Mixed Authentication Method Support for Certificates or User Credentials

A single GlobalProtect portal or gateway can now support multiple combinations of authentication methods with user credentials and/or client certificates.
Software Support: PAN-OS® 9.0 and later releases
A single GlobalProtect portal or gateway can now support multiple combinations of authentication methods with user credentials and/or client certificates. You can define whether user credentials and client certificates are required for portal or gateway authentication within each client authentication configuration. For example, you can configure Windows and macOS users to authenticate to a portal or gateway using both their Active Directory (AD) user credentials and a client certificate. On the same portal or gateway, you can then configure Android or iOS users to authenticate using either their AD user credentials or a client certificate.
Use the following steps to configure a GlobalProtect portal or gateway to authenticate users with user credentials and/or client certificates:
  1. (Optional) To enable users to authenticate to a GlobalProtect portal or gateway using a client certificate, configure a certificate profile.
    The portal or gateway uses this certificate profile to match the client certificate sent by the GlobalProtect app. For a successful match, the client certificate must be signed and issued by the same CA certificate and (optional) template that you configure in the certificate profile. If you do not configure a template, the client certificate matches based on only the configured CA certificate.
  2. (Optional) To enable users to authenticate to a GlobalProtect portal or gateway using their user credentials, configure an authentication profile.
    The authentication profile defines the authentication service that validates user credentials when end users connect to GlobalProtect.
  3. Set up access to a GlobalProtect portal or configure a GlobalProtect gateway.
  4. Specify how the portal or gateway authenticates users.
    • From your client authentication configuration (Network > GlobalProtect > Portals > <portal-config> > Authentication > <client-authentication-config>), you can specify whether users can authenticate to the portal or gateway using credentials and/or client certificates by selecting one of the following options:
      • To require users to authenticate to the portal or gateway using both user credentials AND a client certificate, set the Allow Authentication with User Credentials OR Client Certificate option to No (User Credentials AND Client Certificate Required) (default).
      • To allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, set the Allow Authentication with User Credentials OR Client Certificate option to Yes (User Credentials OR Client Certificate Required).
        When you set this option to Yes, the portal or gateway first checks the endpoint for a client certificate. If the endpoint does not have a client certificate, or you do not configure a certificate profile for your client authentication configuration, the endpoint user can then authenticate to the portal or gateway using their user credentials.
    • From your client authentication configuration (Network > GlobalProtect > Portals > <portal-config> > Authentication > <client-authentication-config>), you can enable users to authenticate to the portal or gateway using credentials by selecting the Authentication Profile that you configured in Step 2.
      • If you want to require users to authenticate to the portal or gateway using both user credentials AND a client certificate, both the Authentication Profile and Certificate Profile are required.
      • If you want to allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, and you select a Certificate Profile for user authentication, the Authentication Profile is optional.
      • If you want to allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, but you do not select a Certificate Profile for user authentication (or you set the Certificate Profile to None), the Authentication Profile is required.
    • From your portal authentication configuration (Network > GlobalProtect > Portals > <portal-config> > Authentication), you can enable users to authenticate to the portal or gateway using a client certificate by selecting the Certificate Profile that you configured in Step 1. The portal uses this certificate profile to match the client certificate on connecting endpoints. A valid client certificate must be pre-deployed on all endpoints.
      • If you want to require users to authenticate to the portal or gateway using both user credentials AND a client certificate, both the Certificate Profile and Authentication Profile are required.
      • If you want to allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, and you select an Authentication Profile for user authentication, the Certificate Profile is optional.
      • If you want to allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, and you do not select an Authentication Profile for user authentication, the Certificate Profile is required.
      • If you do not configure any Authentication Profiles that match a specific OS, the Certificate Profile is required.
        If you allow users to authenticate to the portal using either user credentials OR a client certificate, do not select a Certificate Profile with the Username Field set to None.
  5. Save the portal or gateway configuration.
    1. Click OK.
    2. Commit your changes.
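The profile-requirement rules and the certificate-first, credentials-fallback behaviour from Step 4, modelled in Python as an added example (this is not Palo Alto Networks code). The `ClientAuthConfig` fields, the sample values and the handling of a presented certificate that does not match the profile (treated here as "no certificate") are assumptions made for the example.

```python
"""Model of the GlobalProtect client-authentication rules (added example, not PAN-OS code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientAuthConfig:
    """One client authentication configuration (constructed model, not the PAN-OS schema)."""
    os: str
    allow_cred_or_cert: bool                      # "Allow Authentication with User Credentials OR Client Certificate"
    auth_profile: Optional[str]                   # None = no Authentication Profile selected
    cert_profile: Optional[str]                   # None = Certificate Profile set to None
    cert_username_field: Optional[str] = "subject"  # Username Field of the selected Certificate Profile


def validate(cfg: ClientAuthConfig) -> list[str]:
    """Return the Step 4 rule violations for a configuration (empty list = valid combination)."""
    problems = []
    if not cfg.allow_cred_or_cert:
        # No (AND): both profiles are required.
        if cfg.auth_profile is None:
            problems.append("AND mode requires an Authentication Profile")
        if cfg.cert_profile is None:
            problems.append("AND mode requires a Certificate Profile")
    else:
        # Yes (OR): at least one of the two profiles is required ...
        if cfg.auth_profile is None and cfg.cert_profile is None:
            problems.append("OR mode requires an Authentication Profile or a Certificate Profile")
        # ... and the Certificate Profile must not have Username Field set to None.
        if cfg.cert_profile is not None and cfg.cert_username_field is None:
            problems.append("OR mode: Certificate Profile Username Field must not be None")
    return problems


def authenticate(cfg: ClientAuthConfig, has_matching_cert: bool, creds_valid: Optional[bool]) -> str:
    """Model which factor admits an endpoint.

    has_matching_cert: endpoint presented a certificate matching the Certificate Profile
    (a non-matching or absent certificate is treated as no certificate; assumption).
    creds_valid: None means no credentials were supplied.
    """
    if not cfg.allow_cred_or_cert:
        # AND mode: certificate and credentials must both succeed.
        return "allow" if (has_matching_cert and creds_valid) else "deny"
    # OR mode: the portal/gateway checks for a client certificate first ...
    if cfg.cert_profile is not None and has_matching_cert:
        return "allow(cert)"
    # ... and falls back to credentials when there is no certificate or no Certificate Profile.
    return "allow(credentials)" if creds_valid else "deny"
```

Running `validate` over an exported set of client authentication configurations flags combinations that the Step 4 rules reject before they reach a commit.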
