Currently we have a beta-environment for GlobalProtect-VPN on Windows7 (64bit).
Authentication with LDAP works fine.
But we want to use a client-certificate (user) from our internal Windows-PKI which is already rolled out to the endpoints.
Where can i find a complete step-by-step-guide?
Thanks for your help
I am sorry. I know this guide but it doesn't cover my needs.
It starts on page 6 with "In this example the firewall is configured as CA server and this certificate to sign Gateway and Client certificates." - the guide is quiet good and it works with this configuration.
But we need it working together with our internal Windows-PKI and the depending client-certificates.
In the best case it works in the same way with iOS-devices (also with an already rolled out client-certificate).
The client certificate that is used internally in GlobalProtect is provided to the client through the GlobalProtect Portal. If you'd like to use a client certificate from your PKI here, you have to import into the Portal including the private key. The certificate is actually shared across all GlobalProtect clients in your deployment to ensure that only clients from your deployment can connect to your configured GlobalProtect Gateways. It doesn't provide true machine authentication and authorization as you are looking for.
Yes, you can use RADIUS (secure ID) as a secondary means of authentication. Ensure that the username for the RADIUS authentication is configured for the GP gateway stage and is the same as that which is used at the portal stage as you will not be prompted to add the username at the Gateway level
You will however will allowed to enter the password and here is where you'd enter the RADIUS secure ID one time password as the password
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!