we are running the latest PAN-OS 4.1.0 and Panorama in an evaluation environment and would like to deploy Client-VPN the following way:
We do run our own CA in our Corporate network.
We use our own PKI infrastructure and Aladdon eToken with client certificates on it for Client-VPN throgh MS ISA since years.
Users do not know their MS AD-User account passwords, they do know their PIN for the PKI eToken only.
We do not use Single-Sign-On.
We do have our own Radius server (IAS).
Connecting via client-vpn using (AD) user and password is not an option (s. above).
PaloAlto only supports PAP, but no EAP for certificates. True?
To replace our ww infrastructure of MS ISA f. client-vpn, we need to logon using certificates on our clients and (if possible) PIN of PKI client.
Is there any way to manage this?
Our product integrates CA signed client certficates with the palo Alto agents and integrates identity into User-ID for the PA.
It's called RADCAT. No per cert license, I'd be happy to hook you up with a demo box. Let me know.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!