Global Protect Client Certificate Issue

L1 Bithead

Global Protect Client Certificate Issue

Hi team

How can I implement in the Global Protect configuration the use of a client certificate plus LDAP authentication as two-factor authentication only for some users (or a user group)? We have only rolled out private certificates from our PKI to some users who have access to sensitive services, and these users should use their certificate as additional authentication for the Global Protect portal/gateway. All other users should be able to connect without a client certificate. How can I implement this scenario?

I only found this in the Global Protect portal/gateway configuration, where it is valid for all clients that connect.

Regards
Andrea 

L6 Presenter

Re: Global Protect Client Certificate Issue

Certificate authentication is global to all users. You can have either just certificate auth, just LDAP auth, or both cert and LDAP, but you cannot have both cert only and cert plus LDAP on the same portal/gateway.

You could just use certificate authentication on the portal and then, depending on the user group, issue a different gateway: one with cert auth and one with LDAP auth.

You will need an additional license for multiple gateways.


L6 Presenter

Re: Global Protect Client Certificate Issue

If you only need this for access to restricted services, then just use a security policy to only allow access to those needed services.

L1 Bithead

Re: Global Protect Client Certificate Issue

Sure! I have security policies that only allow access to those people. But that's not the problem. The problem is that only a username/password for authentication is not safe enough for external access to the services. And I don't want to roll out hundreds of private certificates to people who do not need this for access to non-sensitive services. For this scenario it would be helpful to have the additional certificate authorization only for restricted users.

Regards

Andrea

L6 Presenter

Re: Global Protect Client Certificate Issue

Sure, I understand.

What you are trying to configure is not possible on the same portal or gateway.

Do you have a gateway license?

Or could you have different portals for the different users?

L1 Bithead

Re: Global Protect Client Certificate Issue

Actually, we don't have a gateway license.

And yes, I also thought about a different portal for these users, but for this I need to add a second IP address to the interface, is that right?

Regards Andrea

L6 Presenter

Re: Global Protect Client Certificate Issue

Yes, it would be best to add a second IP address, but you may be able to configure a new portal and gateway on a loopback address (so two portals on the same interface but on different ports).

I have used it and it works well, but I have never used it alongside an existing portal/gateway. It should work, though.

Here is a link, but just search the web for "globalprotect loopback".

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGKCA0
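As an added example (not from the thread, and not Palo Alto Networks code): once the certificate users have their own portal/gateway on a second IP or on a loopback address with a different port, the check a practitioner wants is that only that endpoint demands a client certificate. Probing each endpoint with `openssl s_client` without offering a certificate shows whether the server sent a TLS CertificateRequest and which CAs it advertised. The hostnames, ports and transcripts below are constructed placeholders, and the detection rule relies on s_client's output format, which the code states as an assumption.

```python
"""Confirm which GlobalProtect portal/gateway asks for a client certificate.

Added example, not from the forum thread. Hostnames/ports are placeholders and
the sample transcripts are constructed, not captured from a real firewall.
"""
import re
import subprocess
from dataclasses import dataclass, field


@dataclass
class ProbeResult:
    endpoint: str
    requests_client_cert: bool                      # server sent CertificateRequest
    acceptable_cas: list = field(default_factory=list)  # CA DNs it advertised


# Any of these lines ends the CA-name block in s_client output.
_END_OF_CA_BLOCK = re.compile(r"^(---|[A-Z][A-Za-z ]+: )")


def parse_s_client(endpoint: str, transcript: str) -> ProbeResult:
    """Classify one `openssl s_client` transcript (no client cert offered).

    Assumption about s_client's print format: if the server asked for a client
    certificate, OpenSSL prints an 'Acceptable client certificate CA names'
    block (the CA list it sent; for a PAN-OS certificate profile that should be
    your own PKI) or, with no CA list, a 'Client Certificate Types:' line. A
    server that never asked prints 'No client certificate CA names sent' only.
    """
    lines = transcript.splitlines()
    cas, in_block = [], False
    for line in lines:
        if line.strip() == "Acceptable client certificate CA names":
            in_block = True
            continue
        if in_block:
            if not line.strip() or _END_OF_CA_BLOCK.match(line):
                in_block = False
            else:
                cas.append(line.strip())
    requested = bool(cas) or any(
        l.startswith("Client Certificate Types:") for l in lines)
    return ProbeResult(endpoint, requested, cas)


def probe(host: str, port: int = 443, timeout: int = 15) -> ProbeResult:
    """Live check: run openssl s_client against host:port, offering no cert."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout, check=False)
    return parse_s_client(f"{host}:{port}",
                          proc.stdout.decode("utf-8", errors="replace"))


def verify_split(results, must_require):
    """Endpoints whose behaviour contradicts the intended split.

    must_require maps endpoint -> True (cert users) / False (everyone else).
    """
    return [r.endpoint for r in results
            if r.requests_client_cert != must_require[r.endpoint]]


# Constructed transcripts, abbreviated to the parts the parser looks at.
SAMPLE_RESTRICTED = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = vpn-restricted.example.com
   i:C = CH, O = Example AG, CN = Example Issuing CA
---
Acceptable client certificate CA names
C = CH, O = Example AG, CN = Example Issuing CA
C = CH, O = Example AG, CN = Example Root CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3121 bytes and written 440 bytes
"""

SAMPLE_OPEN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = vpn.example.com
   i:C = US, O = Example Public CA, CN = Example Public Issuing CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2890 bytes and written 401 bytes
"""

if __name__ == "__main__":
    intended = {"vpn-restricted.example.com:4443": True, "vpn.example.com:443": False}
    results = [parse_s_client("vpn-restricted.example.com:4443", SAMPLE_RESTRICTED),
               parse_s_client("vpn.example.com:443", SAMPLE_OPEN)]
    for r in results:
        print(r.endpoint, "requests client cert:", r.requests_client_cert, r.acceptable_cas)
    print("mismatches:", verify_split(results, intended))
    # Live: results = [probe("vpn-restricted.example.com", 4443), probe("vpn.example.com")]
```

Run it against the real endpoints by swapping the constructed transcripts for `probe()` calls; a restricted portal that lists a public CA, or an open portal that suddenly lists your internal issuing CA, is a misconfiguration worth catching before users do.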

L6 Presenter

Re: Global Protect Client Certificate Issue

I would distribute certificates to all users. If using PKI, then you can use Group Policy to install a certificate on domain logon.

L1 Bithead

Re: Global Protect Client Certificate Issue

Unfortunately, most of the clients are Unix computers...
But thank you for providing the solution for the second portal. I will check this.

 
Regards
Andrea