03-08-2022 07:05 PM
My customer switched from a cloud URL filter to PAN-OS on-prem. For remote users to be filtered, they must be connected to the network in this case via GP. To force those endpoints to always be protected, the VPN must be always-on and ideally users prevented from disabling the client. Without pre-login or cert auth, the endpoint is unprotected until VPN is established. If the user fails to authenticate, the VPN fails and the endpoint is unprotected, so machine-cert based pre-login is mandatory.
Customer also wants to auth users in AzureAD (via SAML) before allowing access to the network, and use the same portal & gateway for external users/devices with limited network access. Ideally pre-logon with machine cert followed by SAML should achieve this, but I can't get it working without requiring the machine cert for all devices incl. external. Those devices should _not_ hold a trusted machine cert and key, otherwise an external device could match a HIP profile for corporate/internal devices and be allowed additional access.
The ideal process...

Internal (corporate) device:
1. Pre-login & GP gateway predefined in reg, machine cert installed
2. GP authenticates machine to gateway using machine cert pre-login, network access is restricted (user cannot bypass URL filtering controls)
3. User logs into device
4. GP re-authenticates user to portal/gateway using SAML
5. Portal uses presence of machine cert for config selection, sets always-on
6. User/device combo gets privileged network access

External device:
1. GP authenticates user to portal/gateway using SAML
2. Portal uses absence of machine cert for config selection, sets on-demand
3. User/device combo gets restricted network access
What we have configured:
- SAML auth profile for AzureAD
- Cert profile with root & issuing CA
- Portal referencing auth & cert profiles for client auth (Allow Authentication with User Credentials OR Client Certificate = Yes, because we want to allow endpoints without the cert to log in)
- 1st portal config using same cert profile for config selection criteria & setting connect method always-on (currently testing without pre-login) & tamper protection (don't allow users to disable/uninstall)
- 2nd portal config with connect method on-demand, only gets matched if machine cert not present and allows external users to disable/uninstall
- Gateway referencing auth & cert profiles for client auth (Allow Authentication with User Credentials OR Client Certificate = Yes, because we want to allow endpoints without the cert to log in)
On commit, we get a warning that "no username field is configured in certificate profile". I assume that's because we are using the OR option, and portal/gateway needs to be able to extract a username from a cert if it's either/or? From what we can see the effective result is AND, and only internal devices can connect - external devices are presented with the usual "valid client certificate is required" message as if both the cert and user auth are required. Internal clients are first authenticated by the certificate and subsequently SAML as there's no user associated with the certificate (I assume this is pre-login state?). When we set the Username field in the cert profile, external devices can log in (using SAML); however, internal device users are not re-authenticated, and I'm assuming this is because the OR operator is working and some ID was extracted from the cert (machine CN). Unfortunately those internal users don't match policy based on group membership because their identity was already extracted from the client cert (machine CN).
If it were possible for the machine cert to be used for pre-login (no Username field in the cert profile) while also allowing external devices to authenticate without the cert (GP auth OR option), this should work the way we need, ensuring those corporate machines are always connected (pre-login) while allowing external devices to connect on-demand (without the machine cert). It's breaking because PAN-OS needs the Username field defined in the cert profile to support cert OR user creds.
I think all these requirements lead to mutual exclusion without spinning up a new portal & gateway combo per site to support the external users.
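The endpoint side of the pre-login flow described above (portal and pre-logon flag preseeded in the registry, machine cert from the issuing CA present with its private key), as an added example that is not part of the original post and not Palo Alto Networks' own tooling. The portal FQDN and issuing-CA thumbprint are placeholders; the PanSetup key and its Portal/Prelogon values are the ones used in the GlobalProtect pre-logon deployment guidance as I know it, so check them against your client version before rolling out. The -VerifyOnly switch exists for the external-device concern in the post: run it on an external build to confirm that no corporate machine cert is present that could satisfy the internal config-selection or HIP criteria.

```powershell
# Added example (not from the original post or from Palo Alto Networks):
# stage a Windows endpoint for GlobalProtect pre-logon and verify that a usable
# machine certificate from the corporate issuing CA is present (corporate build)
# or absent (external build, -VerifyOnly).
# Assumptions: $Portal and $IssuingCaThumbprint are placeholders; the PanSetup
# registry key and its Portal/Prelogon values are taken from the GlobalProtect
# pre-logon deployment guidance and should be checked against your client version.
param(
    [string]$Portal = 'gp.example.com',
    [string]$IssuingCaThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',
    [switch]$VerifyOnly    # external build: expect NO corporate machine cert
)
$ErrorActionPreference = 'Stop'
$panSetup = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'

function Set-GpPrelogon {
    param([string]$PortalFqdn)
    if (-not (Test-Path $panSetup)) { New-Item -Path $panSetup -Force | Out-Null }
    # Portal preseeded so PanGPS knows where to connect; Prelogon=1 makes the
    # service connect with the machine certificate before any user logs on.
    Set-ItemProperty -Path $panSetup -Name 'Portal'   -Value $PortalFqdn -Type String
    Set-ItemProperty -Path $panSetup -Name 'Prelogon' -Value '1'         -Type String
}

function Test-ChainsToIssuingCa {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$CaThumbprint
    )
    # Build the chain locally and require the issuing CA to appear in it; the
    # gateway's certificate profile (root + issuing CA) does the real check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline sanity check only
    if (-not $chain.Build($Cert)) { return $false }
    $thumbs = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
    return $thumbs -contains $CaThumbprint.ToUpper()
}

function Get-GpMachineCert {
    param([string]$CaThumbprint)
    $now = Get-Date
    # Only LocalMachine\My is usable pre-logon (no user profile loaded yet), and
    # the cert must carry a private key and be within its validity window.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (Test-ChainsToIssuingCa -Cert $_ -CaThumbprint $CaThumbprint)
    }
}

if (-not $VerifyOnly) { Set-GpPrelogon -PortalFqdn $Portal }

$certs = @(Get-GpMachineCert -CaThumbprint $IssuingCaThumbprint)

if ($VerifyOnly) {
    # External device: a trusted machine cert here would let it match the
    # corporate config-selection / HIP criteria, so treat presence as a failure.
    foreach ($c in $certs) {
        Write-Warning ("Corporate machine cert present: {0} [{1}]" -f $c.Subject, $c.Thumbprint)
    }
    if ($certs.Count -gt 0) { exit 1 }
    Write-Output 'OK: no corporate machine certificate in LocalMachine\My'
    exit 0
}

if ($certs.Count -eq 0) {
    Write-Error ("No valid machine cert chaining to CA {0}; pre-logon will fail and the " +
                 "endpoint stays unfiltered until a user authenticates") -f $IssuingCaThumbprint
}
foreach ($c in $certs) {
    Write-Output ("Pre-logon cert: {0}  expires {1:u}" -f $c.Subject, $c.NotAfter)
}
```

Run it elevated from the build/imaging process on corporate machines, and with -VerifyOnly on external builds. It only proves the client prerequisites; whether the portal then selects the always-on config still depends on the cert profile and config-selection criteria on the firewall, which is exactly the part the post says is not behaving.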