topic Re: Pre-Logon without Windows credentials in General Topics

Pre-Logon without Windows credentials

Hithead — Fri, 18 Oct 2013 08:44:18 GMT

Hello,

I want to test the pre-logon feature of GlobalProtect in our environment.

Our clients are using two factor authentication (eToken) for the windows login. So they don't know their windows credentials.

We have already installed machine certificates on our clients and the authentication with this certificate works with GlobalProtect. Also when using Windows login without eToken, it works with SSO and LDAP auth.

But now, i have to get it working for the eToken-Users:

After the user logs into Windows with his eToken (two factor) he always gets prompt to enter the password of his eToken and the authentication fails.

Is there a way to configure Pre-Logon for Two-Factor-Auth-Users? GlobalProtect requires an username in the configuration; either in the certificate profile - (currently set to none) or selecting an secondary authentication profile - (currently set to LDAP).

Or is GlobalProtect Pre-Logon feature not optimized for this way of authentication? Or can we just use the machine certificate without any username or user authentication?

Re: Pre-Logon without Windows credentials

Hithead — Mon, 04 Nov 2013 10:46:30 GMT

any idea?

Re: Pre-Logon without Windows credentials

dieter_b — Mon, 04 Nov 2013 12:46:39 GMT

I don't know eToken. But your users do have a Windows account, right ? Even if they don't know...

Should work with SSO, but I guess GP needs to login manually once with the user login to get the client config file. Maybe you can deploy the client config file in another way...

Re: Pre-Logon without Windows credentials

Hithead — Tue, 05 Nov 2013 10:12:26 GMT

our clients only have the PIN from their Token for the two factor authentication and not the windows password. So they are not able to authenticate via LDAP. So GP with LDAP Authentication wouldn't work.

Re: Pre-Logon without Windows credentials

Hithead — Tue, 05 Nov 2013 10:13:53 GMT

(May GP can authenticate without User-Authentication. Only with machine-certificate. Doesn't matter which user logins in....)

Re: Pre-Logon without Windows credentials

Gregoux — Tue, 05 Nov 2013 10:36:02 GMT

Hi I think tthat you can't use the etoken as second factor authentication method with prelogon method.

but you could use the client certificate as second factor method. but you need to use windows credential with prelogon it' a mandatory.

regard's

Re: Pre-Logon without Windows credentials

Hithead — Tue, 05 Nov 2013 12:12:43 GMT

Sadly not. Because I can only choose certificates with a private key. And we imported our CA - certificate without the key.

But anyway, I have to specify, where GP/PA can find the user information(/name) of the remote client.

So I guess, we can forget the pre-logon feature with our token clients. But I will request it as a feature request.