User-ID Connection Security Won't Work

L0 Member


UserID Agent version 9.0.5-8
Firewall 9.0.8

Windows Server 2016 UserID Agent Servers x2


I've tried following this guide and numerous others (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGFCA0)


I keep getting 'Failed to validate client certificate, thread : 1 , 5-10054!' as shown at the very bottom of the aforementioned support article, and I am seeing SSL failures in the system log of the firewall.


I've tried generating the cert about a hundred different ways and formats on the server/firewall, and I still get the issue. I've tried using IP, FQDN, Subject Alternative Name including IP, hostname, FQDN, one, all, or any. Port 5007 is open and the server worked previously. Now my certificate is stuck in the User-ID software and I can't delete it or use the server any longer with the firewall for regular User-ID, which is annoying. There is no delete/remove button to take the cert back out of the software, so I pretty much have to get this working now as I'm down to 1 User-ID box.


At this point I'm missing something fundamental, like a check box on the firewall or some hidden thing. I've installed certificates for decrypt in and out, the management address, and all sorts of certificates and never had any problems until this. Has anyone successfully set this up who can walk me through how you did it, so maybe I can see my error? I have heard that the IP address must be used in the SAN attribute, but that didn't work either.


L2 Linker

Hello TylerHay,


There are really no tricks...

Here's a working config I just did in my lab. It might give you an idea of what went wrong with your setup.


On the PA Firewall:

  • Create a CA root:
    Rievax_0-1601050933302.png

    No need to enter any other information, as this is only used to sign the self-signed cert created later.

  • Now, create the self-signed certificate. Make sure you sign it with the CA we just created. Enter at least the valid IP in the attributes to make this certificate valid:

    Rievax_1-1601051133513.png
  • You will end up with something similar:
    Rievax_2-1601051191317.png


  • Now, select the self-signed certificate (PA-UID-Cert in this case) and export it with the private key:
    Rievax_4-1601051308004.png


  • Now, create a certificate profile with no other information than the CA root that has been created:

    Rievax_5-1601051424446.png

  • Assign this certificate profile to the "Connection Security" tab:
    Rievax_6-1601051530439.png


  • You can now add the user ID agent configuration:
    Rievax_7-1601051658048.png
  • Commit the changes.


On the UserID server:

  • Add the certificate:
    Rievax_8-1601051838947.png


  • Save and commit the changes...
  • Go to "User Identification". After a few seconds, it should change the status to connected:
    Rievax_9-1601051944044.png


  • On the PA side, it says the same:
    Rievax_10-1601052001004.png


Hope that helps!

R.

Cyber Elite

Hello,

If this is mission critical I would say call TAC and get their assistance. While I have never set this up myself, I have set up other things and usually missed something simple; not saying you haven't gone over this a bunch of times.


Regards,

L2 Linker

Hi TylerHay,


I posted a full how-to earlier but it has never been published... There might be a delay or a bug somewhere in the forum...

Anyways, it should not be an issue.

Make sure the certificate you import in the client is fully recognized by the PA firewall (including the root CA that signed this certificate; the attached certificate profile should be linked to this root CA...). Regarding the SAN, I just added the IP address in the certificate. Worked well the 1st time.


Hope that helps... and maybe the full description I did this morning will be posted eventually.


Regards.

Cyber Elite

@TylerHay,

The example that @Rievax wrote up is great and definitely works perfectly fine. The one thing that I would say is that if you have this certificate signed by an external CA, be sure that you actually have the full cert chain in the certificate profile. You may have to manually chain the certificates if it's signed by an intermediary to get things to work properly.
