We are currently running PanOS8.1.1 have some issues with global protect pre-logon. I have configured pre-logon as per below article.
Problem we have is pre logon works as expected, however when user logged in to the computer, pre logon tunnel getting disconnected and connecting again with user logon.
What we want is prelogon tunnel to be renamed so for user vpn stays connected ater logged in
Hmmm, this sounds possibly like what we saw when we tried to upgrade to 8.1.1 all of our VPN users got dropped and the ones that could reconnect showed as pre-logon instead of their user names and they kept getting the authentication popups from the GP client. we ended up rolling back and have an open case with PA now
expected behavior was:
pre-logon connections is up->user logs into windows->VPN tunnel switches to user authenticated and pre-logon goes away
I had a very similar issue with pre-login (always on) connections, tunnel rename, and RADIUS-based MFA. Our portal login profile only requires username/password, but our gateways require MFA. We also had the "pre-login tunnel rename timeout" set to the default of -1 and users were experiencing all sorts of problems connecting after login.
Setting the pre-login tunnel rename timeout to 0 solved it (since you're requiring MFA during gateway login, there's no point in renaming the tunnel). So users are re-prompted for credentials and the MFA passes correctly.
I don't know if tunnel rename is supposed to work with MFA gateways and pre-login, but intuitively it really should not. PA's guidance seems to be only set the timeout to 0 when using pre-login then on-demand, but with MFA, I don't think the tunnel rename actually works correctly.
@kmuellercm the description of your setup sound like there should be something changed. I would use MFA already for the portal and then use authentication cookies for the gateway in order to ask the users only once for credentials. For security reasons on the gateway you use the sam RADIUS MFA authentication profile for situations where the connection comes directly to the gateway without the portal. At least this way it works for me (I also experimented with the value 0 but this resulted for me in problems because of the tunnel IP chance between prelogon and the usertunnel). In addition to the userlogin to gp I use an user-id agent setup because with the active directory logs the user is known a lot earlier on the firewall than it would be with the gp login which takes place when already the desktop is completely there.
The only thing that really changed was on the client-side (windows 10 upgraded to 20H2), but we couldn't find anything that the client was doing differently.
The portal (from my understanding) authenticates each time the config refreshes, so MFA would prompt the end-user for credentials each time it refreshes. So I just use a RADIUS profile that only requires user/pass and don't issue cookies from the portal.
Ultimately I want to replace this all with SAML-based login and pre-login VPN authentication, but that's a ways off. I just wanted to share a solution that I had to a particular problem I've run across, just in case someone else has a similar configuration and was banging their head against a wall like I was.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!