Is there a way to tie the Cert auth to AD username for AD auth?

x
L1 Bithead

Is there a way to tie the Cert auth to AD username for AD auth?

Hi Guys,

Is there a way to make sure that the GP checks that the AD user name matches the certificate common name when using both AD and Cert profiles for authenticating users?

Thanks,

bat
L5 Sessionator

Re: Is there a way to tie the Cert auth to AD username for AD auth?

Hi x,

I think you can, while creating a certificate profile you can provide the username field as (Subject) common name.

Hope it helps!

x
L1 Bithead

Re: Is there a way to tie the Cert auth to AD username for AD auth?

Thanks, that is what I have, although on iOS or Android it doesn't seem to be doing that check. I will confirm.

x
L1 Bithead

Re: Is there a way to tie the Cert auth to AD username for AD auth?

So as per TAC, there is no option to do this. They are two independent checks and are not tied together. I was told to submit a feature request.

L4 Transporter

Re: Is there a way to tie the Cert auth to AD username for AD auth?

Hi,

This should be possible in PanOS 6.0 - the following release notes describe a bug fix included in PanOS 6.0.0:

51091—Two-factor authentication (where both a client certificate profile and an authentication profile are configured) was not functioning as expected. The client was not required to provide the login credentials associated with the authentication profile after successfully authenticating with the client certificate.

Have you tested with Windows or Mac clients? Maybe there is a limitation with mobile clients.

x
L1 Bithead

Re: Is there a way to tie the Cert auth to AD username for AD auth?

That's what I'm looking for. I did test 6.0 (6.1) at one point and I remember that it was forcing me to use the username on the certificate, but didn't realize this wasn't the case on version 5. I'm pretty sure it works on Windows, so I need to confirm if it also works on non-Windows machines. I'm hoping it will, because this will be the solution.

Thanks so much for your help!
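The binding the thread is asking about, as an added example that is neither Palo Alto Networks code nor part of any post above: a small Python check that pulls the Subject CN out of a client certificate's DN and compares it with the account that passed the AD authentication profile. It assumes accounts are compared by bare sAMAccountName (DOMAIN\user and user@domain forms are reduced to the user part), and the sample DNs are constructed.

```python
import re
from typing import List, Optional

# Added example (hypothetical helper, not GlobalProtect / PAN-OS code): tie the
# certificate-profile check to the authentication-profile check by requiring
# that the certificate's Subject CN names the same AD account that logged in.


def split_rdns(dn: str) -> List[str]:
    """Split an RFC 4514 DN string on unescaped commas, keeping escapes intact."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def subject_cn(subject_dn: str) -> Optional[str]:
    """Return the first CN attribute value (unescaped), or None if absent."""
    for rdn in split_rdns(subject_dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().upper() == "CN":
            return re.sub(r"\\(.)", r"\1", value.strip())
    return None


def normalize_account(name: str) -> str:
    """Assumption: compare by bare sAMAccountName, case-insensitively.
    CORP\\jdoe -> jdoe, jdoe@corp.example -> jdoe, JDoe -> jdoe."""
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    elif "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def cert_matches_ad_user(subject_dn: str, ad_username: str) -> bool:
    """True only when the cert CN and the authenticated AD user are one account."""
    cn = subject_cn(subject_dn)
    if not cn:                      # no CN at all: refuse rather than pass
        return False
    return normalize_account(cn) == normalize_account(ad_username)


# Constructed sample: a cert issued to jdoe presented with a CORP\JDoe login.
SAMPLE_SUBJECT = "CN=jdoe,OU=Users,DC=corp,DC=example"
print(cert_matches_ad_user(SAMPLE_SUBJECT, "CORP\\JDoe"))   # True
```

A certificate whose CN belongs to a different user than the one who passed AD authentication is rejected, which is exactly the gap the two independent checks leave open.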
