User-id with GP client certificate authentication

L1 Bithead

Hi,

I have questions regarding user-id operation with GP client certificate authentication only for iOS/Android devices.

Current state:

  • We have GlobalProtect portal and external gateway on the same firewall with SAML authentication for mobile devices - iOS (on-demand, but enforcement to use VPN is achieved with a proxy file) and Chromebook (always-on)
  • IHD (Internal Host Detection) is not used, hence mobile devices are always tunnelled to the external gateway even when they are on the internal network.

Target state:

  • Reconfigure GlobalProtect with a unique client certificate profile for authentication without other authentication methods (remove SAML authentication).
  • Configure the certificate profile with the username field set to Subject (common-name).
  • Change the app connection method to always-on for iOS devices.
  • Enable IHD (Internal Host Detection) so that clients on the internal network won't be tunnelled.
  • Create a new GP internal gateway, without establishing a VPN tunnel to the firewall, to collect User-ID information.

Questions:

1) For devices on the internal network, is an internal GlobalProtect gateway required to report User-ID information to the firewall?

2) If we switch to client certificate-only authentication (no user credentials), will the GlobalProtect gateways still report User-ID mappings?
I assume the gateways extract the username from the certificate’s Subject (e.g., CN), so this should still work — can you confirm?

3) For accurate User-ID mapping, should we use user certificates rather than machine certificates?

Machine certificates contain the device name or host FQDN in the subject. So I assume the firewall may end up mapping the IP to a device name, not the user, which is not expected.

Thanks

1 accepted solution

Accepted Solutions

L1 Bithead

1) Yes

2) You'll need an internal gateway

3) You're correct that the certificate will need a unique user attribute on it. We used the email field in the certificate SAN to populate the email address and extract the userid from there. On the internal gateway, you can configure the certificate profile to pull that info from the certificate.

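Added example (not from the thread or from Palo Alto Networks): a small pre-deployment check that emulates the certificate profile's "username field" choice (Subject common-name vs. Subject Alt email, the two options discussed above) and flags when the extracted value is a device identity rather than a user identity, which is the pitfall raised in question 3. The certificates are constructed sample data in the dict shape Python's `ssl.getpeercert()` returns; the `extract_username`/`userid_check` functions, the local-part split and the device-name heuristic are assumptions, not the firewall's logic.

```python
"""Emulate the GlobalProtect certificate-profile "username field" choice and
check whether the value it would extract identifies a user or a device.

Sample certificates are constructed inline (not real certificates) in the
same dict shape that Python's ssl.SSLSocket.getpeercert() returns."""
import re
from typing import Optional, Tuple

# Constructed sample certificates. 'subject' is a tuple of RDNs, each RDN a
# tuple of (attribute type, value); 'subjectAltName' is a tuple of (type, value).
USER_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "jdoe"),)),
    "subjectAltName": (("email", "jdoe@corp.example"),),
}
MACHINE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "ipad-0042.corp.example"),)),
    "subjectAltName": (("DNS", "ipad-0042.corp.example"),),
}

# Heuristic (assumption): values shaped like an FQDN, or ending in '$' like an
# AD machine account, are device identities and would produce a bad mapping.
DEVICE_NAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$|\$$", re.IGNORECASE)


def extract_username(cert: dict, username_field: str) -> Optional[str]:
    """Return the value a certificate profile would take as the username.

    username_field is 'subject' (common-name) or 'subject-alt-email'; this is a
    simplified emulation, not PAN-OS code."""
    if username_field == "subject":
        for rdn in cert.get("subject", ()):
            for attr_type, value in rdn:
                if attr_type == "commonName":
                    return value
        return None
    if username_field == "subject-alt-email":
        for san_type, value in cert.get("subjectAltName", ()):
            if san_type == "email":
                # Assumption: the local part is the userid; the domain is
                # handled by the firewall's domain mapping.
                return value.split("@", 1)[0]
        return None
    raise ValueError(f"unknown username field: {username_field}")


def userid_check(cert: dict, username_field: str) -> Tuple[Optional[str], str]:
    """Return (username, verdict); verdict is 'user', 'device' or 'missing'."""
    name = extract_username(cert, username_field)
    if name is None:
        return None, "missing"
    return name, "device" if DEVICE_NAME.search(name) else "user"
```

Run it against an export of the actual certificate fields before committing to a profile: a 'device' or 'missing' verdict on the field you intend to use means User-ID will map the IP to a hostname or to nothing at all.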
