<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Pre-logon then switch to On-Demand in Prisma Access Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/pre-logon-than-switch-to-on-demand/m-p/598564#M862</link>
    <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/257295"&gt;@Maximt&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;
&lt;P&gt;Hi all,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have configured Prisma Access GlobalProtect to authenticate pre-logon with a computer certificate and then switch to on-demand.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Pre-logon works as expected and the on-demand authentication with SAML using CIE.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I was wondering if there is an option to configure pre-logon and always-on so when a user connects to the station GlobalProtect will automatically start authentication with SAML and connect to the gateway.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Kind Regards,&lt;/P&gt;
&lt;P&gt;Maxim&amp;nbsp;&lt;/P&gt;
&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/257295"&gt;@Maximt&lt;/a&gt;, I understand you are looking to confirm if there is a way to configure pre-logon and always-on when a user connects to the workstation so that GlobalProtect automatically recognizes the user log-on to the workstation with SAML.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Yes, this is possible today. To be able to achieve this, you need to set up two configuration profiles using the app agent. In the first configuration’s User/User Group, select the pre-logon filter. With pre-logon, the portal first authenticates the endpoint (not the user) to set up a connection even though the pre-logon parameter is associated with the user. Subsequently, the portal authenticates the user when he or she logs in. After the portal authenticates the user, it deploys the second configuration. In this case, User/User Group is any.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As a best practice, enable SSO in the second configuration so that the correct username is immediately reported to the gateway when the user logs in to the endpoint. If SSO is not enabled, the saved username in the Agent settings panel is used. Check Step 9 in this documentation for guidance on how to go about it: &lt;A href="https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-with-pre-logon" target="_blank" rel="noopener"&gt;https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-with-pre-logon&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;GlobalProtect pre-logon connects to the gateway while the system is still booting up or is at the Ctrl+Alt+Del screen, that is, before a user logs in to the machine. Pre-logon will also kick in once a user logs off that machine. Since there is no user associated at these times, the gateway will see this connection coming from a generic username called 'pre-logon'. Once the user logs on to the machine, the tunnel gets renamed (in Windows) from the 'pre-logon' user to the actual 'user' who logged in. In the case of Mac, the tunnel is re-established with the actual user who logged in.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I hope you find this helpful.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Vickynet&lt;/P&gt;</description>
    <pubDate>Mon, 23 Sep 2024 17:05:06 GMT</pubDate>
    <dc:creator>Vickynet</dc:creator>
    <dc:date>2024-09-23T17:05:06Z</dc:date>
    <item>
      <title>Pre-logon then switch to On-Demand</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/pre-logon-than-switch-to-on-demand/m-p/598262#M858</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have configured Prisma Access GlobalProtect to authenticate pre-logon with a computer certificate and then switch to on-demand.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Pre-logon works as expected and the on-demand authentication with SAML using CIE.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I was wondering if there is an option to configure pre-logon and always-on so when a user connects to the station GlobalProtect will automatically start authentication with SAML and connect to the gateway.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Kind Regards,&lt;/P&gt;
&lt;P&gt;Maxim&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 19 Sep 2024 09:58:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/pre-logon-than-switch-to-on-demand/m-p/598262#M858</guid>
      <dc:creator>Maximt</dc:creator>
      <dc:date>2024-09-19T09:58:47Z</dc:date>
    </item>
    <item>
      <title>Re: Pre-logon then switch to On-Demand</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/pre-logon-than-switch-to-on-demand/m-p/598564#M862</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/257295"&gt;@Maximt&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;
&lt;P&gt;Hi all,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have configured Prisma Access GlobalProtect to authenticate pre-logon with a computer certificate and then switch to on-demand.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Pre-logon works as expected and the on-demand authentication with SAML using CIE.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I was wondering if there is an option to configure pre-logon and always-on so when a user connects to the station GlobalProtect will automatically start authentication with SAML and connect to the gateway.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Kind Regards,&lt;/P&gt;
&lt;P&gt;Maxim&amp;nbsp;&lt;/P&gt;
&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/257295"&gt;@Maximt&lt;/a&gt;, I understand you are looking to confirm if there is a way to configure pre-logon and always-on when a user connects to the workstation so that GlobalProtect automatically recognizes the user log-on to the workstation with SAML.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Yes, this is possible today. To be able to achieve this, you need to set up two configuration profiles using the app agent. In the first configuration’s User/User Group, select the pre-logon filter. With pre-logon, the portal first authenticates the endpoint (not the user) to set up a connection even though the pre-logon parameter is associated with the user. Subsequently, the portal authenticates the user when he or she logs in. After the portal authenticates the user, it deploys the second configuration. In this case, User/User Group is any.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As a best practice, enable SSO in the second configuration so that the correct username is immediately reported to the gateway when the user logs in to the endpoint. If SSO is not enabled, the saved username in the Agent settings panel is used. Check Step 9 in this documentation for guidance on how to go about it: &lt;A href="https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-with-pre-logon" target="_blank" rel="noopener"&gt;https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-with-pre-logon&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;GlobalProtect pre-logon connects to the gateway while the system is still booting up or is at the Ctrl+Alt+Del screen, that is, before a user logs in to the machine. Pre-logon will also kick in once a user logs off that machine. Since there is no user associated at these times, the gateway will see this connection coming from a generic username called 'pre-logon'. Once the user logs on to the machine, the tunnel gets renamed (in Windows) from the 'pre-logon' user to the actual 'user' who logged in. In the case of Mac, the tunnel is re-established with the actual user who logged in.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I hope you find this helpful.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Vickynet&lt;/P&gt;</description>
      <pubDate>Mon, 23 Sep 2024 17:05:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/pre-logon-than-switch-to-on-demand/m-p/598564#M862</guid>
      <dc:creator>Vickynet</dc:creator>
      <dc:date>2024-09-23T17:05:06Z</dc:date>
    </item>
  </channel>
</rss>

