Connect client at boot time


L3 Networker

Or

The Further Adventures of a Networking Neophyte

PA-200

Software Version: 6.0.1

GlobalProtect Agent 2.0.4

Now what I need, and desire, is to have client PCs, in an office remote from the data center, log in to the domain controller -in- the data center.  They would like this as transparent as possible, i.e. to present that domain at login via the standard login menu, and not have it available after boot.

I believe the way forward is to - somehow - enable the GlobalProtect client to authenticate during boot.  I see ways to do this using Windows VPN client, and Cisco has the process documented, but I can't tell how to make it work for GlobalProtect.

I'm searching, and will continue to look, but .. is it even possible?

9 REPLIES

L5 Sessionator

Hi Bdunbar,

The solution that you are looking for is pre-logon. It will take domain credentials and establish the tunnel before users get to the Windows desktop. Please refer to the following documents for an explanation:

GlobalProtect Administrator's Guide 6.0 (English)

Hope this helps. Thank you.

L5 Sessionator

bdunbar

Did you check the pre-logon feature available in GlobalProtect? GlobalProtect Administrator's Guide 6.0 (English)

I think that might be the feature you are looking for.

Hope it helps !

Thank you!

L6 Presenter

Hi Bdunbar,

You may want to try the pre-login option for GP.

Regards,

Hardik Shah

bdunbar


Just wanted to add this document to the thread. It gives step-by-step configuration assistance to set up pre-logon with a self-signed certificate on the PAN firewall.

How To Configure GlobalProtect SSO With Pre-Logon Access Using Self-Signed Certificates

Hope this is helpful to you.

Thanks

I've set up and am having some minor issues.  What log files on the PAN-200 should I be looking at?

I would suggest first checking the GlobalProtect PanGP Agent logs and then moving to the firewall.

There are multiple logs to check on the firewall depending on what you see in agent logs:

less mp-log authd.log

show log system direction equal backward subtype equal globalprotect

less webserver-log sslvpn-access.log

less webserver-log sslvpn-error.log

less mp-log sslvpn.log

less mp-log rasmgr.log

Hope it helps !

Hi Bdunbar,

You can focus on the following logs; sslvpn.log and rasmgr.log are the most important.

sslvpn.log, rasmgr.log, authd.log, sslvpn-access.log, sslvpn-error.log

Regards,

Hardik Shah

We're partially up: Following the guide linked to by tshiv, I'm generating self-signed certs from the PAN-200, sending them to the machines, importing to the test client machine, and we're set.  After lunch I'll see about getting the clients logged in at boot.

The problem I had was that the PA-200's self-signed cert did not match its DNS or IP - my mistake when I created it.

I've got a card on my board to circle back to this after we go-live and do it 'right' using certs from our PKI, but that's another battle.
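
The mismatch described in the last post (a self-signed certificate whose name did not match the firewall's DNS name or IP) can be caught before the certificate is sent to client machines. The script below is an added example, not part of the thread or of Palo Alto documentation; the name vpn.example.test, the address 192.0.2.10 and the function names are constructed for illustration, and it assumes the certificate is available as a PEM file and OpenSSL 1.1.1 or later is installed.

```bash
#!/usr/bin/env bash
# Added example: does a certificate cover the address clients connect to?

# cert_covers <pem-file> <dns-name-or-ip>
# Returns 0 when the certificate's SAN (or CN fallback) matches the target.
cert_covers() {
    local pem=$1 target=$2 flag=-checkhost
    case $target in
        *:*)       flag=-checkip ;;   # IPv6 literal
        *[!0-9.]*) ;;                 # has letters or dashes: treat as host name
        *)         flag=-checkip ;;   # digits and dots only: IPv4 literal
    esac
    # openssl prints "... does match certificate" or "... does NOT match certificate"
    openssl x509 -in "$pem" -noout "$flag" "$target" 2>/dev/null \
        | grep -q 'does match certificate'
}

# make_test_cert <pem-file> <CN> <subjectAltName>
# Builds a throwaway self-signed certificate so the demo runs offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "/CN=$2" \
        -addext "subjectAltName=$3" 2>/dev/null
}

demo() {
    local dir pem target r
    dir=$(mktemp -d)
    # Constructed values: clients connect to vpn.example.test / 192.0.2.10.
    make_test_cert "$dir/good.pem" vpn.example.test \
        "DNS:vpn.example.test,IP:192.0.2.10"
    # Same mistake as in the thread: cert issued for a name clients never use.
    make_test_cert "$dir/bad.pem" pa200.example.test "DNS:pa200.example.test"
    for pem in good bad; do
        for target in vpn.example.test 192.0.2.10; do
            if cert_covers "$dir/$pem.pem" "$target"; then r=match; else r=MISMATCH; fi
            printf '%s.pem vs %-18s %s\n' "$pem" "$target" "$r"
        done
    done
    rm -rf "$dir"
}
demo
```

Run `cert_covers` against the exported certificate with both the DNS name and the IP address configured on the clients; either one reporting a mismatch will cause the client to reject the connection at that address.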
