topic Global Protect Client Certificate Issue in General Topics

Global Protect Client Certificate Issue

mtsadmin — Wed, 16 Jan 2019 07:32:46 GMT

Hi team

How can I implement in the Global Protect confuguration the use of client certificate and LDAP authentication as two factor authentication only for some user (or a user group) ? We had only rolled out private certificates from our PKI for some user that has access to sensitive services and these user should use their certificate as additional authentication for the global protect portal/gateway. All other user should able to connect without client certificate. How can I implent these scenario?

I only found this in the Global Protect portal/gateway configuration valid for all clients that connect.

Regards
Andrea

Re: Global Protect Client Certificate Issue

Mick_Ball — Wed, 16 Jan 2019 11:10:26 GMT

Certificate authentication is global to all users. you can have either just certificate auth, just ldap auth or both cert and ldap but

you cannot have both cert only and cert plus ldap on the same portal/gateway.

you could just use certificate authentication on the portal and then depending on the user group you could issue a different gateway, one with cert auth and one with ldap auth.

you will need additional license for multiple gateways.

Re: Global Protect Client Certificate Issue

Mick_Ball — Wed, 16 Jan 2019 11:12:43 GMT

if you only need this for access to restricted services then just use a security policy to only allow access to those needed services.

Re: Global Protect Client Certificate Issue

mtsadmin — Wed, 16 Jan 2019 11:30:38 GMT

Sure ! I have security policies that only allow the access to those people. But thats not the problem. The problem is that only a Username/password for authentication is not save enough for external access to the services. And I don't want to roll out hundred of private certificates for people that do not need this for access to non-sensitive services. For this scenario it would be helpful to have the additional certificate authorization only for restricted user.

Regards

Andrea

Re: Global Protect Client Certificate Issue

Mick_Ball — Wed, 16 Jan 2019 11:51:52 GMT

sure I understand.

what you are trying to configure is not possible on the same portal or gateway.

Do you have a gateway license?

Or, could you have a different portals for the different users?

Re: Global Protect Client Certificate Issue

mtsadmin — Wed, 16 Jan 2019 15:01:03 GMT

Actually we don't have gateway license.

And yes, I also thought about a different portal for this users but for this I need to add a second IP-address to the interface, is it right ?

Regards Andrea

Re: Global Protect Client Certificate Issue

Mick_Ball — Wed, 16 Jan 2019 15:09:48 GMT

yes it would be best to add second IP address but you may be able to configure a new portal and gateway on a loopback address. (so 2 portals on same interface but on different ports)

I have used it, it works well but i have never used it alongside an existing portal/gateway but should work.

here is a link but just search web for globalprotect loopback.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGKCA0

Re: Global Protect Client Certificate Issue

Mick_Ball — Wed, 16 Jan 2019 17:50:08 GMT

I would distribute certificates to all users. if using PKI then you can use Group Policy to install a certificate on domain logon.

Re: Global Protect Client Certificate Issue

mtsadmin — Thu, 17 Jan 2019 09:39:32 GMT

Unfortunately to most of the clients are Unix Computers ...

But thank you for providing the solution for the second portal ..I will check this .

Regards

Andrea