How To Configure GlobalProtect App 5.0 on Apple iOS 12 to Use a Client Certificate for Authentication

Created On 03/27/19 09:43 AM - Last Updated 04/30/19 07:03 PM


Objective
Configure the GlobalProtect app 5.0 on Apple iOS 12 to use a client certificate for authentication.

Environment
  • GlobalProtect app 5.0 on Apple iOS.
  • An iPhone running iOS 12 was used for this document.
  • The procedure also applies to earlier versions of iOS.
  • Apple Configurator 2 was used to deploy the client certificate to the iPhone.

Procedure

Client/Server Certificate Requirements:

There are minimum certificate requirements for client certificate authentication to work with the GlobalProtect app 5.0 on Apple iPhone/iPad.
For simplicity, the firewall's certificate is referred to as the "Server Cert" in this document.
Note: The same certificate requirements apply to every GlobalProtect deployment that uses client certificate authentication, not only to iOS.

Client Certificate:

The client certificate must carry the Extended Key Usage "clientAuth" (TLS Web Client Authentication, OID 1.3.6.1.5.5.7.3.2).

The Subject CN on the Client Certificate cannot be empty.

Server Certificate:

The Server Cert must carry the Extended Key Usage "Server Authentication" (serverAuth, OID 1.3.6.1.5.5.7.3.1).
The FQDN (or IP address) that the app uses to connect to the portal and gateway must be present in the Subject Alternative Name (SAN) field of the Server Cert.

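The requirements above can be checked from a workstation with the openssl command line before anything is installed on the firewall or the phone. The script below is an added example and is not part of the original article: it builds a throwaway CA and a few test certificates (the CA name, the user name "gpuser" and the gateway FQDN gp.example.com are constructed for the demo) and then checks each one for the clientAuth/serverAuth Extended Key Usage, a non-empty Subject CN and the gateway name in the SAN. The same check_client_cert / check_server_cert functions can be pointed at the real certificates (in PEM form) to confirm they meet the requirements.

```shell
#!/bin/sh
# Added example (not part of the original article): check a client and a server
# certificate against the requirements listed above using only the openssl CLI.
# To keep it self-contained it first builds a throwaway CA and a few test
# certificates; the CA name, user name and the gateway FQDN gp.example.com are
# constructed for this demo and are not from the article.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GW_FQDN="gp.example.com"   # assumed portal/gateway hostname the app connects to

# Extension sections used when the demo CA signs each test certificate.
cat > "$WORK/ext.cnf" <<EOF
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${GW_FQDN}

[ server_nosan ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth

[ client_noeku ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF

# Throwaway self-signed CA.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo GP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# issue NAME SUBJECT EXT_SECTION: create key + CSR, sign it with the demo CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/ext.cnf" -extensions "$3" \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# has_eku CERT "TLS Web Client Authentication": is that EKU purpose present?
has_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# subject_cn CERT: print the Subject CN, or nothing if the certificate has none.
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_client_cert CERT: EKU clientAuth present and Subject CN non-empty.
check_client_cert() {
    has_eku "$1" "TLS Web Client Authentication" || { echo "$1: missing clientAuth EKU"; return 1; }
    [ -n "$(subject_cn "$1")" ] || { echo "$1: empty Subject CN"; return 1; }
    echo "$1: OK (CN=$(subject_cn "$1"))"
}

# check_server_cert CERT FQDN: EKU serverAuth present and FQDN listed as a DNS SAN.
check_server_cert() {
    has_eku "$1" "TLS Web Server Authentication" || { echo "$1: missing serverAuth EKU"; return 1; }
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:[^,[:space:]]*' | grep -qx "DNS:$2" \
        || { echo "$1: $2 not in SAN (a matching CN alone is not enough)"; return 1; }
    echo "$1: OK"
}

# Constructed test certificates: one compliant and some deliberately non-compliant.
issue client       "/CN=gpuser/O=Demo" client
issue client_noeku "/CN=gpuser/O=Demo" client_noeku
issue client_nocn  "/O=Demo"           client
issue server       "/CN=${GW_FQDN}"    server
issue server_nosan "/CN=${GW_FQDN}"    server_nosan

for c in client client_noeku client_nocn; do check_client_cert "$WORK/$c.crt" || true; done
for s in server server_nosan; do check_server_cert "$WORK/$s.crt" "$GW_FQDN" || true; done
```

The server check matches the FQDN only against DNS entries in the SAN, so a certificate that carries the gateway name in the CN but has no SAN fails, which is exactly the case the requirement above guards against. If the gateway is addressed by IP, the SAN needs an IP entry and the grep pattern changes accordingly.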
Configuration:

1. Once certificates meeting all of the above requirements have been obtained, install the issuing CA certificate on the firewall.
    Note: In this case, the same CA issued both the client and the server certificate.
    If two different CAs are used, install both CA certificates on the firewall and mark each one as a "Trusted Root CA" certificate.

2. Then install the server certificate that was issued for the Portal and Gateway by this CA. 

3. Configure an SSL/TLS Service Profile that uses the Server Cert.

4. Point the Portal and Gateway configuration to use this SSL/TLS Service Profile. 

5. Create a Certificate Profile for the Client Certificate authentication. 

6. If intermediate CA certificates are present, make sure both the Root and the Intermediate CA certificates are added to the Certificate Profile.
    Configure this Certificate Profile under the Authentication section of the Portal and Gateway configuration.

Client Certificate Deployment to iPhone/iPad

1. Install "Apple Configurator 2" on the Mac and create a new profile:
     File > New Profile
     Add the Root CA certificate and the client's identity certificate to the new profile under the "Certificates" section.
  • Make sure all intermediate certificates in the Server Cert's chain are also added.
  • Enter the passphrase for the client certificate so that the certificate can be installed together with its private key.
  • The client certificate must be in PKCS#12 (".p12") format, which bundles the certificate with its private key.

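The .p12 file that the Certificates payload expects can be produced with openssl. The script below is an added example, not from the article or from Palo Alto Networks: it creates a self-signed demo CA and user certificate as stand-ins (the names and the passphrase are constructed), exports the certificate, its private key and the CA chain into one PKCS#12 file protected by the passphrase you will later enter in Apple Configurator, and verifies that the bundle opens only with that passphrase and contains both the key and the chain.

```shell
#!/bin/sh
# Added example (not from the article): bundle a client certificate, its private
# key and the issuing CA into the PKCS#12 (.p12) file Apple Configurator expects,
# protect it with the passphrase you will type into the Certificates payload, and
# verify the bundle before pushing it. A self-signed demo pair stands in for the
# real user certificate; the user name, CA name and passphrase are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12_PASS="Demo-Passphrase-1"   # assumed passphrase; Configurator asks for it

# Demo material: a self-signed "CA" and a user certificate (stand-ins only).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo GP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=gpuser" \
    -keyout "$WORK/gpuser.key" -out "$WORK/gpuser.crt" >/dev/null 2>&1

# make_p12 KEY CERT CHAIN OUT PASS: export cert + key + chain into one .p12.
# -certfile adds the CA (and any intermediates, concatenated into CHAIN) to the
# bundle so the phone receives the full chain from a single payload.
make_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -name "gpuser" \
        -passout "pass:$5" -out "$4"
    # OpenSSL 3.x defaults to AES-256/PBKDF2 inside the bundle; if an older iOS
    # build refuses to import it, re-export with the extra flag -legacy (3.x only).
}

# p12_cert_count P12 PASS: number of certificates in the bundle (0 on a bad passphrase).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# p12_has_key P12 PASS: true if the private key can be read with this passphrase.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

make_p12 "$WORK/gpuser.key" "$WORK/gpuser.crt" "$WORK/ca.crt" "$WORK/gpuser.p12" "$P12_PASS"
echo "certificates in bundle: $(p12_cert_count "$WORK/gpuser.p12" "$P12_PASS")"   # user cert + CA
p12_has_key "$WORK/gpuser.p12" "$P12_PASS" && echo "private key present: yes"
p12_has_key "$WORK/gpuser.p12" "wrong-passphrase" || echo "wrong passphrase: rejected"
```

Keep the .p12 and its passphrase out of e-mail and chat: the bundle contains the user's private key, and anyone holding both can authenticate to the gateway as that user.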
2. Under the "VPN" section, select "Custom SSL" as the Connection Type and "Certificate" as the User Authentication method.

3. Under Credential, select the client certificate to be used from the dropdown.
    Fill in the rest of the required fields.
    Save this profile and push it to the iPhone/iPad using the Add icon in Apple Configurator.

4. The profile can be viewed on the iPhone/iPad under Settings > General > Profile.
    Once the profile is installed on the phone, the root CA certificate that issued the Server Cert has to be trusted explicitly; a CA certificate installed through a profile is not trusted for TLS until this is done.
    To do this on the phone, go to Settings > General > About > Certificate Trust Settings.
    Turn on "ENABLE FULL TRUST FOR ROOT CERTIFICATES" for each relevant Root CA certificate listed there.

The above process is described in this Apple support article:
https://support.apple.com/en-us/HT204477

Initiate the connection to the portal from the GlobalProtect app 5.0 on the iPhone; it should now succeed.


Additional Information
Refer to the following link for the complete GlobalProtect Portal and Gateway configuration:
BASIC GLOBALPROTECT CONFIGURATION WITH USER-LOGON

GlobalProtect app 5.0 for iOS authentication changes:
https://docs.paloaltonetworks.com/globalprotect/5-0/globalprotect-app-new-features/new-features-released-in-gp-agent-5_0/globalprotect-app-for-ios-user-experience-enhancements/authentication-changes
 


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boSUCAY&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail