Certificate profile - option Block session if the certificate was not....

L0 Member


Basic GP setup, portal and gateway using certificate authentication only, certificates issued by an internal CA; the Palo Alto firewall is not involved in the certificate enrollment process.


The certificate profile used is configured with the root and intermediate certificate, set to use CRL, and the options "Block session if certificate status cannot be retrieved within timeout", "Block session if the certificate was not issued to the authenticating device" and "Block sessions with expired certificate" have been selected.


Clients now try to connect but fail with the message "Client certificate could not be authenticated". If I then remove the option "Block session if the certificate was not issued to the authenticating device", the clients are able to authenticate and connect.


My question:

Is the option "Block session if the certificate was not issued to the authenticating device" only valid, e.g. can it only be used if the Palo Alto firewall handles the original certificate enrolment process, and should it not be used if this is done using other methods?

L3 Networker

Hi,


Did you ensure that the serial number attribute in the subject of the client certificate matches the host ID that the GlobalProtect app reports for the endpoint?


https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/certificate-management/configure-a-certifi...


Regards,

VRA

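To make the check VRA points at concrete: an added illustration (not code from the thread or from Palo Alto Networks) of comparing the `serialNumber` attribute of a client certificate's subject DN with the host ID the app reports. The DN strings and the UDID value are constructed, and the exact comparison rules PAN-OS applies are an assumption; the point is that a UDID placed only in the CN does not satisfy a check that looks at `serialNumber`.

```python
"""Illustrative device-binding check: does the subject DN carry a serialNumber
attribute equal to the host ID the endpoint reports? Constructed example, not
PAN-OS code; PAN-OS's precise matching rules are an assumption here."""


def parse_rfc2253_dn(dn):
    """Split an RFC 2253 string DN into (type, value) pairs.

    Backslash escapes are honoured so a comma inside a value does not split
    the RDN; '+' separates attributes of a multi-valued RDN."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]      # keep the escaped character literally
            i += 2
            continue
        if ch in ",+":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    pairs = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def device_binding_ok(subject_dn, reported_host_id):
    """True when a serialNumber attribute (RFC 2253 type 'serialNumber',
    OID 2.5.4.5) equals the host ID reported by the endpoint.
    Exact, case-sensitive comparison is an assumption of this example."""
    serials = [v for t, v in parse_rfc2253_dn(subject_dn)
               if t.lower() in ("serialnumber", "2.5.4.5")]
    return any(v == reported_host_id for v in serials)


# Constructed sample data (not a real device identifier)
UDID = "00008030-000A1B2C3D4E5F60"
CN_ONLY_DN = "CN=" + UDID + ",OU=Mobile,O=Example Corp,C=SE"
WITH_SERIAL_DN = "CN=ipad-42,serialNumber=" + UDID + ",OU=Mobile,O=Example Corp,C=SE"

if __name__ == "__main__":
    print("UDID in CN only :", device_binding_ok(CN_ONLY_DN, UDID))        # False
    print("UDID in serialNumber:", device_binding_ok(WITH_SERIAL_DN, UDID))  # True
```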

L0 Member

Dear Vathreya


Thank you for the reply. Yes, we added the iPad UDID into the Common Name in the certificate, but it seems like in GP for iOS in version 5.0 the client isn't able any longer to grab the UDID straight from the iPad, but needs to be specifically configured via a VPN profile to map the UDID to Mobile-ID in order to get the correct information sent in the HIP report to the gateway.


https://docs.paloaltonetworks.com/globalprotect/5-0/globalprotect-app-new-features/new-features-rele...


Our MDM platform is Intune, and so far we haven't been able to find the ability to perform such a customization of the VPN profile.


I missed including the information in the original post that this was an issue with iPads.
