Palo Alto Networks Knowledge Base

How to force user credentials with valid client certificate when User Credentials OR Client Certificate authentication are allowed?

Created On 04/21/21 23:49 PM - Last Modified 04/23/24 01:55 AM


Objective


There may be scenarios where you would like a certain group of GlobalProtect users to be prompted for user credentials even though a valid client certificate is installed on their machines.

Environment


  • PAN-OS 9.0 and above
  • Palo Alto Firewall with GlobalProtect Configured
  • LDAP authentication and Certificate profile with Username Field configured on both GlobalProtect Portal and Gateway
  • Allow Authentication with User Credentials OR Client Certificate set to Yes


Procedure


  • GlobalProtect portal or gateway authentication can only be segregated based on the client OS.

[Image: GlobalProtect Authentication]

  • When the Allow Authentication with User Credentials OR Client Certificate option is set to Yes, as shown above, it is mandatory to have a Username Field set in the certificate profile so that a GlobalProtect mapping can be created after successful client certificate authentication.

[Image: Certificate Profile]
  • With the above option, GlobalProtect first authenticates using the client certificate and, if that fails, prompts the user for credentials. To force a credential prompt for certain users, select under Username Field a field that is empty in those users' certificates. Even though the client certificate is signed by the CA certificate referenced in the certificate profile, client certificate authentication will fail because a username cannot be extracted, and the user will then be prompted for user credentials.
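To make the two-step behaviour above concrete, here is an added example (not Palo Alto Networks code, and not how PAN-OS implements this internally) in Go that builds a constructed CA and client certificate with the standard library, verifies the chain, and then reads a username from a chosen field: when the Username Field points at a SAN e-mail the certificate does not carry, the chain still verifies but no username comes out, which is the fall-back to a credential prompt. The field names "subject" and "subject-alt" and the function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a constructed test certificate; parent == nil yields a self-signed CA.
func makeCert(cn, email string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if email != "" {
		tmpl.EmailAddresses = []string{email} // SAN e-mail, the source for the "subject-alt" Username Field
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Evaluate mirrors the two-step check: the chain must verify against the profile's CA, then a username
// is read from the configured Username Field ("subject" or "subject-alt"; both names are assumptions).
// The bool is true when certificate auth fails and GlobalProtect falls back to prompting for credentials.
func Evaluate(cert, ca *x509.Certificate, field string) (string, bool) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", true // not issued by the trusted CA (or expired): certificate auth fails outright
	}
	user := cert.Subject.CommonName // Username Field "subject" reads the common-name
	if field == "subject-alt" {     // Username Field "subject-alt" reads the first SAN e-mail, "" when absent
		user = append(cert.EmailAddresses, "")[0]
	}
	return user, user == "" // valid chain but empty field: no username to map, so prompt for credentials
}
```

Call makeCert once with a nil parent for the CA and again with that CA to issue a client certificate, then pass both to Evaluate with each field name to see which combination forces the prompt.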


Additional Information


The Username Field restriction has been removed from PAN-OS 9.1.11 and 10.0.8 to accommodate certain scenarios. Please note that pure client certificate-based authentication will not be successful if a username cannot be extracted from the client certificate.
