12-08-2014 04:02 PM
Hi Guys,
Is there a way to make sure that the GP checks that the AD user name matches the certificate common name when using both AD and Cert profiles for authenticating users?
Thanks,
12-08-2014 04:05 PM
Hi x,
I think you can: while creating a certificate profile, you can set the username field to the (Subject) common name.
Hope it helps!
12-08-2014 04:24 PM
Thanks, that is what I have, although on iOS or Android it doesn't seem to be doing that check. I will confirm.
12-08-2014 09:01 PM
So as per TAC, there is no option to do this. They are two independent checks and are not tied together. I was told to submit a feature request.
12-08-2014 09:12 PM
Hi,
This should be possible in PanOS 6.0 - the following release notes describe a bug fix included in PanOS 6.0.0:
51091—Two-factor authentication (where both a client certificate profile and an authentication profile are configured) was not functioning as expected. The client was not required to provide the login credentials associated with the authentication profile after successfully authenticating with the client certificate.
Have you tested with Windows or Mac clients? Maybe there is a limitation with mobile clients.
12-08-2014 09:52 PM
That's what I'm looking for. I did test 6.0 (6.1) at one point and I remember that it was forcing me to use the username on the certificate but didn't realize this wasn't the case on version 5. I'm pretty sure it works on Windows so I need to confirm if it also works on non-windows machines. I'm hoping it will because this will be the solution.
Thanks so much for your help!
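The thread never shows what "tying the two checks together" actually looks like in code. The following is an added example written for this page; it is not code from the thread, from PAN-OS or from GlobalProtect, and it does not claim to be how the firewall implements the check. It parses the Subject of a client certificate (a DER-encoded X.501 Name, constructed inline as sample input) to extract the common name, then grants the login only when the password factor succeeded and the certificate's CN names the same principal as the AD username. The `normalize_login` rule (strip a `DOMAIN\` prefix and an `@realm` suffix, compare case-insensitively) is an assumption about how the CN and the AD username are written, not something the thread establishes; the helper names are likewise invented for this example.

```python
"""Bind the certificate-profile identity to the password-profile identity.

Added example for this page. Assumptions (not from the thread): the cert's
Subject CN carries the user's sAMAccountName or UPN, and the AD login name
may be written as 'user', 'DOMAIN\\user' or 'user@realm'.
"""
from __future__ import annotations

OID_COMMON_NAME = "2.5.4.3"  # id-at-commonName


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode DER OID contents into dotted form, e.g. b'\\x55\\x04\\x03' -> '2.5.4.3'."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def subject_common_names(name_der: bytes) -> list[str]:
    """Return every CN in a DER X.501 Name.

    Name ::= SEQUENCE OF RelativeDistinguishedName
    RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
    AttributeTypeAndValue ::= SEQUENCE { type OID, value ANY }
    """
    tag, rdns, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    cns: list[str] = []
    pos = 0
    while pos < len(rdns):
        tag, rdn, pos = _read_tlv(rdns, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            _, oid, q = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, q)
            if _decode_oid(oid) == OID_COMMON_NAME:
                cns.append(val.decode("utf-8"))   # UTF8String or PrintableString
    return cns


def normalize_login(name: str) -> str:
    """Reduce 'DOMAIN\\user', 'user@realm' and 'user' to lower-case 'user'.
    Assumption for this example: the bare account name is the identity to compare."""
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def login_allowed(ad_username: str, ad_password_ok: bool,
                  cert_subject_der: bytes | None) -> bool:
    """Both factors must pass AND name the same principal.

    Two independent checks (the behaviour TAC described) would accept a valid
    certificate for user A together with a valid password for user B. Binding
    them rejects that, and fails closed when the CN is absent or ambiguous.
    """
    if not ad_password_ok or cert_subject_der is None:
        return False
    cns = subject_common_names(cert_subject_der)
    if len(cns) != 1:
        return False
    return normalize_login(cns[0]) == normalize_login(ad_username)


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode a short-form DER TLV (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value


def make_subject(cn: str) -> bytes:
    """Constructed sample input: a DER Name holding a single CN RDN."""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode("utf-8")))
    return _tlv(0x30, _tlv(0x31, atv))


if __name__ == "__main__":
    subject = make_subject("jsmith@example.com")       # constructed, not a real cert
    print(subject_common_names(subject))               # ['jsmith@example.com']
    print(login_allowed("EXAMPLE\\jsmith", True, subject))  # True
    print(login_allowed("bjones", True, subject))            # False: cert/password mismatch
```

The mismatch case (`bjones` with a valid password presenting `jsmith`'s certificate) is exactly the gap the original poster was worried about: with the two profiles evaluated independently, both factors pass; with the CN bound to the login name, the request is refused.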