03-14-2019 04:38 AM
Hi All,
I am trying to demo pre-logon and am really struggling with the client certificate authentication side of things.
I've generated a Root CA on the firewall which has been imported into the Personal and Trusted Root Stores of the machine.
The portal is set to use this certificate via a certificate profile which has been configured.
Connect method has been set to pre-logon always on.
When I attempt to access the VPN on the desktop, I get the message "Required client certificate not found", despite the fact that the cert specified in the certificate profile is in all the right certificate stores.
Help! (GP Version 4.1.8)
Cheers,
Luke.
03-18-2019 07:08 AM
@Mick_Ball If you are only using the certificate profile on the portal, set the Username Field to "None" and only add the root certificate to the profile.
The Username Field is only needed if you are authenticating to the gateway with a certificate as well. The Subject is pulled from the certificate and is used as the "Username".
I normally set it up with a certificate profile on the Portal and LDAP with SSO on the gateway, which does not require that any information is pulled from the certificate.
This is how I've set up the certificates:
1. Imported Root CA and marked it as "Trusted"
2. Imported Intermediate CA that is signed by the Root CA
3. Made sure the client has a machine certificate (in the Personal computer store) that is signed by the Intermediate CA
4. Made sure the client has the Root CA & Intermediate in the local certificate store
5. Created a Certificate Profile, set the Username Field to None, added the Root CA
6. Add the Certificate Profile to the Portal and commit
I have not set it up on 7.1 before, so not sure what the difference could be.
03-19-2019 02:12 AM
@xen-pv, hi, thanks for the info.
I think we need to go back a step here, as I seem to have jumped into @LukeBullimore's call.
He logged a call regarding pre-logon. I suggested he just try to get basic auth working first with certificates, and he was unable to do this. I also tried to do this from scratch to explain exactly how I did it, but it also failed for me, yet I have been using it for many years on Windows (cert only) and iPad (cert and LDAP).
So, I am not using it for pre-logon, and I do need the subject set in the cert profile, as this CN determines which portal app config they get.
So to test, as I always have done, I just browse to the portal.
On my v7.x all is OK, but on my 8.0 and above it fails, so I am definitely missing something obvious.
Thanks again for your time, and sorry for the confusion...
03-19-2019 04:24 AM
OK, it seems that I had the same CN in my Forward Trust as I had in my trusted root CA for client certs. Not sure why this would cause an auth fail, as I clearly stated the trusted root CA in my cert profile.
I created a new root CA with a different CN (a secondary IP interface) and all certs work for both portals and gateways.
@LukeBullimore, not sure how you're getting on, but I will be happy to post a step-by-step config for cert auth if required. Can't help with pre-logon as I don't use it.
Laters...
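The script below is an added example and is not from any post in this thread; it uses the openssl CLI instead of the firewall's own certificate generator, and every name in it (GP-Root-CA, GP-Issuing-CA, lab-pc01.example.test, the passphrase changeit, the temp directory) is made up. It builds the root -> intermediate -> machine-cert chain from the six-step list above, exports the PKCS#12 that gets imported on the client, and then checks the properties a client-certificate handshake depends on: the leaf chains to the root the profile trusts only when the intermediate is available, the leaf carries the Client Authentication EKU that Windows expects on a certificate used for TLS client auth, the Subject CN is what a profile with Username Field set to Subject would read, and, for the duplicate-CN finding above, a second CA that merely shares the CN of the real root is a different trust anchor and does not validate the certificate. The thread does not say which side mis-selected the look-alike CA; the example only shows that name equality is not trust.

```shell
#!/bin/sh
# Added example (not from the thread): build and check a GlobalProtect-style
# client-certificate chain with the openssl CLI. Assumes openssl 1.1.1 or 3.x
# on PATH; every name, CN and passphrase below is made up for the demo.

WORK="${WORK:-$(mktemp -d)}"

# Extension profiles for CA certs and for the machine/user cert, plus the
# minimal [req] section that openssl req needs when -config is supplied.
write_conf() {
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# mkcert NAME CN ISSUER SECTION   (empty ISSUER = self-signed trust anchor)
mkcert() {
  write_conf
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" \
    -config "$WORK/ext.cnf" -out "$WORK/$1.csr"
  if [ -z "$3" ]; then
    openssl x509 -req -days 365 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$WORK/ext.cnf" -extensions "$4" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -days 365 -in "$WORK/$1.csr" \
      -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
      -extfile "$WORK/ext.cnf" -extensions "$4" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# Steps 1-4 of the list above: root, intermediate signed by the root, machine
# cert signed by the intermediate, and the chain that sits beside it on the client.
build_chain() {
  mkcert root   "GP-Root-CA"            ""    ca_ext
  mkcert inter  "GP-Issuing-CA"         root  ca_ext
  mkcert client "lab-pc01.example.test" inter client_ext
  cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
  # What gets imported on the Windows side: key + cert + issuing chain as PKCS#12.
  openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client.key" \
    -certfile "$WORK/chain.pem" -name "lab-pc01" \
    -passout pass:changeit -out "$WORK/client.p12"
}

# The profile holds only the root, so the intermediate must come from the
# client (or be imported on the firewall) for the chain to complete.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/client.pem" >/dev/null 2>&1
}
chain_fails_without_intermediate() {
  ! openssl verify -CAfile "$WORK/root.pem" "$WORK/client.pem" >/dev/null 2>&1
}
# EKU check: the leaf must be marked for TLS client authentication.
has_client_auth_eku() {
  openssl x509 -in "$WORK/client.pem" -noout -text |
    grep -q "TLS Web Client Authentication"
}
# What a profile with Username Field = Subject would read from the leaf.
subject_cn() {
  openssl x509 -in "$WORK/client.pem" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}
# A second root with the same CN but a different key is not the issuer.
lookalike_root_rejected() {
  mkcert root2 "GP-Root-CA" "" ca_ext
  ! openssl verify -CAfile "$WORK/root2.pem" -untrusted "$WORK/inter.pem" \
      "$WORK/client.pem" >/dev/null 2>&1
}
# Leaf + intermediate + root should all be inside the exported PKCS#12.
p12_cert_count() {
  openssl pkcs12 -in "$WORK/client.p12" -passin pass:changeit -nokeys 2>/dev/null |
    grep -c "BEGIN CERTIFICATE"
}

main() {
  build_chain
  chain_verifies                   && echo "chain verifies against root + intermediate"
  chain_fails_without_intermediate && echo "chain does not verify from the root alone"
  has_client_auth_eku              && echo "EKU includes clientAuth"
  echo "username field (Subject CN): $(subject_cn)"
  lookalike_root_rejected          && echo "look-alike root with the same CN is rejected"
  echo "certificates in PKCS#12: $(p12_cert_count)"
}
main
```

The PKCS#12 written by OpenSSL 3.x uses AES-256 with PBKDF2 by default; if an older Windows build refuses to import it, re-export with `openssl pkcs12 -export -legacy ...` (an OpenSSL 3 option that loads the legacy provider). When the import succeeds, the machine certificate should land in the Local Computer Personal store and the two CA certificates in Trusted Root and Intermediate respectively, which is what steps 3 and 4 above describe.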
03-19-2019 06:58 AM
Hey Mick,
I actually was doing the same thing with Forward Trust and thought mine would be fixed as yours was, but unfortunately not.
I have:
Self-signed Root and Intermediate certificate on the FW, which are added to the cert profile
Certificate signed by the intermediate imported onto the client machine in the Personal and Trusted Root stores
Still get "client certificate not found". What am I doing wrong!!
03-19-2019 07:02 AM
Luke, Hi.
Firstly, mine is signed by the root; I don't have an intermediate, never needed it...
Secondly, are you exporting the client cert in PKCS12 format?
03-19-2019 07:09 AM
Hi Mick,
Just tried with no intermediate; same result.
I'm importing it as a PKCS12, yep.
03-20-2019 05:15 AM
Me again....
Just to let you know I have had a strange time with this: as soon as I get it working and remove certs and generate new ones following the exact same process, it fails with "client cert not available".
I have it working now, but had to remove the cert profile and certs, commit and reboot the Palo, and add new certs from scratch, and now it's working.
You may not have this luxury, as I am on a couple of test boxes...
But to confirm, to get basic cert auth working, this is all I needed to do:
Create a self-signed root CA on the Palo.
Add the new CA cert to a cert profile.
Modify the portal and gateway to use the new cert profile.
Generate a user cert signed by my new CA, export this as PKCS12 and import it onto the laptop/PC.
I have done this several times over the past couple of days and had so many issues, even though I use the same pattern every time.
It's a shame there is no better cert auth debug to say what the Palo is expecting and the client is offering.
sorry I cannot help any further.
12-10-2019 12:48 PM
I had the exact same issue (error message) and spent hours upon hours working on the issue. Finally broke down and called support. They said you need to have the cert profile enabled under the authentication tab for both the Portal AND the Gateway. I was like, no, that won't fix it.... Well, I was wrong: as soon as I also enabled the cert profile on the Gateway (I only had it enabled on the Portal), it immediately worked. I was like, damn! So anyway, check that!
07-02-2024 01:23 PM
That worked for me as well! Thanks.