Is there a way to make sure that the GP checks that the AD user name matches the certificate common name when using both AD and Cert profiles for authenticating users?
I think you can. While creating a certificate profile, you can provide the username field as (Subject) common name.
Hope it helps!
So as per TAC, there is no option to do this. They are two independent checks and are not tied together. I was told to submit a feature request.
This should be possible in PanOS 6.0 - the following release notes describe a bug fix included in PanOS 6.0.0:
51091—Two-factor authentication (where both a client certificate profile and an authentication profile are configured) was not functioning as expected. The client was not required to provide the login credentials associated with the authentication profile after successfully authenticating with the client certificate.
Have you tested with Windows or Mac clients? Maybe there is a limitation with mobile clients.
That's what I'm looking for. I did test 6.0 (6.1) at one point and I remember that it was forcing me to use the username on the certificate, but I didn't realize this wasn't the case on version 5. I'm pretty sure it works on Windows, so I need to confirm if it also works on non-Windows machines. I'm hoping it will because this will be the solution.
Thanks so much for your help!