Is there a way to tie the Cert auth to AD username for AD auth?


L1 Bithead

Hi Guys,

Is there a way to make sure that the GP checks that the AD user name matches the certificate common name when using both AD and Cert profiles for authenticating users?

Thanks,



L5 Sessionator

Hi x,

I think you can: when creating a certificate profile, you can set the username field to Subject (common name).

Hope it helps !
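The reply above describes the certificate profile taking the username from the subject common name. As an added example (not PAN-OS or GlobalProtect code), here is a reference implementation of the check the original poster is asking for: take the CN out of the client certificate's subject DN, reduce both it and the username typed for the AD authentication profile to a bare account name, and accept only when they name the same account. The DN strings, the EXAMPLE / example.com realm names and the login forms accepted are constructed assumptions; the point is that either side missing, or an account in a foreign realm, fails closed rather than falling back to "certificate OK, any AD user will do".

```python
"""Added example: tie a client-certificate CN to the AD username entered at login.
Not PAN-OS code. Realm names below are constructed assumptions."""

from typing import List, Optional, Tuple

# Constructed assumption: the one AD domain these users are expected to log in to,
# in the two forms it appears in login names (DOMAIN\user and user@dns.domain).
NETBIOS_DOMAIN = "EXAMPLE"
DNS_DOMAIN = "example.com"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 DN string into (attribute, value) pairs.

    Honours backslash escapes and double-quoted values so that a CN such as
    'Doe\\, John' is not split into two RDNs. Multi-valued RDNs (a=x+b=y) are
    returned as separate pairs. Hex escapes (\\2C) are not expanded here.
    """
    parts: List[str] = []
    token: List[str] = []
    escaped = quoted = False
    for ch in dn:
        if escaped:
            token.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch in ",+" and not quoted:
            parts.append("".join(token))
            token = []
        else:
            token.append(ch)
    parts.append("".join(token))

    pairs: List[Tuple[str, str]] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def subject_cn(dn: str) -> Optional[str]:
    """Return the first CN value in a subject DN, or None if there is none."""
    for attr, value in parse_dn(dn):
        if attr == "cn":
            return value
    return None


def normalize_account(name: str) -> str:
    """Reduce DOMAIN\\user, user@dns.domain or bare user to a lower-cased account name.

    AD compares sAMAccountName case-insensitively, so lower-casing is safe.
    A name in a realm other than the configured one is rejected, not silently accepted.
    """
    name = name.strip()
    if "\\" in name:
        domain, user = name.split("\\", 1)
        if domain.lower() != NETBIOS_DOMAIN.lower():
            raise ValueError(f"unexpected domain {domain!r}")
        return user.lower()
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        if realm.lower() != DNS_DOMAIN.lower():
            raise ValueError(f"unexpected realm {realm!r}")
        return user.lower()
    return name.lower()


def cert_matches_login(subject_dn: str, login_username: str) -> bool:
    """True only if the certificate CN and the typed AD username denote the same account.

    Fails closed: no CN, an unparsable DN, or a foreign realm on either side is a mismatch.
    """
    try:
        cn = subject_cn(subject_dn)
        if not cn:
            return False
        return normalize_account(cn) == normalize_account(login_username)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the same person in three login forms, and one impostor.
    dn = "CN=jdoe,OU=VPN Users,DC=example,DC=com"
    for login in ("EXAMPLE\\jdoe", "jdoe@example.com", "JDoe", "EXAMPLE\\asmith"):
        print(f"{login:20} -> {'accept' if cert_matches_login(dn, login) else 'reject'}")
```

A real gateway would take the subject from the verified certificate chain and the username from the authentication profile's login prompt; the comparison itself is what this shows, including why the match must be on the account name rather than a display-name CN like "Doe, John", which normalizes to something no AD login form produces.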

Thanks, that is what I have, although on iOS or Android it doesn't seem to be doing that check. I will confirm.

So as per TAC, there is no option to do this. They are two independent checks and are not tied together. I was told to submit a feature request.

Hi,

This should be possible in PAN-OS 6.0; the following release notes describe a bug fix included in PAN-OS 6.0.0:

51091—Two-factor authentication (where both a client certificate profile and an authentication profile are configured) was not functioning as expected. The client was not required to provide the login credentials associated with the authentication profile after successfully authenticating with the client certificate.

Have you tested with Windows or Mac clients? Maybe there is a limitation with mobile clients.

That's what I'm looking for. I did test 6.0 (6.1) at one point, and I remember that it was forcing me to use the username on the certificate, but I didn't realize this wasn't the case on version 5. I'm pretty sure it works on Windows, so I need to confirm whether it also works on non-Windows machines. I'm hoping it will, because this will be the solution.

Thanks so much for your help!
