Client-VPN w. GlobalProtect and client certificates w/o

tkenning — Fri, 09 Dec 2011 17:07:58 GMT

Hello everybody,

we are running the latest PAN-OS 4.1.0 and Panorama in an evaluation environment and would like to deploy Client-VPN the following way:

We do run our own CA in our Corporate network.

We use our own PKI infrastructure and Aladdon eToken with client certificates on it for Client-VPN throgh MS ISA since years.

Users do not know their MS AD-User account passwords, they do know their PIN for the PKI eToken only.

We do not use Single-Sign-On.

We do have our own Radius server (IAS).

Problem:

---------------

Connecting via client-vpn using (AD) user and password is not an option (s. above).

Question(s):

---------------

PaloAlto only supports PAP, but no EAP for certificates. True?

To replace our ww infrastructure of MS ISA f. client-vpn, we need to logon using certificates on our clients and (if possible) PIN of PKI client.

Is there any way to manage this?

tkenning

Re: Client-VPN w. GlobalProtect and client certificates w/o

amansour — Wed, 21 Dec 2011 03:14:28 GMT

Our product integrates CA signed client certficates with the palo Alto agents and integrates identity into User-ID for the PA.

It's called RADCAT. No per cert license, I'd be happy to hook you up with a demo box. Let me know.