Pre-logon than switch to On-Demand

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Pre-logon than switch to On-Demand

L0 Member

Hi all,

 

I have configured prisma access GlobalProtect to authenticate pre-logon with computer certificate and than switch to on-demand.

 

pre-logon works as expected and the on-demand authentication with SAML using CIE.

 

I was wondering if there is option to configure pre-logon and always-on so when user connects to the station GlobalProtect will automatically start authentication with SAML and connect to the gateway.

 

Kind Regards,

Maxim 

1 accepted solution

Accepted Solutions

L2 Linker

@Maximt wrote:

Hi all,

 

I have configured prisma access GlobalProtect to authenticate pre-logon with computer certificate and than switch to on-demand.

 

pre-logon works as expected and the on-demand authentication with SAML using CIE.

 

I was wondering if there is option to configure pre-logon and always-on so when user connects to the station GlobalProtect will automatically start authentication with SAML and connect to the gateway.

 

Kind Regards,

Maxim 


Hello @Maximt , I understand you are looking to confirm if there is a way to configure pre-login and always-on  when user connects to the workstation so the global protect automatically recognize the user log-on to the workstation with SAML. 

 

Yes, this is possible today. To be able to achieve this, you need to setup two configuration profiles using the app agent. In the first configuration’s 
User/User Group, select the pre-logon filter. With pre-logon, the portal first authenticates the endpoint (not the user) to set up a connection even though the pre-logon parameter is associated with the user. Subsequently, the portal authenticates the user when he or she logs in. After the portal authenticates the user, it deploys the second configuration. In this case, User/User Group is any.

 

As a best practice, enable SSO in the second configuration so that the correct username is immediately reported to the gateway when the user logs in to the endpoint. If SSO is not enabled, the saved username in the Agent settings panel is used. Check the Step 9 on this documentation for guidance on how to go about it: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-quick-configs...


GlobalProtect pre-logon get connect to the gateway while the system is still booting up or is at the Ctrl+Alt+Del screen, that is, before a user logs in to the machine. Pre-logon will also kick in once a user logs off that machine. Since there is no user associated at these times, the gateway will see this connection coming from a generic username called 'pre-logon'. Once the user logs on to the machine, the tunnel gets renamed (in Windows) from the 'pre-logon' user to the actual 'user' who logged in. In the case of MAC, the tunnel is re-established with the actual user who logged in.

 

I hope you find this helpful. 

 

Thank you. 

Vickynet

View solution in original post

1 REPLY 1

L2 Linker

@Maximt wrote:

Hi all,

 

I have configured prisma access GlobalProtect to authenticate pre-logon with computer certificate and than switch to on-demand.

 

pre-logon works as expected and the on-demand authentication with SAML using CIE.

 

I was wondering if there is option to configure pre-logon and always-on so when user connects to the station GlobalProtect will automatically start authentication with SAML and connect to the gateway.

 

Kind Regards,

Maxim 


Hello @Maximt , I understand you are looking to confirm if there is a way to configure pre-login and always-on  when user connects to the workstation so the global protect automatically recognize the user log-on to the workstation with SAML. 

 

Yes, this is possible today. To be able to achieve this, you need to setup two configuration profiles using the app agent. In the first configuration’s 
User/User Group, select the pre-logon filter. With pre-logon, the portal first authenticates the endpoint (not the user) to set up a connection even though the pre-logon parameter is associated with the user. Subsequently, the portal authenticates the user when he or she logs in. After the portal authenticates the user, it deploys the second configuration. In this case, User/User Group is any.

 

As a best practice, enable SSO in the second configuration so that the correct username is immediately reported to the gateway when the user logs in to the endpoint. If SSO is not enabled, the saved username in the Agent settings panel is used. Check the Step 9 on this documentation for guidance on how to go about it: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-quick-configs...


GlobalProtect pre-logon get connect to the gateway while the system is still booting up or is at the Ctrl+Alt+Del screen, that is, before a user logs in to the machine. Pre-logon will also kick in once a user logs off that machine. Since there is no user associated at these times, the gateway will see this connection coming from a generic username called 'pre-logon'. Once the user logs on to the machine, the tunnel gets renamed (in Windows) from the 'pre-logon' user to the actual 'user' who logged in. In the case of MAC, the tunnel is re-established with the actual user who logged in.

 

I hope you find this helpful. 

 

Thank you. 

Vickynet

  • 1 accepted solution
  • 748 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!