GlobalProtect --- Use machine certificate or a user certificate (without specifying Username Field)

Hi,

 

I'm busy setting up GlobalProtect for a client, and already have LDAP authentication working. However the client requires a second factor for the authentication and went with certificates because they have an internal PKI.

 

I've been trying to configure this to use machine certificates, so that only corporate machines would have access. I've followed the guides, and this LIVEcommunity post reiterates what I've read.

 

https://live.paloaltonetworks.com/t5/General-Topics/GlobalProtect-Use-Machince-Certificates-for-Auth...

 

However, when I leave the Username Field blank in the certificate profile, I get failed commits with the following details:

 

GlobalProtect portal(portal name) auth setting is invalid: no username field is configured in certificate profile.
(Module: sslvpn)
GlobalProtect gateway(gateway name) auth setting is invalid: no username field is configured in certificate profile.
(Module: rasmgr)
global-protect-gateway tunnel interface (tunnel name) in vsys (vsys1) parsing failed
(Module: rasmgr)

 

What am I missing here that would cause this error, when all the literature I've been through indicates that I should be able to set the Username Field to "None"? We've even moved to a higher maintenance release on the firewall in case this was a bug. Now running PAN-OS 9.0.7.

 

Any suggestion of where I could or should look for issues will be appreciated.

 

Thanks.
