topic Re: Logon Method for mixed users using certificates in General Topics

Logon Method for mixed users using certificates

FWPalolearner — Fri, 25 Sep 2020 07:49:30 GMT

Hello ,

I have a requirement , Currently both Internal and external users ( both are AD users) connect to GP via their AD user name and Password

Requirement is enroll Machine certificate to Internal Users and a Common Certificate issued by Palo Alto Generate Root CA to all External users

Internal Users are having Machine Certificate issued by PKI on their Windows 10

External Users have a Common User certificate in their User certificate store. Certificate Profile is OK and has Root CA certificate from PKI and PA Root CA

So my queries are :

1) Can I still use Logon Method as User Logon ( Always on ) as a common method for both types of users ? the requirement is that the certificate check should not kick in until user logs in ?

2) Client Certificate Store Look up is User and Machine :: So that it checks for both Spaces and find a certificate in one of the store

Is this OK ?

In the config selection criteria ,

I have selected the User Groups ( mix of both internal and external) . Do i need to change it Pre-logon ?

Re: Logon Method for mixed users using certificates

BPry — Sat, 26 Sep 2020 05:21:42 GMT

@FWPalolearner,

1) Can I still use Logon Method as User Logon ( Always on ) as a common method for both types of users ? the requirement is that the certificate check should not kick in until user logs in ?

Yes, but if you are going through and deploying machine certificates to machines it makes more sense in the majority of situations to go with pre-logon. Obviously if that doesn't meet your requirements you can stick with User Logon but I really recommend looking into pre-logon since you've already done all of the work for these internal clients.

2) Client Certificate Store Look up is User and Machine :: So that it checks for both Spaces and find a certificate in one of the store

Correct. The thing to keep in mind here though is that anything in the user certificate store that actually matches your certificate profile is going to take priority over the machine certificate.

I have selected the User Groups ( mix of both internal and external) . Do i need to change it Pre-logon ?

Only if you are actually going to deploy pre-logon mode. The thing to make sure here in testing prior to actual deployment is that the user is going to be identified from the certificate as you actually expect it to be for the users. It's not abundantly clear if you're talking about just doing certificate authentication for the internal users or if you plan on doing a certificate AND credential deployment instead.

Talking about internal and external just has me curious on what you actually mean by this. Generally you would want to see an internal and an external gateway configured if you are actually utilizing GlobalProtect for internal hosts. So you might only have one portal address, but you would have two separate gateway configurations. It kind of sounds like you are lumping your internal and external GlobalProtect clients on one gateway, which would be somewhat odd from a deployment. Is that just odd word choice, or what was the reason behind the sole gateway deployment?

Re: Logon Method for mixed users using certificates

FWPalolearner — Sat, 26 Sep 2020 06:06:51 GMT

@BPry thanks for your reply.

The goal is to use both AD creds plus certificate check

Corp users have machine certificate

Non corp users have user certificate

1) if I use user logon for a machine certificate ,how the gp willl check the certificate?

I understand that prelogon is preferred way .

If I use prelogon then I need three rules in total on agent configuration:

1) prelogon to be selected under user/ user group

Logon method prelogon and certificate store look machine only

2) specific users under user/ user group .

Logon method prelogon and certificate store look machine only

3) specific users under user/ user group and logon methods user logon and certificate store look user only.

Gatway and portal use same interface .