How to migrate GlobalProtect from LDAP authentication to LDAP + Cert authentication

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to migrate GlobalProtect from LDAP authentication to LDAP + Cert authentication

L3 Networker

Hi,

I am currently investigating the possibily to add an extra layer of protection on our GlobalProtect Clients.

Currently LDAP authentication is used but I want to add an extra layer on top of this by using a certificate handed out to each  user.

As we do not have that many clients I figured I might as well have the PaloAlto Firewall hand these out.

I would like to have a intermediate solution where I can test this first.

Do I need to set-up an extra gateway to accomplish this? If I would enable a Certificate Profile on the current gateway then all my users will be blocked as they do not have a certificate yet. I noticed that I cannot have two gateways on the same IP adress. What would be the best approach for this?

 

Remko

1 accepted solution

Accepted Solutions

ok just to confirm .... save some embarrassment...

 

you only get the error if you use certificate only authentication and forget to put a value in the username field of the certificate profile.

 

 

Mick.

View solution in original post

7 REPLIES 7

L7 Applicator

hmmmm... certificate auth is global to the gateway and portal.

 

I was thinking perhaps you could keep the portal auth just LDAP, then for you as a user, you can give yourself a different gateway to test cert/ldap auth but with only one external address you are going to struggle.

 

I was hoping you could add :4433 to your new gateway address and then do something clever with a loopback address listening on port 4433.

 

I don't think this is possible but some members of this forum have come up with some clever workarounds so you never know, you could of course try it yourself.

 

If not many users then just test out of hours or during a low traffic period. I would just export/import the cert to yourself first and test, this will not affect current connections, only those connecting at the time of commit.

I do have the luxery of extra IP addresses so I should be able to create a second gateway. Although I have not done this before I should be able to copy some settings from the existing gateway. The initial set-up was done by a consultant.

Let me give this a try. Thanks for your thoughts on this.

 

No problem...

do you have a gateway license, this is required for multiple gateways.

If not then just create a new test portal for yourself. this can then have its own gateway.

 

please also note that if using  cert auth along with with LDAP, leave the "username field" in your cert profile as "none".

 

good luck....

Learning something new everyday 🙂

 

I was not aware an extra license was required. So I need to create a new portal and a new gateway.

Will give this a try.

 

About your remark

please also note that if using  cert auth along with with LDAP, leave the "username field" in your cert profile as "none".

 

I want to have a certificate for each individual user. Basically as shown in this YouTube Tutorial from PaloAlto.

So the user needs to have the correct LDAP credentials and must be in possesion of a valid name based certificate.

 

Would this be possible?

 

i'm sure it would work, I only say this as I have no idea cos never tried...

 

not sure why you would need a user cert as well as LDAP. why not just a device cert. this is the same as user cert but all have same cert and doesn't use username field so no need to create a cert for each user.

 

also. i wonder what would happen if the user cert cn was different to the ldap name.

 

I have a feeling that the cn in the cert is ignored as long as the root CA for it is in the cert profile.

 

ah.. hold on...

 

I have just connected with my ipad via LDAP and user cert. the cn in the user cert is not the same as LDAP but still connected and connected as LDAP name. so yes it will work but dont see the point of assigning individual certs to users. just give them a global one.

 

when we first started using mixed auths we used to get a pop up saying username fiels is incorrect. this must have changed at sometime. hence my previous offering.

 

 

 

 

ok just to confirm .... save some embarrassment...

 

you only get the error if you use certificate only authentication and forget to put a value in the username field of the certificate profile.

 

 

Mick.

I have been playing with this some more and managed to get things working.

I created a ROOT certificate and two user certificates based on this ROOT certificate.

The user certificates have a Common-Name the same as there LDAP login username.

 

I created an extra tunnel, portal and gateway on a different external IP address and created a public DNS record.

On the Portal and Gateway I enabled a certificate profile which has the ROOT certificate defined and in the Username Field: Subject

 

Then I tested the connection without a user cert.

The connection failed as expected with the warning that no valid certicate was found.

When I imported the Certificate of  User "A" the userfield on Global Protect was automatically entered and greyed out.

The same when I delete the certicate of User "A" and import User "B".

 

So I believe that I got what I want. Thanks for pointing me out in the right direction!

 

I can tweak the settings some more to for example use SSO with the Windows Credentials. Then the user does not need to enter his password for the second time. This seems to also work as expected.

 

  • 1 accepted solution
  • 3688 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!