Globalprotect Portal failure

GIT_Sean
L1 Bithead

I tried to replicate a Globalprotect portal setup from another site and it fails with the following message:

  • GlobalProtect portal(Kawailoa_Portal) setting is invalid: auth-profile exist(method none), client-cert-profile none(no username).
  • (Module: sslvpn)
  • Commit failed

What am I missing?



All Replies
emr_1
L4 Transporter

You need to configure Client Authentication field.

MickBall
L7 Applicator

If you just require certificate authentication then you may need to modify your certificate profile username field.

AlexanderAstardzhiev
L4 Transporter

Hi @GIT_Sean,

The error message tells you that you haven't configured any authentication method for the portal.

It is surprising that only the SSL/TLS service profile is a required field on this tab, but you actually need to define an authentication method.

You can configure:

- Client authentication pointing to a specific authentication profile (for RADIUS, TACACS, LDAP etc.)

- Client machine certificate authentication only

- Or both: an authentication profile and a machine cert (this will require the user to enter his credentials and to provide a valid machine certificate)

Looking at the error message, it seems you haven't selected any authentication profile. I am guessing you have copy-pasted the set commands for the portal, but you forgot to copy-paste the set commands for the server profile and the relevant authentication profile. For that reason, when you entered the set commands for the portal, the line configuring the client authentication referred to an invalid auth profile, and therefore it is being set to none.

 

Double check the setup you are trying to replicate and confirm what type of authentication you are using.
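
An added example, not part of any post in this thread and not Palo Alto Networks code: a pre-commit check for the failure discussed above, reading the commit error as requiring either an authentication profile whose method is not none or a certificate profile with a username field. The set-command shapes and all profile and portal names in the sample are constructed assumptions.

```python
# Constructed sample; the set-command shapes are assumed, not a real export.
SAMPLE = """\
set shared authentication-profile GP_Auth method none
set shared authentication-profile Site_Auth method local-database
set shared certificate-profile Machine_Cert use-crl yes
set shared certificate-profile User_Cert username-field subject common-name
set global-protect global-protect-portal Portal_A portal-config client-auth any authentication-profile GP_Auth
set global-protect global-protect-portal Portal_B portal-config client-auth any authentication-profile Missing_Auth
set global-protect global-protect-portal Portal_B portal-config certificate-profile Machine_Cert
set global-protect global-protect-portal Portal_C portal-config certificate-profile User_Cert
set global-protect global-protect-portal Portal_D portal-config client-auth any authentication-profile Site_Auth
"""

def _after(tokens, key):
    """Return the token following key, or None if key is absent or last."""
    i = tokens.index(key) + 1 if key in tokens else len(tokens)
    return tokens[i] if i < len(tokens) else None

def audit_portals(config_text):
    """Map each portal that would lack a usable auth method to the reason."""
    methods, certs_with_user, portals = {}, set(), {}
    for line in config_text.splitlines():
        tok = line.split()
        portal = _after(tok, "global-protect-portal")
        auth = _after(tok, "authentication-profile")
        cert = _after(tok, "certificate-profile")
        if portal:  # a portal line referencing a profile
            ref = portals.setdefault(portal, {"auth": None, "cert": None})
            ref["auth"] = auth or ref["auth"]
            ref["cert"] = cert or ref["cert"]
        elif auth and _after(tok, "method"):  # auth profile definition
            methods[auth] = _after(tok, "method")
        elif cert and "username-field" in tok:  # cert profile names a user
            certs_with_user.add(cert)
    findings = {}
    for name, ref in portals.items():
        # An undefined (dangling) auth profile is treated like method none.
        auth_ok = methods.get(ref["auth"], "none") != "none"
        cert_ok = ref["cert"] in certs_with_user
        if auth_ok or cert_ok:
            continue
        if ref["auth"] is None:
            why = "no auth profile"
        elif ref["auth"] not in methods:
            why = f"auth profile {ref['auth']} undefined"
        else:
            why = f"auth profile {ref['auth']} method none"
        findings[name] = f"{why}; cert profile {ref['cert']} gives no username"
    return findings
```

On the constructed sample, `audit_portals(SAMPLE)` flags Portal_A (profile type left at none) and Portal_B (profile not copied over), and passes Portal_C and Portal_D.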

GIT_Sean
L1 Bithead

Thanks for the quick replies everyone. It turned out, I had an Authentication profile created, but I had failed to select a type (was set to None). Set it to Local Database, and it works now.

Brandon_Wertz
Cyber Elite

I'm sorry but @emr_1's identification of the issue/resolution is incorrect. (If your desire is only cert auth)

Like @MickBall stated, if you're just wanting to do cert based auth you don't need anything in that main auth field.

Even @GIT_Sean mentioned the correct place as well. For accuracy the correct "resolved" post should be identified. (Now if you're doing more than cert auth and doing user auth as well then something is needed in the "Client Authentication" field)

 


GIT_Sean
L1 Bithead

That is true... I set @emr_1 as the solution because it made me check my Authentication profile again and I discovered the error there. I've updated the accepted solution, as this is the most complete answer.

MandarKulkarni
L4 Transporter

If we make the cert profile use the subject field, would it require a user certificate for that?

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 | CCIE-SEC-Attempted