GlobalProtect Dual Authentication with User Logon

Created On 09/25/18 18:47 PM - Last Modified 03/09/23 04:38 AM


Symptom


This document describes how to configure GlobalProtect (GP) dual authentication with the user-logon connect method.

Environment


  • Palo Alto Firewalls
  • PAN-OS 8.1
  • GlobalProtect Dual Authentication with User Logon


Resolution


Note: Users do not have to enter their credentials. GlobalProtect uses the Windows logon credentials for authentication.

 

Step 1. Get a CA certificate on the Palo Alto Networks firewall or create a CA on the device itself.

 

Root CA


GP Certificate: This certificate will be forwarded by the portal and gateway to the end hosts.


Step 2. Create a client certificate on the Palo Alto Networks firewall. This certificate should be issued by the CA created in Step 1, and it has to be installed on the client systems.

 


Step 3. Create a certificate profile that references the root CA created in Step 1.

 


Step 4. Create a tunnel interface and assign it a specific zone and virtual router.

 


Step 5. Configure the authentication profile to authenticate against the domain controller.

 

Step 6. Configure the portal. Make sure you set the connect method to user-logon and select the single sign-on option.

 


Step 7. Configure Gateway:

 


Step 8.  Log in to the Windows machine with domain credentials, install the client certificate on the machine, and enter only the IP address of the portal.
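The certificate relationship set up in Steps 1 to 3 can be checked before the client certificate is installed in Step 8. The script below is an added example, not part of the original article or of Palo Alto Networks tooling. It assumes the CA and client certificate are generated off-box with OpenSSL and then imported, and all certificate names in it are constructed. It shows that a client certificate only validates against the CA that issued it, which is the trust decision a certificate profile built on that CA relies on.

```shell
#!/bin/sh
# Added example. All names (gp-root-ca, rogue-ca, gp-client, rogue-client) are constructed.
set -eu
WORK=$(mktemp -d)

# Minimal OpenSSL config so the CA certificate is marked CA:TRUE on any OpenSSL build.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca NAME: self-signed root CA (the Step 1 certificate that gets imported).
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client CA NAME: client certificate signed by CA (Step 2).
issue_client() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -out "$WORK/$2.crt" 2>/dev/null
}

# chain_ok CA NAME: succeeds only if NAME's certificate chains to CA, the
# trust decision a certificate profile built on that CA depends on (Step 3).
chain_ok() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca gp-root-ca
make_ca rogue-ca
issue_client gp-root-ca gp-client
issue_client rogue-ca rogue-client

for c in gp-client rogue-client; do
  if chain_ok gp-root-ca "$c"; then echo "$c: chains to gp-root-ca"
  else echo "$c: rejected, not issued by gp-root-ca"; fi
done
```

The unencrypted private keys written to the temporary directory are for demonstration only; real CA and client keys should be passphrase-protected and stored with restricted access.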

 
