How to configure VPN login via unique certificate and LDAP authentication with enterprise CA server



L0 Member

Hello, currently our network team is setting up a Palo Alto FW and VPN for users; VPN users will use the GlobalProtect client to connect to the intranet. The environment is as below:

  1. Certificates are required to be managed by the enterprise CA server (domain), based on unique user name
  2. All the users are using non-domain machines but have domain user accounts for accessing the intranet

What we have done so far:

From Palo Alto, generated a CSR and had it signed by the enterprise CA server, then imported it as the server cert, e.g. named A. Also imported the enterprise root CA as a trusted CA, named cert B.

We created a certificate profile with username field: subject common-name, and CA certificate: cert B. OCSP will be configured later.

We used the user1 account to request a user1 cert from the enterprise CA web portal and confirmed it has been installed in the correct location.

For the portal configuration, we selected A as the server certificate and selected the authentication profile and certificate profile, but we are not sure how to select the client certificate. Do we choose the enterprise root CA (cert B), or do we need to export the user1 cert from his PC and import it to Palo Alto as well? Which format do we need to take care of during the export and import?


L4 Transporter

Hi Leo_yuanyang,

Try checking these articles:

Set up 2FA (client certificate)

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/set-up-the...

Set up client certificate authentication

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/set-up-the...

You'll need an auth profile based on your LDAP server (or an alternative) and a certificate profile that has your client certificates & root CA in it. In the user name field of your certificate profile, select the appropriate value for where you have configured the username to be in your certificates.

When your user tries to authenticate they will present their client certificate for authorisation, and if the username in the configured certificate value matches what your LDAP/auth profile service is expecting then you will be authenticated. Just make sure your certificate profile is applied to your GP components.

hope this helps,

Ben
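As an added illustration (not code from the original post, and not PAN-OS or Palo Alto Networks code), the Go program below mimics what a certificate profile with username field = subject common-name does with a presented client certificate: it builds the chain back to the CA certificate configured in the profile (the enterprise root CA imported as cert B above), rejects anything not issued by that CA, and then reads the CN as the username that is handed to the LDAP authentication profile. Only the issuing CA is trusted; no individual user certificate (user1) has to be imported for this to work. The CA and user certificates are generated in-process with hypothetical names ("Enterprise Root CA", "Unrelated CA", "user1"), and, like a profile with no OCSP or CRL configured yet, the check does no revocation lookup, so a revoked user1 certificate would still be accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mintCA creates a self-signed CA; it stands in for the enterprise root CA
// that the thread imports on the firewall as "cert B" (hypothetical name).
func mintCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// mintClientCert issues the kind of user certificate the enterprise CA web
// portal hands out: a client-auth end-entity cert with the user name in the CN.
func mintClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// UsernameFromClientCert is the certificate-profile step: trust only the CA
// certificates in the profile, require a valid client-auth chain to one of them,
// then return "subject common-name" as the username handed to the LDAP
// authentication profile. No revocation (OCSP/CRL) check is done here.
func UsernameFromClientCert(profileCAs []*x509.Certificate, presented *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	for _, ca := range profileCAs {
		roots.AddCert(ca)
	}
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := presented.Verify(opts); err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	if presented.Subject.CommonName == "" {
		return "", fmt.Errorf("client certificate has no subject CN to use as username")
	}
	return presented.Subject.CommonName, nil
}

func main() {
	entCA, entKey, err := mintCA("Enterprise Root CA")
	if err != nil {
		panic(err)
	}
	otherCA, otherKey, err := mintCA("Unrelated CA")
	if err != nil {
		panic(err)
	}
	profile := []*x509.Certificate{entCA} // only cert B goes in the profile, no user certs

	user1, _ := mintClientCert(entCA, entKey, "user1")
	name, err := UsernameFromClientCert(profile, user1)
	fmt.Println("enterprise-issued cert ->", name, err) // user1 <nil>
	lookalike, _ := mintClientCert(otherCA, otherKey, "user1") // same CN, wrong issuer
	_, err = UsernameFromClientCert(profile, lookalike)
	fmt.Println("other-CA cert ->", err) // rejected: signed by unknown authority
}
```

The second case is the one to keep in mind when answering "which certificate do I select": because trust is anchored at the CA, anyone who can obtain a certificate from that CA with CN=user1 is accepted as user1, so the enterprise CA's enrolment policy (who may request which CN) and, later, OCSP/CRL checking in the certificate profile are what actually bind a certificate to a single LDAP account.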
