topic Re: How to solve the Administrator Certificate-Based Authentication with issue of Redirection to prompt the username and password in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-solve-the-administrator-certificate-based-authentication/m-p/599154#M3829 <P>Is there any option to customize a response page for admins who does not have certificates,&nbsp;<BR />we are getting error 400 bad request, we are expecting response like access denied&nbsp;</P> Tue, 01 Oct 2024 07:48:12 GMT C.Muniraju 2024-10-01T07:48:12Z How to solve the Administrator Certificate-Based Authentication with issue of Redirection to prompt the username and password https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-solve-the-administrator-certificate-based-authentication/m-p/571408#M2338 <P>The Certificate-Based Authentication for administrators to access the firewall through the web interface transparently authenticates the admin with a client certificate instead of prompting and entering manually the username and password.</P> <P>&nbsp;</P> <P>The Client Certificate must be generated and signed either by the built-in CA of the Firewall or an Enterprise CA. The Common Name that you enter in the CSR should be the username of the Admin and the same username should be also created in the firewall as non-local database account with the option <STRONG>"Use only client certificate authentication (Web)"</STRONG> checked.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="6.png" style="width: 807px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56219i1E17DB8D5892F707/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="6.png" alt="6.png" /></span></P> <P>&nbsp;</P> <P>The Certificate Profile that defines which CA's certificate the firewall will use to verify the Client Certificate. This certificate profile contains the option <STRONG>"Username Field"</STRONG>, In this field you need to select the option <STRONG>"Subject" </STRONG>to instruct the firewall to use the Common Name defined in the client certificate as the username when authenticating through the Web Interface.</P> <P>&nbsp;</P> <P>Without specifiying the Username Field in the Certificate Profile, the Admin will be redirected to enter a username and password as shown below because the firewall&nbsp; is unable to find which field in the client certificate it must use to authenticate the adming, and this is not the goal of using Administrator Certificate-Based Authentication.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="3.png" style="width: 993px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56216i387F0EE0977CA16F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="3.png" alt="3.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="1.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56217iD88F0EEE9BCD0215/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56218iE7BF99E09067FC2D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P> <P>&nbsp;</P> <P>To fix this, specify the Username Field to be the Common Name or the Subject Alternative Name.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="4.png" style="width: 997px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56220i04186184E280C57F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="4.png" alt="4.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="5.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56221i563D1E216C7EBBD0/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="5.png" alt="5.png" /></span></P> <P>&nbsp;</P> Tue, 02 Jan 2024 08:39:07 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-solve-the-administrator-certificate-based-authentication/m-p/571408#M2338 rmeddane 2024-01-02T08:39:07Z Re: How to solve the Administrator Certificate-Based Authentication with issue of Redirection to prompt the username and password https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-solve-the-administrator-certificate-based-authentication/m-p/599154#M3829 <P>Is there any option to customize a response page for admins who does not have certificates,&nbsp;<BR />we are getting error 400 bad request, we are expecting response like access denied&nbsp;</P> Tue, 01 Oct 2024 07:48:12 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-solve-the-administrator-certificate-based-authentication/m-p/599154#M3829 C.Muniraju 2024-10-01T07:48:12Z