06-14-2023 12:32 PM
I am trying to set up GlobalProtect Portal authentication using Client Certificate Authentication instead of RADIUS. I generated a CA and a self-signed cert on the Palo. I configured a Client Cert profile, attached it to Portal -> Authentication (removed RADIUS auth), and selected the Client Cert profile. I also downloaded and installed the cert and root CA to the laptop in the Personal cert store.
But when I attempt the GP connection I keep getting "a valid client certificate is required for authentication". When I switch back to RADIUS it works fine. Confirmed the cert is installed properly, as well as the CA, in the store.
GP version 5.2.13
<msg>Valid client certificate is required</msg>
<newmsg>Required client certificate not found. Please contact your IT administrator.</newmsg>
<authentication-message></authentication-message>
(P6180-T10460)Debug(8440): 06/08/23 13:51:30:278 Set portal status to valid client cert needed.
(P6180-T10460)Debug(8450): 06/08/23 13:51:30:278 portal status is Client Cert Required.
(P6180-T10460)Debug(7685): 06/08/23 13:51:30:278 Portal required client certificate is not found.
(P6180-T10456)Debug(2513): 06/08/23 13:51:30:278 Setting debug level to 5
I followed the config from this KB - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIICA0
06-15-2023 05:50 AM
What setting do you have in the certificate profile, as you will need to set a username field?
Also, try browsing to https://<yourportaladdress> and see if the certificate is accepted via your browser.
06-15-2023 07:28 AM
For the Cert Profile, I have the Username Field set to Subject. For SSL/TLS, we are using a different certification. For client auth I generated a local root CA and client cert on the PA and exported them to the laptop.
06-15-2023 07:37 AM
OK, that sounds good, but where did you put the user certificate? Is it in the user's personal store? Perhaps run certmanager for users to see if the certificate is in here.
06-15-2023 07:53 AM
I confirmed the cert was installed in the Personal folder of the user, as shown in your screenshot. I also added the root CA in Trusted Root CA. It seems the GlobalProtect agent is not able to locate the cert for some reason, because it says cert not found, not invalid cert or any other issue.
06-16-2023 02:20 AM
How did you export the user cert? Did you use PKCS12 with a password?
06-16-2023 06:04 AM
Yes, that is correct. PKCS12 with password. It imports successfully. I also added the root CA to the trusted CAs in the store.
06-16-2023 07:51 AM
Hi @Chirah_Rana ,
Your configuration should work. I have done this many times.
One thing you can do to test is to push the certificate to the client by configuring the Agent tab in the portal. Change the client certificate to Local, and specify the certificate that you created on the NGFW (not the CA).
The portal will then install the certificate on the client. This solution is not permanent because it defeats the purpose of requiring the client certificate. But, you can see if it works and try to find out what changed on your Windows machine.
Thanks,
Tom
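
The store checks done by hand in this thread (client cert in the Personal store, root CA in Trusted Root, PKCS12 import), collected into one PowerShell script. This is an added example, not part of any poster's reply; `$CaName` is a placeholder for the name of the root CA generated on the firewall, and the private-key, validity, EKU and chain columns are extra checks beyond what the thread discusses.

```powershell
# Added example. $CaName is a placeholder: set it to the common name of the
# root CA that was generated on the firewall and exported to the laptop.
$CaName = '<your-root-ca-name>'

# 1. Is the root CA present in a Trusted Root store (user or machine)?
$roots = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$CaName*" }
if ($roots) {
    $roots | Select-Object PSParentPath, Subject, Thumbprint, NotAfter | Format-List
} else {
    Write-Warning "No root CA matching '$CaName' in the Trusted Root stores"
}

# 2. Which certificates in the Personal stores were issued by that CA,
#    and is each one usable as a client certificate?
$now = Get-Date
$clientCerts = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$CaName*" }

if (-not $clientCerts) {
    Write-Warning "No certificate issued by '$CaName' in the Personal stores"
}

foreach ($cert in $clientCerts) {
    # Build the chain locally; revocation is skipped because a firewall-local
    # CA is assumed to publish no CRL reachable from the laptop.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Store         = $cert.PSParentPath -replace '^.*::', ''
        Subject       = $cert.Subject          # value used when Username Field = Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey    # False if only the public cert was imported
        InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        EKU           = ($cert.EnhancedKeyUsageList.FriendlyName -join ', ')
        ChainBuilds   = $chainOk
        ChainStatus   = ($chain.ChainStatus.Status -join ', ')
    } | Format-List
}
```

Run it as the same Windows user that launches the GlobalProtect agent, since `Cert:\CurrentUser` is per-user.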