I have configured GlobalProtect to use Authentication Profile using LDAP (sAMAccountName) and a Certificate profile.
I have user certificates pushed through Group Policy. The configuration works. However, I noticed a few things:
1) If I login as UserA and delete the certificate from UserA's personal store, VPN will not connect (this is expected)
2) If I login as UserA, delete UserA's certificate and import UserB's certificate, VPN connects! (this is unexpected)
The easy and obvious solution is don't allow export of certificates. I feel there should be a way to prevent this scenario from connecting, but haven't been able to figure it out.
@asilliker I tried setting the username field in the certificate profile to Subject Alt. It surely fixes the username issue, as it will cause the username to be firstname.lastname@example.org and is greyed out. The problem is it will never accept the user's password, even if it's the right username/password combo.
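The behaviour in the original post (UserB's certificate accepted alongside UserA's LDAP login) and the Subject Alt username fix in the reply above both come down to one check: the identity carried in the client certificate has to be bound to the account whose password was just verified. The following is an added example, not Palo Alto or GlobalProtect code, showing that binding in isolation. It assumes the third-party `cryptography` package is installed; the two self-signed certificates, the UPN values and the `DIRECTORY` table (a stand-in for an LDAP lookup of userPrincipalName to sAMAccountName) are constructed test data.

```python
"""Bind the client certificate identity to the LDAP-authenticated user.

Added example (not Palo Alto code). Uses the third-party `cryptography`
package (assumption: `pip install cryptography`). The certificates and the
UPN -> sAMAccountName table below are constructed test data.
"""
import datetime
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Microsoft User Principal Name otherName OID, the SAN form ADCS user certs carry
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")

# Constructed stand-in for an LDAP lookup of userPrincipalName -> sAMAccountName
DIRECTORY = {
    "first.last@example.org": "usera",
    "other.person@example.org": "userb",
}


def make_user_cert(common_name: str, upn: str) -> bytes:
    """Build a self-signed cert shaped like an ADCS user cert (CN + UPN SAN)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    # The otherName value is DER: UTF8String tag 0x0c, short-form length, bytes
    upn_bytes = upn.encode("utf-8")
    assert len(upn_bytes) < 128, "short-form DER length only in this example"
    upn_der = b"\x0c" + bytes([len(upn_bytes)]) + upn_bytes
    now = datetime.datetime.utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(
            x509.SubjectAlternativeName([x509.OtherName(UPN_OID, upn_der)]),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def cert_upn(pem: bytes) -> Optional[str]:
    """Return the UPN carried in the certificate's SAN, or None if absent."""
    cert = x509.load_pem_x509_certificate(pem)
    try:
        san = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName
        ).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        # Only accept a well-formed UTF8String; anything else is not an identity
        if other.type_id == UPN_OID and other.value[:1] == b"\x0c":
            length = other.value[1]
            return other.value[2:2 + length].decode("utf-8")
    return None


def authorize(pem: bytes, ldap_username: str) -> bool:
    """Accept only when the cert's UPN resolves to the same account that passed
    LDAP password authentication (sAMAccountName compared case-insensitively).

    This is the check that is missing when the certificate profile and the
    authentication profile are evaluated independently: a valid certificate for
    a different user plus a valid password for this user must not add up."""
    upn = cert_upn(pem)
    if upn is None:
        return False  # no identity in the cert: nothing to bind to
    account = DIRECTORY.get(upn.lower())
    return account is not None and account == ldap_username.lower()


if __name__ == "__main__":
    cert_a = make_user_cert("usera", "first.last@example.org")
    cert_b = make_user_cert("userb", "other.person@example.org")
    print("UserA cert + UserA login:", authorize(cert_a, "UserA"))   # True
    print("UserB cert + UserA login:", authorize(cert_b, "UserA"))   # False
```

The lookup table is where a real deployment differs: the reply above hit exactly this mapping problem, because the UPN extracted from Subject Alt (firstname.lastname@example.org) is not the sAMAccountName the LDAP profile authenticates against, so the gateway needs a directory attribute that ties the two together rather than a string comparison on the raw certificate value.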
@ce1028 I am interested in getting the user certificate configured as well. Did you configure the user certificate yourself, or was it done previously by someone else? Just curious if you have tips or a good reference guide to set up the user certificate correctly. I've only been able to set up device certificates with ADCS, but I keep getting impersonation errors when trying to deploy user certificates. Any guide or reference point would be much appreciated.