Mixed Authentication Method Support for Certificates or User Credentials

A single GlobalProtect portal or gateway can now support multiple combinations of authentication methods with user credentials and/or client certificates.
Software Support: PAN-OS® 9.0 and later releases
A single GlobalProtect portal or gateway can now support multiple combinations of authentication methods with user credentials and/or client certificates. You can define whether user credentials and client certificates are required for portal or gateway authentication within each client authentication configuration. For example, you can configure Windows and macOS users to authenticate to a portal or gateway using both their Active Directory (AD) user credentials and a client certificate. On the same portal or gateway, you can then configure Android or iOS users to authenticate using either their AD user credentials or a client certificate.
Use the following steps to configure a GlobalProtect portal or gateway to authenticate users with user credentials and/or client certificates:
  1. (Optional) To enable users to authenticate to a GlobalProtect portal or gateway using a client certificate, configure a certificate profile.
    The portal or gateway uses this certificate profile to match the client certificate sent by the GlobalProtect app. For a successful match, the client certificate must be signed and issued by the same CA certificate and (optional) template that you configure in the certificate profile. If you do not configure a template, the client certificate matches based on only the configured CA certificate.
  2. (Optional) To enable users to authenticate to a GlobalProtect portal or gateway using their user credentials, configure an authentication profile.
    The authentication profile defines the authentication service that validates user credentials when end users connect to GlobalProtect.
    • From your client authentication configuration (Network > GlobalProtect > Portals > <portal-config> > Authentication > <client-authentication-config>), you can specify whether users can authenticate to the portal or gateway using credentials and/or client certificates by selecting one of the following options:
      • To require users to authenticate to the portal or gateway using both user credentials AND a client certificate, set the Allow Authentication with User Credentials OR Client Certificate option to No (User Credentials AND Client Certificate Required) (default).
      • To allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, set the Allow Authentication with User Credentials OR Client Certificate option to Yes (User Credentials OR Client Certificate Required).
        When you set this option to Yes, the portal or gateway first checks the endpoint for a client certificate. If the endpoint does not have a client certificate, or you do not configure a certificate profile for your client authentication configuration, the endpoint user can then authenticate to the portal or gateway using his or her user credentials.
    • From your client authentication configuration (Network > GlobalProtect > Portals > <portal-config> > Authentication > <client-authentication-config>), you can enable users to authenticate to the portal or gateway using credentials by selecting the Authentication Profile that you configured in Step 2.
      • If you want to require users to authenticate to the portal or gateway using both user credentials AND a client certificate, both the Authentication Profile and Certificate Profile are required.
      • If you want to allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, and you select a Certificate Profile for user authentication, the Authentication Profile is optional.
      • If you want to allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, but you do not select a Certificate Profile for user authentication (or you set the Certificate Profile to None), the Authentication Profile is required.
    • From your portal authentication configuration (Network > GlobalProtect > Portals > <portal-config> > Authentication), you can enable users to authenticate to the portal or gateway using a client certificate by selecting the Certificate Profile that you configured in Step 1. The portal uses this certificate profile to match the client certificate on connecting endpoints. A valid client certificate must be pre-deployed on all endpoints.
      • If you want to require users to authenticate to the portal or gateway using both user credentials AND a client certificate, both the Certificate Profile and Authentication Profile are required.
      • If you want to allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, and you select an Authentication Profile for user authentication, the Certificate Profile is optional.
      • If you want to allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, and you do not select an Authentication Profile for user authentication, the Certificate Profile is required.
      • If you do not configure any Authentication Profiles that match a specific OS, the Certificate Profile is required.
        Note: If you allow users to authenticate to the portal using either user credentials OR a client certificate, do not select a Certificate Profile with the Username Field set to None.
  3. Save the portal or gateway configuration.
    1. Click OK.
    2. Commit your changes.
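The rules above (AND versus OR mode, which profile is required or optional, certificate checked before credentials in OR mode) can be hard to keep straight when reviewing a portal with several client authentication entries. The following is an added example, not code from the PAN-OS product or this documentation: a small Python model of one client authentication entry that checks an entry against the page's rules and decides the outcome of a connection attempt. Field names, the "Subject" default for the Username Field, and the choice to deny on an invalid entry are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientAuthConfig:
    """One client authentication entry on a GlobalProtect portal or gateway (modelled, not the PAN-OS schema)."""
    name: str
    creds_or_cert: bool                     # "Allow Authentication with User Credentials OR Client Certificate": True = Yes, False = No
    auth_profile: Optional[str] = None      # Authentication Profile name, or None when not selected
    cert_profile: Optional[str] = None      # Certificate Profile name, or None when not selected
    cert_username_field: Optional[str] = "Subject"  # Username Field of the cert profile; None models "None" (assumed default "Subject")


def validate(cfg: ClientAuthConfig) -> list[str]:
    """Return the rules from the procedure that this entry violates (empty list when the entry is valid)."""
    errors = []
    if not cfg.creds_or_cert:
        # No (User Credentials AND Client Certificate Required): both profiles are required.
        if cfg.auth_profile is None:
            errors.append(f"{cfg.name}: AND mode requires an Authentication Profile")
        if cfg.cert_profile is None:
            errors.append(f"{cfg.name}: AND mode requires a Certificate Profile")
    else:
        # Yes (User Credentials OR Client Certificate Required): whichever profile is missing makes the other required.
        if cfg.auth_profile is None and cfg.cert_profile is None:
            errors.append(f"{cfg.name}: OR mode requires an Authentication Profile or a Certificate Profile")
        # The note: in OR mode the Certificate Profile must supply a username.
        if cfg.cert_profile is not None and cfg.cert_username_field is None:
            errors.append(f"{cfg.name}: OR mode must not use a Certificate Profile whose Username Field is None")
    return errors


def authenticate(cfg: ClientAuthConfig, cert_matches: bool, creds_valid: bool) -> str:
    """Decide one connection attempt.

    cert_matches: the endpoint presented a client certificate that matches the Certificate Profile.
    creds_valid:  the Authentication Profile's service accepted the user credentials.
    Returns "both", "certificate", "credentials" or "denied".
    """
    if validate(cfg):
        return "denied"  # assumption: an entry that breaks the rules is treated as denying access
    if not cfg.creds_or_cert:
        # AND mode: both factors must succeed.
        return "both" if (cert_matches and creds_valid) else "denied"
    # OR mode: the portal or gateway checks for a client certificate first ...
    if cfg.cert_profile is not None and cert_matches:
        return "certificate"
    # ... and falls back to user credentials when there is no usable certificate or no certificate profile.
    if cfg.auth_profile is not None and creds_valid:
        return "credentials"
    return "denied"
```

Running `validate` over every entry of a portal before commit surfaces the "required" violations the page lists, and `authenticate` shows why an OR-mode entry with only a Certificate Profile silently denies users whose certificate is missing.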
