09-17-2018 02:43 PM
I have several customers (and my homelab) that leverage user certificates issued from Active Directory Certificate Authorities as a second authentication factor. Since upgrading to the new 5.0 client for iOS, the client errors out on connection to the portal, indicating that the required certificate cannot be found. If I attempt to connect to the same portal via the 4.1 client, it works flawlessly. Upgrading to iOS 12 prevents me from using the 4.1 client, and I fear that many of my customers' users will upgrade their own devices to iOS 12, not knowing the problems this may cause.
Is anyone else having problems with user certificates and the new 5.0 client?
Thanks!
Mark Rosenecker
09-18-2018 05:13 AM
Hello all,
Can someone detail the steps they took to "reimport" the certificates for an unmanaged iOS device? I reimported the certs I use for GlobalProtect and I still can't authenticate to my Gateway. I used the same steps to import the certs that I've always used: email the certs to myself; import in this order: CA, Intermediate, Client; trust the CA under Settings > General > About > Certificate Trust Settings. I still get the same error I was getting before:
GlobalProtect gateway user authentication failed. Login from: xxx.xxx.xxx.xxx, Source region: US, User name: , Client OS version: Apple iOS 12.0, Reason: client cert not present, Auth type: profile.
BTW: I use two-factor auth in the form of local username/password and a shared client certificate.
Thanks.
09-18-2018 01:44 PM
Hi @icartwright, yeah, me too...
I have upgraded to iOS 12 and GP 5 and removed all certs and re-emailed and installed.
GP is stating no client certificate found, but when I browse to my portal via Safari it accepts the cert.
Please update if you manage to resolve.
Thanks.
09-18-2018 02:16 PM
Yep, emailing them won't work anymore. Apple removed the ability for VPN applications to access certs that are emailed as a standalone file (.p12, for example). The portal works from Safari because it's not initiating a VPN tunnel, so it can access the keystore.
You can deploy them using Apple Configurator in a .mobileconfig file, which CAN be emailed to be installed.
It's a pain, but it's universal with all VPN apps in iOS 12 (not just GlobalProtect).
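To make the .mobileconfig route concrete, here is an added example (not code from the thread, Palo Alto Networks or Apple) that builds a configuration profile carrying a root CA certificate and a PKCS#12 client identity, which is what Apple Configurator or an MDM would push to the device. It uses only the standard library; the certificate and .p12 bytes are constructed placeholders, and the organisation name, identifier prefix and export password are assumptions. The profile embeds the PKCS#12 export password in clear text, which is why it has to travel over a trusted channel (Configurator over USB, MDM, or a signed profile) rather than as a bare e-mail attachment.

```python
"""Build an iOS configuration profile (.mobileconfig) containing a CA
certificate payload and a PKCS#12 identity payload.

Added example; it is not part of the original thread. The payload types,
keys and profile structure follow Apple's configuration-profile format.
"""
import plistlib
import uuid

# Constructed placeholders. A real deployment would read ca.cer (DER) and
# client.p12 exported from the AD Certificate Authority instead.
CA_DER_PLACEHOLDER = b"PLACEHOLDER-DER-ENCODED-CA-CERTIFICATE"
CLIENT_P12_PLACEHOLDER = b"PLACEHOLDER-PKCS12-CLIENT-IDENTITY"


def _new_uuid():
    # Each payload needs its own UUID so iOS can track updates/removal.
    return str(uuid.uuid4()).upper()


def ca_payload(der_bytes, display_name, ident_prefix):
    """Payload that installs a root CA certificate (type com.apple.security.root)."""
    return {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ident_prefix}.ca",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": display_name,
        "PayloadCertificateFileName": "ca.cer",
        "PayloadContent": der_bytes,  # plistlib serialises bytes as <data>
    }


def pkcs12_payload(p12_bytes, p12_password, display_name, ident_prefix):
    """Payload that installs a client identity (type com.apple.security.pkcs12).

    The export password is stored in clear text inside the profile, so the
    profile itself must be distributed over a trusted channel.
    """
    return {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ident_prefix}.identity",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": display_name,
        "PayloadCertificateFileName": "client.p12",
        "PayloadContent": p12_bytes,
        "Password": p12_password,
    }


def build_profile(ca_der, client_p12, p12_password, organization,
                  ident_prefix="com.example.globalprotect"):
    """Return the XML .mobileconfig as bytes (unsigned)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident_prefix,
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": f"{organization} VPN certificates",
        "PayloadOrganization": organization,
        "PayloadContent": [
            ca_payload(ca_der, f"{organization} Root CA", ident_prefix),
            pkcs12_payload(client_p12, p12_password,
                           f"{organization} VPN client identity", ident_prefix),
        ],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def payload_types(profile_bytes):
    """Parse a profile back and list the embedded payload types, in order."""
    profile = plistlib.loads(profile_bytes)
    return [p["PayloadType"] for p in profile["PayloadContent"]]


def identity_payload(profile_bytes):
    """Return the PKCS#12 payload dict, or None if the profile has none."""
    profile = plistlib.loads(profile_bytes)
    for p in profile["PayloadContent"]:
        if p["PayloadType"] == "com.apple.security.pkcs12":
            return p
    return None


if __name__ == "__main__":
    data = build_profile(CA_DER_PLACEHOLDER, CLIENT_P12_PLACEHOLDER,
                         "export-password", "Example Corp")
    with open("gp-certs.mobileconfig", "wb") as fh:
        fh.write(data)
    print(payload_types(data))
```

Writing the output file and opening it on the device (or importing it into Apple Configurator) installs both payloads in one step; the CA payload removes the need for the manual "Certificate Trust Settings" toggle described earlier in the thread, because profile-installed roots are trusted as part of the profile.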
09-18-2018 02:26 PM
@gwesson, hi.
Many thanks for your reply and information.
Not really a pain, as all our iPads are sent profiles via the Configurator.
I was just playing with mine, and I usually test cert auth by email.
I can of course still do this via Safari, but will now ensure that when our iPads are upgraded to v5 a new profile will follow.
Once again, many thanks for your time and prompt reply.
09-18-2018 04:45 PM
So, that essentially means that I (and my customers) need to have a Mac or an MDM system, in order to distribute certificates. That totally, utterly sucks.
#HackintoshTime
Thanks again, gwesson! You've been an immeasurable help!
@gwesson wrote: Yep, emailing them won't work anymore. Apple removed the ability for VPN applications to access certs that are emailed as a standalone file (.p12, for example). The portal works from Safari because it's not initiating a VPN tunnel, so it can access the keystore.
You can deploy them using Apple Configurator in a .mobileconfig file, which CAN be emailed to be installed.
It's a pain, but it's universal with all VPN apps in iOS 12 (not just GlobalProtect).