Always-On vs Pre-login

Hi, can someone tell me the benefits of Always On VPN if you always need to log into the VPN (and with MFA if configured)? Doesn’t seem very ‘Always On’ to me.
- Also, for those who have implemented Always On VPN, what has been the biggest downside of it?

Also, with pre-login, you can configure the VPN + Wi-Fi selection before logging into Windows, right? Can you also configure using MFA with pre-login VPN before logging into Windows?
- Also, for those who have implemented pre-login VPN, what has been the biggest downside of it?

Thanks.

Pre-logon uses machine certificates to authenticate the computer to the VPN so it can access services on the network before the user has logged in. You create security policies to restrict what the machine can access by using the pre-logon “user” in the security policy. Once you log in to the computer, it reconnects as the user.

Always On immediately connects the user to the VPN after they log into the computer. It is not able to connect prior to the user login.

The benefit of pre-logon is that the device connects to the domain and internal management tools even when the user isn’t logged in. So if a user changes their password or their account is locked and the only access to the domain is via the VPN, those changes won’t be reflected on the device until they log in.

We tried all three: on-demand VPN with MFA, Always On and pre-logon.
The problem we ran into with the first two was the random MFA prompts after someone was logged off for x number of hours and the cookie timer ran out. This caused a bunch of false reports because people didn’t expect or respond to a prompt at 8pm or 3am (12 hours after the first login). Additionally, dealing with expired passwords over con required the machine to be brought back on-site or for someone to remote to the machine and log into bob as them, then switch user to keep the VPN active while doing the auth.
Ultimately we landed on pre-logon with machine certs and SSO and cookies for the con, but MFA at the Windows login/lock screen. This allowed for the AD connection for password changes, SCCM, and full traffic visibility as long as the PC had internet, with or without a user logged on.

Pre-logon is performed using machine (cert) auth. This requires a working enterprise PKI environment/policy. Any user-based auth such as Always On rebuilds the connection under the user context, where MFA can be used.
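Since pre-logon stands or falls on the machine certificate in the Local Computer store (the post above and the one describing the pre-logon “user” both depend on it), here is an added PowerShell check to run on an endpoint before rolling pre-logon out. It is not from this thread or from Palo Alto; it assumes the cert sits in Cert:\LocalMachine\My, that the issuing CA name contains a placeholder string (`Contoso`, which you would replace with your own CA), and that the gateway's certificate profile wants the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), a usable private key, and a chain that verifies on the device.

```powershell
# Added example (not from the thread or from Palo Alto): sanity-check the machine
# certificate a GlobalProtect pre-logon connection would present.
# Assumptions: cert is in the Local Computer Personal store, issued by a CA whose
# name contains $IssuerMatch (placeholder), and needs the Client Authentication EKU.
param(
    [string]$IssuerMatch = 'Contoso',   # placeholder CA name; replace with your issuing CA
    [int]$WarnDays = 30                 # warn this many days before expiry
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-PreLogonMachineCert {
    param([string]$IssuerMatch, [int]$WarnDays)

    $now = Get-Date
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" }

    if (-not $candidates) {
        return [pscustomobject]@{
            Status     = 'NoCert'
            Thumbprint = $null
            Subject    = $null
            NotAfter   = $null
            Detail     = "no certificate issued by *$IssuerMatch* in LocalMachine\My"
        }
    }

    foreach ($cert in $candidates) {
        $problems = @()

        # 1. EKU must include Client Authentication; the tunnel uses the cert for TLS client auth.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @()
        if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        if ($ekus -notcontains $ClientAuthOid) { $problems += 'missing Client Authentication EKU' }

        # 2. Private key must be present in the machine context; at pre-logon no user profile is loaded.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

        # 3. Validity window, with an early-warning threshold so renewal happens before
        #    pre-logon silently stops connecting on devices that are never on-site.
        if ($cert.NotAfter -lt $now) {
            $problems += "expired $($cert.NotAfter)"
        } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
            $problems += "expires within $WarnDays days ($($cert.NotAfter))"
        }
        if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }

        # 4. Chain must build to a trusted root on this device; a missing intermediate
        #    or an unreachable CRL shows up here, not in the GlobalProtect client log.
        if (-not $cert.Verify()) { $problems += 'chain does not verify (root/intermediate missing or revoked)' }

        [pscustomobject]@{
            Status     = if ($problems.Count -eq 0) { 'OK' } else { 'Problem' }
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Detail     = ($problems -join '; ')
        }
    }
}

Test-PreLogonMachineCert -IssuerMatch $IssuerMatch -WarnDays $WarnDays | Format-Table -AutoSize
```

Run it in an elevated session so the private-key check is not skewed by ACLs on the key container; a `Problem` row with `no private key` on a cert that clearly was enrolled usually means the key was generated in a user profile rather than the machine context, which is exactly the case pre-logon cannot use.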

When combined with Prevent Sign-out and Prevent Disable GP, and/or with disabled/allow-listed network access when disconnected, Always On ensures consistency for Internet and corporate traffic with that of an on-prem user (assuming you full-tunnel).

Anyone know how to set it up with Okta and SSO Azure AD properly so that it doesn’t ask for a password for the VPN?

These are not Palo Alto specific questions; Palo Alto has just implemented industry-standard elements that people use to manage their IT. Pre-logon VPN is a pre-logon VPN; you use it if you know why you use it, usually meaning that you are seeking to comply with given requirements. User-logon VPN is a user-logon VPN, and again you use it where needed and as needed. The two are not mutually exclusive; you don’t need to compare them and differentiate between them.

Don’t try to do it backwards, don’t build your IT based on what you see in the configuration options. Start with what you want to accomplish and once you have it very clear and well defined, implement accordingly.

This is a bizarre rant. You want MFA yet no user interaction? Is this the new brain-implant MFA where it detects your intent to log in?

For your other point, thousands of people do this without issue. Configure SSO properly and it will work (other than users periodically getting MFA prompts based on your Okta policy). Your users should not be prompted for creds each time.

If you still can’t figure out the SSO problem, then cheat and configure super long cookie settings for both portal/gateway.

SSO will work regardless of pre-logon (as was mentioned above, this part uses certs and migrates the session to the user/MFA after login).

But with Always On, don’t you need to enter a password and/or MFA to connect? We integrate with Azure AD.

What’s the purpose of being a dick? I’m trying to learn and figure out options… and asking for help.

I don’t believe Okta does SSO with Palo Alto… which is why our users are getting asked for passwords. How are people getting this to work with Azure AD? Are you using GlobalProtect in Azure enterprise apps?

If configured correctly, Always On (user-logon) should automatically connect to GP using the credentials used to sign into the device.

I’ve been using GP for my work for a year and I have not once had to put my domain username/password into GP.

As /u/studawgg said, it doesn’t have to. Either it can use SSO or it could use cookies to limit the number of times it needs to ask or it could use user certificates. It all depends on how it is set up.

Device Certificate for Pre-Logon.

Then at user login you can prompt for a SAML login via Azure AD.

Did you get this knocked out?

That’s if you are using SSO and the GP credential provider.

We use Okta, so it doesn’t seem to have integration and it always asks for credentials (which again is Azure AD).

You could set up authentication with user certificates (not machine), then have an MFA challenge when users try to access protected resources. Using that with pre-login will ensure that your users are always connected and protected by your security profile groups without even thinking about connecting to the VPN.

You can also connect the Cloud Identity Engine to Okta to build out your policies based on user/group. I’ve done this with Okta and the users loved it.

It’s just configured that way. I’ve configured it that way before too. It just depends on what the client wants.