topic ADSSP Integration for Cached PW Update in General Topics

ADSSP Integration for Cached PW Update

mcarter_ssllc — Fri, 21 Dec 2018 17:02:10 GMT

Wondering if anyone has successfully integrated ADSSP Cached Credential Updating with PAN VPN and GlobalProtect client.

Have tried to find command line references for the GP client but am coming up blank.

ADSSP needs to call the VPN connection during a password reset so that it can update cached credentials for a remote user.

Re: ADSSP Integration for Cached PW Update

csanchez — Wed, 09 Jan 2019 03:10:23 GMT

I am working on this same issue. Any luck?

Re: ADSSP Integration for Cached PW Update

mcarter_ssllc — Fri, 11 Jan 2019 21:37:47 GMT

So far, no.

In my testing with ManageEngine devs, we have not been able to find a command that will initiate a user connection.

ManageEngine concluded GP doesnt support command line mode

My fallback is to set up PAN Pre-Logon which is of course a certificate based session, and will turn cached credential updating into a two-step process for remote users. One to initiate the pre-logon VPN, and two to complete the password change with the GINA client. The user should then be able to logon and switch the GP client to a user session.

I would think pre-logon could be automated via CLI since there is no user info involved. Perhaps someone will have an answer for that.

There is an OpenConnect client user build floating around that supports command line session initiation with PAN-OS, however I cannot install unofficial clients on our machines so it doesnt help my use case.