https://live.paloaltonetworks.com/t5/general-topics/adding-mfa-to-pre-login-globalprotect/m-p/213956#M62204 <P>I think there is no real solution for you in this case, except that you disable pre-logon if there isn't enough security for you.</P><P>It's probably about the question: do you trust the loginscreens of windows and mac? If not, then change everything to user-logon and there will be no connection to your internal network until the uset is successfully authenticated.</P> Thu, 10 May 2018 17:58:16 GMT Remo 2018-05-10T17:58:16Z https://live.paloaltonetworks.com/t5/general-topics/adding-mfa-to-pre-login-globalprotect/m-p/211501#M61699 <P><FONT color="#003366">Global Protect VPN Solution is defined with Pre-login and always-on VPN features.</FONT></P><P>&nbsp;</P><P><FONT color="#003366"><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="GP.PNG" style="width: 628px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14845i4C4BB5C985AE8936/image-dimensions/628x250/is-moderation-mode/true?v=v2" width="628" height="250" role="button" title="GP.PNG" alt="GP.PNG" /></span></STRONG></FONT></P><P>&nbsp;</P><P><FONT color="#003366"><STRONG>Workflow</STRONG>:</FONT></P><OL><LI><FONT color="#003366">Once machine is booted and before user login, Machine is authenticated based on certificate and identified in logs with (Pre-login) user</FONT></LI><LI><FONT color="#003366">Pre-login access is restricted to Mac Management solution and AD.</FONT></LI><LI><FONT color="#003366">Once user is logged in, a new tunnel is initiated and authenticated by same certificate with ability to identitfy username in certificate to be added to user-ip mapping table</FONT></LI><LI><FONT color="#003366">User group Access rules is created to match only specific user group to access internal resources.</FONT></LI></OL><P><FONT color="#993300"><STRONG>Required</STRONG>: MFA integration With Pre-login<BR /></FONT></P><P>&nbsp;</P><P><FONT color="#008000">My main scope is to add more strong authentication mechanism, as with pre-logon,</FONT></P><P><FONT color="#008000">Step1: machine are authentication and authorized once it boots up baed on First Authentication factor (<STRONG>Client-Certificate</STRONG>) to access AD servers.</FONT></P><P><FONT color="#008000">Step2: adding to that Second factor Authentication Factor <STRONG>Credential logins</STRONG> to be able to open the laptop itself.</FONT></P><P>&nbsp;</P><P><FONT color="#008000">In case of Client-</FONT><FONT color="#008000">Certificate is compromised then attacker can import it to its machine and do step1 then step2 (as device credentials is already know to attacker - already his machine-).</FONT></P><P>&nbsp;</P><P>&nbsp;<FONT color="#003366"><STRONG>Proposal A</STRONG>:</FONT></P><OL><LI><FONT color="#003366">If we applied it with pre-login , I think it won’t be suitable as machine is already authenticated and any traffic is blocked except for specific Destinations as AD.</FONT></LI><LI><FONT color="#003366">Once users log in , maybe here we can apply Authentication security policy declares for access to internal resource we need MFA.</FONT></LI></OL><P><FONT color="#008000">So </FONT><FONT color="#008000">with My proposal A , attacker can still connected through VPN. maybe he doesn`t have access to internal resources without Valid OTP but he stills can do DOS attack to bring down my service.</FONT></P><P>&nbsp;</P><P><FONT color="#008000">So hope it is a good challenge for you to think about <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> .... </FONT></P> Tue, 24 Apr 2018 10:59:27 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-mfa-to-pre-login-globalprotect/m-p/211501#M61699 Ahmed_Eissa 2018-04-24T10:59:27Z https://live.paloaltonetworks.com/t5/general-topics/adding-mfa-to-pre-login-globalprotect/m-p/211546#M61713 <P>any recommendations?</P> Tue, 24 Apr 2018 15:58:03 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-mfa-to-pre-login-globalprotect/m-p/211546#M61713 Ahmed_Eissa 2018-04-24T15:58:03Z https://live.paloaltonetworks.com/t5/general-topics/adding-mfa-to-pre-login-globalprotect/m-p/213956#M62204 <P>I think there is no real solution for you in this case, except that you disable pre-logon if there isn't enough security for you.</P><P>It's probably about the question: do you trust the loginscreens of windows and mac? If not, then change everything to user-logon and there will be no connection to your internal network until the uset is successfully authenticated.</P> Thu, 10 May 2018 17:58:16 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-mfa-to-pre-login-globalprotect/m-p/213956#M62204 Remo 2018-05-10T17:58:16Z https://live.paloaltonetworks.com/t5/general-topics/adding-mfa-to-pre-login-globalprotect/m-p/213960#M62205 <P>TLDR version of this exact question at my organization: Use 2FA on the windows login instead of GP if 2FA is desired in this configuration</P> Thu, 10 May 2018 19:05:29 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-mfa-to-pre-login-globalprotect/m-p/213960#M62205 hshawn 2018-05-10T19:05:29Z