07-29-2025 09:38 PM
Hi,
I have questions regarding user-id operation with GP client certificate authentication only for iOS/Android devices.
Current state:
Target state:
Questions:
1) For devices on the internal network, is an internal GlobalProtect gateway required to report User-ID information to the firewall?
2) If we switch to client certificate-only authentication (no user credentials), will the GlobalProtect gateways still report User-ID mappings?
I assume the gateways extract the username from the certificate’s Subject (e.g., CN), so this should still work — can you confirm?
3) For accurate User-ID mapping, should we use user certificates rather than machine certificates?
Machine certificates contain the device name or host FQDN in the subject, so I assume the firewall may end up mapping the IP to a device name rather than the user, which is not what we want.
Thanks
08-05-2025 05:35 AM
1) Yes
2) You'll need an internal gateway
3) You're correct that the certificate will need a unique user attribute on it. We used the email field in the certificate SAN to populate the email address and extract the userid from there. On the internal gateway, you can configure the certificate profile to pull that info from the certificate.
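As an added example (not from the thread or from Palo Alto Networks), the POSIX shell script below shows why the answer's point about a unique user attribute matters. It issues two constructed, throwaway self-signed certificates, a user certificate carrying an rfc822Name (email) SAN and a machine certificate with only a hostname CN, then applies the same extraction logic to both: the first yields a username, the second yields a device name. It assumes `openssl` 1.1.1 or newer on PATH; the helper names and sample identities are hypothetical.

```shell
#!/bin/sh
# Added example: User-ID derivation from certificate fields, user cert vs machine cert.
set -e

# Issue a constructed self-signed certificate. $1 = output prefix, $2 = subject,
# $3 = optional SAN spec (e.g. "email:alice@example.com"). Keys are throwaway.
make_cert() {
  if [ -n "$3" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
      -addext "subjectAltName=$3" -keyout "$1.key" -out "$1.pem" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
      -keyout "$1.key" -out "$1.pem" 2>/dev/null
  fi
}

# Print the SAN rfc822Name (email) of a PEM certificate; prints nothing if absent.
san_email() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | sed -n 's/.*email:\([^,[:space:]]*\).*/\1/p'
}

# Print the Subject CN of a PEM certificate.
subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Derive the User-ID username the way the reply describes: take the SAN email,
# strip the domain part. If no email SAN exists, all that is left is the CN,
# which on a machine certificate is the device name, not a user.
userid_from_cert() {
  email=$(san_email "$1")
  if [ -n "$email" ]; then
    printf '%s\n' "${email%%@*}"
  else
    subject_cn "$1"
  fi
}

# Demo on two constructed certificates (hypothetical identities).
demo_dir=$(mktemp -d)
make_cert "$demo_dir/user"    "/CN=Alice Example" "email:alice@example.com"
make_cert "$demo_dir/machine" "/CN=laptop01.corp.example.com"
printf 'user cert    -> %s\n' "$(userid_from_cert "$demo_dir/user.pem")"
printf 'machine cert -> %s\n' "$(userid_from_cert "$demo_dir/machine.pem")"
```

The machine certificate has no email SAN, so the only identity the profile could extract is the hostname, which is exactly the IP-to-device-name mapping the question worried about.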