GlobalProtect On-Demand using authentication profile and user certificate from PKI on gateway


L2 Linker

I'm trying to set up a GlobalProtect On-Demand environment.

The portal uses an LDAP server profile for authentication and has been validated to be working fine.

I intend to configure the gateway to use a combination of RADIUS and certificate profile to authenticate. I've confirmed that authentication works without the certificate profile.

My understanding is that certificate-based authentication for the "on-demand" mode works only if the certificates are user certificates (i.e. installed in the user store).

I've a PKI infrastructure in the environment that is pushing out certificates to the users. I do not intend to go down the SCEP configuration for this deployment.

So far I've not been successful in getting the certificate profile to work.

I'm greeted by the "Required client certificate not found" error.

I've tried to play with different options on the certificate profile like subject, subject alt-name, principal name, email, etc.

FYI... I have the PKI root CA and intermediate CAs already included in my certificate profile.


I wanted to know if anyone has this successfully working in this fashion using "On-demand" mode.

  1. What certificate fields or options did you use?
  2. What certificate profile options did you leverage?
  3. Any interesting scenarios you ran in your deployment?




Thanks for updating the Community.


