Pre-Logon Machine Certificate

Hello All,
My issue is regarding the Machine Certificate selection in the Global Protect Agent.

Background information:

  • We are using our own internal PKI (Active Directory). Our CA root has been imported and other systems are known to be working fine (e.g. Forward Trust Cert, SSL decryption... based on this Active Directory CA root).
  • Our current implementation of Global Protect is working fine - but pre-logon was not originally configured.
  • Our Active Directory is already configured to auto-enroll a Client certificate (OID Client Authentication (1.3.6.1.5.5.7.3.2)) and a Server certificate (OID Server Authentication (1.3.6.1.5.5.7.3.1)). That was previously done for some other purposes, but the Client certificate is nothing special, with the Subject field populated with the CN along with the SAN.
  • My goal is to start using the pre-logon logic.

The issue: whatever I am trying, as soon as I enable the pre-logon in the Global Protect Portal's Agent configuration, the GP client on the workstation will prompt to select a certificate. Basically, all certificates signed by our Active Directory CA will show up.

I opened a ticket with Palo Alto but after 3 weeks, they are still pointing me to the Docs and KB articles from Palo Alto's site.

If I delete all certificates but one, it works fine.

If I select any certificate, it works fine too (which seems logical since they are all signed by the same CA).

I also tried to create a Global Protect centric certificate with a custom OID - and forcing the OID in the GP App configuration. Same result: it just adds to the list of certificates to select.

[attached screenshot]

So, it seems Palo Alto support cannot tell "why" it is doing that... Besides "please cross-check all the requirements, as the error 'cert usage issue' will only be seen when the client certificate is not meeting the requirements.", I don't feel like they can tell what the reason behind it is.

Any help is welcome! This is driving me crazy because I feel like I checked everything I could but am still missing a key piece of information - one that apparently was not obvious to me.

Thanks for any answers!

R.

Cyber Elite

Hello,

Is this before the logon, where the machine certificate is used, or after the initial logon, where a client cert is used? When you specify the OID, do you see that key appear in the Windows registry? (ext-key-usage-oid-for-client-cert <oidValue>) See App Behavior Options (paloaltonetworks.com).

If the cert you are looking to use is signed by a specific template, you can specify this template in the cert profile as well.

Hello Claw4609,
Thanks for the reply.
If I put the OID in the configuration:

[attached screenshot]

It still prompts for the certificates... and I do see the following in HKLM (not the user HKEY):

ext-key-usage-oid-for-client-cert_PL [REG_SZ]
1.3.6.1.4.1.311.21.8.2892726.13712142.5523597.2770613.14610168.103.6471368.12477013

[attached screenshot]

I tried to pre-populate "ext-key-usage-oid-for-client-cert" in the registry (HKLM) but that did not help.

Regarding your comment on the "signed by a specific template", I honestly did not go that far, since I was at least hoping to make it work with the default Client cert....

Did you ever get this resolved? We are having the same issue.
Hello cjthorse82,
Still in the process of creating my "seamless" migration plan but I believe I found a few answers that applied to my issue.

  1. The certificate must be of type Client Authentication (1.3.6.1.5.5.7.3.2), even if you create a custom one.
    In the latter case, you should add your custom OID to the Client Authentication one.
    [attached screenshot]
    The OID you input into the Agent's configuration is only your custom one.
    This document helped me: GlobalProtect Machine Certificate Match Using OID - Knowledge Base - Palo Alto Networks
  2. The "subject" of the certificate should be the FQDN of the workstation - and the same one as one of the SAN entries.
  3. To avoid the chicken-and-egg issue grabbing the certificate for the Portal authentication, just add the certificate profile to the Gateway (as in this doc: Remote Access VPN with Pre-Logon).
    There's an HKLM key "ext-key-usage-oid-for-client-cert_PL" that I believe could be used to force the OID for the PreLogon / Portal, but I could never find any reference to this on Palo Alto's site. So I decided not to use it; plus it adds a layer of complexity for the migration process I am looking for...
    Only the gateway's HKLM "ext-key-usage-oid-for-client-cert" is documented on PA.

Hope that will help you debug your specific issue!

Cheers.

R.
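The following is an added example for this thread; it is not code from the original posts, from Claw4609, or from Palo Alto Networks. It turns the checks the thread converged on (the Cyber Elite reply's registry question and the three points in the last answer) into a script you can run in an elevated PowerShell on the workstation that keeps prompting: it audits every certificate in the machine store for the Client Authentication EKU plus the custom OID, a Subject CN equal to the workstation FQDN, the same FQDN as a SAN DNS entry, a private key, and current validity, then lists every ext-key-usage-oid-for-client-cert* value the agent has written under HKLM. Assumptions: $CustomOid is the template OID quoted earlier in the thread (replace it with yours); the HKLM base path in Get-GpOidSetting is assumed, which is why it is searched recursively; the SAN check relies on the English CryptoAPI rendering "DNS Name=" of the extension; and the $ExpectedIssuer parameter is an optional, hypothetical pin on the issuing CA's DN.

```powershell
# Added example for this thread, not code from the original posts or from Palo Alto Networks.
# Audits machine-store certificates against the requirements the thread settled on and
# dumps the agent's ext-key-usage-oid-for-client-cert* registry values under HKLM.
# Assumptions: $CustomOid is the template OID quoted in the thread (replace with yours);
# the HKLM base path in Get-GpOidSetting is assumed, so it is searched recursively.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$CustomOid     = '1.3.6.1.4.1.311.21.8.2892726.13712142.5523597.2770613.14610168.103.6471368.12477013'

function Test-GpMachineCert {
    # Returns a list of findings; an empty list means the certificate passes every check.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$CustomOid,
        [string]$ExpectedIssuer     # optional (assumed) issuer DN pin, e.g. 'CN=Corp-CA, DC=corp, DC=example'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. EKU must carry Client Authentication AND the custom OID (point 1 in the thread).
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    $ekus = @()
    if ($ekuExt) {
        $ekus = @(([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
                  ForEach-Object { $_.Value })
    }
    if ($ekus -notcontains $ClientAuthOid) { $findings.Add("EKU lacks Client Authentication ($ClientAuthOid)") }
    if ($ekus -notcontains $CustomOid)     { $findings.Add("EKU lacks custom OID $CustomOid") }

    # 2. Subject CN must be the workstation FQDN (point 2).
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $Fqdn) { $findings.Add("Subject CN '$cn' is not '$Fqdn'") }

    # 3. The same FQDN must be a DNS entry in the SAN (point 2). CryptoAPI renders the
    #    extension as 'DNS Name=host.corp.example, ...' on an English Windows install.
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    if ($sanText -notmatch "DNS Name=$([regex]::Escape($Fqdn))(,|\s|$)") { $findings.Add("SAN has no DNS entry for '$Fqdn'") }

    # 4. Usable before logon: private key in the machine store, currently valid, expected issuer.
    if (-not $Cert.HasPrivateKey) { $findings.Add('no private key in the machine store') }
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $findings.Add("not valid now ($($Cert.NotBefore) .. $($Cert.NotAfter))") }
    if ($ExpectedIssuer -and $Cert.Issuer -ne $ExpectedIssuer) { $findings.Add("issuer is '$($Cert.Issuer)'") }

    return ,$findings
}

function Get-GpOidSetting {
    # Walks the (assumed) GlobalProtect key under HKLM and returns every value whose name
    # starts with ext-key-usage-oid-for-client-cert, including the _PL variant from the thread.
    param([string]$Base = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect')
    if (-not (Test-Path $Base)) { return }
    $keys = @(Get-Item $Base) + @(Get-ChildItem $Base -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            if ($name -like 'ext-key-usage-oid-for-client-cert*') {
                [pscustomobject]@{ Key = ($k.PSPath -replace '^.*::', ''); Name = $name; Value = $k.GetValue($name) }
            }
        }
    }
}

# Build the workstation FQDN from DNS host name + AD domain rather than $env:USERDNSDOMAIN,
# because the latter is not populated in a pre-logon (SYSTEM) context.
$cs   = Get-CimInstance Win32_ComputerSystem
$Fqdn = "$($cs.DNSHostName).$($cs.Domain)"
Write-Host "Machine store certificates evaluated for $Fqdn`n"

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $issues  = Test-GpMachineCert -Cert $cert -Fqdn $Fqdn -CustomOid $CustomOid
    $verdict = if ($issues.Count -eq 0) { 'CANDIDATE' } else { 'skip     ' }
    Write-Host ('{0} {1}  {2}' -f $verdict, $cert.Thumbprint, $cert.Subject)
    foreach ($i in $issues) { Write-Host "            - $i" }
}

Write-Host "`nGlobalProtect OID values under HKLM:"
Get-GpOidSetting | Format-Table -AutoSize
```

Read the output the way the thread reads the symptom: more than one CANDIDATE line means more than one certificate satisfies the criteria, which is exactly the situation in which the original poster saw the selection prompt (it disappeared once only one certificate was left), so the fix is to tighten the template or the custom OID until a single certificate remains. The script approximates the criteria the thread identified; it does not reproduce the agent's internal selection logic, so treat a clean result as a necessary, not sufficient, condition.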
