05-12-2020 02:37 AM
Basic GP setup, portal and gateway using certificate authentication only, certificates issued by an internal CA; the Palo Alto firewall is not involved in the certificate enrollment process.
The certificate profile used is configured with the Root and intermediate certificates, set to use CRL, and the options (Block session if certificate status cannot be retrieved within timeout, Block session if the certificate was not issued to the authenticating device, and Block sessions with expired certificate) have been selected.
Clients now try to connect, but fail with the message (Client certificate could not be authenticated). If I then remove the option Block session if the certificate was not issued to the authenticating device, the clients are able to authenticate and connect.
My question:
Is the option "Block session if the certificate was not issued to the authenticating device" only valid (i.e., can only be used) if the Palo Alto firewall handles the original certificate enrolment process, and shouldn't it be used if this is done using other methods?
05-14-2020 03:37 PM
Hi,
Did you ensure that serial number attribute in the subject of the client certificate matches the host ID that the GlobalProtect app reports for the endpoint?
Regards,
VRA
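The check described in the reply above, as an added example that is not part of the original thread or Palo Alto's own code: it takes the client certificate's subject as an RFC 4514 DN string (the form `openssl x509 -noout -subject -nameopt RFC2253` prints) and the host ID the GlobalProtect app reports in the HIP report, and tells you whether the Subject serialNumber attribute matches. The sample subjects and the host ID below are constructed, and the case-insensitive comparison is an assumption; PAN-OS's exact normalization is not described in the thread.

```python
"""Does the client certificate's Subject serialNumber match the HIP host ID?

Added example (not Palo Alto code). Assumptions: the subject is an RFC 4514
DN string, and matching is case-insensitive after trimming whitespace.
"""
import string
from typing import List, Tuple

# Constructed sample inputs, not taken from the thread.
HIP_HOST_ID = "00008030-001C2D4A3E8A402E"  # UDID the GP app would report for an iPad
SUBJECT_SERIAL_OK = "serialNumber=00008030-001C2D4A3E8A402E,CN=ipad-finance-17,O=Example Corp"
SUBJECT_UDID_IN_CN = "CN=00008030-001C2D4A3E8A402E,O=Example Corp"  # the mistake from the thread
SUBJECT_ESCAPED = r"serialNumber=00008030-001C2D4A3E8A402E+CN=Smith\, John,O=Example Corp"


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on `sep`, leaving backslash-escaped separators inside the value."""
    parts, buf, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])  # keep the escape pair for later unescaping
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Resolve RFC 4514 escapes: `\\,` style single chars and `\\C3\\A9` hex bytes."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out += bytes.fromhex(pair)
                i += 3
                continue
            out += value[i + 1].encode("utf-8")
            i += 2
            continue
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8", errors="replace")


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Return the DN as a list of RDNs, each a list of (attribute, value) pairs.
    Attribute names are lower-cased so `serialNumber` and `SERIALNUMBER` compare equal."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr, _, val = ava.partition("=")
            avas.append((attr.strip().lower(), _unescape(val)))
        rdns.append(avas)
    return rdns


def _values(dn: str, names: Tuple[str, ...]) -> List[str]:
    return [v for rdn in parse_dn(dn) for (a, v) in rdn if a in names]


def _norm(s: str) -> str:
    return s.strip().upper()  # assumption: case-insensitive match is good enough


def check_device_binding(subject_dn: str, hip_host_id: str) -> Tuple[bool, str]:
    """Mirror the 'not issued to the authenticating device' check:
    the Subject serialNumber attribute (OID 2.5.4.5) must equal the reported host ID."""
    serials = _values(subject_dn, ("serialnumber", "2.5.4.5"))
    if not serials:
        cns = _values(subject_dn, ("cn", "2.5.4.3"))
        if any(_norm(cn) == _norm(hip_host_id) for cn in cns):
            return False, "host ID is in CN, but the check compares the Subject serialNumber attribute"
        return False, "certificate has no Subject serialNumber attribute"
    if any(_norm(s) == _norm(hip_host_id) for s in serials):
        return True, "Subject serialNumber matches the reported host ID"
    return False, f"serialNumber {serials} does not match host ID {hip_host_id!r}"


if __name__ == "__main__":
    for label, subj in [("ok", SUBJECT_SERIAL_OK), ("cn", SUBJECT_UDID_IN_CN), ("esc", SUBJECT_ESCAPED)]:
        print(label, check_device_binding(subj, HIP_HOST_ID))
```

Run it against the real subject of a deployed client certificate and the host ID shown in the app's HIP report to see which of the three cases you are in before toggling the profile option.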
05-22-2020 02:12 AM
Dear Vathreya
Thank you for the reply. Yes, we added the iPad UDID into the Common Name in the certificate, but it seems that in GP for iOS version 5.0 the client is no longer able to grab the UDID straight from the iPad, and needs to be specifically configured via a VPN profile to map the UDID to Mobile-ID in order to get the correct information sent in the HIP report to the gateway.
Our MDM platform is Intune, and so far we haven't been able to find a way to perform such a customization of the VPN profile.
I forgot to include in the original post that the issue was with iPads.