03-14-2019 04:38 AM
Hi All,
I am trying to demo pre-logon and am really struggling with the client certificate authentication side of things.
I've generated a Root CA on the firewall which has been imported into the Personal and Trusted Root Stores of the machine.
The portal is set to use this certificate via a certificate profile which has been configured.
Connect method has been set to pre-logon always on.
When I attempt to access the VPN on the desktop, I get the message "Required client certificate not found". Despite the fact that the cert specified in the certificate profile is in all the right certificate stores.
Help! (GP Version 4.1.8)
Cheers,
Luke.
03-14-2019 07:27 AM
not sure about pre logon stuff but for my certificate auth i created a root CA on the Palo, i then generated another certificate for a user that was signed by that CA.
I then exported the user cert in PKCS12 format and imported that cert into the computer or user personal store.
the original CA is in the cert profile listed under portal and gateway auth.
you will also need to ensure the GP portal app allows both user and comp store.
03-14-2019 07:34 AM
Hey @Mick_Ball
I've just tried this and unfortunately, I still get the same result. Was your user cert marked as a CA? Mine currently isn't.
Any other suggestions?
Thanks,
Luke.
03-14-2019 07:46 AM - edited 03-14-2019 07:47 AM
Hi,
Did you create a Root CA, Intermediate CA and Machine Cert so the whole certificate chain is complete?
Root and Intermediate need to be marked as CA.
If so you should be able to export the Machine Certificate as PKCS as MickBall mentioned and import it to your local certificate (computer) store.
Section B in the below link should help you with all the steps for certificate authentication.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK
Did you do any specific settings in the Certificate Profile? I've seen some strange issues if some of the boxes are marked.
/PV
03-14-2019 07:54 AM
no, my users certs are not CA they just show the CA as the issuer.
ok why dont you go back a step and forget the pre logon stuff and firstly just get the cert auth to work without pre logon.
the other info coming in from @xen-pv may be more helpful for pre logon as we do not actually use it.
03-14-2019 08:00 AM
sorry i meant to say go back a step just to test your cert auth, once you've got that sussed then add pre-logon.
03-14-2019 08:50 AM
Hi @Mick_Ball
I disabled prelogon and still get the same result.
I just tried with the full chain and still the same result. Self-signed root and intermediate on the firewall, both specified in the cert profile.
Generated a primary cert signed by the intermediate, exported to the client and stored in personal and trusted root and still get "Required client certificate not found"
Am I doing something wrong?
Thanks,
Luke.
03-14-2019 08:56 AM
do you get the same error when you browse https to the portal address
03-14-2019 09:37 AM
could you check the client machine cert to ensure it has something in the subject field.
03-14-2019 09:40 AM
also look in IE under options/content/certificates just to make sure you can see this cert if you import to the users personal store.
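An added example (not from the thread or from Palo Alto Networks) that builds the Root -> Intermediate -> client chain described a few replies up with openssl, exports the client cert as PKCS#12 and then checks what the replies above ask about: the chain verifies against the root, the client cert carries a Subject CN and a client-auth EKU, and the exported PKCS#12 actually contains the chain. All names, the export password and the temp paths are constructed for the demo; it assumes openssl 1.1.1 or later is on the PATH.

```shell
#!/bin/sh
# Demo: build root -> intermediate -> client cert chain, export PKCS#12,
# and verify the properties a GlobalProtect cert profile relies on.
# Everything here (names, password, paths) is constructed for the demo.
set -e
WORK=$(mktemp -d)

# Root CA (self-signed; "openssl req -x509" marks it CA:TRUE by default)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# Intermediate CA, signed by the root and explicitly marked as a CA
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
openssl x509 -req -days 365 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null

# Client (machine/user) cert: NOT a CA, has a Subject CN and a UPN-style SAN
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-laptop" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
printf 'subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:user@example.test\n' >> "$WORK/client.ext"
openssl x509 -req -days 365 -in "$WORK/client.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null

# Export as PKCS#12 with the chain included (this is what goes into the client store)
cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.pem"
openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
  -certfile "$WORK/chain.pem" -passout pass:demo -out "$WORK/client.p12"

# Returns 0 only if every property the cert profile depends on is present
check_client_cert() {
  # 1. full chain verifies: client <- intermediate <- root
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/client.crt" >/dev/null 2>&1 || return 1
  # 2. Subject field is populated (empty subject is a common "cert not found" cause)
  openssl x509 -in "$WORK/client.crt" -noout -subject | grep -q 'CN *= *demo-laptop' || return 1
  # 3. cert is usable for client authentication
  openssl x509 -in "$WORK/client.crt" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
  # 4. the PKCS#12 opens with the password and carries all three certificates
  [ "$(openssl pkcs12 -in "$WORK/client.p12" -passin pass:demo -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE')" = "3" ] || return 1
  return 0
}
cleanup_demo() { rm -rf "$WORK"; }

if check_client_cert; then echo "client cert and chain look good"; else echo "client cert check FAILED"; fi
```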
03-18-2019 04:15 AM
@LukeBullimore , did you manage to sort this out...
the reason i ask is that i too am having issues with cert auth on V8 whereas i had no issues on V7.
i cannot get basic cert auth working, never mind the pre-logon stuff...
03-18-2019 04:25 AM
Hey @Mick_Ball
I cannot get this to work either, basic cert auth.
I even had a scenario with a proper PKI setup and even then it wasn't working. There must be something I'm missing here!
03-18-2019 05:14 AM
Hey @LukeBullimore
Been away for a bit..
I have set up a working solution in 8.0 and 8.1 with only certificates. Also used certificates from an internal PKI, but that should not matter if you have exported the certificates to your client in the correct way.
How is your certificate-profile setup?
Is the Username field set to subject-alt and Principal Name?
You could try to set it up with simple logon with local-accounts to start with. When you have verified that you can connect to both Portal and Gateway you can go ahead and change the authentication on the Portal to only the certificate-profile. When that is in place you can also verify that pre-logon is working.
/xen-pv
03-18-2019 06:37 AM
@xen-pv , Hi.
I am also having the same issue, i just need cert auth for portal only.
I have it configured on 7.1.15 for GlobalProtect using both PKI for windows users and Self Signed for IPad users.
I am doing exactly the same process on 8.0.10 but cert auth is failing, @LukeBullimore seems to be having a similar issue so I'm also sure i've missed something simple....
I have generated a self cert, as a CA.
I have then generated a user cert signed by the above and entered a CN.
I have exported/imported as PKCS12 onto my laptop user store.
I have a cert profile set to subject common-name and added this profile to my portal auth page...
this is a replication of what I have done on 7.1x so completely stumped.....
thanks in advance