GlobalProtect with Certificate Profile


L3 Networker

GlobalProtect with Certificate Profile

I have configured GlobalProtect to use an Authentication Profile using LDAP (sAMAccountName) and a Certificate Profile.

I have user certificates pushed through Group Policy. The configuration works. However, I noticed a few things:

1) If I log in as UserA and delete the certificate from UserA's personal store, the VPN will not connect (this is expected).

2) If I log in as UserA, delete UserA's certificate and import UserB's certificate, the VPN connects! (this is unexpected)

The easy and obvious solution is to not allow export of certificates. I feel there should be a way to prevent this scenario from connecting, but I haven't been able to figure it out.

Accepted Solutions
L3 Networker

Do you have a Username Field specified in your Certificate Profile?

If you do, the Username field in the GP Client should be locked and you would need to use UserB's password to log in.


All Replies
L3 Networker

@asilliker I tried setting the Username Field in the Certificate Profile to Subject Alt. It surely fixes the username issue, as it will cause the username to be username@mydomain.com and greyed out. The problem is that it will never accept the user's password, even if it's the right username/password combo.
L3 Networker

Duh, me. I figured it out: my Authentication Profile needed to be changed from sAMAccountName to userPrincipalName.
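
The behaviour worked out across the posts above (no Username Field lets UserA connect with UserB's certificate; Username Field = Subject Alt locks the username to the cert's UPN, which then only authenticates when the Authentication Profile's LDAP attribute is userPrincipalName rather than sAMAccountName) modelled as a small added example. This is not PAN-OS code and not any poster's configuration: the directory entries, user names, passwords, the `ClientCert` fields and the `"subject"` / `"subject-alt"` setting names are constructed here to reproduce the thread's observations.

```python
"""Model of how a GlobalProtect-style gateway ties a client certificate to the
password-authenticated user. Added illustration only: not PAN-OS code, not a
poster's configuration. Directory entries, certificate fields and passwords
below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample directory with the two AD attributes the thread compares
# as the Authentication Profile's LDAP login attribute.
DIRECTORY = {
    "usera": {"sAMAccountName": "usera",
              "userPrincipalName": "usera@mydomain.com",
              "password": "A-secret"},
    "userb": {"sAMAccountName": "userb",
              "userPrincipalName": "userb@mydomain.com",
              "password": "B-secret"},
}


@dataclass
class ClientCert:
    """Identity fields of a user certificate (constructed values)."""
    subject_cn: str
    san_upn: str            # otherName UPN carried in the Subject Alternative Name
    issuer_trusted: bool = True


def ldap_bind(login_attr: str, username: str, password: str) -> bool:
    """Simulate the LDAP server: find the entry whose login_attr equals
    username, then accept only that entry's password."""
    for entry in DIRECTORY.values():
        if entry[login_attr].lower() == username.lower():
            return entry["password"] == password
    return False


def gateway_login(cert: Optional[ClientCert], typed_username: str, password: str,
                  cert_username_field: Optional[str], ldap_login_attr: str
                  ) -> Tuple[bool, Optional[str]]:
    """Return (allowed, effective_username) for one login attempt.

    cert_username_field models the Certificate Profile's 'Username Field':
    None (not set), 'subject' (use the CN) or 'subject-alt' (use the SAN UPN).
    ldap_login_attr models the Authentication Profile's LDAP login attribute.
    """
    if cert is None or not cert.issuer_trusted:
        return False, None                 # observation 1: no valid cert, no VPN
    if cert_username_field is None:
        # Without a Username Field the certificate only proves "some trusted
        # cert is present"; the typed username is what gets authenticated, so
        # nothing binds the cert's identity to the credential's identity.
        user = typed_username
    elif cert_username_field == "subject":
        user = cert.subject_cn
    elif cert_username_field == "subject-alt":
        user = cert.san_upn                # username locked to the cert's UPN
    else:
        raise ValueError(f"unknown username field {cert_username_field!r}")
    return ldap_bind(ldap_login_attr, user, password), user


CERT_A = ClientCert("UserA", "usera@mydomain.com")
CERT_B = ClientCert("UserB", "userb@mydomain.com")


def observation_2_no_username_field():
    """UserA's credentials with UserB's certificate: connects (the unexpected case)."""
    return gateway_login(CERT_B, "usera", "A-secret", None, "sAMAccountName")


def san_with_samaccountname():
    """Username Field = Subject Alt but login attribute still sAMAccountName:
    the UPN 'usera@mydomain.com' matches no sAMAccountName, so even the right
    password is rejected."""
    return gateway_login(CERT_A, "usera@mydomain.com", "A-secret",
                         "subject-alt", "sAMAccountName")


def san_with_upn():
    """Same certificate, login attribute switched to userPrincipalName: works."""
    return gateway_login(CERT_A, "usera@mydomain.com", "A-secret",
                         "subject-alt", "userPrincipalName")


def swapped_cert_with_upn(password: str):
    """UserB's certificate after the fix: the username is locked to UserB, so
    only UserB's password gets in, whatever UserA types."""
    return gateway_login(CERT_B, "usera", password, "subject-alt", "userPrincipalName")


if __name__ == "__main__":
    print("no Username Field, swapped cert:", observation_2_no_username_field())
    print("Subject Alt + sAMAccountName:", san_with_samaccountname())
    print("Subject Alt + userPrincipalName:", san_with_upn())
    print("swapped cert, UserA's password:", swapped_cert_with_upn("A-secret"))
    print("swapped cert, UserB's password:", swapped_cert_with_upn("B-secret"))
```

The point the model makes: the Username Field is what turns "a trusted certificate is present" into "this certificate's identity must be the one that authenticates", and the field it pulls (a UPN from the SAN) has to be looked up against the matching directory attribute, which is why sAMAccountName fails and userPrincipalName succeeds.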

L1 Bithead

@ce1028 I am interested in getting the user certificate configured as well. Did you configure the user certificate yourself, or was it done previously by someone else? Just curious if you have tips or a good reference guide to set up the user certificate correctly. I've only been able to set up device certificates with ADCS, but I keep getting impersonation errors when trying to deploy user certificates. Any guide or reference point would be much appreciated.
L3 Networker

@harevalo_eog Yes, I did; it's been a long time since I've touched Certificate Services. See if this video helps you, at least from the ADCS side:

https://www.youtube.com/watch?v=S7IFp8cGOLs