11-13-2020 06:50 AM
There is a Smart Card solution that uses pkcs#11 and middlware that provides OS communication to the card. Is there a way to use this certificate from the card for GlobalProtect authentication?
GP is looking for a cert in a specific location, but it is not possible to extract it from the Smart Card and import for GP (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLMaCAO).
Is this supported at all? If so, is there any information available?
12-30-2020 07:48 AM
I am having the same issue on CentOS 7 using pcsc, Coolkey, and sometimes OpenSC. GP agent is looking in a specific directory for pfx and dat files I believe, but I cannot get a p12 cert exported from my smart card to import. I would like GP to use my smart card for credentials. Any success regarding this issue, if it is even supported?
09-08-2021 11:56 AM - edited 09-08-2021 11:57 AM
I'm also having issue with smartcard authentication on Red Hat Enterprise Linux (RHEL) 7. I can successfully connect to Cisco VPN using OpenConnect client and smartcard, but I haven't been able to successfully connect to GlobalProtect VPN yet using same client and smartcard. It appears my client certificate is not being successfully provided to the GP VPN server. Below is a log of what I see when I try to login:
[user@mycomputer ~]$ sudo openconnect vpn.fakeglobalprotectserverurl.com:443 --usergroup=gateway --protocol=gp -vvvv --dump-http-traffic -c 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert'
[sudo] password for user:
POST https://vpn.fakeglobalprotectserverurl.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 123.456.789.012:443
Connected to 123.456.789.012:443
Using PKCS#11 certificate pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert
Trying PKCS#11 key URL pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;object=Certificate%20for%20PIV%20Authentication;type=private
PIN required for FAKE.NAME.Q.1234567890
Enter PIN:
Trying PKCS#11 key URL pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;object=Certificate%20for%20PIV%20Authentication;type=private
Trying PKCS#11 key URL pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;type=private
Using PKCS#11 key pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=[redacted];token=FAKE.NAME.Q.1234567890;id=%01;type=private
Using client certificate 'FAKE.NAME.Q.1234567890'
Got no issuer from PKCS#11
SSL negotiation with vpn.fakeglobalprotectserverurl.com
Connected to HTTPS on vpn.fakeglobalprotectserverurl.com with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
> POST /ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux HTTP/1.1
> Host: vpn.fakeglobalprotectserverurl.com
> User-Agent: PAN GlobalProtect
>
Got HTTP response: HTTP/1.1 200 OK
Date: Wed, 08 Sep 2021 18:20:47 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 539
Connection: keep-alive
ETag: "1234567890fakeetag"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly
Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly
Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly
Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly
Set-Cookie: PHPSESSID=1234567890fakeid; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (539)
< <?xml version="1.0" encoding="UTF-8" ?>
< <prelogin-response>
< <status>Error</status>
< <ccusername></ccusername>
< <autosubmit></autosubmit>
< <msg>Valid client certificate is required</msg>
< <newmsg>Required client certificate not found. Please contact your IT administrator.</newmsg>
< <license>yes</license>
< <authentication-message></authentication-message>
< <username-label></username-label>
< <password-label></password-label>
< <panos-version>1</panos-version>
< <saml-default-browser>yes</saml-default-browser><region>US</region>
< </prelogin-response>
Valid client certificate is required
Failed to obtain WebVPN cookie
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
