I'm trying to set up a GlobalProtect On-Demand environment. The portal uses an LDAP server profile for authentication and has been validated to be working fine. I intend to configure the gateway to use a combination of RADIUS and a certificate profile to authenticate. I've confirmed that authentication works without the certificate profile.

My understanding is that certificate-based authentication for the "on-demand" mode works only if the certificates are user certificates (i.e. installed in the user store). I have a PKI infrastructure in the environment that is pushing out certificates to the users. I do not intend to go down the SCEP configuration route for this deployment.

So far I've not been successful with the certificate profile. I'm greeted by the "Required client certificate not found" error. I've tried to play with different options on the certificate profile like subject, subject alt-name, principal name, email, etc. FYI... I have the PKI root CA and intermediate CAs already included in my certificate profile.

I wanted to know if anyone has this successfully working in this fashion using "On-demand" mode. What certificate fields or options did you use? What certificate profile options did you leverage? Any interesting scenarios you ran into in your deployment?
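As an added diagnostic (not part of the original post, and not Palo Alto Networks code), the following PowerShell script inventories the logged-on user's personal certificate store on a Windows client and reports, for each certificate, the properties a gateway certificate profile can depend on: whether a private key is present, whether the certificate carries the Client Authentication EKU, whether it is within its validity period, whether its chain builds, and whether that chain passes through one of the CAs loaded into the profile. It also prints the Subject and the Subject Alternative Name entries (Windows renders the UPN as "Principal Name=..." and the email as "RFC822 Name=..."), which are the values to compare against whichever username field (subject, subject alt-name, principal name, email) the profile is set to use. The two CA thumbprints are placeholders and must be replaced with the root and intermediate CA thumbprints configured in the profile; run the script in the affected user's session so that `Cert:\CurrentUser\My` is that user's store.

```powershell
# Added diagnostic, not from the original post or from the vendor.
# Lists certificates in the current user's personal store and the fields a
# GlobalProtect gateway certificate profile could match on.
# ASSUMPTION: the thumbprints below are placeholders; replace them with the
# root and intermediate CA thumbprints that are loaded into the profile.
$ProfileCaThumbprints = @(
    'PLACEHOLDER_ROOT_CA_THUMBPRINT',
    'PLACEHOLDER_INTERMEDIATE_CA_THUMBPRINT'
)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication EKU)
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension
$now = Get-Date

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # The certificate must be usable for client authentication.
    $hasClientAuth = $cert.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid

    # Build the chain on this machine and collect the CA thumbprints above the leaf.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $chainCas = $chain.ChainElements | Select-Object -Skip 1 |
        ForEach-Object { $_.Certificate.Thumbprint }
    $issuedByProfileCa = ($chainCas | Where-Object { $ProfileCaThumbprints -contains $_ }).Count -gt 0

    # SAN as Windows formats it, e.g. "Principal Name=user@example.com,
    # RFC822 Name=user@example.com"; these are the subject alt-name / principal
    # name / email values a profile can be configured to read.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

    [PSCustomObject]@{
        Thumbprint        = $cert.Thumbprint
        Subject           = $cert.Subject
        SAN               = $san
        HasPrivateKey     = $cert.HasPrivateKey
        ClientAuthEKU     = $hasClientAuth
        InValidityPeriod  = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        ChainBuilds       = $chainOk
        IssuedByProfileCA = $issuedByProfileCa
    }
} | Format-List
```

A certificate the profile is expected to pick up should show HasPrivateKey, ClientAuthEKU, InValidityPeriod, ChainBuilds and IssuedByProfileCA all True; if none of the listed certificates does, the "Required client certificate not found" symptom is explained on the client side before any profile field options need to be revisited. If one does, the Subject and SAN lines give the exact strings to line up against the username field selected in the profile.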