How to configure seamless authentication for iOS devices using Always-On connect method?

Created On 10/11/22 00:54 AM - Last Modified 04/22/24 07:21 AM


Objective


When the Always-On connect method is deployed for iOS devices, seamless (non-interactive) authentication can only succeed with certificate-based authentication. While an iOS device is locked, access to the certificate store is blocked. If GlobalProtect is configured with the Always-On connect method and a second authentication method that requires user interaction, such as SAML, is also applied to the iOS client, the GlobalProtect app on the iOS device gets stuck in the Connecting state.

This article provides guidance on configuring certificate-based authentication for iOS devices.


Environment


  • On-prem firewalls
  • Panorama managed Prisma Access
  • GlobalProtect app version 5.2 and above
  • Always-On connect method
  • iOS version 15 and above


Procedure


  1. In an environment with clients running multiple operating systems, the client authentication options in the GlobalProtect portal and gateway must be segregated by client OS.
  2. The client authentication settings are configured at the following paths for the portal and the gateway:
    1. On-prem firewall
      1. Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > Authentication
      2. Network > GlobalProtect > Gateways > <gateway-config> > Authentication
    2. Panorama managed Prisma Access
      1. Network > GlobalProtect > Portals > <portal-config> > Authentication, under the "Mobile_User_Template" template
      2. Network > GlobalProtect > Gateways > <gateway-config> > Authentication, under the "Mobile_User_Template" template
  3. To force certificate-based authentication only for iOS devices (the certificate profile configuration itself is covered in the linked article), configure both the portal and the gateway as shown in the screenshots below.
  4. When the client authentication list contains no entry for the connecting client's OS (iOS in this case) and no entry for Any, the certificate profile is the only authentication applied to that client.
On-prem firewall:
[Screenshot: client authentication entries for all OS clients except iOS, on-prem firewall]

Panorama managed Prisma Access:
[Screenshot: client authentication entries for all OS clients except iOS, Prisma Access]
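The matching rule in steps 3 and 4 (an OS-specific entry wins, then an Any entry, otherwise certificate only) and the SAML caveat listed under Additional Information can be checked mechanically against an exported configuration. The script below is an added example, not part of this article or of any Palo Alto Networks tool. The element names it looks for (client-auth, os, certificate-profile, connect-method with the value user-logon for Always-On, and the saml-idp method tag) are assumptions modelled on the PAN-OS running-config XML layout, and the sample configuration is constructed; verify the paths against your own "show config running" output before relying on it.

```python
"""Lint a PAN-OS GlobalProtect portal configuration for the iOS Always-On pitfall:
an iOS client that resolves to a SAML authentication profile, or to no certificate
profile at all, cannot authenticate seamlessly and sticks in "Connecting"."""
import xml.etree.ElementTree as ET

# Element names modelled on the PAN-OS running-config XML (assumption: check them
# against `show config running` on your own firewall).
ALWAYS_ON = "user-logon"   # connect-method value stored for the "Always-On" choice
SAML_METHOD = "saml-idp"   # method element used by SAML authentication profiles
ANY_OS = "Any"

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """<config>
  <shared><authentication-profile>
    <entry name="okta-saml"><method><saml-idp><server-profile>okta</server-profile></saml-idp></method></entry>
    <entry name="corp-ldap"><method><ldap><server-profile>ad</server-profile></ldap></method></entry>
  </authentication-profile></shared>
  <devices><entry name="localhost.localdomain"><network><global-protect>
    <global-protect-portal><entry name="GP-Portal">
      <portal-config>
        <certificate-profile>gp-client-certs</certificate-profile>
        <client-auth>
          <entry name="Windows-SAML"><os>Windows</os><authentication-profile>okta-saml</authentication-profile></entry>
          <entry name="Mac-SAML"><os>Mac</os><authentication-profile>okta-saml</authentication-profile></entry>
        </client-auth>
      </portal-config>
      <client-config><configs><entry name="Always-On-Config">
        <connect-method>user-logon</connect-method>
      </entry></configs></client-config>
    </entry></global-protect-portal>
  </global-protect></network></entry></devices>
</config>"""

# Constructed variants reproducing the two failure modes.
BAD_ANY_SAML = SAMPLE_CONFIG.replace("<os>Mac</os>", "<os>Any</os>")
BAD_NO_CERT = SAMPLE_CONFIG.replace(
    "<certificate-profile>gp-client-certs</certificate-profile>", "")


def _portal(root, portal_name):
    return root.find(f".//global-protect-portal/entry[@name='{portal_name}']")


def _profile_methods(root):
    """Map authentication-profile name -> its method tag (ldap, radius, saml-idp, ...)."""
    methods = {}
    for entry in root.findall("./shared/authentication-profile/entry"):
        method = entry.find("method")
        if method is not None and len(method) > 0:
            methods[entry.get("name")] = method[0].tag
    return methods


def resolve_client_auth(xml_text, portal_name, os_name):
    """Return (certificate_profile, authentication_profile) that a client running
    os_name is asked for. Mirrors the portal/gateway matching rule: the first
    client-auth entry for that OS wins, then the first entry for Any; if neither
    exists only the certificate profile applies (authentication_profile is None)."""
    portal = _portal(ET.fromstring(xml_text), portal_name)
    if portal is None:
        raise ValueError(f"portal {portal_name!r} not found")
    cert_profile = portal.findtext("portal-config/certificate-profile")
    entries = portal.findall("portal-config/client-auth/entry")
    for wanted in (os_name, ANY_OS):
        for entry in entries:
            if entry.findtext("os") == wanted:
                return cert_profile, entry.findtext("authentication-profile")
    return cert_profile, None


def lint_portal(xml_text, portal_name):
    """Return findings for iOS clients of an Always-On portal (empty list = OK)."""
    root = ET.fromstring(xml_text)
    portal = _portal(root, portal_name)
    if portal is None:
        return [f"portal {portal_name!r} not found"]
    always_on = any(cfg.findtext("connect-method") == ALWAYS_ON
                    for cfg in portal.findall("client-config/configs/entry"))
    if not always_on:
        return []  # the pitfall only applies to the Always-On connect method
    cert_profile, auth_profile = resolve_client_auth(xml_text, portal_name, "iOS")
    findings = []
    if not cert_profile:
        findings.append("no certificate profile: iOS Always-On clients cannot "
                        "authenticate without user interaction")
    if auth_profile and _profile_methods(root).get(auth_profile) == SAML_METHOD:
        findings.append(f"iOS resolves to SAML profile {auth_profile!r}: client "
                        "will stick in Connecting; add an iOS entry with a non-SAML "
                        "profile or remove the matching Any entry")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("any-saml", BAD_ANY_SAML),
                       ("no-cert", BAD_NO_CERT)):
        print(label, resolve_client_auth(cfg, "GP-Portal", "iOS"),
              lint_portal(cfg, "GP-Portal"))
```

Run it against a saved copy of the running configuration (replace SAMPLE_CONFIG with the file contents) and against each portal name; the gateway uses the same client-auth entry layout, so the resolver can be pointed at the gateway subtree with the same logic.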


Additional Information


  • SAML authentication is not supported for iOS devices that use the Always-On connect method (see the linked article for details).
  • If an authentication profile must be combined with certificate-based authentication for iOS devices using the Always-On connect method, use a non-SAML authentication type such as LDAP, RADIUS or TACACS+.


Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wln6CAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail