topic Re: Machine Certificate Check/ Not working for me in GlobalProtect Discussions

Machine Certificate Check/ Not working for me

asiewert — Wed, 22 May 2024 15:30:55 GMT

Goal:

When a user connects to the Globalprotect Portal it will authenticate using the LDAP authentication profile, and check for the presence of a certificate on the device.

If the device(in my case I'm only going to use Windows 10 PCs) does not have the certificate, the authentication will fail.

What I've done so far:

The LDAP authentication profile works as expected.
Created a new RootCA from the firewall, created an IntermediateCA signed by the RootCA, and created a "machinecert" signed by the IntermediateCA
Created a Certificate Profile
Within the portal configuration authentication tab, I added the newly created certificate profile. Note that the certificate profile only has the rootca and intermediate certs, not the machinecert.
Under the portal Agent tab, agent config, the settings for save user credentials are set to No and no cookies are used.

The problem:

I can log into globalprotect with or without the certificates installed on my laptop using the settings above.
I may be missing something obvious, or completely misconfigured this for what I want.

I would appreciate some help or guidance on how to correct the config, or change it to meet the goal above. Thank you for your help! Let me know if you guys need further information.

Re: Machine Certificate Check/ Not working for me

kiwi — Thu, 23 May 2024 10:30:11 GMT

Hi @asiewert ,

Just a quick check, did you by chance "Allow Authentication with User Credentials OR Client Certificate" ?

If you select No, users must authenticate to the gateway using both user credentials and client certificates. If you select Yes, users can authenticate to the gateway using either user credentials or client certificates.

Hope this helps,

-Kim.

Re: Machine Certificate Check/ Not working for me

SirchRettop — Thu, 23 May 2024 17:48:07 GMT

Hi @asiewert ,

if you are looking to use the client/machine certificate for additional authentication to ldap, where have you installed this client/machine certificate? the client/machine certificate will need to be installed on the device requiring remote access. Then a check will be performed to see if this client certificate has been signed by the CAs in your certificate profile.

Try installing the certificate into the "Personal" folder of either the Local Computer or Current User cert store and test authentication again.

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-user-authentication/set-up-client-certificate-authentication/deploy-machine-certificates-for-authentication

https://www.youtube.com/watch?v=TFstISND5PE (details the creation and export of a client certificate with public/private key pair)

Re: Machine Certificate Check/ Not working for me

asiewert — Thu, 23 May 2024 19:45:41 GMT

This problem was user error, me.

I did not realize I had installed the machinecert in the personal certificate store. That's why it kept on connecting even when I removed the certificates from the computer certificate store. Globalprotect is set on default to check both the user and computer certificate stores. Doh!