08-01-2022 12:58 AM
Hello Team,
I have one question about GP remote access.
Currently, I have a GlobalProtect remote access VPN running in production.
GlobalProtect client > when clients connect to the published gateway address on the PA,
the client is required to meet the requirements below in order to connect to the VPN successfully:
1- have a valid user/pwd
2- have a valid certificate installed on the laptop (certificate generated by the PA FW)
New requirement:
I want a specific user or group to connect to GlobalProtect without checking the certificate,
while other groups are still required to have a valid user/PWD plus a certificate in order to connect to the remote VPN.
Can Palo Alto do the requirements above? If so, is there any document link on how to do this?
Appreciated for the reply.
08-06-2022 11:50 AM
Hello,
I believe you could use device checks as config selection criteria, which would match a certificate to a GP config. See 'Device Checks' > 'Certificate Profile' here:
GlobalProtect Portals Agent Config Selection Criteria Tab (paloaltonetworks.com)
So you could have it like this for example:
Config 1:
Config 2:
Users in group no_cert would match config 1 whether they have a cert or not.
Users in group cert_needed would match config 2, but only if they have a cert. Users without a cert won't match this config, and if there are no other configs they can match, they can't connect because no config is found.
There is a caveat. Auth override cookies don't work with this config, which will be seen upon commit:
Authentication Override and Config Seletcion Criteria -> Device Checks/Custom Checks are both configured, Authentication Override will be disabled.
You can then remove the cert profile from the authentication tab if pre-logon is not needed. If it's needed, you need to set the Allow Authentication with User Credentials OR Client Certificate option to Yes (User Credentials OR Client Certificate Required). This would allow the pre-logon user to auth with a certificate, but the user can bypass it if they have valid credentials, and the cert will be checked using the config selection criteria mentioned above.
2nd possible option is to use no cert profile on the Portal, and then have 2 gateways configured - 1 with a cert profile and 1 without it. Use config selection criteria to direct users in certain groups to either gateway 1 which needs a cert, or 2 which doesn't.
- DM
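The selection behaviour described in the reply above, as an added illustration that is not PAN-OS code and not part of the original thread. It models a portal's ordered list of agent configs (user/group criteria plus an optional certificate-profile device check) and returns the first config a client satisfies, or nothing, which is the "no config found" outcome the reply describes. The group names no_cert and cert_needed come from the reply; the top-down evaluation order, the Client/AgentConfig shapes and the gateway names are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class AgentConfig:
    name: str
    groups: frozenset              # user/group criteria; empty = any user
    require_cert: bool             # device check: certificate profile attached
    gateways: list = field(default_factory=list)


@dataclass
class Client:
    user: str
    groups: frozenset
    has_valid_cert: bool           # cert chains to the profile's root/intermediate CA


def select_config(configs, client):
    """Return the first config whose criteria the client satisfies, or None.
    Top-down evaluation is an assumption of this model."""
    for cfg in configs:
        if cfg.groups and not (cfg.groups & client.groups):
            continue                # group criteria not met
        if cfg.require_cert and not client.has_valid_cert:
            continue                # device check (certificate profile) not met
        return cfg
    return None                     # client sees "Failed to get client configuration"


def auth_override_enabled(configs):
    """Mirror of the commit warning quoted in the reply: any device check in the
    selection criteria disables the authentication override cookie."""
    return not any(cfg.require_cert for cfg in configs)


# Constructed example of option 1: two portal configs, cert checked on config 2 only.
OPTION1 = [
    AgentConfig("config1", frozenset({"no_cert"}), require_cert=False),
    AgentConfig("config2", frozenset({"cert_needed"}), require_cert=True),
]

# Constructed example of option 2: no cert profile on the portal, two gateways;
# the gateway that carries a cert profile performs its own check at connect time.
GATEWAYS = {"gateway1": True, "gateway2": False}      # gateway name -> requires cert
OPTION2 = [
    AgentConfig("to_gateway1", frozenset({"cert_needed"}), False, ["gateway1"]),
    AgentConfig("to_gateway2", frozenset({"no_cert"}), False, ["gateway2"]),
]


def gateway_accepts(gateway, client):
    """Gateway-side certificate check for option 2 (hypothetical model)."""
    return client.has_valid_cert or not GATEWAYS[gateway]


if __name__ == "__main__":
    alice = Client("alice", frozenset({"cert_needed"}), has_valid_cert=False)
    bob = Client("bob", frozenset({"no_cert"}), has_valid_cert=False)
    print("alice, option 1:", select_config(OPTION1, alice))        # None
    print("bob, option 1:", select_config(OPTION1, bob).name)       # config1
    print("auth override with option 1:", auth_override_enabled(OPTION1))
    cfg = select_config(OPTION2, alice)
    print("alice, option 2:", cfg.name, gateway_accepts(cfg.gateways[0], alice))
```

In the model, a cert_needed user without a certificate is rejected at the portal under option 1 (no config matches) but only at the gateway under option 2, and only option 2 keeps the authentication override cookie available, which is the trade-off between the two approaches in the reply.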
02-20-2024 05:30 AM
Hi. I have the same task and have already configured everything as you described:
- agent config for a specific AD group
- cert profile (root+intermediate) attached to the certificate profile under device checks of the respective config
- machine cert on the endpoint
All works fine without the certificate profile enabled under device checks. When I enable it: "You are not authorized to connect to GlobalProtect Portal" in the GP client and error 26 "Failed to get client configuration". I have been struggling for a few days already and don't know what else it is possible to do/check...