GlobalProtect: Pre-Login and user cert based auth?


L1 Bithead

Hi All,

I've successfully configured pre-login and can enter my creds into the GP client the first time I log in, and it works great. Is there a way to use a user certificate for the user auth and avoid any action on the user's part for auth?

Desired configuration:

1. Pre-login with computer cert issued by my CA

2. When the user logs in, use the user's cert for auth with no config needed from the user's perspective.

I'm still digging through the docs, just thought I'd see if anyone had successfully done this before.

Thanks,

Jake

6 REPLIES

Cyber Elite

I have set up certificates.

Worked well.

In my case I had it set up not as pre-logon but as always-on, so I used a user cert.

In your case you probably have to use computer cert.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi Raido,

Thanks for the reply. I've got the pre-login working with the machine cert. When the user logs in to the computer for the first time they are prompted by GP for creds and then SSO works and it logs in from that point via SSO without interaction. What I'm trying to achieve, if possible, is using a user certificate so the user never has to enter creds in conjunction with pre-login.

Thanks,

Jake 

If you want to require both a cert and username/password, then on the portal/gateway config you have to configure an Authentication profile in addition to the certificate.

Then both are required.

You can also uncheck the box on client config to forbid saving passwords.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks. That's pretty much what I have set up now. It is using the machine cert for the standard pre-login configuration.

When a user logs in to the machine for the first time, they have to enter their credentials into the GP client (using an auth profile for AD) and then it changes from the pre-login context to the user context (and they won't necessarily have to log in again with SSO). The user certificate populates the username, but they are still required to enter their password. This seems to work until the user changes their password and then they have to enter it again. What I'm trying to achieve is to use user certificates so that the user never has to do anything except log in to Windows and all further auth is handled by certs. Do I not use an auth profile for this? I'll have to keep tinkering.

Why can't you just use the AlwaysOn setting, where the VPN is connected as soon as the user logs in and GlobalProtect sees an internet connection?

Maybe you can use a different gateway with different settings depending on whether it is pre-logon or user authenticated.

Also you might take a look at whether group policy or some script might change the GP portal address to one where different settings are configured once the user has logged in.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

As it turns out, I was overcomplicating the setup by having an authentication profile at all. Once I removed it and went with only certificate profiles it worked perfectly as desired. Thanks for your help!
