This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

User-id with GP client certificate authentication

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User-id with GP client certificate authentication

Go to solution
ahwang2929
L1 Bithead

‎07-29-2025 09:38 PM

Hi,

I have questions regarding user-id operation with GP client certificate authentication only for iOS/Android devices.

 

Current state:

  • We have GlobalProtect portal and external gateway on the same firewall with SAML authentication for mobile devices - iOS (on-demand, but enforcement to use VPN is achieved with proxy file) and Chrombook (always-on)
  • IHD (Internal Host Detection) is not used hence mobile devices are always tunnelled to the external gateway even they are on the internal network.

 

Target state:

  • Reconfigure GlobalProtect with a unique client certificate profile for authentication without other authentication methods. (Remove SAML authentication)
  • Configure Certificate profile with username field of Subject (common-name)
  • Change App connection method to always-on for iOS devices.
  • Enable IHD(Internal Host Detection) to make clients on internal network won’t be tunnelled.
  • Create new GP internal gateway without establishing a VPN tunnel to the firewall  to collect user-id information

 

Questions:

1) For devices on the internal network, is an internal GlobalProtect gateway required to report User-ID information to the firewall?

 

2) If we switch to client certificate-only authentication (no user credentials), will the GlobalProtect gateways still report User-ID mappings?
I assume the gateways extract the username from the certificate’s Subject (e.g., CN), so this should still work — can you confirm?

 

3) For accurate User-ID mapping, should we use user certificates rather than machine certificates?

Machine certificates contain the device name or host FQDN in the subject. So I assume firewall may end up mapping the IP to a device name, not the user which is not expected.

 

Thanks

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
sk_display
L1 Bithead

‎08-05-2025 05:35 AM

1) Yes

2) You'll need an internal gateway

3) You're correct that the certificate will need a unique user attribute on it. We used the email field in the certificate SAN to populate the email address and extract the userid from there. On the internal gateway, you can select configure the certificate profile to pull that info from the certificate.

View solution in original post

1 REPLY 1

Go to solution
sk_display
L1 Bithead

‎08-05-2025 05:35 AM

1) Yes

2) You'll need an internal gateway

3) You're correct that the certificate will need a unique user attribute on it. We used the email field in the certificate SAN to populate the email address and extract the userid from there. On the internal gateway, you can select configure the certificate profile to pull that info from the certificate.

  • 1 accepted solution
  • 333 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks