Logon Method for mixed users using certificates

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Logon Method for mixed users using certificates

L4 Transporter

Hello ,

 

I have a requirement ,  Currently both Internal and external users ( both are AD users) connect to GP via their AD user name and Password

 

Requirement is enroll Machine certificate to Internal Users and a Common Certificate issued by Palo Alto Generate Root CA to all External users

 

Internal Users are having Machine Certificate issued by PKI on their Windows 10 

 

External Users have a Common User certificate in their User certificate store. Certificate Profile is OK and has Root CA certificate from PKI and PA Root CA

 

So my queries are :

 

1) Can I still use Logon Method as User Logon ( Always on )  as a common method for both types of users ? the requirement is that the certificate check should not kick in until user logs in ?

 

2)  Client Certificate Store Look up is User and Machine :: So that it checks for both Spaces and find a certificate in one of the store

 

Is this OK ?  

 

In the config selection criteria , 

 

I have selected the User Groups ( mix of both internal and external) . Do i need to change it Pre-logon ? 

2 REPLIES 2

Cyber Elite
Cyber Elite

@FWPalolearner,

1) Can I still use Logon Method as User Logon ( Always on )  as a common method for both types of users ? the requirement is that the certificate check should not kick in until user logs in ?

Yes, but if you are going through and deploying machine certificates to machines it makes more sense in the majority of situations to go with pre-logon. Obviously if that doesn't meet your requirements you can stick with User Logon but I really recommend looking into pre-logon since you've already done all of the work for these internal clients. 

 

2)  Client Certificate Store Look up is User and Machine :: So that it checks for both Spaces and find a certificate in one of the store

Correct. The thing to keep in mind here though is that anything in the user certificate store that actually matches your certificate profile is going to take priority over the machine certificate.

 

I have selected the User Groups ( mix of both internal and external) . Do i need to change it Pre-logon ? 

Only if you are actually going to deploy pre-logon mode. The thing to make sure here in testing prior to actual deployment is that the user is going to be identified from the certificate as you actually expect it to be for the users. It's not abundantly clear if you're talking about just doing certificate authentication for the internal users or if you plan on doing a certificate AND credential deployment instead. 

 

Talking about internal and external just has me curious on what you actually mean by this. Generally you would want to see an internal and an external gateway configured if you are actually utilizing GlobalProtect for internal hosts. So you might only have one portal address, but you would have two separate gateway configurations. It kind of sounds like you are lumping your internal and external GlobalProtect clients on one gateway, which would be somewhat odd from a deployment. Is that just odd word choice, or what was the reason behind the sole gateway deployment? 

@BPry  thanks for your reply.

 

The goal is to use both AD creds plus certificate check 

 

Corp users have machine certificate

Non corp users have user certificate

 

1) if I use user logon  for a machine certificate ,how the gp willl check the certificate?

 

I understand that prelogon is preferred way .

 

If I use prelogon then I need three rules in total on agent configuration:

 

1) prelogon to be selected under user/ user group

Logon method prelogon and certificate store look machine only

2) specific users under user/ user group .

Logon method prelogon and certificate store look machine only

 

3) specific users under user/ user group and logon methods user logon and certificate store look user only.

 

Gatway and portal use same interface .

 

 

 

 

 

 

  • 2034 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!