How to migrate GlobalProtect from LDAP authentication to LDAP + Cert authentication


L3 Networker

Hi,

I am currently investigating the possibility to add an extra layer of protection on our GlobalProtect Clients.

Currently LDAP authentication is used, but I want to add an extra layer on top of this by using a certificate handed out to each user.

As we do not have that many clients I figured I might as well have the PaloAlto Firewall hand these out.

I would like to have an intermediate solution where I can test this first.

Do I need to set up an extra gateway to accomplish this? If I enable a Certificate Profile on the current gateway, then all my users will be blocked as they do not have a certificate yet. I noticed that I cannot have two gateways on the same IP address. What would be the best approach for this?


Remko

Accepted Solution

OK, just to confirm... to save some embarrassment...

you only get the error if you use certificate only authentication and forget to put a value in the username field of the certificate profile.


Mick.

7 REPLIES

L7 Applicator

Hmmmm... certificate auth is global to the gateway and portal.

I was thinking perhaps you could keep the portal auth just LDAP; then, for you as a user, you can give yourself a different gateway to test cert/LDAP auth, but with only one external address you are going to struggle.

I was hoping you could add :4433 to your new gateway address and then do something clever with a loopback address listening on port 4433.

I don't think this is possible, but some members of this forum have come up with some clever workarounds, so you never know; you could of course try it yourself.

If there are not many users, then just test out of hours or during a low-traffic period. I would just export/import the cert to yourself first and test; this will not affect current connections, only those connecting at the time of commit.

I do have the luxury of extra IP addresses, so I should be able to create a second gateway. Although I have not done this before, I should be able to copy some settings from the existing gateway. The initial setup was done by a consultant.

Let me give this a try. Thanks for your thoughts on this.


No problem...

Do you have a gateway license? This is required for multiple gateways.

If not, then just create a new test portal for yourself. This can then have its own gateway.

Please also note that if using cert auth along with LDAP, leave the "username field" in your cert profile as "none".

good luck....
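As an added example (not from this thread or from Palo Alto Networks): a small openssl preflight check that shows what a certificate profile would read from a user's certificate depending on how the username field is configured, so a user can be verified before the profile is switched. The function names, the field labels `none`/`cn`/`email`, and the demo certificate values are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes openssl (1.1.1 or newer) on PATH
# and PEM-encoded client certificates. The field labels below are illustrative
# stand-ins for the certificate profile's "Username Field" choices.

# Subject CN, as a profile reading the username from the Subject would see it.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null \
    | sed -n 's/^ *CN=//p' | head -n 1
}

# First rfc822Name (email) in the SAN, as a profile reading the SAN email would see it.
cert_san_email() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | grep -o 'email:[^, ]*' | sed 's/^email://' | head -n 1
}

# cert_username_ok CERT EXPECTED FIELD
#   none  -> cert + LDAP: the username comes from LDAP, nothing is required of the cert
#   cn    -> cert-only, username taken from Subject CN: it must equal the LDAP name
#   email -> cert-only, username taken from SAN email: it must equal the LDAP name
# Returns 1 (with a message on stderr) when the cert has no value in that field.
cert_username_ok() {
  cert=$1; expected=$2; field=$3
  case $field in
    none)  return 0 ;;
    cn)    got=$(cert_cn "$cert") ;;
    email) got=$(cert_san_email "$cert") ;;
    *)     echo "unknown field: $field" >&2; return 2 ;;
  esac
  if [ -z "$got" ]; then
    echo "certificate has no value in field '$field'" >&2
    return 1
  fi
  [ "$got" = "$expected" ]
}

# Constructed demo input: a throwaway self-signed user cert written to DIR/c.pem.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/k.pem" -out "$1/c.pem" \
    -days 1 -subj "/CN=remko/O=Example" \
    -addext "subjectAltName=email:remko@example.com" 2>/dev/null
}
```

Running `make_demo_cert /tmp/demo && cert_username_ok /tmp/demo/c.pem remko cn` exits 0; the same check against a cert whose CN is absent prints the "no value" message, which is the situation the accepted solution describes for cert-only auth.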

Learning something new everyday 🙂


I was not aware an extra license was required. So I need to create a new portal and a new gateway.

Will give this a try.

About your remark:

Please also note that if using cert auth along with LDAP, leave the "username field" in your cert profile as "none".


I want to have a certificate for each individual user. Basically as shown in this YouTube Tutorial from PaloAlto.

So the user needs to have the correct LDAP credentials and must be in possession of a valid name-based certificate.

Would this be possible?
