Who Me Too'd this topic

Adding MFA to Pre-login GlobalProtect

L0 Member

The GlobalProtect VPN solution is defined with Pre-login and always-on VPN features.

[Image: GP.PNG]

Workflow:

  1. Once the machine is booted and before user login, the machine is authenticated based on its certificate and identified in logs as the (Pre-login) user.
  2. Pre-login access is restricted to the Mac management solution and AD.
  3. Once the user is logged in, a new tunnel is initiated and authenticated by the same certificate, with the ability to identify the username in the certificate to be added to the user-IP mapping table.
  4. User-group access rules are created to match only a specific user group to access internal resources.

Required: MFA integration with Pre-login

 

My main scope is to add a stronger authentication mechanism, as with pre-logon:

Step 1: machines are authenticated and authorized once they boot up, based on the first authentication factor (client certificate), to access AD servers.

Step 2: adding to that a second authentication factor: credential logins to be able to open the laptop itself.

 

In case the client certificate is compromised, then the attacker can import it to his machine and do step 1 then step 2 (as the device credentials are already known to the attacker - it is already his machine).

 

Proposal A:

  1. If we applied it with pre-login, I think it won't be suitable as the machine is already authenticated and any traffic is blocked except for specific destinations such as AD.
  2. Once users log in, maybe here we can apply an Authentication security policy that declares that for access to internal resources we need MFA.

So with my proposal A, the attacker can still connect through the VPN. Maybe he doesn't have access to internal resources without a valid OTP, but he can still do a DoS attack to bring down my service.

 

So I hope it is a good challenge for you to think about 🙂 ....

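The following is an added example, not code from the original post or from Palo Alto Networks. It models the staged access the post describes (certificate-only pre-logon tunnel limited to AD and management, then a user tunnel where the user-group rule and an MFA-gated authentication policy apply) so the stolen-certificate case can be walked through concretely, and it adds the check a defender would want alongside proposal A: flagging a client certificate that shows up from more than one host, which is the signal that the first factor has been copied. All names (`Stage`, `Session`, the destination sets, the group name, and the constructed log records) are assumptions for illustration and do not correspond to GlobalProtect configuration objects or log formats.

```python
"""Model of the staged GlobalProtect access described in the post (added example).

Assumed, not taken from the post or the product: the Stage/Session types, the
destination sets, the group name, and the connection records fed to the reuse check.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, Optional, Set


class Stage(Enum):
    PRE_LOGON = "pre-logon"   # machine tunnel, established before any user signs in
    USER = "user"             # tunnel re-established after the interactive login


# Destinations reachable from the pre-logon tunnel (workflow step 2); constructed names
PRE_LOGON_ALLOWED: Set[str] = {"ad.example.internal", "mdm.example.internal"}
# Internal resources that, under proposal A, require an MFA-satisfied session
INTERNAL_RESOURCES: Set[str] = {"fileserver.example.internal", "intranet.example.internal"}
# Group matched by the user-group access rule (workflow step 4); constructed name
ALLOWED_GROUP = "vpn-internal-users"


@dataclass
class Session:
    stage: Stage
    cert_valid: bool                       # first factor: client certificate
    cert_username: Optional[str] = None    # username carried in the certificate (user stage)
    groups: Set[str] = field(default_factory=set)
    mfa_passed: bool = False               # second factor satisfied via authentication policy


def tunnel_established(s: Session) -> bool:
    """Both tunnel stages authenticate on the certificate alone (steps 1 and 3)."""
    return s.cert_valid


def access_allowed(s: Session, dest: str) -> bool:
    """Evaluate the destination against the stage-specific rules of the post."""
    if not tunnel_established(s):
        return False
    if s.stage is Stage.PRE_LOGON:
        # Pre-logon tunnel: only the management solution and AD are reachable
        return dest in PRE_LOGON_ALLOWED
    # User stage: the certificate username feeds user-IP mapping; group rule applies
    if s.cert_username is None or ALLOWED_GROUP not in s.groups:
        return False
    if dest in INTERNAL_RESOURCES:
        # Proposal A: MFA is enforced here, on access to internal resources
        return s.mfa_passed
    return dest in PRE_LOGON_ALLOWED


def certs_used_from_multiple_hosts(records: Iterable[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Return certificate serials seen from more than one host identifier.

    A client certificate is bound to one machine in the post's design, so the same
    serial authenticating from two different hosts points at a copied certificate.
    The record schema (cert_serial, host_id, src_ip) is constructed for this example.
    """
    hosts_by_serial: Dict[str, Set[str]] = {}
    for r in records:
        hosts_by_serial.setdefault(r["cert_serial"], set()).add(r["host_id"])
    return {serial: hosts for serial, hosts in hosts_by_serial.items() if len(hosts) > 1}


# Constructed connection records (not a GlobalProtect log format)
SAMPLE_RECORDS = [
    {"cert_serial": "0A1B", "host_id": "laptop-01", "src_ip": "198.51.100.10"},
    {"cert_serial": "0A1B", "host_id": "laptop-01", "src_ip": "198.51.100.11"},
    {"cert_serial": "0A1B", "host_id": "unknown-77", "src_ip": "203.0.113.5"},
    {"cert_serial": "0C2D", "host_id": "laptop-02", "src_ip": "198.51.100.12"},
]

if __name__ == "__main__":
    # Attacker with a copied certificate: tunnel comes up, pre-logon scope only
    stolen = Session(stage=Stage.PRE_LOGON, cert_valid=True)
    print("tunnel:", tunnel_established(stolen))
    print("AD reachable:", access_allowed(stolen, "ad.example.internal"))
    print("fileserver reachable:", access_allowed(stolen, "fileserver.example.internal"))
    print("reused certs:", certs_used_from_multiple_hosts(SAMPLE_RECORDS))
```

Walking the model confirms the post's own conclusion: a copied certificate is enough to bring the tunnel up and reach AD, and proposal A stops it only at the internal-resource boundary. The reuse check is the compensating control for that gap: because the certificate identifies the machine, a single serial appearing from several host identifiers is worth an alert or a certificate revocation regardless of whether MFA was later satisfied.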