05-09-2012 08:59 AM
Currently we have a beta-environment for GlobalProtect-VPN on Windows7 (64bit).
Authentication with LDAP works fine.
But we want to use a client-certificate (user) from our internal Windows-PKI which is already rolled out to the endpoints.
Where can i find a complete step-by-step-guide?
Thanks for your help
05-09-2012 11:02 PM
I am sorry. I know this guide but it doesn't cover my needs.
It starts on page 6 with "In this example the firewall is configured as CA server and this certificate to sign Gateway and Client certificates." - the guide is quiet good and it works with this configuration.
But we need it working together with our internal Windows-PKI and the depending client-certificates.
In the best case it works in the same way with iOS-devices (also with an already rolled out client-certificate).
05-14-2012 04:24 PM
The client certificate that is used internally in GlobalProtect is provided to the client through the GlobalProtect Portal. If you'd like to use a client certificate from your PKI here, you have to import into the Portal including the private key. The certificate is actually shared across all GlobalProtect clients in your deployment to ensure that only clients from your deployment can connect to your configured GlobalProtect Gateways. It doesn't provide true machine authentication and authorization as you are looking for.
05-15-2012 01:24 AM
Thank you. This is a bit disappointing that there is no way to fully use the Windows-PKI.
Could it be possible to use RADIUS instead?
05-15-2012 04:30 PM
Yes, you can use RADIUS (secure ID) as a secondary means of authentication. Ensure that the username for the RADIUS authentication is configured for the GP gateway stage and is the same as that which is used at the portal stage as you will not be prompted to add the username at the Gateway level
You will however will allowed to enter the password and here is where you'd enter the RADIUS secure ID one time password as the password
05-15-2013 04:39 AM
Will their be a working together with an internal Windows-PKI in future PANOS versions?
We are looking at IOS and Android devices using an individual client certificate.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!