How to Configure GlobalProtect Portal with Client Cert Authentication and Certificate Profile

How to Configure GlobalProtect Portal with Client Cert Authentication and Certificate Profile

104185
Created On 09/25/18 17:41 PM - Last Modified 09/23/21 17:34 PM


Symptom

This document describes the steps to configure GlobalProtect with a client certificate profile when using a client certificate for authentication with or without other authentication methods. The example applied in this document is done with self-signed certificates, but it can also be done with an internal CA store. Refer to the TechDocs GlobalProtect admin guide for basic GlobalProtect configuration: GlobalProtect Administrator's Guide (Note: please choose your version from the drop down on the left side of the page)



Resolution

 

1. Go to Device > Certificates

User-added image

The screenshot above shows the following:

    • The self-signed Certificate "Root-CA" that will be used to sign the following:
      • Server Certificate used for the the connections to the GlobalProtect Portal and Gateway.
      • Client Certificate used to import on the clients when you want to use a Client Certificate for Authentication as well or alone.
    • The Server Cert signed by the Root-CA with the Subject name which matches the address IP that the client will query for the GlobalProtect Portal and Gateway connections.
      • Note: FQDN will be used for Common name instead of IP if listing FQDN in the configuration for Gateway addresses. Certificate CN name and address the client queries should be the same.
    • The Client Cert also signed by the Root-CA with the Common Name Client Certificate.
      • Note: The client cert name does not matter here as long as it gets imported into the host machines correctly and is signed by the Root-CA.

 

2. Go to Device > Certificate Profile

Click Add and add the Root-CA in the profile. Click OK to save.

User-added image

 

3. Go to Network Tab > GlobalProtect Portal

    1. Click on your Portal Configuration and add the Certificate Profile to the GlobalProtect Portal
      Note: You can optionally have an Authentication Profile in your configuration. This will only work when the certificate profile has the username configured. The commit will fail if GlobalProtect is configured with just a certificate profile as authentication, where the username in the profile is "none".
      User-added image
    2. Click on Client Configuration tab in the Portal configuration and make sure to list the Root-CA under the Trusted Root Section.
      User-added image

4. Go to Network > GlobalProtect Gateway

  1. Click on your Gateway Configuration
  2. Add the Certificate Profile to the Gateway
    Note: You can optionally have an Authentication Profile in your configuration.
    User-added image

5. Go to Device > Certificates

    • Export the Root-CA as PEM without key
    • Export the Server Certificate as PEM without key
    • Export the Client Cert as PKCS12 with key

6. Commit your changes

 

On your computer:

Note: If using a Third Party Certificate source, importing the Root CA will not be necessary as it should already be trusted.

  1. Open the Console Certificate Store by pressing the Start Menu and typing "mmc".
    mmc console.PNG
  2. Click File and click on Add/Remove Snap-in and click on Certificates
    snap in cert.PNG
  3. Click on add to move Certificates over to snap-in and click finish
    "My user account" is for one account. If there will be multiple other accounts on the computer that will be using the GlobalProtect select "Computer account".
    snap in user.PNG
  4. Press OK to finish this step
    snap in finish.PNG
    • Certificates should now be seen under the Console Root folder.
  5. Click on the left arrow next to Certificates to have the folders display the Certificate stores for the User account
    Snap in cert finish.PNG
  6. Click the left arrow next to the Trusted Root Certificates folder to see the Certificates Folder for Trusted Root Certificates
    Trusted Root.PNG
  7. Right Click the Trusted Root Certificates  > Certificate folder and click import
    1. The import Wizard will start. Click Next.
      import wizard.PNG
    2. Click Browse and find the Root-CA. You may have to change the File type to see the file.
      Browse find.PNG
    3. Open the file and click on Next through the end of the wizard. The Root will now be seen in the Trusted Root Certificates.
      Root in Stoer.PNG
  8. Import the Client Certificate into the Personal > Certificates folder by right-clicking the Certificates folder under the Personal folder and then clicking All Tasks > Import
    Note: Since the Client Certificate is in PKCS12 format with Private Key, the wizard will ask for the password used when you exported it.   
    Personal folder.PNG
    PKCS12 password.PNG
  9. Follow the Import Wizard again to complete the import of the Client Certificate into the Personal folder.
    Client Cert Store.PNG
  10. Go to the Web Broswer and go to your Portal to download the GlobalProtect Client
    When prompted, choose the client certificate that should be used. This is necessary for the Portal authentication to succeed. Once the certificate is chosen, the Portal page will load.
    Note: The following example is for IE, but Firefox and Chrome will have similar prompts
    Client Cert choice.PNG

 

On the portal page if another Authentication method is configured, you will see the username and password fields
7.png

If the authentication profile is set to none and the user's client certificate is valid, the user will be allowed access to the portal and will not need to authenticate again.

Note: This will only work when the certificate profile has the username configured. The commit will fail if GlobalProtect is configured with just a certificate profile as authentication, where the username in the profile is "none".

8.png

 

owner: glasater



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIICA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language