Machine Certificate Check/ Not working for me


L1 Bithead

Goal:

When a user connects to the GlobalProtect portal, it will authenticate using the LDAP authentication profile and check for the presence of a certificate on the device.

 

If the device (in my case I'm only going to use Windows 10 PCs) does not have the certificate, the authentication will fail.

 

What I've done so far:

  • The LDAP authentication profile works as expected.
  • Created a new RootCA from the firewall, created an IntermediateCA signed by the RootCA, and created a "machinecert" signed by the IntermediateCA.
  • Created a Certificate Profile.
    • [screenshot: asiewert_0-1716391538482.png]
  • Within the portal configuration Authentication tab, I added the newly created certificate profile. Note that the certificate profile only has the RootCA and IntermediateCA certs, not the machinecert.
  • Under the portal Agent tab, agent config, the settings for "save user credentials" are set to No and no cookies are used.
    • [screenshot: asiewert_1-1716391699348.png]

     

The problem:

 

  • I can log into GlobalProtect with or without the certificates installed on my laptop using the settings above.
  • I may be missing something obvious, or completely misconfigured this for what I want.

I would appreciate some help or guidance on how to correct the config, or change it to meet the goal above. Thank you for your help! Let me know if you guys need further information.


Accepted Solutions

This problem was user error, me.

 

I did not realize I had installed the machinecert in the Personal certificate store of the user. That's why it kept on connecting even when I removed the certificates from the computer certificate store. GlobalProtect is set by default to check both the user and computer certificate stores. Doh!


Community Team Member

Hi @asiewert ,

 

Just a quick check: did you by chance enable "Allow Authentication with User Credentials OR Client Certificate"?

 

[screenshot: kiwi_1-1716460105323.png]

 

 

If you select No, users must authenticate to the gateway using both user credentials and client certificates. If you select Yes, users can authenticate to the gateway using either user credentials or client certificates.

 

Hope this helps,

-Kim.

LIVEcommunity team member, CISSP

L2 Linker

Hi @asiewert,

 

If you are looking to use the client/machine certificate for additional authentication on top of LDAP, where have you installed this client/machine certificate? The client/machine certificate will need to be installed on the device requiring remote access. Then a check will be performed to see if this client certificate has been signed by the CAs in your certificate profile.

 

Try installing the certificate into the "Personal" folder of either the Local Computer or Current User cert store and test authentication again.

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-user-authenti... 

 

https://www.youtube.com/watch?v=TFstISND5PE (details the creation and export of a client certificate with public/private key pair)

 

[screenshot: SirchRettop_0-1716486064937.png]

 

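The resolution and the reply above both hinge on where the client certificate actually lives on the endpoint: GlobalProtect looks in both the Current User and Local Machine Personal stores, so a stray copy in the user store is enough to satisfy the certificate profile even after the computer-store copy is removed. The script below, run on the Windows 10 endpoint, lists every certificate with a private key in both stores and reports whether its chain terminates at the certificate profile's root. This is an added example, not code from the thread or from Palo Alto Networks; it assumes you paste the thumbprint of your own firewall-generated RootCA into the `$RootThumbprint` placeholder.

```powershell
# Added example (not from the thread): audit the two Personal stores that
# GlobalProtect inspects by default and show which client certificates chain
# to the RootCA referenced by the portal's certificate profile.
# $RootThumbprint is a placeholder; replace it with your own RootCA thumbprint.
param(
    [string]$RootThumbprint = 'REPLACE-WITH-ROOTCA-THUMBPRINT'
)

$RootThumbprint = $RootThumbprint.ToUpper()
$stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
$summary = @{}

foreach ($store in $stores) {
    Write-Host "`n== $store =="
    $summary[$store] = 0

    # Only certificates with a private key can be presented as client certs
    $certs = Get-ChildItem -Path $store | Where-Object { $_.HasPrivateKey }
    if (-not $certs) {
        Write-Host '  (no certificates with a private key)'
        continue
    }

    foreach ($cert in $certs) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # A lab PKI built on the firewall usually has no CRL/OCSP endpoint,
        # so do not let missing revocation data mask a chain-building result.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)

        # The last element of a built chain is the self-signed root
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootMatches = ($root.Thumbprint -eq $RootThumbprint)
        if ($rootMatches) { $summary[$store]++ }

        # Extract Enhanced Key Usage so a missing "Client Authentication" EKU is visible
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku = if ($ekuExt) {
            ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
        } else { '(none)' }

        Write-Host ("  {0}" -f $cert.Subject)
        Write-Host ("    Thumbprint : {0}" -f $cert.Thumbprint)
        Write-Host ("    Issuer     : {0}" -f $cert.Issuer)
        Write-Host ("    Chain root : {0}" -f $root.Subject)
        Write-Host ("    Chain OK   : {0}   Matches profile root: {1}" -f $chainOk, $rootMatches)
        Write-Host ("    EKU        : {0}" -f $eku)
        Write-Host ("    Valid      : {0} -> {1}" -f $cert.NotBefore, $cert.NotAfter)
    }
}

Write-Host "`n== Summary =="
foreach ($store in $stores) {
    Write-Host ("  {0}: {1} certificate(s) chain to the profile root" -f $store, $summary[$store])
}
if ($summary['Cert:\CurrentUser\My'] -gt 0 -and $summary['Cert:\LocalMachine\My'] -eq 0) {
    Write-Host '  Note: only the user store holds a matching certificate; GlobalProtect will still accept it.'
}
```

Run it as the user who logs into GlobalProtect (the Current User store is per account) and once more from an elevated prompt if you want to be sure the Local Machine store is fully readable. If the goal is strictly a machine certificate, the expected result is a single match under `Cert:\LocalMachine\My` and none under `Cert:\CurrentUser\My`.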
