08-01-2022 12:58 AM
Hello Team,
I have one question with GP remote access
Current, I have a global protect remote access VPN running on production
global protect client > when clients connect to publish address gateway on PA
client require to have as below requirement in order to get success to connect VPN
1- have a valid user/pwd
2- have a valid certificate installed on the laptop (certificate generated by PA FW)
New requirement:
I want to specific user or group when connecting to global protect without check the certificate
and other groups still keep and required to check a valid user/PWD plus a certificate in order to connect remote VPN
Can Palo alto do with the requirements above? if can is here have any document link to do this?
Appreciated for reply
08-06-2022 11:50 AM
Hello,
I believe you could use device checks as a config selection criteria which would match a certificate to a GP config. See 'Device Checks' > 'Certificate Profile' here:
GlobalProtect Portals Agent Config Selection Criteria Tab (paloaltonetworks.com)
So you could have it like this for example:
Config 1:
Config 2:
Users in group no_cert would match config 1 whether they have a cert or not.
Users in group cert_needed would match config 2, but only if they have a cert. Users without a cert won't match this config, and if you have no other configs they can match, they can't connect due to no config found.
There is a caveat. Auth override cookies don't work with this config, which will be seen upon commit:
Authentication Override and Config Seletcion Criteria -> Device Checks/Custom Checks are both configured, Authentication Override will be disabled.
You can then remove the cert profile from the authentication tab if pre-logon is not needed. If it's needed, you need to set the Allow Authentication with User Credentials OR Client Certificate option to Yes (User Credentials OR Client Certificate Required). This is would allow the pre-logon user to auth with certificate, but the user can bypass it if they have valid credentials and cert will be checked using the config selection criteria mentioned above.
2nd possible option is to use no cert profile on the Portal, and then have 2 gateways configured - 1 with a cert profile and 1 without it. Use config selection criteria to direct users in certain groups to either gateway 1 which needs a cert, or 2 which doesn't.
- DM
02-20-2024 05:30 AM
Hi. Have the same task and already configured everything like you described:
- agent config for specific AD group
- cert profile (root+intermidiate) attached to the certificate profile under device checks of respective config
- machine cert on endpoint
All works fine without enabled certificate profile under device checks. When enable it - "You are not authorized to connect to GlobalProtect Portal" in the GP client and error 26 "Failed to get client configuration". Struggling few days already, don't know what else it is possible to do/check...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
