My customer wants to use GlobalProtect for on-demand login with an MFA RADIUS server.
Everything is fine - it is configured and it works.
Now, we want to use GlobalProtect as an internal User-ID source.
So every GP-Client needs to do user-logon SSO when connected to the internal network (this should be completely transparent to the users). But only on demand: the users should decide to connect to the GP-Portal to initiate a VPN connection to the external gateway.
Because we cannot expect the end users to choose this GP-Portal for VPN connect and the other one for internal GW connection, we need to use only one portal for this need.
Is that possible? How to configure it? Auth sequence with first SSO, second RADIUS? How to do user-logon SSO when connected internally and only on demand when connected externally?
Well, we want to use internal GlobalProtect to get more resilient User-ID information and to prevent policy mismatches when the users aren't spamming any Kerberos tickets - so internal GlobalProtect with mode "User Login" and Kerberos SSO would be the way to go.
But the same users/devices should be allowed to do internet stuff when being external, and they should decide when to use VPN, so this is a thing for "on demand" mode.
We cannot expect that the users will be happy with using different portals - that must work transparently.
I can't think of a solution to this.
Almost... as you can have regional gateways for different auths depending on your location, and you could have 2 portals, one internal and one external, and let your DNS point you to the correct one.
But even then, you will need to manually connect to the internal portal to get the setting put back to always on...