Hardware reference guide
GlobalProtect Administrator’s Guide 19
Set Up the GlobalProtect Infrastructure Set Up GlobalProtect User Authentication
Set Up Client Certificate Authentication
With client certificate authentication, the agent/app must present a client certificate in order to connect to the
GlobalProtect portal and/or gateway. The following workflow shows how to set up this configuration. For more
information, see About GlobalProtect User Authentication. For an example configuration, see Remote Access
VPN (Certificate Profile).
Step 2 Create an authentication profile.
The authentication profile specifies which server profile to use to authenticate users. You can attach an authentication profile to a portal or gateway configuration.
Best Practices:
• To enable users to connect and change their own expired passwords without administrative intervention, consider using the pre-logon connect method. See Remote Access VPN with Pre-Logon for details.
• If users allow their passwords to expire, you may assign a temporary LDAP password to enable them to log in to the VPN. In this case, the temporary password may be used to authenticate to the portal, but the gateway login may fail because the same temporary password cannot be re-used. To prevent this, set the Authentication Modifier in the portal configuration (Network > GlobalProtect > Portal) to Cookie authentication for config refresh to enable the agent to use a cookie to authenticate to the portal and the temporary password to authenticate the gateway.
1. Select Device > Authentication Profile and click Add to create a new profile.
2. Enter a Name for the profile and then select the Authentication type (LDAP, Kerberos, or RADIUS).
3. Select the Server Profile you created in Step 1.
4. (LDAP AD) Enter sAMAccountName as the Login Attribute.
5. (LDAP) Set the Password Expiry Warning, which indicates the number of days before password expiration that users will be notified. By default, users will be notified seven days prior to password expiration. Because users must change their passwords before they expire to ensure continued access to the VPN, make sure you provide a notification period that is adequate for your user base.
6. Click OK.
Step 3 Save the configuration.
Click Commit.
Set Up External User Authentication (Continued)
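To judge whether a Password Expiry Warning period is adequate for your user base, the following added example (not part of the guide and not the firewall's own logic) classifies accounts by days until password expiry for a given warning window. It assumes you have already exported each account's sAMAccountName, pwdLastSet and userAccountControl plus the domain maxPwdAge from Active Directory; the sample users are constructed, and fine-grained password policies are not considered.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000           # userAccountControl flag
NEVER = (0, -0x8000000000000000)         # maxPwdAge values meaning "no expiry"

def to_filetime(dt):
    """datetime -> AD timestamp (100-ns ticks since 1601-01-01 UTC)."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    """AD timestamp -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def expiry_status(user, max_pwd_age, now, warning_days=7):
    """Return (status, whole days left) for one account."""
    if user["userAccountControl"] & DONT_EXPIRE_PASSWORD or max_pwd_age in NEVER:
        return ("never-expires", None)
    if user["pwdLastSet"] == 0:          # must change password at next logon
        return ("must-change", None)
    max_age = timedelta(microseconds=-max_pwd_age // 10)  # stored negative
    left = from_filetime(user["pwdLastSet"]) + max_age - now
    if left <= timedelta(0):
        return ("expired", 0)
    status = "warn" if left <= timedelta(days=warning_days) else "ok"
    return (status, left.days)

def report(users, max_pwd_age, now, warning_days=7):
    """Map each sAMAccountName to its (status, days left)."""
    return {u["sAMAccountName"]: expiry_status(u, max_pwd_age, now, warning_days)
            for u in users}

# Constructed sample data (not from a real directory): 42-day maximum password age.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 86400 * 10_000_000   # negative tick count, as AD stores it

def _user(name, age_days, uac=0x200):
    last = 0 if age_days is None else to_filetime(NOW - timedelta(days=age_days))
    return {"sAMAccountName": name, "pwdLastSet": last, "userAccountControl": uac}

USERS = [_user("alice", 40), _user("bob", 10), _user("carol", 50),
         _user("dave", None), _user("erin", 34), _user("svc-vpn", 5, 0x10200)]

if __name__ == "__main__":
    for days in (7, 14):                 # compare the default window with a longer one
        print(f"warning window = {days} days")
        for name, (status, left) in report(USERS, MAX_PWD_AGE, NOW, days).items():
            print(f"  {name:8} {status:14} {'' if left is None else left}")
```

Accounts reported as expired or must-change are the ones that would need the pre-logon or temporary-password handling described in the best practices above.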