Global Protect Always On VPN Pre-Logon

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect Always On VPN Pre-Logon

L1 Bithead

Hi

 

Running into issue with prelogon not working properly. I have pretty much mirrored the configuration from this KB - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEYCA0

 

Scenrio - when Laptop is connected to On prem production wifi - Internal host detection with enforece network access ON- when the laptop boots up, before logging in, i see the global protect get connected. once i input my windows credentials and laptop boots. I still have to click the connect button on the agent in order for internal host detection to kick in (sometimes it also asks for username/password). i thought the whole purpose of the prelogon with sso is that it starts all the tunnel process with less user interaction. This is a big nauance if user has to keep clicking connect even when on on prem to detect internal host connection. 

1 REPLY 1

L6 Presenter

Not quite, the purpose of pre-logon is that the PC can connect to the VPN before a user ever logs on (e.g. for remote management/updates/etc.). When the user subsequently logs on to the PC the GlobalProtect client re-authenticates the VPN using the user's credentials.

 

User authentication to the VPN consists of two parts: a connection to the Portal, which delivers the VPN configuration information, and a connection to the Gateway, which is where the encrypted tunnel traffic actually occurs. A separate user authentication to each step is required (though one or the other can be bypassed with various combinations of stored creds and cookies). In order to test internal host detection, the client must first download the configuration from the Portal, which requires an authentication (ignoring for the moment that in some cases the GlobalProtect client will temporarily cache and use a previous config).

 

Since it sounds like you have applied a SSO user authentication to the Portal, try changing the user Portal authentication to use a client certificate instead (and remove any cookie generation to the Gateway). This will allow the GlobalProtect client to automatically connect to the Portal with the user's certificate, without user interaction, when the VPN switches to the user authentication. The client can then automatically download the VPN config and recognize/check for local host detection without prompting the user. Then have the SSO authentication on the Gateway, so if the user need to connect to the VPN (not internally connected) they are prompted for their SSO credentials (and any MFA you may have attached to that).

  • 1857 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!