https://live.paloaltonetworks.com/t5/general-topics/using-client-certificates-with-an-authentication-sequence-for/m-p/36106#M26535 <HTML><HEAD></HEAD><BODY><P>Thanks Chadd,<BR />I was misinformed on my user cert requirement.&nbsp; We are using machine certs, not user certs.&nbsp; Using machine certs everything works as expected whether I'm using an AD account or a local account on the firewall.</P></BODY></HTML> Mon, 11 Nov 2013 17:51:50 GMT dan731028 2013-11-11T17:51:50Z https://live.paloaltonetworks.com/t5/general-topics/using-client-certificates-with-an-authentication-sequence-for/m-p/36104#M26533 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P>Is it possible to use client certificates for both AD and local users for global protect?&nbsp; I have a working authentication sequence, but have a requirement to use client certs.&nbsp; If it is possible, would it be better to generate the certificates from the domain microsoft CA or could I generate them on the PAN device?&nbsp; I would prefer to use client certs generated by a self-signed root ca on the PAN because I would rather push out the root CA from the PAN to both my domain and non-domain users, than push my domain root CA cert to the non-domain local users.</P><P></P><P>Any thoughts? </P></BODY></HTML> Wed, 06 Nov 2013 23:50:17 GMT https://live.paloaltonetworks.com/t5/general-topics/using-client-certificates-with-an-authentication-sequence-for/m-p/36104#M26533 dan731028 2013-11-06T23:50:17Z https://live.paloaltonetworks.com/t5/general-topics/using-client-certificates-with-an-authentication-sequence-for/m-p/36105#M26534 <HTML><HEAD></HEAD><BODY><P>Hello Daniel.</P><P></P><P>You can use client certificates in both situations.&nbsp; </P><P></P><P>You do not need to push your root CA to the clients though.&nbsp; What you can do is upload the CA public key to the firewall, and use that in a "Certificate Profile".&nbsp; Then, you will just issue (sign) cerficates for your clients from the Microsoft server, and push them to your clients via a GPO.</P><P></P><P>You can also have one client (machine) certifcation for all your clients and configure that as the "client certificate" on your portal and then give that same certificate to all your clients (GPO maybe).&nbsp; Then that certificate will be checked against the one configured on the firewall to make sure they are the same cert.</P><P></P><P>There is a third way as well, which would allow you to upload the public key (CA) to your firewall, and have that pushed out to all your clients, so that it is in their trusted root store.&nbsp; That way, they don't get the nag message about a bad cert.&nbsp; This is not needed though.</P><P></P><P>Hope this helps.</P><P></P><P>-chadd.</P></BODY></HTML> Thu, 07 Nov 2013 00:32:24 GMT https://live.paloaltonetworks.com/t5/general-topics/using-client-certificates-with-an-authentication-sequence-for/m-p/36105#M26534 cchristiansen 2013-11-07T00:32:24Z https://live.paloaltonetworks.com/t5/general-topics/using-client-certificates-with-an-authentication-sequence-for/m-p/36106#M26535 <HTML><HEAD></HEAD><BODY><P>Thanks Chadd,<BR />I was misinformed on my user cert requirement.&nbsp; We are using machine certs, not user certs.&nbsp; Using machine certs everything works as expected whether I'm using an AD account or a local account on the firewall.</P></BODY></HTML> Mon, 11 Nov 2013 17:51:50 GMT https://live.paloaltonetworks.com/t5/general-topics/using-client-certificates-with-an-authentication-sequence-for/m-p/36106#M26535 dan731028 2013-11-11T17:51:50Z