We are currently using GlobalProtect with an auth profile that uses LDAP and DUO proxy. We now want to expand this setup with needing a machine certificate to be allowed to log on to portal/gateway so only company owned computers can log in.
We created a new CA and machine certificate on our PA-820, then chose this new CA in a new cert profile with "Username field" set to "None". We then added this new cert profile to the authentication tab on both our GP Portal and our GP Gateway.
On the machine we have tested this new setup we have installed the created CA cert without private key in the "Trusted root certificates" store and the machine cert with private key signed by this CA in the "Personal" store under computer certificates. The portal config > agent > app settings says "look for client certificate" in "Machine".
When we navigate to the portal website it says "Valid client certificate is required" and does not prompt us to use authenticate us with our installed certificate. However when we log onto the VPN with the GP app it does not require any certificate. It works for users both with and without the certificate installed...
Any thoughts on why we can't get this to work as expected?
I remember running into this a few years ago, but I don't remember exactly what caused it. The issue with the web portal might be due to the web browser looking only in the user certificate store. You could try putting the client cert you put in the machine store in the user store as well. As to why the cert profile is not enforced on the connection from the GP agent, I'm not sure what to suggest here other than to make sure you actually committed the changes on firewall, or committed/pushed from Panorama.
does the certificate have a cn= in the subject field. i'm sure that although you set the cert profile to none, the GP client will still look for this within the machine cert to class as valid.
I also have machine based cert configured with SAML and it works fine.
My machine cert has CN i agree with MickBall your machine cert need to have common name.
Also under Cert Profile you need to have your Root CA and Intermediate cert.
Thanks for the input folks, it pointed me in the right direction. My certificates have CN's so that was not the issue.
I had to change the portal setting to look for the certificate in the user store, not the machine store and install my CA and Machine cert in the user store. Not sure if this applies to all browsers but at least Chrome would not show the machine certificates when trying to access the portal website.
My issue with the gateway working even after applying the cert profile was we had authentication cookie override...
However my "issue" now is that I need to install both CA and machine cert in user's store for the portal website to work, but for the app/gateway I need both certs in the machine store or it says valid cert not found when connecting to the gateway. Is there a setting for the app/gateway to look for cert in user store also? I could not find it.
to enable certificate authenication all you need to do is just to choose a certificate profile in Portal and/or Gateway - Authentication Tab, settings.
and put the "Allow Authentication with User Credentials OR Client Certificate" to NO in Client Authentication entry.
the Client Certificate should be installed on local user account.
try reinstalling Globalprotect before testing these Config.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!