Thanks for the input folks, it pointed me in the right direction. My certificates have CNs, so that was not the issue. I had to change the portal setting to look for the certificate in the user store, not the machine store, and install my CA and machine cert in the user store. Not sure if this applies to all browsers, but at least Chrome would not show the machine certificates when trying to access the portal website. My issue with the gateway working even after applying the cert profile was that we had authentication cookie override...

However, my "issue" now is that I need to install both the CA and the machine cert in the user's store for the portal website to work, but for the app/gateway I need both certs in the machine store or it says a valid cert was not found when connecting to the gateway. Is there a setting for the app/gateway to look for the cert in the user store also? I could not find it.
Hi, we are currently using GlobalProtect with an auth profile that uses LDAP and DUO proxy. We now want to expand this setup to require a machine certificate to be allowed to log on to the portal/gateway, so only company-owned computers can log in.

We created a new CA and machine certificate on our PA-820, then chose this new CA in a new cert profile with "Username field" set to "None". We then added this new cert profile to the authentication tab on both our GP Portal and our GP Gateway. On the machine on which we tested this new setup, we installed the created CA cert without private key in the "Trusted root certificates" store and the machine cert with private key signed by this CA in the "Personal" store under computer certificates. The portal config > agent > app settings says "look for client certificate" in "Machine".

When we navigate to the portal website it says "Valid client certificate is required" and does not prompt us to authenticate with our installed certificate. However, when we log onto the VPN with the GP app it does not require any certificate. It works for users both with and without the certificate installed... Any thoughts on why we can't get this to work as expected?
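A quick way to confirm which Windows store actually holds the CA and the client/machine certificate on the test machine, and whether the leaf cert carries a private key and the Client Authentication EKU, is the PowerShell check below. It is an added diagnostic, not code from either post or from Palo Alto Networks; the CA subject string `CN=Corp-GP-CA` is an assumed placeholder to replace with your own CA's name. It walks both the computer (LocalMachine) and user (CurrentUser) stores, since the thread shows the portal page and the GP app looking in different places:

```powershell
# Added diagnostic (not from the thread): list GlobalProtect-related certificates
# in the computer and user stores so a mismatch between "look for client
# certificate" = Machine/User and where the certs were actually installed is visible.
# Assumption: the issuing CA's subject contains this placeholder string.
$CaName = 'CN=Corp-GP-CA'

# Client Authentication EKU OID; a client cert without it is often ignored by browsers.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

$stores = @(
    'Cert:\LocalMachine\Root',   # CA cert, computer store (used when the app looks in "Machine")
    'Cert:\LocalMachine\My',     # machine cert with private key, computer store
    'Cert:\CurrentUser\Root',    # CA cert, user store (what the browser sees for the portal page)
    'Cert:\CurrentUser\My'       # client cert with private key, user store
)

foreach ($store in $stores) {
    Write-Host "== $store =="
    $matches = Get-ChildItem -Path $store |
        Where-Object { $_.Issuer -like "*$CaName*" -or $_.Subject -like "*$CaName*" }

    if (-not $matches) {
        Write-Host "  (no certificate issued by or matching $CaName in this store)"
        continue
    }

    $matches | ForEach-Object {
        $cert = $_
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            HasPrivateKey = $cert.HasPrivateKey          # must be True for the leaf cert
            ClientAuthEKU = [bool]($cert.EnhancedKeyUsageList |
                                Where-Object { $_.ObjectId -eq $ClientAuthOid })
            NotAfter      = $cert.NotAfter                # catches an already-expired cert
            Thumbprint    = $cert.Thumbprint
        }
    } | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so the LocalMachine\My private-key flag is reported accurately; a CA certificate will normally show `ClientAuthEKU` as False, which is expected, while the leaf certificate should show both `HasPrivateKey` and `ClientAuthEKU` as True in whichever store the portal or app setting points at.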