× Welcome to the Centrify Community! We are rolling out product name changes — click here to learn more.

GlobalProtect VPN SmartCard(PIV) authentication on macOS

Showing results for 
Search instead for 
Do you mean 
Reply
Participant II
Posts: 2
Registered: ‎01-31-2017
#1 of 4 1,469

GlobalProtect VPN SmartCard(PIV) authentication on macOS

I'm trying to configure SmartCart(PIV) authentication for our Palo Alto GlobalProtect VPN client on our Mac laptops.  We are currently able to successfully use our PIV readers and SmartCards with Centrify Express to authenticate to different services through the Safari so I know Centrify Express is, at least, installed and configured somehwat correclty. 

 

The issue that we have is that when the GlobalProtect client prompts for a cert to use for authentication, we are never prompted to enter a PIN.  Instead, we are repeatedly prompted to pick which cert on the SmartCard we want to use and after selecting a cert we are prompted again. This process repeats indefinitely until the process is cancled instead of selecting a cert.I know that the system is able to read the SmartCard as the only certs that show are the ones I know to be on the SmartCard but I'm not sure why I do not get prompted to enter a PIN.  I've worked with PaloAlto support which has informed me that they do not make calls for the certs/PIN and that's handled by a 'middle man' which in our case is Centrify.

 

Has anyone had success using Centrify Express for Smart Cards  on their Mac for VPN authentication via a client and not web browser?  More specifically, has anyone been able to configure this for use with Palo Alto's GlobalProtect VPN?  Lastly, is the information Palo Alto support is providing correct regarding 'middle man' handling of certs? 

 

macOS version: 10.12.3

Centrify Express for Smart Card version: 5.3.3

GlobalProtect Client version: 3.1.3-21

Centrify Advisor III
Posts: 73
Registered: ‎02-18-2015
#2 of 4 1,423

Re: GlobalProtect VPN SmartCard(PIV) authentication on macOS

Hi Timdor,

 

Welcome to Centrify and thank you for your inquiry.

 

In reading the configuration from PaloAlto GlobalProtect, it seems that they only provide the way for certificate authentication but not smartcard authentication:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-GlobalProtect/ta-p/5835...

 

From the description you mentioned, there are actually 2 issues:

 

1. No PIN prompt when trying to access the vpn

2. Certificate Authentication failure (that's why the prompt will repeatedly show up)

 

Firstly, for the issue regarding (1), this is the process that used to "un-lock" the smartcard to allow the use of the certiicate inside. PaloAlto GlobalProtect seems only support for certificate authentication but not smartcard authentication which means they do not have any module to involve the smartcard process. You could also refer to the below page of Smartcard Express Assistant that we support for those federal, defense and first-responder communities that require smart card authentication for CAC, CAC NG, and PIV smart cards:

 

https://www.centrify.com/express/identity-service/smart-card-download/?_ga=1.101889160.863729100.147...

 

Secondly, for the issue regarding (2), the prompt kept poped up because of the failure of authentication. From the article I mentioned above, you may need to cross check with the configuration to see if it is configured for certificate authentication. For further help regarding the configuration, you will need to reach PaloAlto for help.

 

Hope this helps.

 

Best Regards,

Albert

Participant II
Posts: 2
Registered: ‎01-31-2017
#3 of 4 1,387

Re: GlobalProtect VPN SmartCard(PIV) authentication on macOS

Thanks for the reply however I already am using the Centrify Express for Smart Card software that you linked in the first part of your post.  Using this software I'm able to use my SmartCard for web based authentication but not through the GlobalProtect VPN software.  I do know that Palo Alto does support SmartCard authentication as it works with Windows and we're only having a problem when attempting to connect from our Macs.  As I mentioned before, we are able to use SmartCard authentication when using Safari to connect to a web interface on our firewalls but not through the GlobalProtect VPN software.  

Centrify Advisor III
Posts: 73
Registered: ‎02-18-2015
#4 of 4 1,321

Re: GlobalProtect VPN SmartCard(PIV) authentication on macOS

Hi Timdor,

 

Thanks for getting back to us.

 

As we mentioned in the previous reply, the application itself will be needed to call smartcard module before Centrify can prompt for the PIN and allow users to authenticate using the certificate. Also, please note that the behaviour in Windows and Macs will be different and both OSs all depends on the application itself to call for the authenticaion method. 

 

Could you please check withPaloAlto if they can call any smartcard module that are using native Apple plug-in? For example, opening up the Safari will request a PIN as the page itself (which will require smartcard authentication) will alert Safari to call for smartcard module and then the mac will notify our plug-in so that the PIN prompt will be present.

 

Hope this helps.

 

Best Regards,

Albert