GlobalProtect VPN Solution is defined with Pre-logon and always-on VPN features.
Required: MFA integration with Pre-logon
My main scope is to add a stronger authentication mechanism, as with pre-logon:
Step 1: machines are authenticated and authorized once they boot up, based on the first authentication factor (Client-Certificate), to access AD servers.
Step 2: adding to that a second authentication factor, credential logins, to be able to open the laptop itself.
In case the Client-Certificate is compromised, then the attacker can import it into his machine and do step 1, then step 2 (as the device credentials are already known to the attacker - it is already his machine).
So with my proposal A, the attacker can still connect through VPN. Maybe he doesn't have access to internal resources without a valid OTP, but he still can do a DoS attack to bring down my service.
So I hope it is a good challenge for you to think about :) ....
I think there is no real solution for you in this case, except that you disable pre-logon if there isn't enough security for you.
It's probably about the question: do you trust the login screens of Windows and Mac? If not, then change everything to user-logon and there will be no connection to your internal network until the user is successfully authenticated.
TLDR version of this exact question at my organization: use 2FA on the Windows login instead of GP if 2FA is desired in this configuration.