The GINA component (Network Connect's hook into the Windows logon on Windows XP/2003-era systems, where Winlogon loads a GINA DLL) lets a user log on to a company machine with cached domain credentials and have a VPN connection to the network initiated as part of that same logon. This makes the whole process of using a VPN smoother and less prone to user error than launching a client, or even authenticating through the web page, because the end user is taken through the logon process step by step.
Enabling the GINA
Network Connect will need to be enabled for the realm/role that the user is logging into. I’ve recently blogged about creating a Network Connect policy; this entry can be found here.
- The system used to connect to the company network must be joined to the domain
- The system must hold cached domain credentials for the user logging in (cached logons must be permitted; a hardening baseline that sets the cached logon count to 0 will prevent this from working)
- The system must have a network connection, and Internet access to reach the SA, at logon
N.B. One caveat I've found so far is that client-side certificate authentication can't be used with the GINA.
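The three prerequisites above are the usual reasons a GINA logon fails, so it is worth checking them on the client before rolling this out. The following PowerShell script is an added example (not part of the original post and not Juniper code) that reports each one: domain membership, whether Windows permits cached domain logons, which GINA DLL Winlogon is configured to load, and whether the SA is reachable on TCP 443. The SA hostname `sa.example.com` is a hypothetical placeholder; the script does not assert a particular DLL name for the Network Connect GINA, it only prints what is registered so you can confirm it yourself.

```powershell
# Pre-flight check for the GINA prerequisites. Added example; not from the
# original post. $SaHost is an assumed placeholder, replace it with your SA.
param(
    [string]$SaHost = "sa.example.com"   # assumption: your Juniper SA hostname
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$results  = @{}

# 1. Domain membership: the box must be joined to the domain.
$cs = Get-WmiObject -Class Win32_ComputerSystem
$results['DomainJoined'] = [bool]$cs.PartOfDomain
if ($results['DomainJoined']) { Write-Host "Domain: $($cs.Domain)" }

# 2. Cached domain logons must be allowed. CachedLogonsCount is a REG_SZ;
#    Windows behaves as "10" when the value is absent, and "0" disables caching.
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }
$results['CachedLogonsAllowed'] = ([int]$cached -gt 0)
Write-Host "CachedLogonsCount: $cached"

# 3. Which GINA Winlogon loads. The GinaDLL value is only honoured on
#    Windows XP/2003; Vista and later use Credential Providers instead.
$gina = (Get-ItemProperty -Path $winlogon -Name GinaDLL `
         -ErrorAction SilentlyContinue).GinaDLL
if ($gina) {
    Write-Host "GinaDLL: $gina   (confirm this is the Network Connect GINA)"
} else {
    Write-Host "GinaDLL: not set (default msgina.dll, or not a GINA-based OS)"
}
$results['CustomGina'] = [bool]$gina

# 4. The SA must be reachable on TCP 443 at logon (the NC tunnel is set up
#    over HTTPS), so an ICMP ping alone is not a sufficient check.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($SaHost, 443)
    $results['SaReachable'] = $tcp.Connected
} catch {
    $results['SaReachable'] = $false
} finally {
    $tcp.Close()
}

# Summary table: every row should read True before expecting the GINA to work.
$results.GetEnumerator() | Sort-Object Name | ForEach-Object {
    "{0,-20} {1}" -f $_.Name, $_.Value
}
```

Run it from an elevated prompt on the client (`.\gina-check.ps1 -SaHost vpn.yourcompany.example`). Note that it can only confirm caching is permitted, not that a specific user's credentials are already cached; that requires the user to have logged on interactively at least once while the machine could reach a domain controller.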
Setup on the Juniper SA
You’ll need to make sure that the Network Connect role policy allows for using the GINA. This can be achieved by following the steps below:
1) Navigate to User Roles > **role name** > Network Connect and tick the box 'Launch NC during Windows interactive user logon'.
2) Choose how the client should start (required or optional). If optional is selected, the user is prompted during logon to decide whether to activate the feature.
3) Log off and on again using a domain profile that has already been cached on the machine. The connection state is displayed at the top of the GINA window; enter your credentials there.
N.B. The username and password fields are pre-populated with the credentials entered at the initial Windows logon. They can be altered, and may need to be when the realm uses RSA authentication (with or without AD integration), since the Windows password will not match the RSA passcode.
That’s all there is to it. Very simple to implement and even simpler for the end-user to operate.