GlobalProtect Gateway Authentication Tab

  • NetworkGlobalProtectGateways<gateway-config>Authentication
Select the Authentication tab to identify the SSL/TLS service profile and to configure the details of client authentication. You can add multiple client authentication configurations.
GlobalProtect Gateway Authentication Settings
SSL/TLS Service Profile
Select an SSL/TLS service profile for securing this GlobalProtect gateway. For details about the contents of a service profile, see Device > Certificate Management > SSL/TLS Service Profile.
Client Authentication Area
Enter a unique name to identify this configuration.
By default, the configuration applies to all endpoints. You can refine the list of endpoints by OS (Android, Chrome, iOS, Linux, Mac, Windows, or WindowsUWP), by Satellite devices, or by third-party IPSec VPN clients (X-Auth).
The OS is the main differentiator between multiple configurations. If you need multiple configurations for one OS, you can further distinguish the configurations by your choice of authentication profile.
Order the configurations from most specific at the top of the list to most general at the bottom.
Authentication Profile
Choose an authentication profile or sequence from the drop-down to authenticate access to the gateway. Refer to Device > Authentication Profile.
For client authentication, ensure that the Authentication Profile uses RADIUS or SAML with two-factor authentication. If you don’t use RADIUS or SAML, then you need to configure a Certificate profile in addition to an Authentication Profile.
Username Label
Specify a custom username label for GlobalProtect gateway login. For example, Username (only) or Email Address (username@domain).
Password Label
Specify a custom password label for GlobalProtect gateway login. For example, Password (Turkish) or Passcode (for two-factor, token-based authentication).
Authentication Message
To help end users know what credentials they should use for logging into this gateway, you can enter a message or keep the default message. The message can have a maximum of 256 characters.
Allow Authentication with User Credentials OR Client Certificate
If you select No, users must authenticate to the gateway using both user credentials and client certificates. If you select Yes, users can authenticate to the gateway using either user credentials or client certificates.
Certificate Profile
Certificate Profile
(Optional) Select the Certificate Profile the gateway uses to match those client certificates that come from user endpoints. With a Certificate Profile, the gateway authenticates the user only if the certificate from the client matches this profile.
If you set the Allow Authentication with User Credentials OR Client Certificate option to No, you must select a Certificate Profile. If you set the Allow Authentication with User Credentials OR Client Certificate option to Yes, the Certificate Profile is optional.
The certificate profile is independent of the OS.

Related Documentation