Choosing user certificate when you have multiple such as multiple company VPNs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Choosing user certificate when you have multiple such as multiple company VPNs

L4 Transporter

If a user has multiple user certificates, how can I ensure that the firewall chooses the correct one to use?

For example, a user might have a VPN to two different companies that both have PA firewalls.

 

I'd strongly prefer not having to have a separate windows user account depending on which useraccount and portal I want to connect to.  Thanks

1 accepted solution

Accepted Solutions

I might be getting the prompt on every connection as it does not have a valid gateway because i only need to test the cert against a portal.

 

i will add a gateway later today and see if it goes away....   I only say this as picked this up from PAN docs..

 

 

When only one client certificate meets the requirements above, the app automatically uses that client certificate for authentication. However, when multiple client certificates meet the these requirements, GlobalProtect prompts the user to select the client certificate from a list of valid client certificates on the endpoint. While GlobalProtect requires users to select the client certificate only when they first connect, users might not know which certificate to select. In this case, we recommend you to narrow the list of available client certificates by certificate purpose (as indicated by the OID) and certificate store.

 

View solution in original post

11 REPLIES 11

Cyber Elite
Cyber Elite

When there's multiple user certificates, the user will get a pop-up requesting which one to use

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

No such pop-up appearing requesting which one to use.  I've had to delete a user certificate due to the lack of pop-up.

If the certificates are issued by different authorities, there *shouldn't* be a problem. Only the cert issued by the CA you define in the certificate profile should be used. The prompt should only happen if: there are multiple certs that are issued from the same authority, with client auth enabled and in the same cert store.

 

 

It's the same CA and the prompt is not occurring.  For instance, I am testing user certificate of a third party complaining of issues connecting to VPN.

So it is _not_ the same CA? Which version of GP are you/they on? May need to upgrade, or reach out to aupport

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

5.2.3 GP originally.  I upgraded to 5.2.4 GP and still have the same issue.  Their is no prompt to choose the user certificate / username with the GP client.  If I connect to the firewall web gui, I do get a prompt about which user certificate to use.

I have 2 different certs from the same CA and i do get a prompt on v5.24

 

 
 
 

aaprompt.png

If I completely uninstall 5.2.4 then install 5.2.3, I get the prompt.  Does this only appear the first time you connect?  Is there some setting that controls whether you are prompted once or every time?

It does prompt me on every connection, however....   i have a funny feeling that when i installed a second user cert from the same CA it just ignored it... as if it expected to use the one i had already been using prior to the second addition... and as far as i can remember i just connected to a different test portal for the first time to get the prompt.   I have never seen a setting to tweak this but GP client may be trying to do something clever in the background hence a re install resolution for yourself. I have seen a few odd things when chopping and changing user certs but normally rectified by pangps service restart.

I might be getting the prompt on every connection as it does not have a valid gateway because i only need to test the cert against a portal.

 

i will add a gateway later today and see if it goes away....   I only say this as picked this up from PAN docs..

 

 

When only one client certificate meets the requirements above, the app automatically uses that client certificate for authentication. However, when multiple client certificates meet the these requirements, GlobalProtect prompts the user to select the client certificate from a list of valid client certificates on the endpoint. While GlobalProtect requires users to select the client certificate only when they first connect, users might not know which certificate to select. In this case, we recommend you to narrow the list of available client certificates by certificate purpose (as indicated by the OID) and certificate store.

 

Thanks.  My temporary workaround is the uninstall and reinstall of GlobalProtect VPN, or manually adding and deleting user certificates.  I tried simply changing the portal, but didn't get prompted to choose between the user certificates

  • 1 accepted solution
  • 9156 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!