How to configure per-client certs on GlobalProtect?

L7 Applicator

you have been busy,,, nice one.


prepare to hit a wall.....


if using client auth profile you will need to set cert profile username field to none....


however... not sure what would happen if cn in cert is the same as the ldap username.


I need to ask.... do you need this to work. seems a bit odd identifying the user name twice...


i would have thought that ldap + device cert would suffice. 

L5 Sessionator


I see that you succesfully setup user auth with client certificates and LDAP, where username matches LDAP login. I succeeded in that as well.


Did you do any testing with Subject Alt - Email? because I have situation where I can't control CA and can't put LDAP usernames in certificate subject. However each certificate has email in subject alternative name attribute. But no matter what i select, PA keeps using subject field as username. Tested on 8.0.8 and 8.0.10.



L2 Linker

@santonic I tested your very question out on the previous page. All I got to work was having the CN match the username.


Alternatively, you can run a patched version of openconnect, which doesn't enforce username matching.


Caveat: in my opinion, that GP is relying on the client to enforce an InfoSec rule is a bug. After some run-around, Palo Alto agreed that this was a bug, so they might fix it one day if they haven't already.

L5 Sessionator

Ok ty. Seems it is a bug then. But I would hope they would fix it since November. Especially as it seems to me they only need to read different field from cert.


I'll open a case to see if any progress has been made on this.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!