https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/382779#M855 <P>Just so that I provide closure to this discussion. I managed to get this rolled out and fix the issues that I was having.</P><P>&nbsp;</P><P>Here is what I learned during my deployment and troubleshooting:</P><UL><LI>When using user certificate along with an authentication profile; you can leave the username field to "none" on the certificate profile.</LI><LI><SPAN>"Required client certificate not found" was the error that got me stuck. I was using the certificate profile to verify the certificate-status:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2021-01-28 15_14_52-Clipboard.png" style="width: 798px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29728iB0842D18F2CD7C58/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2021-01-28 15_14_52-Clipboard.png" alt="2021-01-28 15_14_52-Clipboard.png" /></span>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</SPAN></LI><LI><SPAN>After long hours of detailed investigation I discovered that this was due to CRL verification failures. I hadn't validated the firewalls reachability to query the CRL that it was reading off the presented certificates. This lead to the discovery that the firewalls were configured with external DNS servers and that CRL verification attempts were being made against an internal FQDN. I updated the DNS servers on the firewall to lookup against internal DNS servers and everything is working like a charm!</SPAN></LI></UL><P><SPAN>Hope someone else finds this useful when they run into a similar fit!</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 28 Jan 2021 23:27:18 GMT DelvinC 2021-01-28T23:27:18Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/381675#M826 <P>I'm trying to setup a&nbsp;GlobalProtect On-Demand environment.</P><P>The portal uses an LDAP server profile for authentication and has been validated to be working fine.</P><P>I intend to configure the gateway to use a combination of RADIUS and certificate profile to authenticate. I've confirmed that authentication works without the certificate profile.</P><P>My understanding is that certificate based authentication for the "on-demand" mode works only if the certificates are user certificates (i.e. installed in the user store).</P><P>I've a PKI infrastructure in the environment that is pushing out certificates to the users. I do not intend to go down the SCEP configuration for this deployment.</P><P>So far I've not been successful to get certificate profile.</P><P>I'm greeted by the "Required client certificate not found" error.</P><P>I've tried to play with different options on the certificate profile like subject, subject alt-name, principal name, email, etc.</P><P>FYI... I have the PKI root CA and intermediate CAs already included in my certificate profile.</P><P>&nbsp;</P><P>I wanted to know if anyone has this successfully working in this fashion using "On-demand" mode.</P><OL><LI>What certificate fields or options did you use?</LI><LI>What certificate profile options did you leverage?</LI><LI>Any interesting scenarios you ran in your deployment?</LI></OL> Fri, 22 Jan 2021 19:24:40 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/381675#M826 DelvinC 2021-01-22T19:24:40Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/381713#M827 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42079">@DelvinC</a>&nbsp;</P> <P>&nbsp;</P> <P>We are using the Prelogon and then on demand&nbsp; for GP.</P> <P>We are using Machine cert for Client Authentication using prelogon and then on demand.</P> <P>&nbsp;</P> <P>We do have our Internal PKI server.</P> <P>We have imported the Intermediate cert from the PC to the PA.</P> <P>PA already has Root CA.</P> <P>&nbsp;</P> <P>!&gt;Our cert profile has Root and Intermediate certs.</P> <P>2&gt;For Cert for VPN it has CN field.</P> <P>3&gt;You need to make sure cert which you have on PC make sure import its Root and Intermediate to the PA.</P> <P>&nbsp;</P> <P>Regards</P> <P>&nbsp;</P> Fri, 22 Jan 2021 21:37:28 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/381713#M827 MP18 2021-01-22T21:37:28Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/381727#M828 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp; Thanks for your response.</P><P>&nbsp;</P><P>I've had success in the past deploying machine certificates for authentication. But, this time I'm specifically trying to get user certificate authentication to work with just the on-demand mode.</P><P>&nbsp;</P><P>During my research, I came across the <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0" target="_self">PAN KB article (Basic GlobalProtect Configuration with Pre-logon)</A>&nbsp; that hints that this is possible.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DelvinC_0-1611352025876.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29641i7EBBF8C38DFE0D1C/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="DelvinC_0-1611352025876.png" alt="DelvinC_0-1611352025876.png" /></span></P><P>&nbsp;</P> Fri, 22 Jan 2021 21:47:18 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/381727#M828 DelvinC 2021-01-22T21:47:18Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/381736#M829 <P>Yes as per that link it is possible.</P> Fri, 22 Jan 2021 22:31:15 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/381736#M829 MP18 2021-01-22T22:31:15Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/382779#M855 <P>Just so that I provide closure to this discussion. I managed to get this rolled out and fix the issues that I was having.</P><P>&nbsp;</P><P>Here is what I learned during my deployment and troubleshooting:</P><UL><LI>When using user certificate along with an authentication profile; you can leave the username field to "none" on the certificate profile.</LI><LI><SPAN>"Required client certificate not found" was the error that got me stuck. I was using the certificate profile to verify the certificate-status:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2021-01-28 15_14_52-Clipboard.png" style="width: 798px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29728iB0842D18F2CD7C58/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2021-01-28 15_14_52-Clipboard.png" alt="2021-01-28 15_14_52-Clipboard.png" /></span>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</SPAN></LI><LI><SPAN>After long hours of detailed investigation I discovered that this was due to CRL verification failures. I hadn't validated the firewalls reachability to query the CRL that it was reading off the presented certificates. This lead to the discovery that the firewalls were configured with external DNS servers and that CRL verification attempts were being made against an internal FQDN. I updated the DNS servers on the firewall to lookup against internal DNS servers and everything is working like a charm!</SPAN></LI></UL><P><SPAN>Hope someone else finds this useful when they run into a similar fit!</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 28 Jan 2021 23:27:18 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/382779#M855 DelvinC 2021-01-28T23:27:18Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/383122#M860 <P>&nbsp;</P> <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42079">@DelvinC</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for updating the Community.</P> <P>&nbsp;</P> <P>Regards</P> Sun, 31 Jan 2021 06:35:24 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/383122#M860 MP18 2021-01-31T06:35:24Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/597697#M5816 <P>thank you, very useful to know</P> Thu, 12 Sep 2024 16:57:15 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-on-demand-using-authentication-profile-and-user/m-p/597697#M5816 n.willemkotze 2024-09-12T16:57:15Z