Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Big_Abe
New Contributor

Windows 8 & Prelogin authentication

Good Day Everyone,

 

Just joined up, can't wait to dive into the forums and put my shiny new FCNSP to the test. 

Here's what I'm trying to do:

Device:  Domain-Join Surface Pro 3 -> External/Unknown Internet Access

 

I want to have the FortiClient create a VPN connection pre-login (I can use PKI+IPSec) to my FG800, then authenticate when the user logs onto their PC and create the SSL-VPN tunnel and follow the on_connect scripting.

 

User Opens Computer -> Computer Finds open Wifi (Or windows can prompt pre-login) -> User uses 2-factor credential to login -> User is presented with corporate software and shared resources.  All while avoiding cached credentials.

 

In other words, regardless of their internet source, they have a seamless login experience whether at home, or at an overpriced conference about conferences.  This should also eliminate the IT frustrations of domain-based administrators (Help Desk, Application assistance, Business Analysts etc) not being able to connect to the computers.

 

As usual, the shiny new, barely supported devices are for the uber VIPs.  Most likely will be a couple hundred technician-hours into a fancy trunk-borne conversation piece while golfing or having home delivery from some fancy ultra-expensive vegan butcher shop.

 

Either way - has anyone gotten a pre-login authentication working?  Can it handle Hotel prompt screens?  Can I then use my Radius authentication (I.e. 2FA) for the domain credentials over the FC SSL-VPN tunnel?

 

It seems like I need to mash the forticlient login capabilities with my 2FA login capabilities.  Someone has to have pulled this off before.  Or do you manually image, cache credentials, push local admins, all to the latest hardware that poor helpdesk veterans struggle to keep up with?

 

Cheers.

Abe

ITSec

FCNSP

-------------------------------------

"They have us surrounded again, those poor bastards."

-Unnamed Medic

FCNSP ------------------------------------- "They have us surrounded again, those poor bastards." -Unnamed Medic
1 REPLY 1
Chris_Lin_FTNT

Looks like you want to use vpn-before-logon with domain RADIUS two-factor authentication, then run the on-connect script. This should work, but the hotel network pop-up probably won't work, because you won't be able to see the pop-up web page before you logon Windows.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors