08-30-2023 02:23 AM
We are planning to configure a certificate check HIP object and authentication based on that. We are not getting any clear picture online or in the Palo Alto portal. Please help us by providing resources...
08-30-2023 05:48 AM
Hi @ngd-netsec ,
You can configure GlobalProtect to authenticate the client with a certificate and/or username/password. You do not have to configure HIP checks. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIICA0
You can also Google "globalprotect client certificate authentication" and you will find more docs and videos.
I have configured GP certificate authentication for a few of my customers, and it is easy once you get the hang of it.
Thanks,
Tom
09-03-2023 06:08 PM - edited 09-03-2023 06:08 PM
Hey @TomYoung,
When you configure CBA for customers, do you use a second factor, i.e., SAML/MFA, or is CBA the only factor?
09-03-2023 07:14 PM
Hi @FranklinV ,
Under the Client Authentication config, you can choose certificate only or certificate and username/password. The username/password can reference many Authentication Profile types including SAML. MFA can be built into many authentication methods.
Thanks,
Tom
09-03-2023 08:00 PM
@TomYoung thanks! I am familiar with this setting. Was just curious to know if others are okay with a single factor (CBA only).
BTW, would you know, when CBA and username/password are configured with SAML (+ built-in MFA) as the second factor, whether users receive the SAML prompt for the second factor (username/password) or the MFA prompt?
As an example: First factor is certificate, Second factor MFA (no username/password).
09-04-2023 02:35 AM
Hi @FranklinV ,
Got it! I understand your question now. I do not configure Certificate-Based Authentication only. It is recommended to use 2FA for GlobalProtect (RA VPN) because if you use one factor and it is compromised, then threats have access to your network. RA VPN is a commonly exploited means of gaining access.
With regard to SAML+MFA without a u/p prompt, I know the portal can be configured to accept authentication cookies, but I have never configured it or seen it on the 1st login. GP can also use HW/SW tokens, although I have not seen a lot of documentation on it.
Another possibility is to use RADIUS/EAP-TLS and have the RADIUS server extract the username from the certificate and communicate with the MFA software.
Thanks,
Tom
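The RADIUS/EAP-TLS step Tom describes (validate the client certificate against the enterprise CA, then take the username from it and hand that identity to the MFA system) as an added Go example, not code from the thread or from Palo Alto; the CA, the user certificate and the names in it are constructed sample data.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// UsernameFromClientCert mirrors the RADIUS/EAP-TLS step above: the client certificate must chain
// to the trusted CA with the clientAuth EKU; only then is its SAN email taken as the username sent to MFA.
func UsernameFromClientCert(cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // untrusted issuer, expired or wrong EKU: no username, so no second factor either
	}
	if len(cert.EmailAddresses) == 0 {
		return "", fmt.Errorf("certificate %v carries no SAN email to use as username", cert.Subject)
	}
	return cert.EmailAddresses[0], nil
}

func must[T any](v T, err error) T { // panics on error: the PKI below is constructed sample data
	if err != nil {
		panic(err)
	}
	return v
}

// SamplePKI stands in for the enterprise device CA (constructed sample data, not from the page).
func SamplePKI() (roots *x509.CertPool, user *x509.Certificate) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		EmailAddresses: []string{"alice@example.com"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	userKey := must(rsa.GenerateKey(rand.Reader, 2048))
	user = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, userTmpl, ca, &userKey.PublicKey, caKey))))
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, user
}

func main() {
	roots, user := SamplePKI()
	fmt.Println(UsernameFromClientCert(user, roots)) // alice@example.com <nil>
}
```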