topic Re: Choosing user certificate when you have multiple such as multiple company VPNs in General Topics

Choosing user certificate when you have multiple such as multiple company VPNs

fhewiufhwefhwe — Wed, 02 Dec 2020 20:20:15 GMT

If a user has multiple user certificates, how can I ensure that the firewall chooses the correct one to use?

For example, a user might have a VPN to two different companies that both have PA firewalls.

I'd strongly prefer not having to have a separate windows user account depending on which useraccount and portal I want to connect to. Thanks

Re: Choosing user certificate when you have multiple such as multiple company VPNs

reaper — Wed, 02 Dec 2020 21:40:34 GMT

When there's multiple user certificates, the user will get a pop-up requesting which one to use

Re: Choosing user certificate when you have multiple such as multiple company VPNs

fhewiufhwefhwe — Wed, 02 Dec 2020 21:52:14 GMT

No such pop-up appearing requesting which one to use. I've had to delete a user certificate due to the lack of pop-up.

Re: Choosing user certificate when you have multiple such as multiple company VPNs

rmfalconer — Thu, 03 Dec 2020 00:00:49 GMT

If the certificates are issued by different authorities, there *shouldn't* be a problem. Only the cert issued by the CA you define in the certificate profile should be used. The prompt should only happen if: there are multiple certs that are issued from the same authority, with client auth enabled and in the same cert store.

Re: Choosing user certificate when you have multiple such as multiple company VPNs

fhewiufhwefhwe — Thu, 03 Dec 2020 16:24:21 GMT

It's the same CA and the prompt is not occurring. For instance, I am testing user certificate of a third party complaining of issues connecting to VPN.

Re: Choosing user certificate when you have multiple such as multiple company VPNs

reaper — Thu, 03 Dec 2020 16:36:59 GMT

So it is _not_ the same CA? Which version of GP are you/they on? May need to upgrade, or reach out to aupport

Re: Choosing user certificate when you have multiple such as multiple company VPNs

fhewiufhwefhwe — Thu, 03 Dec 2020 17:03:32 GMT

5.2.3 GP originally. I upgraded to 5.2.4 GP and still have the same issue. Their is no prompt to choose the user certificate / username with the GP client. If I connect to the firewall web gui, I do get a prompt about which user certificate to use.

Re: Choosing user certificate when you have multiple such as multiple company VPNs

Mick_Ball — Thu, 03 Dec 2020 18:13:58 GMT

I have 2 different certs from the same CA and i do get a prompt on v5.24

Re: Choosing user certificate when you have multiple such as multiple company VPNs

fhewiufhwefhwe — Thu, 03 Dec 2020 18:28:45 GMT

If I completely uninstall 5.2.4 then install 5.2.3, I get the prompt. Does this only appear the first time you connect? Is there some setting that controls whether you are prompted once or every time?

Re: Choosing user certificate when you have multiple such as multiple company VPNs

Mick_Ball — Fri, 04 Dec 2020 03:17:09 GMT

It does prompt me on every connection, however.... i have a funny feeling that when i installed a second user cert from the same CA it just ignored it... as if it expected to use the one i had already been using prior to the second addition... and as far as i can remember i just connected to a different test portal for the first time to get the prompt. I have never seen a setting to tweak this but GP client may be trying to do something clever in the background hence a re install resolution for yourself. I have seen a few odd things when chopping and changing user certs but normally rectified by pangps service restart.

Re: Choosing user certificate when you have multiple such as multiple company VPNs

Mick_Ball — Fri, 04 Dec 2020 03:37:06 GMT

I might be getting the prompt on every connection as it does not have a valid gateway because i only need to test the cert against a portal.

i will add a gateway later today and see if it goes away.... I only say this as picked this up from PAN docs..

When only one client certificate meets the requirements above, the app automatically uses that client certificate for authentication. However, when multiple client certificates meet the these requirements, GlobalProtect prompts the user to select the client certificate from a list of valid client certificates on the endpoint. While GlobalProtect requires users to select the client certificate only when they first connect, users might not know which certificate to select. In this case, we recommend you to narrow the list of available client certificates by certificate purpose (as indicated by the OID) and certificate store.

Re: Choosing user certificate when you have multiple such as multiple company VPNs

fhewiufhwefhwe — Mon, 07 Dec 2020 00:53:03 GMT

Thanks. My temporary workaround is the uninstall and reinstall of GlobalProtect VPN, or manually adding and deleting user certificates. I tried simply changing the portal, but didn't get prompted to choose between the user certificates