- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
11-06-2013 03:50 PM
Hello,
Is it possible to use client certificates for both AD and local users for global protect? I have a working authentication sequence, but have a requirement to use client certs. If it is possible, would it be better to generate the certificates from the domain microsoft CA or could I generate them on the PAN device? I would prefer to use client certs generated by a self-signed root ca on the PAN because I would rather push out the root CA from the PAN to both my domain and non-domain users, than push my domain root CA cert to the non-domain local users.
Any thoughts?
11-06-2013 04:32 PM
Hello Daniel.
You can use client certificates in both situations.
You do not need to push your root CA to the clients though. What you can do is upload the CA public key to the firewall, and use that in a "Certificate Profile". Then, you will just issue (sign) cerficates for your clients from the Microsoft server, and push them to your clients via a GPO.
You can also have one client (machine) certifcation for all your clients and configure that as the "client certificate" on your portal and then give that same certificate to all your clients (GPO maybe). Then that certificate will be checked against the one configured on the firewall to make sure they are the same cert.
There is a third way as well, which would allow you to upload the public key (CA) to your firewall, and have that pushed out to all your clients, so that it is in their trusted root store. That way, they don't get the nag message about a bad cert. This is not needed though.
Hope this helps.
-chadd.
11-11-2013 09:51 AM
Thanks Chadd,
I was misinformed on my user cert requirement. We are using machine certs, not user certs. Using machine certs everything works as expected whether I'm using an AD account or a local account on the firewall.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!