Big_Abe
New Contributor

Windows 8 & Prelogin authentication

Good Day Everyone,

 

Just joined up, can't wait to dive into the forums and put my shiny new FCNSP to the test. 

Here's what I'm trying to do:

Device:  Domain-Joined Surface Pro 3 -> External/Unknown Internet Access

 

I want to have the FortiClient create a VPN connection pre-login (I can use PKI+IPSec) to my FG800, then authenticate when the user logs onto their PC and create the SSL-VPN tunnel and follow the on_connect scripting.

 

User Opens Computer -> Computer Finds open Wifi (or Windows can prompt pre-login) -> User uses 2-factor credential to login -> User is presented with corporate software and shared resources.  All while avoiding cached credentials.

 

In other words, regardless of their internet source, they have a seamless login experience whether at home, or at an overpriced conference about conferences.  This should also eliminate the IT frustrations of domain-based administrators (Help Desk, Application assistance, Business Analysts etc) not being able to connect to the computers.

 

As usual, the shiny new, barely supported devices are for the uber VIPs.  Most likely will be a couple hundred technician-hours into a fancy trunk-borne conversation piece while golfing or having home delivery from some fancy ultra-expensive vegan butcher shop.

 

Either way - has anyone gotten a pre-login authentication working?  Can it handle hotel prompt screens?  Can I then use my RADIUS authentication (i.e. 2FA) for the domain credentials over the FC SSL-VPN tunnel?

 

It seems like I need to mash the FortiClient login capabilities with my 2FA login capabilities.  Someone has to have pulled this off before.  Or do you manually image, cache credentials, push local admins, all to the latest hardware that poor helpdesk veterans struggle to keep up with?

 

Cheers.

Abe

ITSec

FCNSP

-------------------------------------

"They have us surrounded again, those poor bastards."

-Unnamed Medic

Chris_Lin_FTNT

Looks like you want to use vpn-before-logon with domain RADIUS two-factor authentication, then run the on-connect script. This should work, but the hotel network pop-up probably won't work, because you won't be able to see the pop-up web page before you log on to Windows.
