02-23-2019 08:00 AM - edited 02-23-2019 08:02 AM
Hello team,
To identify my users, I have used Captive Portal with an LDAP authentication profile.
Then I removed LDAP from the Captive Portal config and added a "Certificate profile", and that works well too.
However, when I assign both an LDAP profile AND a certificate profile to my Captive Portal configuration (Device > User Identification > Captive Portal settings), the Palo Alto first asks me to provide a client certificate, then it always prompts me for username/password, which is not what I want.
My question is the following: is there a way to configure the Palo Alto so that if the client certificate authentication succeeds, it doesn't prompt us for username/password, and if the client certificate authentication fails, it does prompt us for username/password?
I'm in a lab environment and I can show my config.
Many thanks for your help,
karim benyelloul
02-25-2019 01:51 AM
Client certificates are a strict authentication method that is part of the handshake, whereas username/password happens after a connection is established.
It is inefficient to first establish a session that requires a client certificate, then restart a new session that doesn't require a client certificate.
02-25-2019 02:03 AM
Dear @karimanizer,
"You don't need an authentication profile or sequence for client certificate authentication. If you configure both an authentication profile/sequence and certificate authentication, users must authenticate using both."
Admin Guide 8.1, page 466
So it's expected behavior to have both validated.
02-25-2019 02:31 AM
Hi @reaper ,
Thanks for your reply,
| It is inefficient to first establish a session that requires a client certificate, to then restart a new session that doesn't require a client certificate
This is not what I was expecting to happen. For me, client certificate authentication is a reliable authentication method by itself, and the firewall does not need to ask the user to enter their username/password to validate their identity.
The scenario I was expecting looks like this:
if { client_certificate auth is successful } get the username from the certificate and map it to its IP address; else prompt the user to enter username/password.
Is it because the firewall sees it as a different authentication factor, "something the user has", instead of the username/password, which is "something the user knows"?
Many thanks,