Globalprotect Portal failure

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Globalprotect Portal failure

L1 Bithead

I tried to replicate a Globalprotect portal setup from another site and it fails with the following message:

 

  • GlobalProtect portal(Kawailoa_Portal) setting is invalid: auth-profile exist(method none), client-cert-profile none(no username).
  • (Module: sslvpn)
  • Commit failed

 

What am I missing?

 

1 accepted solution

Accepted Solutions

I'm sorry but @emr_1's identification of the issue/resolution is incorrect.  (If your desire is only cert auth)

 

Like @Mick_Ball stated, if you're just wanting to do cert based auth you don't need anything in that main auth field.

 

 

Even @GIT_Sean mentioned the correct place as well.  For accuracy the correct "resolved" post should be identified.  (Now if you're doing more than cert auth and doing user auth as well then something is needed in the "Client Authentication" field)

 

Portal.PNGCert_Pro.PNG

View solution in original post

7 REPLIES 7

L5 Sessionator

You need to configure Client Authentication field.

gpportal.png

If you just require certificate authentication then you may need to modify your certificate profile username field.

Hi @GIT_Sean,

 

The error message tells you that you haven't configured any authentication method for the portal.

It is surprising that only the SSL/TLS service profile is required field on this tab, but actually you need to define authentication method.

 

You can configure:

- Client authentication pointing to specific authentication profile (for RADIUS, TACACS, LDAP etc)

- Client machine certificate authentication only

- Or both - authentication profile and machine cert (this will require the user to put his credentials and to provide valid machine certificate

 

Looking at the error message it seems you haven't selected any authentication profile. If I am guessing you have copy-pasted the set commands for the portal, but you have forgot to copy-past the set commands for the server profile and the relevant authentication profile. For that reason when you have put the set commands for the portal, the line for configuring the client authentication was referring to invalid auth profile, there for it is being set to none.

 

Double check the setup you are trying to replicate and confirm what type of authentication you are using.

Thanks for the quick replies everyone. It turned out, I had an Authentication profile created, but I had failed to select a type (was set to None). Set it to Local Database, and it works now.

I'm sorry but @emr_1's identification of the issue/resolution is incorrect.  (If your desire is only cert auth)

 

Like @Mick_Ball stated, if you're just wanting to do cert based auth you don't need anything in that main auth field.

 

 

Even @GIT_Sean mentioned the correct place as well.  For accuracy the correct "resolved" post should be identified.  (Now if you're doing more than cert auth and doing user auth as well then something is needed in the "Client Authentication" field)

 

Portal.PNGCert_Pro.PNG

That is true...I set @emr_1 as the solution because it made me check my Authentication profile again and I discovered the error there, I've updated the accepted solution as this is the most complete answer. 

IF we make cert profile to  use subject feild would it require user certificate for that ?

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |
  • 1 accepted solution
  • 8417 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!