How to Configure GlobalProtect Portal with Client Cert Authentication and Certificate Profile
Symptom
This document describes the steps to configure GlobalProtect with a client certificate profile when a client certificate is used for authentication, either alone or together with other authentication methods. The example in this document uses self-signed certificates, but it can also be done with an internal CA store. Refer to the TechDocs GlobalProtect admin guide for basic GlobalProtect configuration: GlobalProtect Administrator's Guide (Note: please choose your version from the drop-down on the left side of the page)
Resolution
1. Go to Device > Certificates
The screenshot above shows the following:
- The self-signed certificate "Root-CA" that will be used to sign the following:
  - Server Certificate used for the connections to the GlobalProtect Portal and Gateway.
  - Client Certificate imported on the clients when a client certificate is used for authentication, alone or together with another method.
- The Server Cert signed by the Root-CA, with a Subject name that matches the IP address the client will query for the GlobalProtect Portal and Gateway connections.
  Note: The FQDN is used for the Common Name instead of the IP address if the Gateway addresses are listed as FQDNs in the configuration. The certificate CN and the address the client queries must be the same.
- The Client Cert, also signed by the Root-CA, with the Common Name "Client Certificate".
  Note: The client cert name does not matter here as long as it is imported into the host machines correctly and is signed by the Root-CA.
2. Go to Device > Certificate Profile
Click Add and add the Root-CA in the profile. Click OK to save.
3. Go to Network Tab > GlobalProtect Portal
- Click on your Portal Configuration and add the Certificate Profile to the GlobalProtect Portal
Note: You can optionally have an Authentication Profile in your configuration. This will only work when the certificate profile has the username configured. The commit will fail if GlobalProtect is configured with just a certificate profile as authentication, where the username in the profile is "none".
- Click on the Client Configuration tab in the Portal configuration and make sure to list the Root-CA under the Trusted Root section.
4. Go to Network > GlobalProtect Gateway
- Click on your Gateway Configuration
- Add the Certificate Profile to the Gateway
Note: You can optionally have an Authentication Profile in your configuration.
5. Go to Device > Certificates
- Export the Root-CA as PEM without key
- Export the Server Certificate as PEM without key
- Export the Client Cert as PKCS12 with key
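The two properties this procedure depends on are that the Server Certificate names the exact address clients will query and that both the Server and Client certs chain to Root-CA. The following PowerShell script, an added example that is not part of the original article, checks the three files exported in step 5 before they are distributed. The file paths and the portal address are assumed placeholders; the rest uses only the .NET X509 classes that ship with Windows.

```powershell
# Added example, not part of the original article: sanity-check the files
# exported in step 5. File paths and $PortalAddress are assumed placeholders.
$RootCaPem     = 'C:\gp\Root-CA.pem'       # Root-CA, PEM without key
$ServerPem     = 'C:\gp\Server-Cert.pem'   # Server Certificate, PEM without key
$ClientPfx     = 'C:\gp\Client-Cert.p12'   # Client Cert, PKCS12 with key
$PortalAddress = 'gp.example.com'          # IP or FQDN the clients will connect to

# The .NET X509Certificate2 constructor accepts PEM (.pem/.cer) and PKCS12 files.
function Get-GpCert {
    param([string]$Path, [securestring]$Password)
    $t = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    if ($Password) { return $t::new($Path, $Password) }
    return $t::new($Path)
}

# Names a TLS client will accept: the Subject CN plus any DNS/IP entries in the
# Subject Alternative Name extension (OID 2.5.29.17).
function Get-CertNames {
    param($Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders e.g. "DNS Name=gp.example.com, IP Address=203.0.113.10"
        $text = $san.Format($false)
        foreach ($m in [regex]::Matches($text, '(?:DNS Name|IP Address)=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names
}

# Build a chain that must terminate at Root-CA. Root-CA is not yet in the Windows
# trust store, so "unknown CA" is tolerated, and the lab CA publishes no CRL, so
# revocation is not checked. The signatures themselves must still verify.
function Test-SignedByRootCA {
    param($Cert, $RootCA)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    [void]$chain.ChainPolicy.ExtraStore.Add($RootCA)
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $built = $chain.Build($Cert)
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($built -and $top.Thumbprint -eq $RootCA.Thumbprint)
}

$rootCA = Get-GpCert -Path $RootCaPem
$server = Get-GpCert -Path $ServerPem
$client = Get-GpCert -Path $ClientPfx -Password (Read-Host 'PKCS12 export password' -AsSecureString)

$serverNames = Get-CertNames $server
"Server cert names: $($serverNames -join ', ')  (portal address: $PortalAddress)"
if ($serverNames -notcontains $PortalAddress) {
    Write-Warning "Server cert does not name '$PortalAddress'; clients will get a certificate error."
}
if ($rootCA.Subject -ne $rootCA.Issuer)            { Write-Warning 'Root-CA is not self-signed; check which certificate was exported.' }
if (-not (Test-SignedByRootCA $server $rootCA))   { Write-Warning 'Server cert is not signed by Root-CA.' }
if (-not (Test-SignedByRootCA $client $rootCA))   { Write-Warning 'Client cert is not signed by Root-CA.' }
if (-not $client.HasPrivateKey)                   { Write-Warning 'Client PKCS12 carries no private key; re-export it "with key".' }
```

A silent run means the exports are consistent with the configuration in steps 1 to 5; any warning points at the specific export to redo before touching the client machines.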
6. Commit your changes
On your computer:
Note: If using a Third Party Certificate source, importing the Root CA will not be necessary as it should already be trusted.
- Open the Microsoft Management Console by opening the Start Menu and typing "mmc".
- Click File, click Add/Remove Snap-in, and click Certificates.
- Click Add to move Certificates over to the snap-in, then click Finish.
"My user account" is for one account. If multiple other accounts on the computer will be using GlobalProtect, select "Computer account".
- Press OK to finish this step.
- Certificates should now be seen under the Console Root folder.
- Click the arrow next to Certificates to display the certificate stores for the user account.
- Click the arrow next to the Trusted Root Certificates folder to see its Certificates folder.
- Right-click the Certificates folder under Trusted Root Certificates and click Import.
- The Import Wizard will start. Click Next.
- Click Browse and find the Root-CA. You may have to change the file type filter to see the file.
- Open the file and click Next through the end of the wizard. The Root-CA will now be seen in Trusted Root Certificates.
- Import the Client Certificate into the Personal > Certificates folder by right-clicking the Certificates folder under Personal and clicking All Tasks > Import.
Note: Since the Client Certificate is in PKCS12 format with the private key, the wizard will ask for the password used when you exported it.
- Follow the Import Wizard again to complete the import of the Client Certificate into the Personal folder.
- Go to the web browser and go to your Portal to download the GlobalProtect Client.
When prompted, choose the client certificate that should be used. This is necessary for the Portal authentication to succeed. Once the certificate is chosen, the Portal page will load.
Note: The following example is for IE, but Firefox and Chrome will have similar prompts
On the portal page, if another authentication method is configured, you will see the username and password fields.
If the authentication profile is set to none and the user's client certificate is valid, the user will be allowed access to the portal and will not need to authenticate again.
Note: This will only work when the certificate profile has the username configured. The commit will fail if GlobalProtect is configured with just a certificate profile as authentication, where the username in the profile is "none".
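The MMC import steps above, done from a PowerShell prompt with the built-in PKI cmdlets, as an added example that is not part of the original article. The file paths are assumed placeholders, and the -Scope parameter maps the snap-in choice: CurrentUser is "My user account", LocalMachine is "Computer account" (which needs an elevated prompt). As the note above says, the Root-CA import is only needed for a self-signed or internal CA; with a third-party CA, Windows already trusts the root.

```powershell
# Added example, not part of the original article: the MMC import steps done
# with Import-Certificate / Import-PfxCertificate. File paths are assumed.
function Import-GpClientCerts {
    param(
        [string]$RootCaPem = 'C:\gp\Root-CA.pem',      # Root-CA exported as PEM without key (step 5)
        [string]$ClientPfx = 'C:\gp\Client-Cert.p12',  # Client Cert exported as PKCS12 with key
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Scope = 'CurrentUser'                 # LocalMachine = "Computer account"
    )
    # "Trusted Root Certification Authorities" is the Root store on the Cert: drive.
    # (If the cmdlet rejects the .pem extension, rename the file to .cer; the
    # base64 content is the same.)
    $rootCA = Import-Certificate -FilePath $RootCaPem -CertStoreLocation "Cert:\$Scope\Root"

    # "Personal > Certificates" is the My store. The wizard's password prompt
    # becomes Read-Host; the key stays non-exportable, the cmdlet default.
    $pw = Read-Host -Prompt 'Password used when exporting the PKCS12' -AsSecureString
    $client = Import-PfxCertificate -FilePath $ClientPfx -CertStoreLocation "Cert:\$Scope\My" -Password $pw

    # What the browser and GlobalProtect client will find: a certificate with a
    # private key whose issuer now sits in the Root store.
    $rootInStore = Get-ChildItem "Cert:\$Scope\Root" | Where-Object { $_.Thumbprint -eq $rootCA.Thumbprint }
    [pscustomobject]@{
        ClientSubject  = $client.Subject
        HasPrivateKey  = $client.HasPrivateKey
        IssuedByRootCA = ($client.Issuer -eq $rootCA.Subject)
        RootCATrusted  = [bool]$rootInStore
        Expires        = $client.NotAfter
    }
}

Import-GpClientCerts -Scope CurrentUser
```

If HasPrivateKey is False the PKCS12 was exported without the key, and if IssuedByRootCA is False the client cert was signed by a different CA than the one imported; either way the browser will not offer the certificate when the Portal asks for it.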
owner: glasater