topic Re: Global Protect Portal with Certificate Profile - client certificate required after upgrading to 6.0 in General Topics

Global Protect Portal with Certificate Profile - client certificate required after upgrading to 6.0

torm — Thu, 12 Jun 2014 13:12:19 GMT

Hi,

We are running Global Protect with pre-logon. The GP Portal needs to allow users to login from "clean" computers without machine certificates, and at the same time allow pre-logon user(and other users) to authenticate with machine certificate. This has in 5.0 been done by using a certificate profile with the username field set to "none".

This was working fine in 5.0, but after upgrading to 6.0 I get a "valid certificate is required" when accessing the GP portal page through a web-browser.

I found the following article describing change in default behavior from 4.1 to 5.0 due to implementation of pre-logon.

GP Portal No Longer Prompting for Client Certificates Following PAN-OS v5.0.x Upgrade

Has this been changed again in 6.0? How can I get a Global Protect Portal to support both user/password and machine certificate authentication in 6.0?

- Tor

Re: Global Protect Portal with Certificate Profile - client certificate required after upgrading to 6.0

ahpadmin — Tue, 17 Jun 2014 15:41:26 GMT

I'm trying to figure this out as well. I've been working on this for a day or so now with no luck. I'll let you know if I am able to figure it out. Hopefully someone from PA can offer some assistance.

Re: Global Protect Portal with Certificate Profile - client certificate required after upgrading to 6.0

ahpadmin — Tue, 17 Jun 2014 16:44:37 GMT

Okay I finally got it to work. I followed the config in the global protect admin guide for 6.0 and download the latest client and I can see that it works now

Re: Global Protect Portal with Certificate Profile - client certificate required after upgrading to 6.0

torm — Tue, 17 Jun 2014 19:53:38 GMT

Thanks for your reply!

Are able to authenticate to the portal using bot username/password and computer/client certificate?

Or are you using just username/password for the portal? Read through the admin guide one more time, and it seems like I got it wrong, and that you donæt need a certificate profile on the portal for pre-logon after all. Is this correct?

"After authentication succeeds, the portal pushes the client configuration to the agent along with a

cookie that will be used for portal authentication to receive a configuration refresh. Then, when a client system

attempts to connect in pre-logon mode, it will use cookie to authenticate to the portal and receive its pre-logon

client configuration."

Re: Global Protect Portal with Certificate Profile - client certificate required after upgrading to 6.0

sjamaluddin — Tue, 17 Jun 2014 21:45:31 GMT

Ensure that the certificates and their signer certificates (in a chain) are all included in the GP Portal >> Client Configuration >> Root CA section. That became mandatory in the later versions of PAN OS v5.0x