For details on cookie usage on our site, read our Privacy Policy
How to migrate GlobalProtect from LDAP authentication to LDAP + Cert authentication
- LIVEcommunity
- Discussions
- General Topics
- How to migrate GlobalProtect from LDAP authentication to LDAP + Cert authentication
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-19-2017 02:36 AM
Hi,
I am currently investigating the possibily to add an extra layer of protection on our GlobalProtect Clients.
Currently LDAP authentication is used but I want to add an extra layer on top of this by using a certificate handed out to each user.
As we do not have that many clients I figured I might as well have the PaloAlto Firewall hand these out.
I would like to have a intermediate solution where I can test this first.
Do I need to set-up an extra gateway to accomplish this? If I would enable a Certificate Profile on the current gateway then all my users will be blocked as they do not have a certificate yet. I noticed that I cannot have two gateways on the same IP adress. What would be the best approach for this?
Remko
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-19-2017 08:43 AM
ok just to confirm .... save some embarrassment...
you only get the error if you use certificate only authentication and forget to put a value in the username field of the certificate profile.
Mick.
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-19-2017 03:07 AM
hmmmm... certificate auth is global to the gateway and portal.
I was thinking perhaps you could keep the portal auth just LDAP, then for you as a user, you can give yourself a different gateway to test cert/ldap auth but with only one external address you are going to struggle.
I was hoping you could add :4433 to your new gateway address and then do something clever with a loopback address listening on port 4433.
I don't think this is possible but some members of this forum have come up with some clever workarounds so you never know, you could of course try it yourself.
If not many users then just test out of hours or during a low traffic period. I would just export/import the cert to yourself first and test, this will not affect current connections, only those connecting at the time of commit.
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-19-2017 04:53 AM
I do have the luxery of extra IP addresses so I should be able to create a second gateway. Although I have not done this before I should be able to copy some settings from the existing gateway. The initial set-up was done by a consultant.
Let me give this a try. Thanks for your thoughts on this.
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-19-2017 05:12 AM
No problem...
do you have a gateway license, this is required for multiple gateways.
If not then just create a new test portal for yourself. this can then have its own gateway.
please also note that if using cert auth along with with LDAP, leave the "username field" in your cert profile as "none".
good luck....
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-19-2017 05:23 AM
Learning something new everyday 🙂
I was not aware an extra license was required. So I need to create a new portal and a new gateway.
Will give this a try.
About your remark
please also note that if using cert auth along with with LDAP, leave the "username field" in your cert profile as "none".
I want to have a certificate for each individual user. Basically as shown in this YouTube Tutorial from PaloAlto.
So the user needs to have the correct LDAP credentials and must be in possesion of a valid name based certificate.
Would this be possible?
- EAP authentication for IPSec IKEv2 tunnel to VPN provider in General Topics
- Mac devices unable to authenticate to Global Protect in GlobalProtect Discussions
- What is source of SSO and how to stop it in Cloud Identity Engine Discussions
- Radius authentication not working in General Topics
- Azure SAML double windows to select account in GlobalProtect Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
