Just to be upfront, I have my configuration working for the most part, but I'm interested to hear if there's not a better/safer/quicker way of bending GlobalProtect to my needs. Please feel free to chime in with ideas, opinions or suggestions! Only as much detail as you feel is necessary, but I'm happy to hear what you're thinking.
GlobalProtect pre-logon scenario with 2 levels of post-logon access
TFA is not in play but may be in the future.
Most of the config is based on this article: here
Again. I'm not stuck (currently). Just wanted to hear your opinions. Appreciate any feedback.
Sounds like an ok setup but it really depends on your corporate security policies.
For us, PKI is a must, but not acceptable without some form of hard drive encryption protected by a PIN.
This has nothing to do with certificate exposure but is just an additional protection, as you are currently relying on a password-only policy if the device is stolen.
We do not use pre-logon as users are unable to join Wi-Fi until they auth on the device.
Not sure about the 3rd option in your process section; why would they need to re-connect to obtain different policies?
If you move to 2FA then you may need to look at authentication override, especially if using OTP.
All of the above will not be everyone's cup of tea, but it works well for us and we need to adhere to strict corp policies.
Yeah, I definitely understand everyone's requirements, setup, etc. are different. We too are required to use HD encryption as well. We liked the promise of pre-logon so users can change passwords, log in for the first time, etc. With all the other requirements in the scenario, it has just gotten overly convoluted IMO. I like your question about whether the users need to reconnect to refresh their policies, because it makes things easier for the users as well. My experience says that the simpler the config, the easier it is to support and secure, so anything that can pare things down, I'm for.
Really appreciate your two cents on this one!