"Client cert is invalid to the gateway" error

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

"Client cert is invalid to the gateway" error

L2 Linker

Hi,

 

I am trying to setup machine cert authentication, but it appears I am missing something. Local user auth works fine without certificates. Gateway and Portal are on a single 3020 with 7.1. 

 

I created a local-CA and generated a cert for all windows 7 machines.

I imported this cert into the Local Computer personal stores on the windows 7 computer (two of them).

I created a cert profile referencing the local-CA.

I have tried the username settings of "None" or "Subject" but not sure how this fits in (neither work)

I attached the cert profile to the gateway auth config.

 

In the cert profile there is a setting:

 

"Block session if the certificate was not issued to the authenticating device"

 

If I leave this unchecked, the user connects. If I check this the user cannot connect and I get this message:

 

(T1532) 12/15/16 08:44:56:995 Debug(1049): Client cert is invalid to the gateway x.x.x.x
(T1532) 12/15/16 08:44:56:995 Debug(2816): Login to gateway x.x.x.x without ipv6
(T1532) 12/15/16 08:44:56:995 Debug(3270): portal/gateway pre-login is done!
(T1532) 12/15/16 08:44:56:995 Debug(7645): StopCaptivePortalDetection() captive portal detection is in progress
(T1532) 12/15/16 08:44:56:996 Debug(2846): REGION-PRIO, gateway region code is
(T1532) 12/15/16 08:44:56:996 Debug(2849): REGION-PRIO, this is old gateway, so we ignore the re-discover checking
(T1532) 12/15/16 08:44:56:996 Debug(2966): prelogin status is Error
(T1532) 12/15/16 08:44:56:996 Error(2969): pre-login error message: Invalid client certificate

 

I am assuming I need to check the box in order to prevent devices without the cert to be able to login.

 

What am I missing?

 

Thanks,

 

Bryan

2 REPLIES 2

L0 Member

So I got this to work while troubleshooting a more difficult scenario (trying AD CA). I am on 7.0.11.

I don't recall exactly the settings, but I do know, in your Cert Profile, Username Field should be None.

7.0.11 does not have that exact setting "Block session if the certificate was not issued to the authenticating device". There are two other similar boxes but I did not need to check those for it to work. When done right, it only allows machines who pass the cert check to authenticate and everyone else is denied, so I doubt you need that setting.

 

Everything else sounds right. Is the captive portal log related to VPN and if so, is that intentional?

 

 

Apparently I was not supposed to check that box. That box is only if you are validating the cert belongs to that machine. I was using a shared certificate model. This is from support:

 

- When you check the following option under the Certificate Profile "Block session if the certificate was not issued to the authenticating device/machine".
- The host id for the client certificate is validated, if this is not present in the client certificate it would not connect to the Global Protect.
- The HostID depends on the operating it varies by device type, either GUID (Windows) MAC address of the interface (Mac), Android ID (Android devices), UDID (iOS devices), or a unique name that GlobalProtect assigns (Chrome).
-For windows machine it has to be GUID , below is the link I found on internet to find the GUID of a windows machine.
>https://www.puryear-it.com/find-global-unique-identifier-guid-windows-program
- The hostID including GUID should be specified in the Common Name field.

  • 2813 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!