This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GlobalProtect On-Demand using authentication profile and user certificate from PKI on gateway

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect On-Demand using authentication profile and user certificate from PKI on gateway

Go to solution
DelvinC
L2 Linker

‎01-22-2021 11:24 AM

I'm trying to setup a GlobalProtect On-Demand environment.

The portal uses an LDAP server profile for authentication and has been validated to be working fine.

I intend to configure the gateway to use a combination of RADIUS and certificate profile to authenticate. I've confirmed that authentication works without the certificate profile.

My understanding is that certificate based authentication for the "on-demand" mode works only if the certificates are user certificates (i.e. installed in the user store).

I've a PKI infrastructure in the environment that is pushing out certificates to the users. I do not intend to go down the SCEP configuration for this deployment.

So far I've not been successful to get certificate profile.

I'm greeted by the "Required client certificate not found" error.

I've tried to play with different options on the certificate profile like subject, subject alt-name, principal name, email, etc.

FYI... I have the PKI root CA and intermediate CAs already included in my certificate profile.

 

I wanted to know if anyone has this successfully working in this fashion using "On-demand" mode.

  1. What certificate fields or options did you use?
  2. What certificate profile options did you leverage?
  3. Any interesting scenarios you ran in your deployment?
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
DelvinC
L2 Linker

‎01-28-2021 03:27 PM

Just so that I provide closure to this discussion. I managed to get this rolled out and fix the issues that I was having.

 

Here is what I learned during my deployment and troubleshooting:

  • When using user certificate along with an authentication profile; you can leave the username field to "none" on the certificate profile.
  • "Required client certificate not found" was the error that got me stuck. I was using the certificate profile to verify the certificate-status:              2021-01-28 15_14_52-Clipboard.png                        
  • After long hours of detailed investigation I discovered that this was due to CRL verification failures. I hadn't validated the firewalls reachability to query the CRL that it was reading off the presented certificates. This lead to the discovery that the firewalls were configured with external DNS servers and that CRL verification attempts were being made against an internal FQDN. I updated the DNS servers on the firewall to lookup against internal DNS servers and everything is working like a charm!

Hope someone else finds this useful when they run into a similar fit!

 

 

View solution in original post

6 REPLIES 6

Go to solution
MP18
Cyber Elite
Cyber Elite

‎01-22-2021 01:37 PM

@DelvinC 

 

We are using the Prelogon and then on demand  for GP.

We are using Machine cert for Client Authentication using prelogon and then on demand.

 

We do have our Internal PKI server.

We have imported the Intermediate cert from the PC to the PA.

PA already has Root CA.

 

!>Our cert profile has Root and Intermediate certs.

2>For Cert for VPN it has CN field.

3>You need to make sure cert which you have on PC make sure import its Root and Intermediate to the PA.

 

Regards

 

MP

Help the community: Like helpful comments and mark solutions.

Go to solution
DelvinC
L2 Linker
In response to MP18

‎01-22-2021 01:47 PM

@MP18  Thanks for your response.

 

I've had success in the past deploying machine certificates for authentication. But, this time I'm specifically trying to get user certificate authentication to work with just the on-demand mode.

 

During my research, I came across the PAN KB article (Basic GlobalProtect Configuration with Pre-logon)  that hints that this is possible.

 

DelvinC_0-1611352025876.png

 

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to DelvinC

‎01-22-2021 02:31 PM

Yes as per that link it is possible.

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
DelvinC
L2 Linker

‎01-28-2021 03:27 PM

Just so that I provide closure to this discussion. I managed to get this rolled out and fix the issues that I was having.

 

Here is what I learned during my deployment and troubleshooting:

  • When using user certificate along with an authentication profile; you can leave the username field to "none" on the certificate profile.
  • "Required client certificate not found" was the error that got me stuck. I was using the certificate profile to verify the certificate-status:              2021-01-28 15_14_52-Clipboard.png                        
  • After long hours of detailed investigation I discovered that this was due to CRL verification failures. I hadn't validated the firewalls reachability to query the CRL that it was reading off the presented certificates. This lead to the discovery that the firewalls were configured with external DNS servers and that CRL verification attempts were being made against an internal FQDN. I updated the DNS servers on the firewall to lookup against internal DNS servers and everything is working like a charm!

Hope someone else finds this useful when they run into a similar fit!

 

 

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to DelvinC

‎01-30-2021 10:35 PM

 

@DelvinC 

 

Thanks for updating the Community.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
n.willemkotze
L0 Member
In response to DelvinC

‎09-12-2024 09:57 AM

thank you, very useful to know

0 Likes Likes
  • 1 accepted solution
  • 4734 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks