topic Re: GP fails on iOS, connects on Android, Mac and Windows... in GlobalProtect Discussions

GP fails on iOS, connects on Android, Mac and Windows...

gsjltd1921x — Mon, 13 May 2024 15:56:32 GMT

We're migrating to a new PKI, the Issuing servers are signed by the root and all (3) certificates (Root, Issuing 1 & Issuing 2) are being pushed to the iOS devices via Workspace One. The config is more or less identical to the original PKI (the old PKI was using an 'Interim' Root which is now not being used, although I have pushed that down as I'm hitting a brick wall). The only difference is the new PKI is configured to issue user certs that are sha-512 (the previous is sha-256).

The client provides the error;

GlobalProtect service started (client version: 6.1.0-84, OS version: Apple iOS 16.7.5).
[Error]: A valid client certificate is required for authentication. If the issue persists, contact your administrator.

The full chain is being installed on the device, the user cert gets installed in the keychain/cert store but for some reason it's just not trusting it, the iOS device logs show the following error:

trustd[429] <Notice>: cert[0]: MissingIntermediate =(leaf)[force]> 0

The two issuing / intermediate certs are installed on the device, so I'm really confused as to why it's not connecting.

The PAN GPS logs show:
P 591-T20739 02/05/2024 21:28:18:857 Info ( 891): Couldn't find any matching identities. Trying to continue without client cert
P 591-T6147 02/05/2024 21:28:18:940 Info ( 565): Finished with PORTAL ADDRESS
P 591-T6147 02/05/2024 21:28:18:940 Debug( 505): Client cert error detail is Client cert usage check failed
P 591-T6147 02/05/2024 21:28:18:941 Debug( 517): error detail is Client cert usage check failed
P 591-T6147 02/05/2024 21:28:18:946 Debug( 396): Received data with length 539
P 591-T6147 02/05/2024 21:28:18:946 Debug( 421): m_errorDetails is Client cert usage check failed.

Any, ANY help would really be appreciated here please

Re: GP fails on iOS, connects on Android, Mac and Windows...

kiwi — Tue, 14 May 2024 09:25:33 GMT

Hi @gsjltd1921x ,

Make sure that you deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/mobile-endpoint-management/manage-the-globalprotect-app-using-workspace-one/configure-workspace-one-for-ios-endpoints/configure-a-user-initiated-remote-access-vpn-configuration-for-ios-endpoints-using-workspace-one

https://www.manageengine.com/mobile-device-management/help/certificate_management/mdm_certificate_repository.html#user

Hope this helps,

-Kim.

Re: GP fails on iOS, connects on Android, Mac and Windows...

gsjltd1921x — Tue, 14 May 2024 11:42:31 GMT

Hi Kim, the client/user cert gets generated in the request and is pushed down to the device via the MDM profile, I can see the user cert is installed in the keychain (in the same way as the old PKI does), I believe the same CA template is used so everything looks to be matching

Re: GP fails on iOS, connects on Android, Mac and Windows...

Jan_Defecinski — Mon, 30 Dec 2024 15:22:23 GMT

Hi. I came across the same problem, did you find a solution?

Re: GP fails on iOS, connects on Android, Mac and Windows...

gsjltd1921x — Wed, 01 Jan 2025 21:33:43 GMT

Yes I did, it turned out that iOS requires more chaining than the other platforms (Mac included). My problem was the internal root CA's weren't installed on the gateways, so maybe look out for something that isn't installed somewhere internally, especially if everything is landing on the device itself fine. Androids just needed the device cert and it connected fine, so quite the contrast!