GlobalProtect Client Certificate Authentication- PAN-OS 10.0.6

Captions
Hey, what's up guys, welcome to MB Tech Talker. My name is Matt, and in this video I'm going to show you how to configure GlobalProtect to use client certificate authentication in three easy steps. This lab is a continuation of my GlobalProtect portal and gateway configuration video, so don't forget to watch that video first, and if you want to know how to automatically issue client certificates using Windows Server Certificate Services and Active Directory, check out that video too. All the links are in the description below.

If you guys would like to see more content like this on my channel, there are a few simple things you can do right now: you can hit the thumbs up on the video, you can smash that subscribe button and push that bell icon for notifications, and don't forget guys, leave comments on all my videos. I really appreciate the feedback; it would be great for all of us if we discuss the topics further. This way we can create a community based on the content that I'm creating on my channel. So, that all being said, let's geek it up in the lab.

There are only a few steps we need to follow to get this working. Step 1: create the certificate profile. Step 2: configure the GlobalProtect portal and gateway to use the certificate profile. Step 3: test from a Windows 10 machine using the GlobalProtect app.

When certificate authentication is enforced we need to understand some important facts. The user must present a valid client certificate that identifies them to the GlobalProtect portal or gateway. The portal or gateway verifies that the client certificate is valid and checks to see if the client holds the private key of the certificate by using the Certificate Verify message exchanged during the SSL handshake, additionally checking that the client certificate is signed by the certificate authority specified in the Issuer field of the certificate. And in the certificate itself, the portal or gateway uses a certificate profile to determine whether the user that sent the certificate is the user to which the certificate was issued.

Okay, so step one of the lab: we're going to go to the Device tab, and then underneath Certificate Management we're going to click on Certificate Profile. I'm going to add a new profile; I'm going to name it "client cert profile", and then in the Username Field there's a drop-down and we're going to select Subject. So this will instruct the portal or gateway to check the Subject field of the client certificate. Typically the username corresponds to the common name in the Subject field of the certificate. So in this lab I'll be configuring client certificate authentication as the only means of authentication, which means the certificate that the user presents must contain the username in one of their certificate fields. So in the CA Certificates area we're going to click Add, and we need to include one or more certificates that were used to sign the client's certificate, so I'm going to choose the root CA here. And that's all we need to get this working. These settings down here are optional and for really optimizing the certificate checking criteria, so we can just click OK.

So moving on to step two, we need to go to the Network tab, and then underneath GlobalProtect we're going to start with Portals, and then I'm going to click on my mbtech portal. I'm going to go to the Authentication tab. As you can see, I already have client authentication configured using an LDAP authentication profile. I'm going to delete this because I just want to demonstrate client certificate authentication; however, if you want, you can use both authentication methods and test it out. Let me know in the comments how you test it and what you saw. So now in the Certificate Profile I'm going to select the certificate profile that we created a moment ago, so that was called "client cert profile", and then we can click OK. Now it's just a case of repeating the same configuration steps in the gateway, so let's go over to Gateways, and then we're just going to click on mbtech gateway and we're just going to do exactly the same here. So go into the Authentication tab, we're gonna check the box, delete this LDAP profile, and then in the Certificate Profile I'm gonna change this to "client cert profile", click OK, then click Commit. And it's really just that simple.

So we're on to the final step. This is where we do some testing, but before we head over to the client let's check the GlobalProtect logs. So we're going to go to the Monitor tab, and then here on the left we're going to choose GlobalProtect. So if you haven't been following my other GlobalProtect videos, the latest lab was all about pre-logon authentication, and this is currently how my firewall is configured. So because I haven't logged in as secadmin1, the source user is currently pre-logon, which you can see here in the logs.

So now let's go over to the Windows 10 client. So I'm going to log in as secadmin1, and if we wait for GlobalProtect to pop up, you can see here we've already connected, and we didn't even need to enter a username and password. So that means the client authentication must be working, but we can verify this back on the firewall and check the GlobalProtect logs. But before we do that, let's check to see if we have a client certificate. So if we do Control and R and open up mmc, then we can add and remove a snap-in, and then we're going to select Certificates, Add, and we're just going to leave it at User Account and click Finish and then OK. You just expand the certificates for the current user and Personal, and then click on Certificates. Here you can see the secadmin1 cert that was issued by my Lab Root CA. Double-click on it to open it up, and down here it says "You have a private key that corresponds to this certificate". So as I said earlier in the video, the portal or gateway verifies that the client certificate is valid and checks to see if the client holds the private key of the certificate by using the Certificate Verify message exchanged during the SSL handshake.

Next, if we open up the Details tab and we click on the Subject field, we can see the username is the common name, and since we have configured the portal and the gateway to use client authentication only, the certificate must contain the username in one of the certificate fields. Now that we have confirmed the certificate contains the correct information, we can go back over to the firewall and we can verify that the authentication was actually done by the client certificate.

Okay, so back on the firewall, I'm on the Monitor tab and I'm looking at the GlobalProtect logs. Now if you remember, we already had a tunnel established using pre-logon, so that's why we're seeing the pre-logon in the source user, but as soon as we logged on as secadmin1 we were able to authenticate using the client certificate, which then renamed the source user to secadmin1. And the great thing here is we didn't even need to use the username or password for the authentication. So that has been a successful little lab. Um, that's it for today's video, I hope you enjoyed it, and uh, yeah, I'll see you on the next one.

Okay guys, that's it for today's video, thanks for watching. Over the next coming weeks I will be uploading more videos where I will be sharing more content about Palo Alto firewall features and technologies and how to configure them. If you like this video I'm sure you know what to do by now, but just in case you don't, please hit that like button below and share with your friends, and be sure to hit that subscribe button and the bell to get notified every single time I post a new video. If you have any ideas or video content you want me to create, please put them in the comments below, as I would love to hear your feedback on any aspect of my channel. Please keep watching and I will see you in the next video. Thanks.
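The three checks the video describes (the client certificate is signed by a CA listed in the certificate profile, the client holds the matching private key, and the username is read from the Subject common name) reproduced locally with openssl, as an added example that is not part of the video or of PAN-OS itself. The CA names "Lab Root CA" and "Rogue CA", the username secadmin1 and every certificate below are constructed throwaway lab material; the private-key check stands in for the TLS CertificateVerify exchange by comparing key material offline, which the firewall does on the wire rather than from a key file.

```shell
#!/bin/sh
# Added example, not from the video: mirror the portal/gateway client-certificate
# checks with openssl on a constructed throwaway PKI (assumed names throughout).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue_client <ca-basename> <out-basename> <username>
# Create a key, a CSR with CN=<username>, and a certificate signed by the given CA.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 1 -out "$2.crt" >/dev/null 2>&1
}

# Build the lab PKI: the trusted root CA (the one added to the certificate profile),
# a client cert for secadmin1 signed by it, plus a second CA that is NOT in the
# profile and a cert with the same CN issued by that one.
make_lab_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Rogue CA" \
    -keyout "$WORK/rogue-ca.key" -out "$WORK/rogue-ca.crt" >/dev/null 2>&1
  issue_client "$WORK/ca" "$WORK/client" "secadmin1"
  issue_client "$WORK/rogue-ca" "$WORK/rogue" "secadmin1"
}

# Check 1 (CA Certificates list in the certificate profile):
# is the client certificate signed by a CA we trust? <cert> <ca-cert>
check_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 2 (CertificateVerify during the handshake): does the presented private key
# belong to the certificate? Offline stand-in: compare the public key embedded in
# the cert with the public key derived from the key file. <cert> <key>
check_key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Check 3 (Username Field = Subject): the CN the firewall maps to the source user. <cert>
cert_username() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# report <label> <cert> <key>: run all three checks and print one summary line.
report() {
  if check_chain "$2" "$WORK/ca.crt"; then chain=ok; else chain=FAIL; fi
  if check_key_matches "$2" "$3"; then key=ok; else key=FAIL; fi
  printf '%-9s chain=%s key=%s user=%s\n' "$1" "$chain" "$key" "$(cert_username "$2")"
}

make_lab_pki
report trusted  "$WORK/client.crt" "$WORK/client.key"   # chain=ok   key=ok   user=secadmin1
report rogue    "$WORK/rogue.crt"  "$WORK/rogue.key"    # chain=FAIL key=ok   user=secadmin1
report wrongkey "$WORK/client.crt" "$WORK/rogue.key"    # chain=ok   key=FAIL user=secadmin1
```

The "rogue" line is the one worth noticing when reviewing a certificate profile: a certificate carrying the right CN but issued by a CA that is not in the profile's CA list fails the chain check, so the username it claims is never used. The "wrongkey" line shows why possession of the private key is verified separately from the chain.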
Info
Channel: MB Tech Talker
Views: 605
Id: OmY3WYNJkgw
Length: 9min 4sec (544 seconds)
Published: Fri Oct 01 2021