Global Protect Client Certificate Issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect Client Certificate Issue

L1 Bithead

Hi team

How can I implement in the Global Protect confuguration the use of client certificate and LDAP authentication as two factor authentication only for some user (or a user group) ? We had only rolled out private certificates from our PKI for some user that has access to sensitive services and these user should use their certificate as additional authentication for the global protect portal/gateway. All other user should able to connect without client certificate. How can I implent these scenario?

I only found this in the Global Protect portal/gateway configuration valid for all clients that connect.

Regards
Andrea 

8 REPLIES 8

L7 Applicator

Certificate authentication is global to all users. you can have either just certificate auth, just ldap auth or both cert and ldap but

you cannot have both cert only and cert plus ldap on the same portal/gateway.

 

you could just use certificate authentication on the portal and then depending on the user group you could issue a different gateway, one with cert auth and one with ldap auth.

 

you will need additional license for multiple gateways.

 

 

L7 Applicator

if you only need this for access to restricted services then just use a security policy to only allow access to those needed services.

Sure ! I have security policies that only allow the access to those people. But thats not the problem. The problem is that only a Username/password for authentication is not save enough for external access to the services. And I don't want to roll out hundred of private certificates for people that do not need this for access to non-sensitive services. For this scenario it would be helpful to have the additional certificate authorization only for restricted user.

 

Regards

Andrea

sure I understand.

 

what you are trying to configure is not possible on the same portal or gateway. 

 

Do you have a gateway license?

 

Or, could you have a different portals for the different users?

 

Actually we don't have gateway license.

And yes, I also thought about a different portal for this users but for this I need to add a second IP-address to the interface, is it right ?

 

Regards Andrea

yes it would be best to add second IP address but you may be able to configure a new portal and gateway on a loopback address. (so 2 portals on same interface but on different ports)

 

I have used it, it works well but i have never used it alongside an existing portal/gateway but should work.

 

here is a link but just search web for globalprotect loopback.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGKCA0

I would distribute certificates to all users. if using PKI then you can use Group Policy to install a certificate on domain logon.

 

 

 Unfortunately to most of the clients are Unix Computers ...
But thank you for providing the solution for the second portal ..I will check this .

 
Regards
Andrea
  • 3315 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!