How to Configure GlobalProtect for Authentication Using Only Certificates


Overview

This document describes the steps to configure GlobalProtect for certificate-only authentication, so that the user is never prompted to log in.


Steps

  1. Create the certificate profile under Device > Certificate Management > Certificate Profile.
    Make sure Username Field is set to 'Subject' and the grey area to the right of it shows 'common-name'. Add the root CA under CA Certificates.
    [Image: Certificate Profile]
  2. The image below shows the certificates created:
    [Image: Certificates]
  3. Configure the GlobalProtect Gateway.
    Set Authentication Profile to None and set Certificate Profile to the one created in Step 1 above.
    [Image: GlobalProtect Gateway]
  4. Configure the GlobalProtect Portal.
    Set Authentication Profile to None. Select the Client Certificate and Certificate Profile.
    Note: Having the firewall generate a Client Certificate assumes that the certificate infrastructure on the network is set up to support that client certificate. Alternatively, a client certificate may not be necessary, and it may also not be advisable in a multi-user environment. It may be better to use a certificate profile with the CA that will be used to sign each user's certificate, so that each user can and will receive a unique certificate from the CA.
    [Image: GlobalProtect Portal]
  5. In the Client Configuration tab, disable SSO.
    [Image: Client Configuration tab]
  6. Install the root and the client certificates in the machine local store of the client PC.
    Note: When exporting the client machine certificate from the Palo Alto Networks device, it needs to be in PKCS12 format.
    [Image: Local machine store]
  7. Install the client certificate in the user personal store.
    [Image: User personal store]
  8. In the GlobalProtect client, there is no need to enter the Username and Password:
    [Image: GlobalProtect client]
  9. Commit the configuration on the firewall. The GlobalProtect client will automatically connect to the gateway.
    The Gateway's remote users list will show the user from the client certificate logged in.
    [Image: Client certificate authentication]

owner: pvermuri

Comments

This document says that we need to add a client certificate and a certificate profile to the portal configuration.

Upon testing, I have confirmed that the client cert is not necessary and is also not advisable in a multi-user environment. It is better to use a certificate profile with the CA which will be used to sign each user's certificate. In this way, each user can and will receive a unique certificate from the CA.

I would bring out a few points from this article which are important and which help to make this authentication method work without problems.

I have PanOS 6.1.1 installed.

If you want to use on-demand authentication (not pre-logon) using only certificates:

* This is important: "Make sure Username Field is set to 'Subject' and the grey area to the right of it shows 'common-name'", otherwise authentication will not work.

* In step 4 (portal configuration), the client certificate and certificate profile are not needed and rather not advisable, as also stated by ven_css_ut.

* The client certificate has to be in PKCS12 format when exported from the PAN firewall, as stated in step 6.

* The client certificate has to be installed only in the user personal store, as in step 7. You do not need any other certificates on the computer, so step 6 is not necessary.

If you want to use pre-logon:

* The client certificate has to be in PKCS12 format when exported from the PAN firewall, as stated in step 6.

* Make sure that you install the certificates on the computer correctly and place them in the correct store. Follow this article: GlobalProtect Agent Prelogon Failing Even After Importing Private PKI Certificates

* Make sure that the computer certificate contains a subject field with some info/name in it (when you create the certificate in PAN, you have to enter the CN field). Check this article: Pre-logon Fails with Issued Machine Certificate

* You should have an FQDN for the server certificate and the GP firewall interface in your DNS server. This issue is described here: GlobalProtect Gateway Certificate Error When Trying to Use GlobalProtect Agent 2.1.0

* In step 4 (portal configuration), the client certificate and certificate profile are not needed and rather not advisable, as also stated by ven_css_ut.

Has anyone attempted this type of authentication with iOS or Android devices?

I tested it, and it works. But when I revoke the certificate, the user can connect to the VPN without problem.

How can I fix this?

MPoffal,

I believe you also need to set up the CRL using these instructions. Otherwise these lists are not checked, just the certificate itself against the CA certificate.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Enable-CRL-and-OCSP-from-the-WebG...
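Added example, not from the article and not Palo Alto Networks code: the certificate handling behind steps 1 and 6 of the article, plus the revocation point raised in the comment above, reproduced with plain OpenSSL against a constructed throwaway CA. All names are made up (Lab Root CA, the user alice, the temp directory, the password changeit); it shows the username coming out of the Subject common-name, the PKCS12 export, and that a chain-only check keeps accepting a revoked certificate until a CRL is actually consulted.

```shell
#!/bin/sh
# Constructed lab: throwaway CA, one client cert, all names invented.
set -e
WORK=$(mktemp -d)
# One config serving "req" (CA extensions) and "ca" (revocation database/CRL)
printf '%s\n' '[ req ]' 'distinguished_name = dn' 'x509_extensions = ca_ext' '[ dn ]' \
  '[ ca_ext ]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = keyCertSign,cRLSign' \
  '[ ca ]' 'default_ca = lab' '[ lab ]' "database = $WORK/index.txt" \
  "crlnumber = $WORK/crlnumber" 'default_md = sha256' 'default_crl_days = 1' > "$WORK/lab.cnf"
: > "$WORK/index.txt"; echo 01 > "$WORK/crlnumber"

make_pki() {
  # Self-signed root CA (the "CA Certificates" entry of the certificate profile)
  openssl req -config "$WORK/lab.cnf" -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 1 -subj "/CN=Lab Root CA" 2>/dev/null
  # Client cert whose Subject CN will become the username
  openssl req -config "$WORK/lab.cnf" -newkey rsa:2048 -nodes -keyout "$WORK/alice.key" \
    -out "$WORK/alice.csr" -subj "/CN=alice" 2>/dev/null
  openssl x509 -req -in "$WORK/alice.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/alice.crt" 2>/dev/null
  # PKCS12 bundle (cert + private key), the format step 6 says the import needs
  openssl pkcs12 -export -in "$WORK/alice.crt" -inkey "$WORK/alice.key" \
    -out "$WORK/alice.p12" -passout pass:changeit
}

# Username Field = Subject / common-name: take the CN out of the Subject
cert_username() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Chain check against the root CA only; no revocation data is consulted
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 && echo ok || echo fail
}

# Revoke the client cert in the CA database and publish a CRL next to the CA cert
revoke_client() {
  openssl ca -config "$WORK/lab.cnf" -cert "$WORK/ca.crt" -keyfile "$WORK/ca.key" -revoke "$1" 2>/dev/null
  openssl ca -config "$WORK/lab.cnf" -cert "$WORK/ca.crt" -keyfile "$WORK/ca.key" -gencrl -out "$WORK/ca.crl" 2>/dev/null
  cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/ca_with_crl.pem"
}

# Same check with the CRL consulted: the revoked cert is now refused
verify_with_crl() {
  openssl verify -crl_check -CAfile "$WORK/ca_with_crl.pem" "$1" >/dev/null 2>&1 && echo ok || echo revoked
}

make_pki; revoke_client "$WORK/alice.crt"
echo "username=$(cert_username "$WORK/alice.crt") chain-only=$(verify_chain "$WORK/alice.crt") with-crl=$(verify_with_crl "$WORK/alice.crt")"
```

Runs with a stock openssl (1.1.1 or 3.x); the lab files are left in the temp directory so the CRL and the PKCS12 bundle can be inspected.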

I have configured OCSP in the interface management, and it works.

To get this working on Mac we had to put the client certificate into the login keychain.