Comp certificate expired, how to allow users to log in


L1 Bithead

Hi,

A few of my users have not connected to GP (and to AD) for an extended period of time, and their computer certificate has expired.

They are remote, so coming to the office would be problematic - continent-size problematic 🙂

I was under the impression that when I changed the Authentication profile from "Require username AND device cert" to "Require username OR device cert", I would be able to allow them to connect - that way their comp cert would renew and they'd be OK going forward.

But I was wrong; the GP client was not willing to connect. I know there is a way, as the previous Manager was allowing it through, but at that time I was not working on Palos, so I'm not sure what else I need to amend to make it happen.

Regards
Rob T.

Cyber Elite

Did you change this setting on both the portal AND the gateway? Make sure you're allowing it on both for those users to be able to connect.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L1 Bithead

Hi,

I have today, and have also, as per another suggestion I saw somewhere, removed the cert profile from the portal - nothing worked. It did, though, for one second show me the MFA prompt for the user, but in the end it refused to connect anyway, with the same "Client certificate not found" message.

Logging a call with my Palo Support company for it, but any other suggestion is welcome.

Is there any way I can generate a machine cert on my CA and install it on the remote comp? The problem is that I use a specific template for it and I'm unsure if it would work if the problematic machine has no access to the internal CA.

Any other way of generating maybe a self-signed cert on the Palo firewall (or Panorama) to allow it through?

Regards
Rob T.

Have you checked the certificate profile to see if any options here are ticked?

[image: Mick_Ball_1-1709128311313.png]

Can you not email a new certificate to the user's device, or do they have no connection without GlobalProtect?

L1 Bithead

Hi, just realised I have not posted how we dealt with it, so just as a closure:

We decided the easiest way would be to remove the cert from the authentication requirements for brief moments when we have that issue, so we set "user credentials OR device cert required", allowed the user to log in, then recreated the cert once the user was in.

After that I just changed it back to "creds AND cert required". A few minutes of lowered protection, but it solved that problem just fine.

Regards
Rob T.
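The closure above is an emergency path: the "username AND device cert" requirement is relaxed for a few minutes so the machine can come back in and be re-issued a certificate. The cheaper defence is to notice expiring device certificates before the profile starts rejecting them. The following is an added example, not code from this thread or from Palo Alto Networks: it takes a constructed inventory of hostname / notAfter pairs (the assumption is that such a list is exported from whatever endpoint-management tool or certificate store you already have) and uses the standard-library `ssl.cert_time_to_seconds()` to bucket each machine as expired, expiring within a warning window, or fine.

```python
"""Device-certificate expiry audit for a GlobalProtect fleet.

Added example (not from the thread): reads an inventory of (hostname, notAfter)
pairs, computes days remaining with the standard-library
ssl.cert_time_to_seconds(), and buckets each machine so renewals can be
scheduled before a "username AND device cert" profile starts rejecting it.
"""
import ssl
from datetime import datetime, timezone

# Constructed sample inventory: hostnames are fictional, and the notAfter
# strings use the format printed by `openssl x509 -enddate` and returned by
# ssl.getpeercert(). In practice this list would be exported from an endpoint
# management tool or the machine certificate store (assumption).
SAMPLE_INVENTORY = [
    ("laptop-001", "Jan 10 12:00:00 2024 GMT"),  # already expired
    ("laptop-002", "Mar 15 12:00:00 2024 GMT"),  # inside the warning window
    ("laptop-003", "Sep 01 12:00:00 2024 GMT"),  # healthy
]

# Fixed "now" so the sample run is reproducible; use
# datetime.now(timezone.utc) for a live run.
SAMPLE_NOW = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

WARN_DAYS = 30  # schedule renewal at least this many days before notAfter


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` until the certificate's notAfter (negative if expired).

    ssl.cert_time_to_seconds() parses the OpenSSL/GMT timestamp format and
    raises ValueError on anything else, which is the right outcome for a
    malformed inventory row.
    """
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days


def classify(days_left: int, warn_days: int = WARN_DAYS) -> str:
    """Bucket a certificate: 'expired', 'expiring' (within warn_days) or 'ok'."""
    if days_left < 0:
        return "expired"
    if days_left <= warn_days:
        return "expiring"
    return "ok"


def audit(inventory, now: datetime, warn_days: int = WARN_DAYS) -> dict:
    """Return {'expired': [...], 'expiring': [...], 'ok': [...]} of hostnames."""
    report = {"expired": [], "expiring": [], "ok": []}
    for host, not_after in inventory:
        bucket = classify(days_until_expiry(not_after, now), warn_days)
        report[bucket].append(host)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY, SAMPLE_NOW)
    for bucket in ("expired", "expiring", "ok"):
        for host in result[bucket]:
            print(f"{bucket:9} {host}")
```

Machines in the "expiring" bucket are the ones to chase while they can still reach the internal CA; anything already in "expired" is exactly the case this thread describes, where the only remaining options are the time-boxed "OR" fallback or delivering a freshly issued certificate out of band.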