How To Configure GlobalProtect App 5.0 on Apple iOS 12 to use Client certificate for authentication.
Objective
Configure GlobalProtect App 5.0 on Apple iOS 12 to use Client certificate for authentication.
Environment
- GlobalProtect VPN client 5.0 on Apple iOS.
- iPhone with iOS Version 12 has been used in the document.
- The procedure applies to the previous versions of iOS as well.
- Apple Configurator 2 has been used in this document to deploy the Client Certificate to the iPhone.
Procedure
Client/Server Certificate Requirements:
There are minimum certificate requirements for Client Cert Auth to work with the GP client 5.0 on Apple iPhone/iPad.
For simplicity, the firewall's certificate is called the "Server Cert" in this document.
Note: The same certificate requirements apply to all GlobalProtect implementations where Client Cert authentication is needed.
Client Certificate:
The Client certificate issued should have the Extended Key Usage "clientAuth".
Server Certificate:
The Server Certificate will need the Extended Key Usage "Server Authentication (1.3.6.1.5.5.7.3.1)".
The URL used for the gateway connection should be present in the SAN field of the Server Certificate.
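The two requirements above can be verified with openssl before the certificates are installed. The script below is an added example (not part of this article or of the GlobalProtect product); it builds constructed self-signed test certificates for a hypothetical gateway FQDN gp.example.com and checks them for the serverAuth/clientAuth EKU and for a matching DNS SAN entry.

```shell
#!/bin/sh
# Added example: verify the GlobalProtect client/server certificate
# requirements with openssl. Test certificates are constructed here;
# gp.example.com is a hypothetical gateway name.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# newcert NAME SUBJECT [openssl req -addext ...]: constructed self-signed cert
newcert() {
  name=$1; subj=$2; shift 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" "$@" 2>/dev/null
}
newcert server "/CN=gp.example.com" -addext "extendedKeyUsage=serverAuth" \
  -addext "subjectAltName=DNS:gp.example.com"
newcert nosan  "/CN=gp.example.com" -addext "extendedKeyUsage=serverAuth"
newcert client "/CN=user1" -addext "extendedKeyUsage=clientAuth"

cert_text() { openssl x509 -in "$1" -noout -text; }

# Return 0 if the certificate carries the given Extended Key Usage.
has_eku() {
  cert_text "$1" | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# Return 0 if the SAN extension contains exactly the given DNS name
# (a CN-only certificate has no SAN line and therefore fails).
san_has_dns() {
  cert_text "$1" | grep -A1 'Subject Alternative Name' \
    | grep -o 'DNS:[^, ]*' | grep -qx "DNS:$2"
}

# check_server_cert CERT GATEWAY_FQDN: both requirements for the Server Cert
check_server_cert() {
  rc=0
  has_eku "$1" 'TLS Web Server Authentication' \
    || { echo "FAIL $1: missing EKU serverAuth (1.3.6.1.5.5.7.3.1)"; rc=1; }
  san_has_dns "$1" "$2" \
    || { echo "FAIL $1: SAN does not contain DNS:$2"; rc=1; }
  return $rc
}

# check_client_cert CERT: the single requirement for the Client Cert
check_client_cert() {
  has_eku "$1" 'TLS Web Client Authentication' \
    || { echo "FAIL $1: missing EKU clientAuth"; return 1; }
}

check_server_cert "$WORK/server.crt" gp.example.com && echo "OK server.crt"
check_server_cert "$WORK/nosan.crt"  gp.example.com || echo "nosan.crt rejected as expected"
check_client_cert "$WORK/client.crt" && echo "OK client.crt"
```

To check a certificate already deployed on a portal or gateway, replace the constructed files with the output of `openssl s_client -connect <gateway>:443 -showcerts`.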
Configuration :
1. Once the certificates with all the above requirements are obtained, install the Server certificate on the firewall.
Note: In this case, the same CA server is used to issue the Client and the Server Certificate.
If they are two different CA servers, install both CA server certificates on the PA firewall and mark them as "Trusted Root CA certificate".
2. Then install the server certificate that was issued for the Portal and Gateway by this CA.
3. Configure an SSL/TLS Service Profile for the Server Certificate.
4. Point the Portal and Gateway configuration to use this SSL/TLS Service Profile.
5. Create a Certificate Profile for the Client Certificate authentication.
Configure this Certificate Profile under the Authentication section of the Portal and Gateway configuration.
Client Certificate Deployment to iPhone/iPad
1. Install "Apple Configurator 2" on the Mac and create a New Profile (File > New Profile).
Add the Root CA cert and the client's Identity cert to the new Profile under the "Certificates" section.
- Make sure all intermediate certificates of the Server Certificate are also added.
- Add the Passphrase for the Client Certificate so that the certificate can be installed along with the key.
- The Client certificate will need to be in ".p12" format.
2. Under the "VPN" section, select "Custom SSL" as the Connection Type and "Certificate" as the User Authentication.
3. Under Credential, select the Client Cert to be used from the dropdown.
Fill in the rest of the required fields.
Save this Profile and push it to the iPhone/iPad using the Add icon in the Configurator.
4. The Profile can be viewed on the iPhone/iPad under Settings > General > Profile.
Once the Profile is installed on the phone, the server's root CA certificate has to be trusted explicitly.
To do this on the phone, go to Settings > General > About > Certificate Trust Settings.
Enable the "ENABLE FULL TRUST FOR ROOT CERTIFICATES" option for all the relevant Root CA and Intermediate CA certificates.
The above process is explained at this link:
https://support.apple.com/en-us/HT204477
Initiate the connection to the portal from the GlobalProtect client 5.0 on the iPhone; it should be successful.
Additional Information
Please refer to the link below for the complete GlobalProtect Portal and Gateway configuration.
BASIC GLOBALPROTECT CONFIGURATION WITH USER-LOGON
Apple Configurator 2:
How to install Client Certificate in iOS 12.x using Apple Configurator 2