GlobalProtect Client Certificate Authentication
Configuring client authentication via user-specific certificates
Configuration Overview
Configure SCEP
Configure Certificate Profile
Update authentication on the Portal
Update authentication on the Gateway
SCEP
Create SCEP - Navigate to Device > Certificate Management > SCEP > Add and give the profile a name.
Under One Time Password (Challenge)
Select > Dynamic
Server URL > Point to the NDES challenge page on your AD CS server (Example: http://IP_ADDRESS/certsrv/mscep_admin/)
Define the Username and Password of the account the firewall will use to log in to mscep_admin and fetch a fresh challenge for each enrollment. Use a dedicated account with only the NDES permissions it needs; these credentials are sent with every challenge request, so prefer an https URL if NDES is published over TLS.
Under Configuration
Server URL > Point to the NDES SCEP endpoint on the same server (Example: http://IP_ADDRESS/certsrv/mscep/)
CA-IDENT > Identifier Name (a descriptive name for your CA)
Subject > CN=$USERNAME (I selected the username so that the Common Name, or CN, of each issued certificate carries the user's login name; the Certificate Profile later reads the username back out of this field)
Subject Alternative Name Type > None
Define Cryptographic Settings
Number of Bits & Digest for the CSR. The digest must be one the SCEP server supports (its GetCACaps response lists them); choose SHA-256 where NDES offers it.
CA Certificate Fingerprint > The fingerprint (thumbprint) of the CA certificate that NDES enrolls against. The firewall uses it to verify the CA certificate it retrieves over SCEP, so enter the CA's fingerprint, not the NDES RA certificate's. To find it, navigate to your certsrv site again, this time with mscep_admin appended (Example: http://IP_ADDRESS/certsrv/mscep_admin/); the page shows the CA certificate thumbprint together with the current challenge password.
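Before committing the profile it is worth querying the NDES endpoints from a workstation the same way the firewall will, and reading the CA fingerprint out of the SCEP response rather than only off the admin page. The script below is an added example, not part of the original post and not Palo Alto's or Microsoft's code. It assumes curl and openssl are installed, that NDES_HOST is a placeholder for your AD CS/NDES server, and that SCEP is served at the standard NDES path /certsrv/mscep/mscep.dll.

```shell
#!/bin/sh
# Added example (not from the original post): query the NDES SCEP endpoint the way the
# firewall will and derive the CA certificate fingerprint for the SCEP profile.
# Assumptions: curl and openssl are installed; NDES_HOST is a placeholder for the
# AD CS/NDES server, and mscep.dll is the standard NDES SCEP endpoint under /certsrv/mscep/.
# Usage:  scep_get_caps "$SCEP_URL"
#         scep_get_cacert "$SCEP_URL" ca.bin && scep_ca_fingerprints ca.bin

SCEP_URL="${SCEP_URL:-http://NDES_HOST/certsrv/mscep/mscep.dll}"

# GetCACaps lists what the SCEP server supports (e.g. POSTPKIOperation, SHA-256, AES).
# The Digest picked under Cryptographic Settings must be one of the listed hashes.
scep_get_caps() {
  curl -fsS "$1?operation=GetCACaps&message=ca"
}

# GetCACert returns either a single DER certificate (application/x-x509-ca-cert) or,
# as NDES does, a degenerate PKCS#7 (application/x-x509-ca-ra-cert) holding the CA
# certificate plus the NDES RA certificates. The raw body is saved to $2.
scep_get_cacert() {
  curl -fsS -o "$2" "$1?operation=GetCACert&message=ca"
}

# scep_ca_fingerprints FILE: print "SHA1 SHA256 subject" for every certificate in a
# GetCACert response, handling both the PKCS#7 bundle and the bare-certificate form.
# The line whose subject is your CA is the value for "CA Certificate Fingerprint";
# the RA certificates' fingerprints are not what the profile wants.
scep_ca_fingerprints() {
  resp="$1"
  tmp=$(mktemp -d)
  if openssl pkcs7 -inform DER -in "$resp" -noout >/dev/null 2>&1; then
    openssl pkcs7 -inform DER -in "$resp" -print_certs
  else
    openssl x509 -inform DER -in "$resp"
  fi | awk -v d="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; p = 1 }
    p { print > (d "/cert" n ".pem") }
    /-----END CERTIFICATE-----/ { p = 0 }'
  for c in "$tmp"/cert*.pem; do
    [ -e "$c" ] || continue
    sha1=$(openssl x509 -in "$c" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g')
    sha256=$(openssl x509 -in "$c" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g')
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
    printf '%s %s %s\n' "$sha1" "$sha256" "$subj"
  done
  rm -rf "$tmp"
}
```

Run scep_get_caps "$SCEP_URL" first and confirm the digest you chose under Cryptographic Settings is advertised, then scep_get_cacert "$SCEP_URL" ca.bin followed by scep_ca_fingerprints ca.bin. The line whose subject is your CA should match the thumbprint shown on the mscep_admin page; if it does not, the firewall is talking to a different CA than you think.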
Certificate Profile
Create Certificate Profile - Navigate to Device > Certificate Management > Certificate Profile > Add.
Define a profile name like GP-Client-Cert.
Username Field > Select Subject (again, this takes the user's username from the Common Name of their specific user certificate; it matches the CN=$USERNAME subject set in the SCEP profile).
CA Certificates > Add the CA certificate that issues the user certificates, plus any intermediate CA in the chain. These must already be imported under Device > Certificate Management > Certificates; a client certificate is accepted only if it chains to one of them.
You can also enable CRL and OCSP checks here and block sessions based on certificate status (unknown status, or a lookup that times out). For this example, I have left them blank. Be aware that without CRL or OCSP a revoked user certificate keeps authenticating until it expires, so enable one of them before relying on this in production.
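To see concretely what the profile enforces, the script below reproduces its three checks on a user certificate file with openssl: the chain must end at one of the profile's CA certificates, the username is read from the Subject CN, and, only when a CRL is supplied, the certificate must not be revoked. This is an added example of my own, not the page's or Palo Alto's code and only an approximation of the firewall's validation; user.pem, ca.pem and crl.pem are placeholder file names.

```shell
#!/bin/sh
# Added example (not from the original post): approximate with openssl what the
# Certificate Profile checks when the GlobalProtect app presents a certificate.
# Placeholder files: user.pem (client cert), ca.pem (profile's CA), crl.pem (optional).

# gp_cert_username FILE: the value the profile extracts with Username Field = Subject.
# RFC2253 formatting gives "CN=jperalta" style RDNs on OpenSSL 1.1 and 3 alike.
gp_cert_username() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# gp_cert_check USERCERT CAFILE [CRLFILE] [EXPECTED_USER]
# Returns 0 when USERCERT chains to CAFILE, is not revoked per CRLFILE (if given) and
# its Subject CN equals EXPECTED_USER (if given). Prints the reason on failure, which is
# what "Block session" would do on the firewall. With no CRLFILE the revocation check is
# skipped, exactly like a profile with CRL/OCSP left blank.
gp_cert_check() {
  cert="$1"; ca="$2"; crl="$3"; want="$4"
  if [ -n "$crl" ]; then
    openssl verify -CAfile "$ca" -crl_check -CRLfile "$crl" "$cert" >/dev/null 2>&1 ||
      { echo "chain or revocation check failed for $cert"; return 1; }
  else
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
      { echo "chain check failed for $cert"; return 1; }
  fi
  cn=$(gp_cert_username "$cert")
  if [ -n "$want" ] && [ "$cn" != "$want" ]; then
    echo "subject CN '$cn' does not match expected user '$want'"; return 1
  fi
  echo "ok: $cert authenticates as $cn"
  return 0
}
```

Usage is gp_cert_check user.pem ca.pem "" jperalta for a profile without revocation checking, or gp_cert_check user.pem ca.pem crl.pem jperalta once you have a CRL from the CA. A certificate with the right CN but signed by a different CA (say, a self-signed one a user made) fails the first check, which is the whole point of the CA Certificates list in the profile.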
Portal
Re-configure Portal - Navigate to Network > GlobalProtect > Portal and open your portal.
Under Authentication
Add the Certificate Profile we created previously
Ensure that "Allow Authentication with User Credentials OR Client Certificate" is set to: Yes
If set to Yes, a user can authenticate with either a valid client certificate (when the app presents one that passes the profile) or their credentials; users who do not yet have a certificate are prompted for credentials.
If set to No, a valid client certificate AND credentials are both required, which a user who has not yet been issued a certificate cannot satisfy.
Under Agent - Select your existing agent configuration
On the agent configuration's Authentication tab, set Client Certificate to SCEP and select the SCEP profile you created (Agent > {agent config} > Authentication > Client Certificate > SCEP > {SCEP_Profile}).
Gateway
Re-configure Gateway - Navigate to Network > GlobalProtect > Gateway > Select existing Gateway.
Repeat the following for every gateway on which you want client certificate authentication.
Under Authentication
Add the Certificate Profile we created previously
Ensure that "Allow Authentication with User Credentials OR Client Certificate" is set to: Yes
If set to Yes, a user can authenticate with either a valid client certificate or their credentials
If set to No, a valid client certificate AND credentials are both required
Lastly, Commit your changes (Commit and Push if the firewalls are managed from Panorama).
Testing & Validation
Now when the user connects to the portal, the portal enrolls a certificate for that user through the SCEP profile (if one has not already been issued to them). The certificate is stored in the user's personal certificate store on the machine and is presented to both the Portal and any Gateway that has the certificate profile configured.
We can validate this by checking the user's Personal certificate store (certmgr.msc on Windows).
We can see a certificate has been generated for our user jperalta. We can then check the GlobalProtect logs (Monitor > Logs > GlobalProtect) to ensure that the user is authenticating with a certificate.
The logs show a different user because I had two users I was using for testing, but we can still see that the user was authenticated via certificate to both the Portal and Gateway.
Finally, we can check our CA and validate that it issued the certificates: the Issued Certificates folder in the Certification Authority console should list a certificate whose Subject CN is the username, requested through NDES using the SCEP profile we created.
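With the OR setting enabled, a user who never received a certificate, or whose certificate failed validation, can still log in with just a password, so the check that matters across the user base is which authentication method each user actually used at the portal and at the gateway. The script below is an added example, not from the original post: it audits an exported GlobalProtect log with awk. The CSV column layout and the log lines are constructed for the example; a real export from Monitor > Logs > GlobalProtect has many more columns, and the exact auth_method string for certificate logins may differ from the assumed "certificate", so the match is a case-insensitive substring and the column numbers are meant to be adjusted.

```shell
#!/bin/sh
# Added example (not from the original post): audit a GlobalProtect log export to see who
# really authenticated with a certificate and who still came in on a password.
# Assumed, not from the page: a CSV with the columns
#   time,event_id,stage,auth_method,source_user,status
# A real export (Monitor > Logs > GlobalProtect) has many more columns and the exact
# auth_method string for certificate logins may differ, so adjust the $n indices and the
# /certificate/ pattern to your firewall's output. The sample lines are constructed.

GP_LOG_SAMPLE='time,event_id,stage,auth_method,source_user,status
2024-01-10 09:00:01,portal-auth,login,certificate,jperalta,success
2024-01-10 09:00:02,gateway-auth,login,certificate,jperalta,success
2024-01-10 09:05:10,portal-auth,login,LDAP,asantiago,success
2024-01-10 09:05:11,gateway-auth,login,LDAP,asantiago,success
2024-01-10 09:07:30,portal-auth,login,certificate,rholt,success
2024-01-10 09:07:31,gateway-auth,login,LDAP,rholt,success
2024-01-10 09:09:00,portal-auth,login,certificate,cboyle,failure
2024-01-10 09:09:05,portal-auth,login,LDAP,cboyle,success
2024-01-10 09:09:06,gateway-auth,login,LDAP,cboyle,success'

# gp_auth_audit: CSV on stdin -> one line per user:
#   <user> portal=<method|none> gateway=<method|none> <verdict>
# Only successful logins count; the latest success per stage wins. Verdict is "cert"
# when both portal and gateway used a certificate, "credentials" when neither did (the
# OR fallback path, e.g. cboyle whose certificate failed and who then typed a password),
# and "mixed" when the two disagree (e.g. certificate at the portal but password at the
# gateway, which suggests the gateway's certificate profile is not being applied).
gp_auth_audit() {
  awk -F',' '
    NR > 1 && $6 == "success" {
      u = $5; users[u] = 1
      if ($2 == "portal-auth")  portal[u]  = $4
      if ($2 == "gateway-auth") gateway[u] = $4
    }
    END {
      for (u in users) {
        p = (u in portal)  ? portal[u]  : "none"
        g = (u in gateway) ? gateway[u] : "none"
        pc = tolower(p) ~ /certificate/; gc = tolower(g) ~ /certificate/
        v = (pc && gc) ? "cert" : ((!pc && !gc) ? "credentials" : "mixed")
        printf "%s portal=%s gateway=%s %s\n", u, p, g, v
      }
    }' | sort
}

# gp_noncert_users: the accounts a stolen password alone would still log in as while
# "Allow Authentication with User Credentials OR Client Certificate" is set to Yes.
gp_noncert_users() {
  gp_auth_audit | awk '$4 != "cert" { print $1 }'
}

printf '%s\n' "$GP_LOG_SAMPLE" | gp_auth_audit
```

Feed your own export in with gp_auth_audit < gp-export.csv after fixing the column indices; the gp_noncert_users list is the set of users to chase for enrollment (or to investigate, if they should already have a certificate) before you consider flipping the OR setting to No.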