GlobalProtect Portal authentication by certificate fails with "Valid client certificate is required"


I have been trying for some time to get a multi-stage GP login working in an always-on VPN. Going from an existing user/pass login to both the Portal and Gateway (with third-party MFA over RADIUS, cookies to prevent dual auth request), to a certificate login to the Portal (for automatic login/updates of GP client configs and immediate internal host detection) and user/pass on the Gateway.

It seems that when the Portal and Gateway are on the same IP, the Gateway SSL/TLS Profile and Client Authentication settings override the Portal configuration settings. Can anyone confirm this? I can't find it documented anywhere.

Example config:

GP -> Portals -> [VPN_ISP1_Portal] -> Authentication:

        SSL/TLS Profile = [PublicCert_1]

        Client authentication = Certificate Profile -> [VPN_Client_Certs]

GP -> Gateways -> [VPN_ISP1_Gateway] -> Authentication:

        SSL/TLS Profile = [PublicCert_2]

        Client authentication = user/pass profile

Browse to the Portal/Gateway IP (or try to connect with the GP client) and you get a page with a "Valid client certificate is required" error; the page is signed with PublicCert_2. If you delete the Gateway (or presumably move it to a different IP - not tested yet), then you get a successful certificate authentication against the Portal and the webpage is signed by PublicCert_1.
