GlobalProtect On-Demand using authentication profile and user certificate from PKI on gateway

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect On-Demand using authentication profile and user certificate from PKI on gateway

L2 Linker

I'm trying to setup a GlobalProtect On-Demand environment.

The portal uses an LDAP server profile for authentication and has been validated to be working fine.

I intend to configure the gateway to use a combination of RADIUS and certificate profile to authenticate. I've confirmed that authentication works without the certificate profile.

My understanding is that certificate based authentication for the "on-demand" mode works only if the certificates are user certificates (i.e. installed in the user store).

I've a PKI infrastructure in the environment that is pushing out certificates to the users. I do not intend to go down the SCEP configuration for this deployment.

So far I've not been successful to get certificate profile.

I'm greeted by the "Required client certificate not found" error.

I've tried to play with different options on the certificate profile like subject, subject alt-name, principal name, email, etc.

FYI... I have the PKI root CA and intermediate CAs already included in my certificate profile.

 

I wanted to know if anyone has this successfully working in this fashion using "On-demand" mode.

  1. What certificate fields or options did you use?
  2. What certificate profile options did you leverage?
  3. Any interesting scenarios you ran in your deployment?
1 accepted solution

Accepted Solutions

L2 Linker

Just so that I provide closure to this discussion. I managed to get this rolled out and fix the issues that I was having.

 

Here is what I learned during my deployment and troubleshooting:

  • When using user certificate along with an authentication profile; you can leave the username field to "none" on the certificate profile.
  • "Required client certificate not found" was the error that got me stuck. I was using the certificate profile to verify the certificate-status:              2021-01-28 15_14_52-Clipboard.png                        
  • After long hours of detailed investigation I discovered that this was due to CRL verification failures. I hadn't validated the firewalls reachability to query the CRL that it was reading off the presented certificates. This lead to the discovery that the firewalls were configured with external DNS servers and that CRL verification attempts were being made against an internal FQDN. I updated the DNS servers on the firewall to lookup against internal DNS servers and everything is working like a charm!

Hope someone else finds this useful when they run into a similar fit!

 

 

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

@DelvinC 

 

We are using the Prelogon and then on demand  for GP.

We are using Machine cert for Client Authentication using prelogon and then on demand.

 

We do have our Internal PKI server.

We have imported the Intermediate cert from the PC to the PA.

PA already has Root CA.

 

!>Our cert profile has Root and Intermediate certs.

2>For Cert for VPN it has CN field.

3>You need to make sure cert which you have on PC make sure import its Root and Intermediate to the PA.

 

Regards

 

MP

Help the community: Like helpful comments and mark solutions.

@MP18  Thanks for your response.

 

I've had success in the past deploying machine certificates for authentication. But, this time I'm specifically trying to get user certificate authentication to work with just the on-demand mode.

 

During my research, I came across the PAN KB article (Basic GlobalProtect Configuration with Pre-logon)  that hints that this is possible.

 

DelvinC_0-1611352025876.png

 

Yes as per that link it is possible.

MP

Help the community: Like helpful comments and mark solutions.

L2 Linker

Just so that I provide closure to this discussion. I managed to get this rolled out and fix the issues that I was having.

 

Here is what I learned during my deployment and troubleshooting:

  • When using user certificate along with an authentication profile; you can leave the username field to "none" on the certificate profile.
  • "Required client certificate not found" was the error that got me stuck. I was using the certificate profile to verify the certificate-status:              2021-01-28 15_14_52-Clipboard.png                        
  • After long hours of detailed investigation I discovered that this was due to CRL verification failures. I hadn't validated the firewalls reachability to query the CRL that it was reading off the presented certificates. This lead to the discovery that the firewalls were configured with external DNS servers and that CRL verification attempts were being made against an internal FQDN. I updated the DNS servers on the firewall to lookup against internal DNS servers and everything is working like a charm!

Hope someone else finds this useful when they run into a similar fit!

 

 

 

@DelvinC 

 

Thanks for updating the Community.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

thank you, very useful to know

  • 1 accepted solution
  • 4735 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!