This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Using client certificates with an authentication sequence for Global Protect

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Using client certificates with an authentication sequence for Global Protect

dan731028
L3 Networker

‎11-06-2013 03:50 PM

Hello,

Is it possible to use client certificates for both AD and local users for global protect?  I have a working authentication sequence, but have a requirement to use client certs.  If it is possible, would it be better to generate the certificates from the domain microsoft CA or could I generate them on the PAN device?  I would prefer to use client certs generated by a self-signed root ca on the PAN because I would rather push out the root CA from the PAN to both my domain and non-domain users, than push my domain root CA cert to the non-domain local users.

Any thoughts?

Labels:
0 Likes Likes
2 REPLIES 2

cchristiansen
L3 Networker

‎11-06-2013 04:32 PM

Hello Daniel.

You can use client certificates in both situations. 

You do not need to push your root CA to the clients though.  What you can do is upload the CA public key to the firewall, and use that in a "Certificate Profile".  Then, you will just issue (sign) cerficates for your clients from the Microsoft server, and push them to your clients via a GPO.

You can also have one client (machine) certifcation for all your clients and configure that as the "client certificate" on your portal and then give that same certificate to all your clients (GPO maybe).  Then that certificate will be checked against the one configured on the firewall to make sure they are the same cert.

There is a third way as well, which would allow you to upload the public key (CA) to your firewall, and have that pushed out to all your clients, so that it is in their trusted root store.  That way, they don't get the nag message about a bad cert.  This is not needed though.

Hope this helps.

-chadd.

dan731028
L3 Networker
In response to cchristiansen

‎11-11-2013 09:51 AM

Thanks Chadd,
I was misinformed on my user cert requirement.  We are using machine certs, not user certs.  Using machine certs everything works as expected whether I'm using an AD account or a local account on the firewall.

0 Likes Likes
  • 2694 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks