topic Re: "Client cert is invalid to the gateway" error in General Topics

"Client cert is invalid to the gateway" error

BBartik — Thu, 15 Dec 2016 17:13:32 GMT

Hi,

I am trying to setup machine cert authentication, but it appears I am missing something. Local user auth works fine without certificates. Gateway and Portal are on a single 3020 with 7.1.

I created a local-CA and generated a cert for all windows 7 machines.

I imported this cert into the Local Computer personal stores on the windows 7 computer (two of them).

I created a cert profile referencing the local-CA.

I have tried the username settings of "None" or "Subject" but not sure how this fits in (neither work)

I attached the cert profile to the gateway auth config.

In the cert profile there is a setting:

"Block session if the certificate was not issued to the authenticating device"

If I leave this unchecked, the user connects. If I check this the user cannot connect and I get this message:

(T1532) 12/15/16 08:44:56:995 Debug(1049): Client cert is invalid to the gateway x.x.x.x
(T1532) 12/15/16 08:44:56:995 Debug(2816): Login to gateway x.x.x.x without ipv6
(T1532) 12/15/16 08:44:56:995 Debug(3270): portal/gateway pre-login is done!
(T1532) 12/15/16 08:44:56:995 Debug(7645): StopCaptivePortalDetection() captive portal detection is in progress
(T1532) 12/15/16 08:44:56:996 Debug(2846): REGION-PRIO, gateway region code is
(T1532) 12/15/16 08:44:56:996 Debug(2849): REGION-PRIO, this is old gateway, so we ignore the re-discover checking
(T1532) 12/15/16 08:44:56:996 Debug(2966): prelogin status is Error
(T1532) 12/15/16 08:44:56:996 Error(2969): pre-login error message: Invalid client certificate

I am assuming I need to check the box in order to prevent devices without the cert to be able to login.

What am I missing?

Thanks,

Bryan

Re: "Client cert is invalid to the gateway" error

cnluke — Thu, 22 Dec 2016 19:28:05 GMT

So I got this to work while troubleshooting a more difficult scenario (trying AD CA). I am on 7.0.11.

I don't recall exactly the settings, but I do know, in your Cert Profile, Username Field should be None.

7.0.11 does not have that exact setting "Block session if the certificate was not issued to the authenticating device". There are two other similar boxes but I did not need to check those for it to work. When done right, it only allows machines who pass the cert check to authenticate and everyone else is denied, so I doubt you need that setting.

Everything else sounds right. Is the captive portal log related to VPN and if so, is that intentional?

Re: "Client cert is invalid to the gateway" error

BBartik — Sat, 24 Dec 2016 01:15:46 GMT

Apparently I was not supposed to check that box. That box is only if you are validating the cert belongs to that machine. I was using a shared certificate model. This is from support:

- When you check the following option under the Certificate Profile "Block session if the certificate was not issued to the authenticating device/machine".
- The host id for the client certificate is validated, if this is not present in the client certificate it would not connect to the Global Protect.
- The HostID depends on the operating it varies by device type, either GUID (Windows) MAC address of the interface (Mac), Android ID (Android devices), UDID (iOS devices), or a unique name that GlobalProtect assigns (Chrome).
-For windows machine it has to be GUID , below is the link I found on internet to find the GUID of a windows machine.
>https://www.puryear-it.com/find-global-unique-identifier-guid-windows-program
- The hostID including GUID should be specified in the Common Name field.