Global Protect Pre-Authentication with public SSL cert

L4 Transporter

Folks.

My boss wants me to implement "pre-authentication" for my Global protect clients, so that they authenticate against AD before logging on to their laptops when on VPN, and ergo run login scripts, group policies etc.

I have https://live.paloaltonetworks.com/docs/DOC-5229 and read through it, and it describes setting up using self-signed certificates.

I've actually got valid, official CA-issued certificates on my Palo Altos for Global Protect (vpn.organisation.org format, from Verisign).

Is there a similar procedure I can use to get pre-authentication working using these real certificates rather than self-signed ones?

Thanks.


L6 Presenter

Hi Darrent

If you are not interested in "Certificate based" Authentication, then the following document is useless.

https://live.paloaltonetworks.com/docs/DOC-5229


In your update it seems you are looking for AD based authentication; then the configuration is much simpler. You just need the following change in the existing GP configuration.


pre-login.png

Let me know if this helps you.


Regards,

Hardik Shah

L4 Transporter

"Server certificate" can be an official one, no problem with that. Go for it.

L6 Presenter

Hi Darren,

Let us know for additional queries.

Regards,

Hardik Shah

L7 Applicator

This pre-logon certificate is about having a specific client computer-based certificate installed, not the CA based certificate you have for your global connect portal.

In this scenario you have your internal CA in Active Directory issue computer certificates to your domain computers (which can be done automatically via GPO). Then you install the CA certificate on the PA so it can recognize and authenticate those certificates. Now you know at login that the computer connecting is a trusted domain asset.

If a domain computer is stolen you then revoke that computer's certificate in your Active Directory CA and they can no longer connect.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

hshah wrote:

Hi Darrent

If you are not interested in "Certificate based" Authentication, then the following document is useless.

https://live.paloaltonetworks.com/docs/DOC-5229


In your update it seems you are looking for AD based authentication; then the configuration is much simpler. You just need the following change in the existing GP configuration.


pre-login.png

Let me know if this helps you.


Regards,

Hardik Shah

Hardik.

Is this all I have to change? Is there any requirement for modification on the remote end of the VPN client?

To clarify - if I do this, does this mean that the PC will pre-logon to the VPN prior to the user entering credentials into the Windows 7 login screen and run domain scripts etc?

Sorry if I'm not being clear enough - I can't believe this could be that simple. 🙂

Hello Darrent,

The GlobalProtect pre-logon connect method is a feature that enables GlobalProtect to authenticate the agent and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the user has logged in. Because the tunnel is already established, domain scripts can be executed when the user logs in instead of using cached credentials.

With pre-logon, when an agent connects to the portal for the first time, the end user must authenticate (either via an authentication profile or a certificate profile configured to validate a client certificate containing a username). After authentication succeeds, the portal pushes the client configuration to the agent along with a cookie that will be used for portal authentication to receive a configuration refresh. Then, when a client system attempts to connect in pre-logon mode, it will use the cookie to authenticate to the portal and receive its pre-logon client configuration. Then, it will connect to the gateway specified in the configuration and authenticate using its machine certificate (as specified in a certificate profile configured on the gateway) and establish the VPN tunnel. When the end user subsequently logs in to the machine, if single sign-on (SSO) is enabled in the user-logon client configuration, the username will immediately be reported to the gateway so that the tunnel can be renamed and user- and group-based policy can be enforced.

FYI.. a reference DOC for more detailed information: GlobalProtect Configuration Tech Note --- page no 50

Hulk.
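Since the gateway authenticates the pre-logon tunnel with the machine certificate described above (issued by the internal AD CA, as Steve's post explains), a quick readiness check on a domain-joined Windows client catches the usual reasons pre-logon is refused before users report it. This is an added example, not from the thread or from Palo Alto Networks; it assumes PowerShell 3 or later with the PKI module, and the placeholder issuer name CN=CORP-ISSUING-CA stands for your own AD CA.

```powershell
# Added example (not from the thread). Placeholder issuer name: replace with
# the subject of the AD CA that your gateway certificate profile trusts.
$IssuerPattern = 'CN=CORP-ISSUING-CA'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

# Pre-logon runs before any user logs in, so the certificate must live in the
# machine store (LocalMachine\My), not in a user's personal store.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerPattern*" }

if (-not $candidates) {
    Write-Warning "No certificate issued by $IssuerPattern in LocalMachine\My; pre-logon will be refused on this host."
    exit 1
}

$ok = $false
foreach ($cert in $candidates) {
    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(14)) { $problems += "expires $($cert.NotAfter)" }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $ClientAuthEku) {
        $problems += 'missing Client Authentication EKU'
    }
    # Test-Certificate builds the chain and checks revocation, so a certificate
    # revoked on the AD CA (the stolen-laptop case) fails here just as it would
    # on the gateway.
    if (-not (Test-Certificate -Cert $cert -Policy BASE -EKU $ClientAuthEku -ErrorAction SilentlyContinue)) {
        $problems += 'chain or revocation check failed'
    }
    if ($problems.Count -eq 0) {
        Write-Output "OK  $($cert.Thumbprint) $($cert.Subject) valid until $($cert.NotAfter)"
        $ok = $true
    } else {
        Write-Output "BAD $($cert.Thumbprint) $($cert.Subject): $($problems -join '; ')"
    }
}
if (-not $ok) { exit 1 }
```

A non-zero exit means this machine would not be able to pre-logon, which is the situation the non-domain Mac users mentioned later in the thread are in.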

OK, after reading that, it looks like I can deploy this using the same process I use to get Lync certificates to work - but the document indicates that if I enable pre-login, Global protect will reject login from devices which aren't configured with a certificate?

Is this the case - so if I enable pre-login, users can't connect to the VPN without having a valid machine certificate issued by the internal CA? Even if they have a valid Global Protect access?

Just looking to confirm this one way or another - we have some Mac users who use our VPN where I can't issue certificates (because they're not in the domain, for starters).

Thanks

Hello Darren,

Yes, you are correct. Pre-logon is a feature which will authenticate the user and connect the PC to global protect with pre-installed user certificate before he logs into his machine.

A few related discussion threads for your reference:

Pre-Logon Global Protect

GlobalProtect

Re: Pre-Logon Global Protect

Hope this helps.

Thanks

Hi Darren,

GP configuration is that simple; you do not need to make any changes on the client end.

Yes, you need a valid certificate in order for it to work.

Regards,

Hardik Shah
