This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Adding MFA to Pre-login GlobalProtect

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Adding MFA to Pre-login GlobalProtect

Ahmed_Eissa
L0 Member

‎04-24-2018 03:45 AM - edited ‎04-24-2018 03:59 AM

Global Protect VPN Solution is defined with Pre-login and always-on VPN features.

 

GP.PNG

 

Workflow:

  1. Once machine is booted and before user login, Machine is authenticated based on certificate and identified in logs with (Pre-login) user
  2. Pre-login access is restricted to Mac Management solution and AD.
  3. Once user is logged in, a new tunnel is initiated and authenticated by same certificate with ability to identitfy username in certificate to be added to user-ip mapping table
  4. User group Access rules is created to match only specific user group to access internal resources.

Required: MFA integration With Pre-login

 

My main scope is to add more strong authentication mechanism, as with pre-logon,

Step1: machine are authentication and authorized once it boots up baed on First Authentication factor (Client-Certificate) to access AD servers.

Step2: adding to that Second factor Authentication Factor Credential logins to be able to open the laptop itself.

 

In case of Client-Certificate is compromised then attacker can import it to its machine and do step1 then step2 (as device credentials is already know to attacker - already his machine-).

 

 Proposal A:

  1. If we applied it with pre-login , I think it won’t be suitable as machine is already authenticated and any traffic is blocked except for specific Destinations as AD.
  2. Once users log in , maybe here we can apply Authentication security policy declares for access to internal resource we need MFA.

So with My proposal A , attacker can still connected through VPN. maybe he doesn`t have access to internal resources without Valid OTP but he stills can do DOS attack to bring down my service.

 

So hope it is a good challenge for you to think about 🙂 ....

1 person had this problem.
0 Likes Likes
3 REPLIES 3

Ahmed_Eissa
L0 Member

‎04-24-2018 08:58 AM

any recommendations?

0 Likes Likes

Remo
L7 Applicator
In response to Ahmed_Eissa

‎05-10-2018 10:58 AM

I think there is no real solution for you in this case, except that you disable pre-logon if there isn't enough security for you.

It's probably about the question: do you trust the loginscreens of windows and mac? If not, then change everything to user-logon and there will be no connection to your internal network until the uset is successfully authenticated.

0 Likes Likes

hshawn
L4 Transporter

‎05-10-2018 12:05 PM

TLDR version of this exact question at my organization: Use 2FA on the windows login instead of GP if 2FA is desired in this configuration

0 Likes Likes
  • 3637 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks