Connect client at boot time

L3 Networker

Connect client at boot time

Or

The Further Adventures of a Networking Neophyte

PA-200

Software Version: 6.0.1

GlobalProtect Agent 2.0.4

Now what I need, and desire, is to have client PCs, in an office remote from the data center, log in to the domain controller -in- the data center. They would like this as transparent as possible, i.e. to present that domain at login via the standard login menu, and not have it available after boot.

I believe the way forward is to - somehow - enable the GlobalProtect client to authenticate during boot. I see ways to do this using the Windows VPN client, and Cisco has the process documented, but I can't tell how to make it work for GlobalProtect.

I'm searching, and will continue to look, but .. is it even possible?

L5 Sessionator

Re: Connect client at boot time

Hi Bdunbar,

The solution that you are looking for is pre-logon. It will take domain credentials and establish the tunnel before users get to the Windows desktop. Please refer to the following document for an explanation:

GlobalProtect Administrator's Guide 6.0 (English)

Hope this helps. Thank you.

bat
L5 Sessionator

Re: Connect client at boot time

bdunbar

Did you check the pre-logon feature available in GlobalProtect? GlobalProtect Administrator's Guide 6.0 (English)

I think that might be the feature you are looking for.

Hope it helps !

L3 Networker

Re: Connect client at boot time

Thank you!

L6 Presenter

Re: Connect client at boot time

Hi Bdunbar,

You may want to try the pre-login option for GP.

Regards,

Hardik Shah

L4 Transporter

Re: Connect client at boot time

bdunbar


Just wanted to add this document to the thread. It gives step-by-step configuration assistance to set up pre-logon with a self-signed certificate on the PAN firewall.

How To Configure GlobalProtect SSO With Pre-Logon Access Using Self-Signed Certificates

Hope this is helpful to you.

Thanks

L3 Networker

Re: Connect client at boot time

I've set it up and am having some minor issues. What log files on the PAN-200 should I be looking at?

bat
L5 Sessionator

Re: Connect client at boot time

I would suggest first checking the GlobalProtect PanGP Agent logs and then moving to the firewall.

There are multiple logs to check on the firewall depending on what you see in agent logs:

less mp-log authd.log

show log system direction equal backward subtype equal globalprotect

less webserver-log sslvpn-access.log

less webserver-log sslvpn-error.log

less mp-log sslvpn.log

less mp-log rasmgr.log

Hope it helps !

L6 Presenter

Re: Connect client at boot time

Hi Bdunbar,

You can focus on the following logs; sslvpn.log and rasmgr.log are the most important.

sslvpn.log, rasmgr.log, authd.log, sslvpn-access.log, sslvpn-error.log

Regards,

Hardik Shah

L3 Networker

Re: Connect client at boot time

We're partially up: following the guide linked to by tshiv, I'm generating self-signed certs from the PAN-200, sending them to the machines, importing to the test client machine, and we're set. After lunch I'll see about getting the clients logged in at boot.

The problem I had was that the PA-200's self-signed cert did not match its DNS or IP - my mistake when I created it.

I've got a card on my board to circle back to this after we go-live and do it 'right' using certs from our PKI, but that's another battle.
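The certificate mismatch described in the last post can be checked before certificates are pushed to clients. The following is an added example, not code from the thread or from Palo Alto Networks: it reports whether the address the agent connects to appears in a certificate's subjectAltName or, failing that, its common name, using RFC 6125-style matching. The certificate dicts follow the layout of Python's `ssl.SSLSocket.getpeercert()`; the sample certificates, `vpn.example.com` and `203.0.113.10` are constructed, and the GlobalProtect agent's own matching logic is not reproduced here.

```python
import ipaddress

def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _dns_match(pattern, host):
    # Case-insensitive; '*' is accepted only as the entire leftmost label.
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def _same(value, address, want_ip):
    # IP addresses compare numerically; names compare as DNS names.
    if want_ip is not None:
        return _as_ip(value) == want_ip
    return _as_ip(value) is None and _dns_match(value, address)

def match_source(cert, address):
    """Return 'san', 'cn' or None: where `address` is found in `cert`."""
    want_ip = _as_ip(address)
    kind_wanted = "IP Address" if want_ip is not None else "DNS"
    sans = cert.get("subjectAltName", ())
    if any(k == kind_wanted and _same(v, address, want_ip) for k, v in sans):
        return "san"
    if any(k in ("DNS", "IP Address") for k, _ in sans):
        return None  # a SAN is present, so the CN is not consulted
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _same(value, address, want_ip):
                return "cn"
    return None

# Constructed sample certificates (not taken from the thread).
HOSTNAME_ONLY = {"subject": ((("commonName", "pa-200"),),)}
CN_IS_IP = {"subject": ((("commonName", "203.0.113.10"),),)}
WITH_SAN = {"subject": ((("commonName", "vpn.example.com"),),),
            "subjectAltName": (("DNS", "vpn.example.com"),
                               ("IP Address", "203.0.113.10"))}

if __name__ == "__main__":
    for name, cert in [("HOSTNAME_ONLY", HOSTNAME_ONLY),
                       ("CN_IS_IP", CN_IS_IP), ("WITH_SAN", WITH_SAN)]:
        for addr in ("vpn.example.com", "203.0.113.10"):
            print(f"{name:14} {addr:16} -> {match_source(cert, addr)}")
```

A result of `cn` means the address matches only the common name, which stricter TLS clients ignore in favour of the SAN.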
