GlobalProtect with Certificate Profile


L4 Transporter

I have configured GlobalProtect to use an Authentication Profile using LDAP (sAMAccountName) and a Certificate Profile.

I have user certificates pushed through Group Policy. The configuration works. However, I noticed a few things:

1) If I log in as UserA and delete the certificate from UserA's personal store, VPN will not connect (this is expected).

2) If I log in as UserA, delete UserA's certificate and import UserB's certificate, VPN connects! (this is unexpected)

The easy and obvious solution is don't allow export of certificates. I feel there should be a way to prevent this scenario from connecting, but haven't been able to figure it out.


5 REPLIES

L3 Networker (accepted solution)

Do you have a Username Field specified in your Certificate Profile?

If you do, the Username field in the GP Client should be locked and you would need to use UserB's password to log in.

@asilliker I tried setting the username field in the certificate profile to Subject Alt. It surely fixes the username issue, as it will cause the username to be username@mydomain.com and is greyed out. The problem is it will never accept the user's password, even if it's the right username/password combo.

duh me. I figured it out, my authentication profile needed to be changed from sAMAccountName to userPrincipalName
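The three configurations discussed in this thread, modelled as an added Python example (not Palo Alto code): the Gateway and Attempt names, the two directory accounts and their passwords are constructed for illustration, and the LDAP lookup is reduced to a dictionary search.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed AD directory: two accounts, each with both naming attributes.
# Passwords are plain strings only because this is a toy model of the flow.
DIRECTORY = [
    {"sAMAccountName": "usera", "userPrincipalName": "usera@mydomain.com", "password": "pw-a"},
    {"sAMAccountName": "userb", "userPrincipalName": "userb@mydomain.com", "password": "pw-b"},
]

@dataclass
class Gateway:
    # None = no Username Field in the Certificate Profile;
    # "subject_alt" = username taken from the UPN in the certificate's SAN.
    cert_username_field: Optional[str]
    # Attribute the Authentication Profile matches the username against.
    auth_attribute: str  # "sAMAccountName" or "userPrincipalName"

@dataclass
class Attempt:
    cert_upn: str        # UPN in the SAN of the certificate the client presents
    typed_username: str  # what the user typed (ignored once the field is locked)
    password: str

def gp_login(gw: Gateway, a: Attempt) -> bool:
    """Return True if the gateway would accept this login attempt."""
    if gw.cert_username_field is None:
        # No Username Field: the certificate only proves "a valid cert was
        # presented"; which account it belongs to is never tied to the login.
        username = a.typed_username
    else:
        # Username Field set: the GP client locks the username to the value
        # pulled from the certificate, binding the cert identity to the login.
        username = a.cert_upn
    # LDAP lookup by whichever attribute the Authentication Profile is set to.
    account = next(
        (u for u in DIRECTORY if u[gw.auth_attribute].lower() == username.lower()),
        None,
    )
    if account is None:
        # UPN username vs. sAMAccountName attribute: no match, so every login fails.
        return False
    # The password must belong to the account the certificate identified.
    return account["password"] == a.password
```

With the username field set, the sAMAccountName profile rejects everyone (the "never accepts the password" symptom), while the userPrincipalName profile rejects UserA holding UserB's certificate and accepts only UserB with UserB's password.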

@ce1028 I am interested in getting the User certificate configured as well. Did you configure the user certificate yourself or was it done previously by someone else? Just curious if you have tips or a good reference guide to set up the user certificate correctly. I've only been able to set up device certificates with ADCS but I keep getting impersonation errors when trying to deploy user certificates. Any guide or reference point would be much appreciated.

@harevalo_eog Yes, I did; it's been a long time since I've touched certificate services. See if this video helps you, at least from the ADCS side:

https://www.youtube.com/watch?v=S7IFp8cGOLs
