How to use "Certificate OR User Credential" in a way to force Pre-Logon to use the certificate and Users to use User-Credential
Created On 01/30/24 14:26 PM - Last Modified 01/13/25 21:33 PM
Objective
- To authenticate users with User Credentials (LDAP, SAML...), while the Pre-Logon user authenticates with a certificate profile.
- This is helpful if you want to deploy Pre-Logon before every user has received a certificate.
- To achieve this, we deliberately make certificate authentication fail for users, so GlobalProtect (GP) falls back to the User Credential method (LDAP, SAML...).
Environment
- Strata: PAN-OS: 9.0 and higher.
- Prisma Access: 2.0 and higher.
- GlobalProtect: 5.0 and higher.
Procedure
- Select "Yes (User Credentials OR Client Certificate Required)" for Allow Authentication with User Credentials OR Client Certificate under the portal and the gateway config:
- For such a config, the "Username Field" in the certificate profile cannot be left as None:
- For Pre-Logon authentication to succeed, the certificate (and its private key) must be installed in the computer (Local Machine) certificate store:
- To force GP to use User Credential after a successful Pre-Logon auth, we need to force the certificate authentication to fail for users. To do so, there are two ways:
A: Look into the wrong Certificate Store:
Install the certificate only in the machine store so that Pre-Logon succeeds (no user is logged on during Pre-Logon, so GP uses the machine store), and make the user authentication look in the wrong store (the User store). GP will not find the certificate there and will fall back to User Credential:
- If you have only one portal agent config for both Pre-Logon and users, set the Client Certificate Store Lookup to "User":
- If you have two portal agent configs, one for Pre-Logon and one for users, set the Client Certificate Store Lookup to "User" for both configs:
B: Look for a Username Field that is not present in the Certificate:
- If the certificate is present in both stores and you cannot apply (A), configure the certificate profile with a Username Field whose value the certificate does not contain, for example "Subject Alternative Name" > "Email" or "Principal Name":
- For Pre-Logon, GP ignores the Username Field configured in the certificate profile, so the authentication succeeds. For user authentication, GP looks for the configured Username Field in the certificate; if the field is absent, certificate authentication fails and GP falls back to User Credential. Check the issued certificates first: if they do carry the chosen field, users will be authenticated by certificate instead.
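As an added check (example script, not part of the original article), the following PowerShell, run elevated on the Windows endpoint, verifies the preconditions for both methods: for (A) that the certificate and its private key are present in the Local Machine store and absent from the Current User store that the "User" lookup will search, and for (B) which SAN fields (Email, Principal Name) the certificate actually carries, so you can pick a Username Field it lacks. The issuer substring `CN=Corp-Issuing-CA` is an assumed placeholder; replace it with your issuing CA.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# on the Windows endpoint to verify the preconditions for methods (A) and (B).
# The issuer substring is an assumed placeholder: replace it with your issuing CA.
param(
    [string]$IssuerMatch = 'CN=Corp-Issuing-CA'
)

# Return the unexpired certificates from one store whose issuer matches.
function Get-GpCandidateCerts {
    param([string]$StorePath, [string]$Issuer)
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -like "*$Issuer*" -and $_.NotAfter -gt (Get-Date) }
}

# Summarise the Subject Alternative Name extension (OID 2.5.29.17). On Windows,
# Format($false) renders entries such as "RFC822 Name=..." (Email) and
# "Other Name:Principal Name=..." (UPN), the two SAN Username Field choices
# offered by the certificate profile.
function Get-SanSummary {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) {
        return [pscustomobject]@{ HasEmail = $false; HasUpn = $false; Raw = '(no SAN extension)' }
    }
    $text = $san.Format($false)
    [pscustomobject]@{
        HasEmail = ($text -match 'RFC822 Name=')
        HasUpn   = ($text -match 'Principal Name=')
        Raw      = $text
    }
}

# @() guarantees an array even when a store holds no matching certificate.
$machineCerts = @(Get-GpCandidateCerts -StorePath 'Cert:\LocalMachine\My' -Issuer $IssuerMatch)
$userCerts    = @(Get-GpCandidateCerts -StorePath 'Cert:\CurrentUser\My'  -Issuer $IssuerMatch)

# Method (A): Pre-Logon needs cert + private key in the machine store, and the
# "User" store lookup must come up empty for user authentication to fall back.
if ($machineCerts.Count -eq 0) {
    Write-Warning 'No matching certificate in LocalMachine\My: Pre-Logon will fail.'
}
foreach ($c in $machineCerts) {
    "[Machine] $($c.Subject)  thumbprint=$($c.Thumbprint)  privateKey=$($c.HasPrivateKey)"
    if (-not $c.HasPrivateKey) {
        Write-Warning "No private key for $($c.Thumbprint): Pre-Logon cannot use this certificate."
    }
}
if ($userCerts.Count -gt 0) {
    Write-Warning "Method (A) will not work: $($userCerts.Count) matching certificate(s) also in CurrentUser\My. Use method (B)."
    foreach ($c in $userCerts) { "[User]    $($c.Subject)  thumbprint=$($c.Thumbprint)" }
}

# Method (B): the Username Field configured in the certificate profile must be
# one the certificate does not carry, or the user is authenticated by certificate.
foreach ($c in ($machineCerts + $userCerts)) {
    $s = Get-SanSummary -Cert $c
    "SAN for $($c.Thumbprint): $($s.Raw)"
    if ($s.HasEmail -and $s.HasUpn) {
        Write-Warning "Certificate $($c.Thumbprint) has both SAN Email and Principal Name: method (B) has no missing SAN field to point at."
    }
}
```

Run it once on a machine that already holds the certificate; a warning about CurrentUser\My tells you to use method (B), and the printed SAN text tells you which Username Field is safe to configure.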