This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GP Agent Machine Certificate Check

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GP Agent Machine Certificate Check

Michael.Martin
L1 Bithead

‎07-27-2023 04:09 PM

Hello,

 

I am trying to find out more information about a GP portal setting called Machine Certificate Check under Portal Configuration / Agent / Agent Config / Config Selection Criteria / Device Checks. I was hoping to use a machine certificate check outside of the authentication tab to allow or disallow machines based on user/user group, but I can't seem to get it to work. I get a "You are not authorized to connect to GlobalProtect Portal" message. If I set the same certificate profile in the authentication tab, it works just fine when the cert is installed in the machine store. GlobalProtect connects as it should.

 

My question is, what is the difference between setting it in the authentication tab and setting it as a device check? It is using the same certificate profile and same certificate issued by the CA. I would think it should work set in either place.

 

PA-220 running 10.2.4

This is a test portal/gateway configuration I am using.

 

Thanks in advance for any input.

 

Michael

3 people had this problem.
Preview file
72 KB
Preview file
45 KB
0 Likes Likes
4 REPLIES 4

Mick_Ball
L7 Applicator

‎08-02-2023 06:06 AM

I would say that the authentication tab just allows you to connect to the gateway... the device check will decide which config within the gateway agent setting you would get once authenticated, if you only have 1 config in the agent it would not really be of any use...

 

For user/group membership you will need to look at Device>User Identification>user mapping.

0 Likes Likes

Merl
L1 Bithead

‎02-19-2024 03:33 AM

Hi, have you managed to solve this issue? Struggling with the same problem...

0 Likes Likes

DKh Al Obaidi
L1 Bithead

‎05-28-2024 12:05 PM

Any idea what is the main idea from the above ( what is the difference between setting it in the authentication tab and setting it as a device check? It is using the same certificate profile and same certificate issued by the CA. I would think it should work set in either place) ?

Dhari
0 Likes Likes

Merl
L1 Bithead
In response to DKh Al Obaidi

‎05-29-2024 02:53 AM

Authentication may be shared for several user groups and with a disabled certificate option. But at the same time you might be needed to have several Agent options with different criteria. My personal case: one GW, single Authentication method without cert, several Agent options for different groups. Some users only need authentication, other users need 2FA with a machine cert.

  • 2077 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks