Palo Alto Networks Knowledgebase: GlobalProtect Dual Factor Authentication with Client Certificate for Windows

Created On 02/07/19 23:59 PM - Last Updated 02/07/19 23:59 PM
GlobalProtect, GlobalProtect cloud service
Resolution

The portal has the IP address 192.168.16.18.

Topology.png

Following are the additional steps required to configure dual-factor authentication. The client provides both a password and a certificate to authenticate itself to the portal and/or gateway. In this example, the firewall is used to create the root CA certificate and the client certificate.

1. Create a Root CA certificate on the firewall

Root.png

2. Create one certificate on the PA firewall for GlobalProtect

GP.png

3. Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user. The CN of the certificate must match the FQDN or IP that you are using for GP. The client must present a unique client certificate that identifies the end user in order to connect to GlobalProtect. All clients can share the same certificate, or each client can have its own individual certificate.

Client.png

4. Create a certificate profile for client authentication and reference the root CA in it.

If the certificate profile does not specify a username field (that is, the Username Field is set to None), the client certificate does not need to contain a username. In this case, the client must provide the username when authenticating against the authentication profile.

If the certificate profile specifies a username field, the certificate that the client presents must contain a username in the corresponding field. For example, if the certificate profile specifies that the username field is subject, the certificate presented by the client must contain a value in the common-name field or authentication will fail. In addition, when a username field is required, the value from that field of the certificate is automatically populated as the username when the user is prompted for credentials.

Certificate Profile.png

5. Reference that certificate profile in the portal and gateway configuration.

Portal.png

Gateway.png

6. Install the certificate on the client machine. If the certificate is not installed, the following error message is shown:

Invalid Certificate.png
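As an added example that is not part of the knowledgebase article or of Palo Alto Networks' own tooling, the following POSIX shell script uses openssl to build a throwaway root CA and a few client certificates, then reproduces the two decisions the certificate profile described above makes: whether the presented certificate chains to the trusted root CA, and, with the Username Field set to subject, whether a common name is available to be used as the username. The CA name, user names and scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Palo Alto's code): throwaway root CA and client certs built
# with openssl, then the two checks a GlobalProtect certificate profile applies.
set -eu
WORK=$(mktemp -d)   # constructed scratch directory for keys and certs
trap 'rm -rf "$WORK"' EXIT

# Root CA standing in for the "Create a Root CA certificate" step (demo name).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=GP-Root-CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Issue a client certificate signed by the root CA. $1 = subject, $2 = file stem.
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

# Check 1: does the cert chain to the root CA named in the certificate profile?
# Prints "valid" or "invalid" (the latter is the "Invalid Certificate" case).
chain_status() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# Check 2: Username Field = subject. Prints the common name, or nothing when the
# subject has no CN, which is the case where authentication fails.
username_from_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

issue_client_cert "/CN=alice/O=Example Corp" alice          # CN present
issue_client_cert "/O=Example Corp/OU=Contractors" noname   # no CN at all
# Self-signed cert from an unrelated issuer: well-formed but not trusted.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=bob" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null

for c in alice noname rogue; do
  printf '%-7s chain=%-8s username=%s\n' "$c" \
    "$(chain_status "$WORK/$c.crt")" "$(username_from_subject "$WORK/$c.crt")"
done
```

The "noname" certificate passes the chain check but yields an empty username, which is exactly the combination the article says fails when the profile requires the subject field; the "rogue" certificate fails the chain check regardless of its subject.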


