topic Re: Connect client at boot time in General Topics

Connect client at boot time

bdunbar — Tue, 07 Oct 2014 19:15:34 GMT

The Further Adventures of a Networking Neophyte

PA-200

Software Version: 6.0.1

GlobalProtect Agent 2.0.4

Now what I need, and desire, is to have client PCs, in an office remote from the data center, login to the domain controller -in- the data center. They would like this as transparent as possible, i.e. to present that domain at login via the standard login menu, and not have it available after boot.

I believe the way forward is to - somehow - enable the GlobalProtect client to authenticate during boot. I see ways to do this using Windows VPN client, and Cisco has the process documented, but I can't tell how to make it work for GlobalProtect.

I'm searching, and will continue to look, but .. is it even possible?

Re: Connect client at boot time

ssharma — Tue, 07 Oct 2014 19:19:16 GMT

Hi Bdunbar,

Solution that you are looking for is pre-logon. It will take domain credentials and establish tunnel before users gets to windows desktop. Please refer to following documents for explanation :

GlobalProtect Administrator's Guide 6.0 (English)

Hope this helps. Thank you.

Re: Connect client at boot time

bat — Tue, 07 Oct 2014 19:20:15 GMT

bdunbar

Did you check the pre-logon feature available in globalprotect: GlobalProtect Administrator's Guide 6.0 (English)

I think that might be feature you are looking into

Hope it helps !

Re: Connect client at boot time

bdunbar — Tue, 07 Oct 2014 19:21:01 GMT

Thank you!

Re: Connect client at boot time

hshah — Tue, 07 Oct 2014 19:21:32 GMT

Hi Bdunbar,

You may want to try pre-login option for GP.

Regards,

Hardik Shah

Re: Connect client at boot time

tshiv — Tue, 07 Oct 2014 22:05:15 GMT

bdunbar

Just wanted to add this document to the thread. It gives a step by step configuration assistance to set up pre-logon with self signed certificate on the PAN firewall.

How To Configure GlobalProtect SSO With Pre-Logon Access Using Self-Signed Certificates

Hope this is helpful to you.

Thanks

Re: Connect client at boot time

bdunbar — Wed, 08 Oct 2014 14:43:13 GMT

I've setup and having some minor issues. What log files on the PAN-200 should I be looking at?

Re: Connect client at boot time

bat — Wed, 08 Oct 2014 17:04:58 GMT

I will suggest first checking the global protect PanGP Agent logs and then move to the firewall.

There are multiple logs to check on the firewall depending on what you see in agent logs:

less mp-log authd.log

show log system direction equal backward subtype equal globalprotect

less webserver-log sslvpn-access.log

less webserver-log sslvpn-error.log

less mp-log sslvpn.log

less mp-log rasmgr.log

Hope it helps !

Re: Connect client at boot time

hshah — Wed, 08 Oct 2014 17:17:15 GMT

Hi Bdunbar,

You can focus on following logs, sslvpn.log and ramgr.log are most important.

sslvpn.log, rasmgr.log, authd.log, sslvpn-access.log, sslvpn-error.log

Regards,

HArdik Shah

Re: Connect client at boot time

bdunbar — Wed, 08 Oct 2014 17:23:54 GMT

We're partially up: Following the guide linked to by tshiv, I'm generating self-signed certs from the PAN-200, sending them to the machines, importing to the test client machine, and we're set. After lunch I'll see about getting the clients logged in at boot.

The problem I had was that the PA-200's self-signed cert did not match the it's DNS or IP - my mistake when I created it.

I've got a card on my board to circle back to this after we go-live and do it 'right' using certs from our PKI, but that's another battle.