Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
02-16-2016 01:00 PM
Hi All,
I've successfully configured pre-login and can enter my creds in to the GP client the first time I log in and it works great. Is there a way to use a user certificate for the user auth and avoid any action on the users part for auth?
Desired configuration:
1. Pre-login with computer cert issued by my CA
2. When the user logs in, use the user's cert for auth with no config needed from the user's perspective.
I'm still digging through the docs, just thought I'd see if anyone had succesfully done this before.
Thanks,
Jake
02-16-2016 01:34 PM
I have set up certificates.
Worked well.
In my case I had it not pre-logon but always-on setup so I used user cert.
In your case you probably have to use computer cert.
02-16-2016 01:43 PM - edited 02-17-2016 06:39 AM
Hi Raido,
Thanks for the reply. I've got the pre-login working with the machine cert. When the user logs in to the computer for the first time they are prompted by GP for creds and then SSO works and it logs in from that point via SSO without interaction. What I'm trying to achieve, if possible, is using a user certificate so the user never has to enter creds in conjunction with pre-login.
Thanks,
Jake
02-17-2016 02:41 AM
If you want to require both cert and username/password then on portal/gateway config you have to configure Authentication profile in addition to certificate.
Then both are required.
You can also uncheck the box on client config to forbid saving passwords.
02-18-2016 01:17 PM - edited 02-18-2016 06:19 PM
Thanks. That's pretty much what I have setup now. It is using the machine cert for the standard pre-login configuration.
When a user logs in to the machine for the first time, they have to enter their credentials in to the GP client (using an auth profile for AD) and then it changes from the pre-login context to the user context (and they wont have to log in again neccesarily with SSO). The user certificate populates the username, but they are still required to enter their password. This seems to work until the user changes their password and then they have to enter it again. What I'm trying to acheive is to use user certificates so that the user never has to do anything except log in to windows and all futher auth is handled by certs. Do I not use an auth profile for this? I'll have to keep tinkering.
02-19-2016 02:42 AM
Why can't you just use AlwaysOn setting where vpn is connected as soon as user logs in and GlobalProtect sees internet connection?
Maybe you can use diferent gateway with diferent settings if it is pre-logon or user authentivated.
Also you might take look if group policy or some script might change GP portal address where diferent settings are configured when user has logged in once.
02-19-2016 12:59 PM
As it turns out, I was overcomplicating the setup by having an authentication profile at all. Once I removed it and went with only certificate profiles it worked perfectly as desired. Thanks for your help!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
