06-12-2014 06:12 AM
We are running Global Protect with pre-logon. The GP Portal needs to allow users to log in from "clean" computers without machine certificates, and at the same time allow the pre-logon user (and other users) to authenticate with a machine certificate. In 5.0 this was done by using a certificate profile with the username field set to "none".
This was working fine in 5.0, but after upgrading to 6.0 I get a "valid certificate is required" when accessing the GP portal page through a web-browser.
I found the following article describing the change in default behavior from 4.1 to 5.0 due to the implementation of pre-logon:
GP Portal No Longer Prompting for Client Certificates Following PAN-OS v5.0.x Upgrade
Has this been changed again in 6.0? How can I get a Global Protect Portal to support both user/password and machine certificate authentication in 6.0?
06-17-2014 08:41 AM
I'm trying to figure this out as well. I've been working on this for a day or so now with no luck. I'll let you know if I am able to figure it out. Hopefully someone from PA can offer some assistance.
06-17-2014 09:44 AM
Okay, I finally got it to work. I followed the config in the Global Protect admin guide for 6.0 and downloaded the latest client, and I can see that it works now.
06-17-2014 12:53 PM
Thanks for your reply!
Are you able to authenticate to the portal using both username/password and computer/client certificate?
Or are you using just username/password for the portal? I read through the admin guide one more time, and it seems like I got it wrong, and that you don't need a certificate profile on the portal for pre-logon after all. Is this correct?
"After authentication succeeds, the portal pushes the client configuration to the agent along with a
cookie that will be used for portal authentication to receive a configuration refresh. Then, when a client system
attempts to connect in pre-logon mode, it will use cookie to authenticate to the portal and receive its pre-logon
06-17-2014 02:45 PM
Ensure that the certificates and their signer certificates (in a chain) are all included in the GP Portal >> Client Configuration >> Root CA section. That became mandatory in the later versions of PAN OS v5.0x
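As an added illustration of the point above (not part of the original reply), the script below builds a constructed root CA, intermediate CA and machine certificate with openssl, then checks the machine certificate against a CA bundle containing only the root versus one containing the full signer chain. All names and file paths are made up for the demo.

```shell
#!/bin/sh
# Constructed demo: a machine cert issued by an intermediate CA does not
# validate when only the root is trusted; the intermediate must be included
# in the trusted CA set as well (the same requirement as the portal's Root CA list).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA (req -x509 marks it CA:TRUE by default)
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Demo Root CA" -days 30 2>/dev/null

# Intermediate (issuing) CA signed by the root, with CA extensions
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Issuing CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out inter.crt -days 30 -extfile ca.ext 2>/dev/null

# Machine certificate signed by the intermediate (hypothetical hostname)
openssl req -newkey rsa:2048 -nodes -keyout machine.key -out machine.csr \
  -subj "/CN=laptop01.example.test" 2>/dev/null
openssl x509 -req -in machine.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -out machine.crt -days 30 2>/dev/null

# Two candidate trust bundles: root only, and root plus intermediate
cat root.crt > root_only.pem
cat root.crt inter.crt > full_chain.pem

# chain_ok BUNDLE CERT: exit 0 if CERT chains to a CA in BUNDLE, non-zero otherwise
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Show the two outcomes side by side
chain_ok root_only.pem machine.crt  && echo "root only:  OK" || echo "root only:  FAIL (issuer not found)"
chain_ok full_chain.pem machine.crt && echo "full chain: OK" || echo "full chain: FAIL"
```

Running it prints a failure for the root-only bundle and success once the intermediate is added, which is the situation to check for when the portal rejects a machine certificate as invalid.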