GlobalProtect 5.0 for iOS 12 and User Certificates

L2 Linker

Re: GlobalProtect 5.0 for iOS 12 and User Certificates

@gwesson @MarkRosenecker I wouldn't say that this is a universal issue for all VPN vendors... If one were to search the interwebs for KB43862 of a competitor's product, one would find instructions for how to use email to distribute the certificates and add them to the proper app so that they can be used with SSL VPN. This particular process does not work for GlobalProtect at the moment, but I would hope that PANW updates the GP app very soon to support it.

L2 Linker

Re: GlobalProtect 5.0 for iOS 12 and User Certificates

So, I was finally able to get it working, leveraging an old Mac and Apple Configurator 2.  It's not straightforward, but it is working.

 

Open Apple Configurator 2

Connect your iPhone via USB (you may be prompted to download and install an update...do this, and wait for it to complete successfully)

Create a new Profile (File -> New Profile)

Within the new profile, add your certificates (CA certificate, user certificate)

Within the new profile, create a VPN connection

         -Name the VPN connection GlobalProtect 2

         -Connection Type = Custom SSL

         -Identifier and Server are the DNS name of your GP Portal

         -Account is the username you're going to use (make sure it matches what's in the user cert)

         -Under User Authentication -> Authentication Type for Connection, select Certificate

         -Under Credential for Authenticating the Connection, select the certificate you added to the profile (user cert)

         -Save the profile and close the profile window

In the main Apple Configurator 2 window, double-click on your iPhone.

Click on the Profiles icon on the left

Click on the Add Profile button (or the plus in the top-right)

Select the profile you created above (this will push the profile to your iPhone)

You will likely be prompted to install the profile on your iPhone (it will need to be powered on and unlocked), and it will ask you for your passcode.

 

This is what worked for me...I finally got cert auth working again.  

 

Thanks to @gwesson for pointing me in the right direction!

L2 Linker

Re: GlobalProtect 5.0 for iOS 12 and User Certificates

How can we get this to work if users only have a Windows PC?

L6 Presenter

Re: GlobalProtect 5.0 for iOS 12 and User Certificates

Hmmm, I think you can run a Mac OS X emulator for Windows....

L1 Bithead

Re: GlobalProtect 5.0 for iOS 12 and User Certificates

The steps from @MarkRosenecker above ended up working for me as well. Initially I skipped the VPN profile steps, but found out that it is needed to make it work. I am now seeing a new issue. I have my PA3020 configured to allow saved passwords; however, in the new 5.0 app, it prompts me for a password each time I connect. Anyone else seeing the same behavior?

L1 Bithead

Re: GlobalProtect 5.0 for iOS 12 and User Certificates

Hello everyone,

 

I would like to implement iOS 12 and the GP 5 app on Apple devices like I did with iOS 11 + the GP Legacy app. In fact we're using AD authentication on the portal and AD authentication as well as Certificate Profiles for the gateway. A machine certificate is deployed to the iOS device (also the Enterprise CA Root Cert). The Certificate Profile allows certificates from this CA.

 

This way was possible up to version 5 and also runs great with our Windows machines. Is this a supported way? Do I have to use user certificates? Any experience or guidance?

 

Thanks,

 

Jochen

L6 Presenter

Re: GlobalProtect 5.0 for iOS 12 and User Certificates

This will still work, but you will need to resend the certificates to the devices via a profile from Apple Configurator; this is explained in earlier posts.

L1 Bithead

Re: GlobalProtect 5.0 for iOS 12 and User Certificates

Hey MickBall,
 
Thanks for your reply.
 
We were able to use machine certs finally, but only when we push them out through AirWatch MDM. Apple Configurator or mailing apps don't work (with the same certs).
 
So, we're hopefully done. Good luck everyone else in testing!
 
Regards,
 
Jochen

L0 Member

Re: GlobalProtect 5.0 for iOS 12 and User Certificates


@APatel wrote:

The steps from @MarkRosenecker above ended up working for me as well. Initially I skipped the VPN profile steps, but found out that it is needed to make it work. I am now seeing a new issue. I have my PA3020 configured to allow saved passwords; however, in the new 5.0 app, it prompts me for a password each time I connect. Anyone else seeing the same behavior?


I am seeing this behavior. It prevents the app from reconnecting once the iPhone is disconnected from the internal network.

L2 Linker

Re: GlobalProtect 5.0 for iOS 12 and User Certificates

Hello All,

 

I spent some time with this problem.   All of the information here is correct, however there aren't a lot of correct examples of using Apple Configurator to generate a .mobileconfig file to install on iOS if using client certificate authentication.  I have found the following guide gets you almost all the way there (Certificates loaded, and vpn profile, but missing the Provider Bundle ID):

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boSUCAY

 

IMPORTANT NOTE, THE ABOVE DOCUMENT SEEMS TO BE MISSING THE FOLLOWING KEY CONFIGURATION:

 

On Apple Configurator, there is a Provider Bundle Identifier that needs to have "app:com.paloaltonetworks.globalprotect.vpn" filled in, otherwise the iOS Global Protect App won't use the profile contents.

 

 

Hope this helps.
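A way to check an exported profile for the settings this thread depends on (certificate authentication, a credential that points at the identity payload, and the Provider Bundle Identifier from the post above), before pushing it to a device. This is an added example, not part of the original posts or of Palo Alto Networks' documentation. It assumes an unsigned .mobileconfig and Apple's standard payload key names; the host name, user name, and UUID in the sample are constructed.

```python
import plistlib

# Value quoted in the post above; all sample data further down is constructed.
EXPECTED_PROVIDER = "app:com.paloaltonetworks.globalprotect.vpn"
IDENTITY_TYPE = "com.apple.security.pkcs12"  # Apple payload type: cert + private key
VPN_TYPE = "com.apple.vpn.managed"           # Apple payload type: VPN connection


def check_profile(raw: bytes) -> list[str]:
    """Return the problems found in an unsigned .mobileconfig (plist bytes)."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    identities = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") == IDENTITY_TYPE}
    vpns = [p for p in payloads if p.get("PayloadType") == VPN_TYPE]
    problems = [] if vpns else ["no VPN payload in profile"]
    for p in vpns:
        name = p.get("UserDefinedName", "<unnamed>")
        vpn = p.get("VPN", {})
        cert_uuid = vpn.get("PayloadCertificateUUID")
        if vpn.get("AuthenticationMethod") != "Certificate":
            problems.append(f"{name}: AuthenticationMethod is not Certificate")
        if not cert_uuid or cert_uuid not in identities:
            problems.append(f"{name}: credential does not point at an identity payload")
        if vpn.get("ProviderBundleIdentifier") != EXPECTED_PROVIDER:
            problems.append(f"{name}: ProviderBundleIdentifier missing or wrong")
        if not vpn.get("RemoteAddress"):
            problems.append(f"{name}: no server address")
    return problems


def sample_profile(with_provider: bool) -> bytes:
    """Constructed profile: one identity payload and one Custom SSL VPN payload."""
    uuid = "11111111-2222-3333-4444-555555555555"  # constructed
    vpn = {"AuthenticationMethod": "Certificate", "PayloadCertificateUUID": uuid,
           "RemoteAddress": "gp.example.com", "AuthName": "jdoe"}
    if with_provider:
        vpn["ProviderBundleIdentifier"] = EXPECTED_PROVIDER
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadContent": [
            {"PayloadType": IDENTITY_TYPE, "PayloadUUID": uuid,
             "PayloadContent": b"constructed-placeholder-not-a-real-p12"},
            {"PayloadType": VPN_TYPE, "VPNType": "VPN",
             "UserDefinedName": "GlobalProtect 2", "VPN": vpn}]})


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, check_profile(sample_profile(flag)) or "OK")
```

A profile signed by Apple Configurator is CMS-wrapped and has to be unwrapped before `plistlib` can read it.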
