Global Protect Pre-Authentication with public SSL cert

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect Pre-Authentication with public SSL cert

L4 Transporter

Folks.

My boss wants me to implement "pre-authentication" for my Global protect clients, so that they authenticate against AD before logging on to their laptops when on VPN, and ergo run login scripts, group policies etc.

I have https://live.paloaltonetworks.com/docs/DOC-5229 and read through it, and it describes setting up using self-signed certificates.

I've actually got valid, official CA issues certificates on my Palo Alto's for Global protect (vpn.organisation.org format, from Verisign).

Is there a similar procedure I can use to get pre-authentication working using these real certificates rather than self-signed ones?

Thanks.

9 REPLIES 9

L6 Presenter

Hi Darrent

If you are not interested in "Certificate based" Authentication than, following document is useless.

https://live.paloaltonetworks.com/docs/DOC-5229


In your update it seems you are looking for AD based authentication, than configuration is much simpler. You just need following change in existing GP configuration.


pre-login.png

Let me know if this helps you.


Regards,

Hardik Shah

L4 Transporter

"Server certificate" can be an official one, no problem with that. Go for it.

L6 Presenter

Hi Darren,

Let us know for additional queries.

Regards,

Hardik Shah

L7 Applicator

This pre-logon certificate is about having a specific client computer based certificate installed not the CA based certificate you have for your global connect portal.

In this scenario you have your internal CA in Active Directory issue computer certificates to your domain computers (which can be done automatically via GPO). Then you install the CA certificate on the PA so it can recognize and authenticate those certificates.  Now you know at login that the computer connecting is a trusted domain asset.

If a domain computer is stolen you then revoke that computers certificate in your Active Directory CA and they can no longer connect.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

hshah wrote:

Hi Darrent

If you are not interested in "Certificate based" Authentication than, following document is useless.

https://live.paloaltonetworks.com/docs/DOC-5229


In your update it seems you are looking for AD based authentication, than configuration is much simpler. You just need following change in existing GP configuration.


pre-login.png

Let me know if this helps you.


Regards,

Hardik Shah

Hardik.

Is this all I have to change? Is there any requirement for modification on the remote end of the VPN client?

To clarify - if I do this, does this mean that the PC will pre-logon to the VPN prior to the user entering credentials into the Windows 7 login screen and run domain scripts etc?

Sorry if I'm not being clear enough - I can't believe this could be that simple. 🙂

Hello Darrent,

The GlobalProtect pre-logon connect method is a feature that enables GlobalProtect to authenticate the agent and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the user has logged in. Because the tunnel is already established, domain scripts can be executed when the user logs in instead of using cached credentials.

With pre-logon, when an agent connects to the portal for the first time, the end user must authenticate (either via an authentication profile or a certificate profile configured to validate a client certificate containing a username). After authentication succeeds, the portal ushes the client configuration to the agent along with a cookie that will be used for portal authentication to receive a configuration refresh. Then, when a client system attempts to connect in pre-logon mode, it will use cookie to authenticate to the portal and receive its pre-logon

client configuration. Then, it will connect to the gateway specified in the configuration and authenticate using its machine certificate (as specified in a certificate profile configured on the gateway) and establish the VPN tunnel. When the end user subsequently logs in to the machine, if single sign-on (SSO) is enabled in the user-logon client configuration, the username will immediately be reported to the gateway so that the tunnel can be renamed and user- and group-based policy can be enforced.

FYI.. a reference DOC for more detail information: GlobalProtect Configuration Tech Note   --- page no 50

Hulk.

OK, after reading that, it looks like I can deploy this using the same process I use to get Lync certificates to work - but the document indicates that if I enable pre-login, Global protect will reject login from devices which aren't configured with a certificate?

Is this the case - so if I enable pre-login, users can't connect to the VPN without having a valid machine certificate issued by the internal CA? Even if they have a valid Global Protect access?

Just looking to confirm this one way or another - we have some Mac users who use our VPN where I can't issue certificates (because they're not in the domain, for starters).

Thanks

Hello Darren,

Yes, you are correct. Pre-logon is a feature which will authenticate the user and connect the PC to global protect with pre-installed user certificate before he logs into his machine.

Few related discussion threads for your reference:

Pre-Logon Global Protect

GlobalProtect

Re: Pre-Logon Global Protect

Hope this helps.

Thanks

Hi Darren,

GP configuration is that simple, you do not need to do any changes on cilent end.

Yes, you need a valid certificate in order for it too work.

Regards,

Hardik Shah

  • 4171 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!