to locate the cert for some reason. because it says cent found. not invalid cert or any other issue.

Re: Global Protect Portal Client Certificate Authentication - Cert not found

Mick_Ball — Fri, 16 Jun 2023 09:20:10 GMT

How did you export the user cert, did you use PKCS12 with password???

Re: Global Protect Portal Client Certificate Authentication - Cert not found

Chirah_Rana — Fri, 16 Jun 2023 13:04:35 GMT

yes that is correct. pkc12 with password. it imports sucessfully. also added the root ca in trust ca in store.

Re: Global Protect Portal Client Certificate Authentication - Cert not found

TomYoung — Fri, 16 Jun 2023 14:51:54 GMT

Hi @Chirah_Rana ,

Your configuration should work. I have done this many times.

One thing you can do to test is to push the certificate to the client by configuring the Agent tab in the portal. Change the client certificate to Local, and specify the certificate that you created on the NGFW (not the CA).

The portal will then install the certificate on the client. This solution is not permanent because it defeats the purpose of requiring the client certificate. But, you can see if it works and try to find out what changed on your Windows machine.

Thanks,

Tom