Mixed Authentication Method Support for Certificates or User Credentials
A single GlobalProtect portal or gateway can now support
multiple combinations of authentication methods with user credentials
and/or client certificates.
Software Support: PAN-OS® 9.0 and later releases

You can define whether user credentials and client certificates are required for portal or gateway authentication within each client authentication configuration.
For example, you can configure Windows and macOS users to authenticate
to a portal or gateway using both their Active Directory (AD) user
credentials and a client certificate. On the same portal or gateway,
you can then configure Android or iOS users to authenticate using
either their AD user credentials or a client certificate.
Use the following steps to configure a GlobalProtect portal or gateway to authenticate users with user credentials and/or client certificates:
- (Optional) To enable users to authenticate to a GlobalProtect portal or gateway using a client certificate, configure a certificate profile. The portal or gateway uses this certificate profile to match the client certificate sent by the GlobalProtect app. For a successful match, the client certificate must be signed and issued by the same CA certificate and (optional) template that you configure in the certificate profile. If you do not configure a template, the client certificate matches based only on the configured CA certificate.
- (Optional) To enable users to authenticate to a GlobalProtect portal or gateway using their user credentials, configure an authentication profile. The authentication profile defines the authentication service that validates user credentials when end users connect to GlobalProtect.
- From your client authentication configuration (Network > GlobalProtect > Portals > <portal-config> > Authentication > <client-authentication-config>), you can specify whether users can authenticate to the portal or gateway using credentials and/or client certificates by selecting one of the following options:
  - To require users to authenticate to the portal or gateway using both user credentials AND a client certificate, set the Allow Authentication with User Credentials OR Client Certificate option to No (User Credentials AND Client Certificate Required) (default).
  - To allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, set the Allow Authentication with User Credentials OR Client Certificate option to Yes (User Credentials OR Client Certificate Required). When you set this option to Yes, the portal or gateway first checks the endpoint for a client certificate. If the endpoint does not have a client certificate, or you do not configure a certificate profile for your client authentication configuration, the endpoint user can then authenticate to the portal or gateway using his or her user credentials.
- From your client authentication configuration (Network > GlobalProtect > Portals > <portal-config> > Authentication > <client-authentication-config>), you can enable users to authenticate to the portal or gateway using credentials by selecting the Authentication Profile that you configured in Step 2.
  - If you want to require users to authenticate to the portal or gateway using both user credentials AND a client certificate, both the Authentication Profile and the Certificate Profile are required.
  - If you want to allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, and you select a Certificate Profile for user authentication, the Authentication Profile is optional.
  - If you want to allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, but you do not select a Certificate Profile for user authentication (or you set the Certificate Profile to None), the Authentication Profile is required.
- From your portal authentication configuration (Network > GlobalProtect > Portals > <portal-config> > Authentication), you can enable users to authenticate to the portal or gateway using a client certificate by selecting the Certificate Profile that you configured in Step 1. The portal uses this certificate profile to match the client certificate on connecting endpoints. A valid client certificate must be pre-deployed on all endpoints.
  - If you want to require users to authenticate to the portal or gateway using both user credentials AND a client certificate, both the Certificate Profile and the Authentication Profile are required.
  - If you want to allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, and you select an Authentication Profile for user authentication, the Certificate Profile is optional.
  - If you want to allow users to authenticate to the portal or gateway using either user credentials OR a client certificate, and you do not select an Authentication Profile for user authentication, the Certificate Profile is required.
  - If you do not configure any Authentication Profiles that match a specific OS, the Certificate Profile is required. If you allow users to authenticate to the portal using either user credentials OR a client certificate, do not select a Certificate Profile with the Username Field set to None.
- Save the portal or gateway configuration.
- Click OK.
- Commit your changes.
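The required/optional rules in Steps 4 and 5, the Step 1 certificate-match rule, and the OR-mode decision flow from Step 3 are easy to get wrong when several client authentication configurations coexist on one portal. The following is an added example, not Palo Alto Networks code: a small Python model that checks a configuration against those rules and traces the decision for one connection attempt. All class names, field names and sample values (the CA name, template name and profile names) are invented for illustration.

```python
# Added example (not Palo Alto Networks code): a model of the PAN-OS 9.0
# mixed-authentication rules described on this page. Class and field names
# are invented; the rules themselves follow Steps 1, 3, 4 and 5.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CertificateProfile:
    """Certificate Profile: an issuing CA, an optional template, and the
    Username Field (None means no username is taken from the certificate)."""
    name: str
    ca: str
    template: Optional[str] = None
    username_field: Optional[str] = "subject"


@dataclass
class ClientAuthConfig:
    """One client authentication configuration on a portal or gateway."""
    name: str
    os: str                                   # OS this entry matches, e.g. "Windows"
    creds_or_cert: bool                       # the "Allow Authentication with User Credentials OR Client Certificate" option
    auth_profile: Optional[str] = None        # Authentication Profile, None if not selected
    cert_profile: Optional[CertificateProfile] = None


@dataclass
class ClientCert:
    """Constructed view of the client certificate an endpoint presents."""
    issuer_ca: str
    template: Optional[str] = None


def validate(cfg: ClientAuthConfig) -> List[str]:
    """Apply the required/optional rules from Steps 4 and 5; return the violations."""
    errors = []
    if not cfg.creds_or_cert:
        # "No (User Credentials AND Client Certificate Required)": both profiles required.
        if cfg.auth_profile is None:
            errors.append(f"{cfg.name}: AND mode requires an Authentication Profile")
        if cfg.cert_profile is None:
            errors.append(f"{cfg.name}: AND mode requires a Certificate Profile")
    else:
        # "Yes (User Credentials OR Client Certificate Required)": at least one
        # of the two profiles is required, the other is optional.
        if cfg.auth_profile is None and cfg.cert_profile is None:
            errors.append(f"{cfg.name}: OR mode requires an Authentication Profile or a Certificate Profile")
        # Caveat from Step 5: in OR mode do not use a Certificate Profile whose
        # Username Field is None.
        if cfg.cert_profile is not None and cfg.cert_profile.username_field is None:
            errors.append(f"{cfg.name}: OR mode must not use a Certificate Profile with Username Field set to None")
    return errors


def cert_matches(profile: Optional[CertificateProfile], cert: Optional[ClientCert]) -> bool:
    """Step 1 match rule: same issuing CA and, only if the profile sets one, the same template."""
    if profile is None or cert is None:
        return False
    if cert.issuer_ca != profile.ca:
        return False
    return profile.template is None or cert.template == profile.template


def authenticate(cfg: ClientAuthConfig, cert: Optional[ClientCert], credentials_valid: bool) -> bool:
    """Trace the portal/gateway decision for one connection attempt.

    credentials_valid stands in for the answer of the Authentication Profile's backend.
    """
    matched = cert_matches(cfg.cert_profile, cert)
    if not cfg.creds_or_cert:
        # AND mode: the certificate must match and the credentials must validate.
        return matched and cfg.auth_profile is not None and credentials_valid
    # OR mode: the certificate is checked first and is sufficient on its own.
    if matched:
        return True
    # Fallback to credentials happens in the two cases the page names: the endpoint
    # has no client certificate, or no Certificate Profile is configured. A presented
    # certificate that fails the match is rejected here; that is an assumption of
    # this model, since the page does not spell that case out.
    if (cert is None or cfg.cert_profile is None) and cfg.auth_profile is not None:
        return credentials_valid
    return False


if __name__ == "__main__":
    # Constructed sample: the page's own scenario. AD credentials AND a certificate
    # for Windows/macOS, AD credentials OR a certificate for Android/iOS.
    corp = CertificateProfile("corp-clients", ca="Corp-Issuing-CA", template="GP-Client")
    desktop = ClientAuthConfig("desktop", "Windows", creds_or_cert=False, auth_profile="ad-ldap", cert_profile=corp)
    mobile = ClientAuthConfig("mobile", "Android", creds_or_cert=True, auth_profile="ad-ldap", cert_profile=corp)
    for cfg in (desktop, mobile):
        print(cfg.name, validate(cfg) or "ok")
    good_cert = ClientCert("Corp-Issuing-CA", "GP-Client")
    print("desktop, cert only:", authenticate(desktop, good_cert, credentials_valid=False))
    print("mobile, no cert, valid password:", authenticate(mobile, None, credentials_valid=True))
```

Running `validate` over every client authentication configuration before a commit catches the two failure modes the page calls out: an OR-mode entry with neither profile selected, and an OR-mode entry whose Certificate Profile has no Username Field, which would leave the portal without a username to act on.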