Ex: RE: Globalprotect and Shibboleth
Steve Herrera
sherrera at fsmail.bradley.edu
Thu Jun 9 18:53:37 UTC 2022
Yes please. It looks as though others have run into the same issue I have
and found alternative methods to get around it. If your network guy could
let the rest of us know how he imported it, I think it would help a lot of
people.
On Thu, Jun 9, 2022 at 1:49 PM Paul B. Henson <henson at cpp.edu> wrote:
> > From: Steven Teixeira
> > Sent: Thursday, June 9, 2022 9:05 AM
> >
> > So first off, get ready for some pain and suffering when it comes to PAN.
>
> Ah, the joy of PAN; not VPN related, but I always love it when it
> misclassifies something as a "threat" and things mysteriously stop working
> because some of their packets get quietly dropped on the floor and not
> delivered <sigh>.
>
> > You’re getting that error because PAN requires that the “Subject Type=CA”
> > basic restraint be included in the self-signed certificate. Shibboleth
> > doesn’t generate a self-signed certificate at install time with this
> > constraint.
>
> We are using SAML auth for our PAN VPN, and I don't recall having to do
> that. It was an annoying process going back and forth with the network guy
> setting it up, but in the end it accepted our usual metadata including the
> default self signed certificate the IDP generated once upon a time when I
> originally installed it.
>
> It's been a while, but I remember vaguely they had to configure it
> differently than they initially tried. But we definitely did not have to do
> anything weird on the Shibboleth side with the certificate. I wouldn't have
> done that, PAN would have had to fix their crap or we wouldn't have done
> SAML.
>
> I could ask our network guy how he configured it if you want, but his
> recollection is probably going to be about as vague as mine 8--/. I'll poke
> him and see.
>
>
> --
> Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
> Operating Systems and Network Analyst | henson at cpp.edu
> California State Polytechnic University | Pomona CA 91768
>