GlobalProtect 5.0 for iOS 12 and User Certificates

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect 5.0 for iOS 12 and User Certificates

L2 Linker

I have several customers (and my homelab) that leverage user certificates issued from Active Directory Certificate Authorities as a second authentication factor.  Since upgrading to the new 5.0 client for iOS, the client errors out on connection to the portal, indicating that the required certificate cannot be found.  If I attempt to connect to the same portal via the 4.1 client, it works flawlessly.  Upgrading to iOS12 prevents me from using the 4.1 client, and I fear that many of my customers' users will upgrade their own devices to iOS12, not knowing the problems this may cause.

 

Is anyone else having problems with user certificates and the new 5.0 client?

 

Thanks!

 

Mark Rosenecker

20 REPLIES 20

Hello everyone,

 

i would like to implement IOS12 and GP 5 App on Apple Devices like it did with the IOS11 + GP Legacy app. In fact we're using AD-Authentication on Portal and AD Athentication as well as Certificate Profiles for the gateway. A machine certificate is deployed to the iOS device (also the Enterprise CA Root Cert). The Certificate Profile allows certificates from this CA.

 

This way was possible up to version 5 and also runs great with our windows machines. Is this a supported way? Do i have to use user certificates? Any experience or guidance?

 

Thanks,

 

Jochen

this will still work but you will need to re send the certificates to the devices via a profile from the apple configurator, this is explained in earlier posts.

Hey MickBall,
 
thanks for your reply.
 
We were able to use machine certs finally, but only when we push them out through AirWatch MDM. Apple Configurator or Mailing-Apps doesn't work (with the same certs).
 
So, we're hopefully done. Good luck everyone else in testing!
 
Regards,
 
Jochen


@APatel wrote:

The steps from @MarkRosenecker above ended up working for me as well.  Initially I skipped the VPN profile steps, but found out that it is needed to make it work.  I am now seeing a new issue.  I have my PA3020 configured to allow saved passwords, however in the new 5.0 app, its prompt me for a password each time i connect.  Anyone else seeing the same behavior?


I am seeing this behavior. It prevents the app from reconnecting once the iPhone is disconnected from the internal network.

L2 Linker

Hello All,

 

I spent some time with this problem.   All of the information here is correct, however there aren't a lot of correct examples of using Apple Configurator to generate a .mobileconfig file to install on iOS if using client certificate authentication.  I have found the following guide gets you almost all the way there (Certificates loaded, and vpn profile, but missing the Provider Bundle ID):

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boSUCAY

 

IMPORTANT NOTE, THE ABOVE DOCUMENT SEEMS TO BE MISSING THE FOLLOWING KEY CONFIGURATION:

 

On Apple Configurator, there is a Provider Bundle Identifier that needs to have "app:com.paloaltonetworks.globalprotect.vpn" filled in, otherwise the iOS Global Protect App won't use the profile contents.Screen Shot 2019-08-14 at 8.55.00 AM.png

 

 

Hope this helps.

Something else I've noticed when setting this up, is that the Provider Bundle ID and the Identifier seem to have to match in order for you to successfully install the profile.

 

ANOTHER IMPORTANT NOTE IS THAT FOR THE ACCOUNT FIELD IN THE APPLE CONFIGURATOR, THE NAME NEEDS TO MATCH THE COMMON-NAME ON THE CERTIFICATE.

  • 24540 Views
  • 20 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!