GlobalProtect 5.0 for iOS 12 and User Certificates

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect 5.0 for iOS 12 and User Certificates

L2 Linker

I have several customers (and my homelab) that leverage user certificates issued from Active Directory Certificate Authorities as a second authentication factor.  Since upgrading to the new 5.0 client for iOS, the client errors out on connection to the portal, indicating that the required certificate cannot be found.  If I attempt to connect to the same portal via the 4.1 client, it works flawlessly.  Upgrading to iOS12 prevents me from using the 4.1 client, and I fear that many of my customers' users will upgrade their own devices to iOS12, not knowing the problems this may cause.

 

Is anyone else having problems with user certificates and the new 5.0 client?

 

Thanks!

 

Mark Rosenecker

1 accepted solution

Accepted Solutions

L7 Applicator

This is expected, because of the way Apple changed the way certificates are handled in iOS 12 compared with 11 and older.

The new features guide talks about it under the "Authentication

 

https://www.paloaltonetworks.com/documentation/50/globalprotect/globalprotect-app-new-features/new-f...

 

The location of the certificates in iOS 11 is different than iOS 12, so you'll need to re-import the certs. The steps are different for admins who manage their devices with an MDM versus unmanaged devices.

View solution in original post

20 REPLIES 20

L7 Applicator

This is expected, because of the way Apple changed the way certificates are handled in iOS 12 compared with 11 and older.

The new features guide talks about it under the "Authentication

 

https://www.paloaltonetworks.com/documentation/50/globalprotect/globalprotect-app-new-features/new-f...

 

The location of the certificates in iOS 11 is different than iOS 12, so you'll need to re-import the certs. The steps are different for admins who manage their devices with an MDM versus unmanaged devices.

For MDM based client certificate deployments, please refer to the following link for more details:

 

https://www.paloaltonetworks.com/documentation/50/globalprotect/globalprotect-app-new-features/new-f...

 

These changes were pre-announced in July 2018 on live articles and also as part of GP App 5.0 Beta program.

Thank you, gwesson!  That was a very helpful post!  I will re-import my certs and check again.

 

I had only become aware of the new client when the old client had an "update".  When run on iOS 11, it exhibited the same problem (which makes sense, if it's looking in a non-existant location for the certs).  I chalked it up to a .0 bug.

Sarao,

 

I appreciate your reply, but there are a few things:

 

1) I'm not using an MDM, so that portion is not applicable to me (or my customers).

2) I never saw any pre-announcement about GP 5.0, and I'm a platinum partner, a CNSE (before it was called PCNSE) since 2012, and multiple-PSE certified engineer.  I was also at SKO a few weeks ago as well, and I didn't hear a thing about it.  Granted, I don't spend my days whiling away on Live Communities...

3) I obviously wasn't part of the beta program (otherwise I'd have found this problem long ago and resolved it).

 

Perhaps I was reading too much into your reply (it is 10pm, and I've been up since 3am), but there was a condescending tone to it that I did not appreciate.  If I am wrong, I am sorry for my misinterpretation.  If I am right, please exhibit more tact in the future, when addressing other professionals.

 

Thank you!

Hello all,

 

Can someone detail the steps they took to "reimport" the certificates for an unmanaged iOS device? I reimported the certs I use for Global Protect and I still can't authenticate to my Gateway. I used the same steps to import the certs that I've always used: email the certs to myself; import in this order: CA, Intermediate, Client; trust the CA under Settings>General>About>Certificate Trust Settings. I still get the same error I was getting before:

 

GlobalProtect gateway user authentication failed. Login from: xxx.xxx.xxx.xxx, Source region: US, User name: , Client OS version: Apple iOS 12.0, Reason: client cert not present, Auth type: profile.

 

BTW: I use two-factor auth in the form of local username/password and a shared client certificate.

 

Thanks.

Hi @icartwright, yeah, me too....

i have upgraded to ios 12 and gp 5 and removed all certs and re emailed and installed.

 

GP is stating no client certificate found but when i browse to my portal via safari it accepts the cert.

 

please update if you manage to resolve.

 

thanks.

Yep, emailing them won't work anymore. Apple removed the ability for VPN applications to access certs that are emailed as a standalone file (.p12, for example). The portal works from Safari because it's not initiating a VPN tunnel, so it can access the keystore.

 

You can deploy them using Apple Configurator in a .mobileconfig file, which CAN be emailed to be installed.

 

It's a pain, but it's universal with all VPN apps in iOS 12 (not just GlobalProtect).

@gwesson, hi.

many thanks for your reply and information, 

not really a pain as all our ipads are sent profiles via the cofigurator.

 

i was just playing with mine and i usually test cert auth by email.

 

i can of course still do this via safari but will now ensure that when our ipads are upgraded to V5 a new profile will follow.

 

once again, many thanks for your time and prompt reply.

So, that essentially means that I (and my customers) need to have a Mac or an MDM system, in order to distribute certificates.  That totally, utterly sucks.

 

#HackintoshTime

 

Thanks again, gwesson!  You've been an immeasurable help!


@gwesson wrote:

Yep, emailing them won't work anymore. Apple removed the ability for VPN applications to access certs that are emailed as a standalone file (.p12, for example). The portal works from Safari because it's not initiating a VPN tunnel, so it can access the keystore.

 

You can deploy them using Apple Configurator in a .mobileconfig file, which CAN be emailed to be installed.

 

It's a pain, but it's universal with all VPN apps in iOS 12 (not just GlobalProtect).


 

@gwesson @MarkRosenecker I wouldn't say that this is a universal issue for all VPN vendors... If one were to search the interwebs for KB43862 of a competitor's product, one would find instructions for how to use email to distribute the certificates and add them to the proper app so that they can be used with SSL VPN. This particular process does not work for GlobalProtect at the moment, but I would hope that PANW updates the GP app very soon to support it.

So, I was finally able to get it working, leveraging an old Mac and Apple Configurator 2.  It's not straightforward, but it is working.

 

Open Apple Configurator 2

Connect your iPhone via USB (you may be prompted to download and install an update...do this, and wait for it to complete successfully)

Create a new Profile (File -> New Profile)

Within the new profile, add your certificates (CA certificate, user certificate)

Within the new profile, create a VPN connection

         -Name the VPN connection GlobalProtect 2

         -Connection Type = Custom SSL

         -Identifier and Server are the DNS name of your GP Portal

         -Account is the username you're going to use (make sure it matches what's in the user cert)

         -Under User Authentication -> Authentication Type for Connection, select Certificate

         -Under Credential for Authenticating the Connection, select the certificate you added to the profile (user cert)

         -Save the profile and close the profile window

In the main Apple Configurator 2 window, double-click on your iPhone.

Click on the Profiles icon on the left

Click on the Add Profile button (or the plus in the top-right)

Select the profile you created above (this will push the profile to your iPhone)

You will likely be prompted to install the profile on your iPhone (it will need to be powered on and unlocked), and it will ask you for your passcode.

 

This is what worked for me...I finally got cert auth working again.  

 

Thanks to @gwesson for pointing me in the right direction!

How can we get this work if users only have Windows PC?

hmmm i think you can ren a Mac OS X emulator for Windows....

The steps from @MarkRosenecker above ended up working for me as well.  Initially I skipped the VPN profile steps, but found out that it is needed to make it work.  I am now seeing a new issue.  I have my PA3020 configured to allow saved passwords, however in the new 5.0 app, its prompt me for a password each time i connect.  Anyone else seeing the same behavior?

  • 1 accepted solution
  • 24048 Views
  • 20 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!