Pre-Logon without Windows credentials

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Pre-Logon without Windows credentials

L4 Transporter

Hello,

I want to test the pre-logon feature of GlobalProtect in our environment.

Our clients are using two factor authentication (eToken) for the windows login. So they don't know their windows credentials.

We have already installed machine certificates on our clients and the authentication with this certificate works with GlobalProtect. Also when using Windows login without eToken, it works with SSO and LDAP auth.

But now, i have to get it working for the eToken-Users:

After the user logs into Windows with his eToken (two factor) he always gets prompt to enter the password of his eToken and the authentication fails.

Is there a way to configure Pre-Logon for Two-Factor-Auth-Users? GlobalProtect requires an username in the configuration; either in the certificate profile - (currently set to none) or selecting an secondary authentication profile - (currently set to LDAP).

Or is GlobalProtect Pre-Logon feature not optimized for this way of authentication? Or can we just use the machine certificate without any username or user authentication?

6 REPLIES 6

L4 Transporter

any idea?

I don't know eToken. But your users do have a Windows account, right ? Even if they don't know...

Should work with SSO, but I guess GP needs to login manually once with the user login to get the client config file. Maybe you can deploy the client config file in another way...

L4 Transporter

our clients only have the PIN from their Token for the two factor authentication and not the windows password. So they are not able to authenticate via LDAP. So GP with LDAP Authentication wouldn't work.

(May GP can authenticate without User-Authentication. Only with machine-certificate. Doesn't matter which user logins in....)

L4 Transporter

Hi I think tthat you can't use the etoken as second factor authentication method with prelogon method.

but you could use the client certificate as second factor method. but you need to use windows credential with prelogon it' a mandatory.

regard's

L4 Transporter

Sadly not. Because I can only choose certificates with a private key. And we imported our CA - certificate without the key.

But anyway, I have to specify, where GP/PA can find the user information(/name) of the remote client.

So I guess, we can forget the pre-logon feature with our token clients. But I will request it as a feature request.

  • 3517 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!