Configuring Ivanti Policy Secure for Session Bridging

Configuring Mac OS X Native Supplicant for Ivanti Policy Secure 802.1X Authentication

This section details the procedure for configuring native Mac OS X supplicant for Ivanti Policy Secure 802.1X authentication.

Requirements:

Apple Mac OS X endpoint
iPhone Configuration utility
Client certificate must be installed on Mac OS X endpoint

Configuring MAC OS X Native Supplicant

Authentication to a Ivanti Policy Secure 802.1X server in MAC OS X endpoints is achieved using Apple Configurator. This tool allows you to easily create, maintain, and install configuration profiles, track and install provisioning profiles, and capture device information including console logs.

The latest MAC OS X endpoints can be configured using Apple Configurator 2 tool.

Configuring 802.1x profile

You can create various profiles (TTLS/PAP, TTLS/MS-CHAP-V2, and PEAP/MS-CHAP-V2) required for Ivanti Policy Secure 802.1x authentication using Apple Configurator. The generated configuration profiles can be exported to a Mac OS X endpoint. To create profiles, install the profiles (by double clicking on the exported files) on their OS X endpoints and that will provision Layer 2 access when connected to 802.1x enabled switch port.

Configuring 802.1x profiles -PEAP applies only for General and Wi-Fi settings. If the authentication server is Certificate Auth Server, use EAP-PEAP/EAP-TLS.

Configuring PEAP Authentication Profile

To configure PEAP, perform the following:

On the iPhone configuration utility (IPCU) navigate to Configuration Profiles tab.
On configuration Profiles page, select General and enter the required values.
Select Wi-Fi and enter the required values. Ensure TLS/PEAP are selected under Accepted EAP types.

Once the profile is successfully imported, you see the below screen shot.

Configuring Ivanti Policy Secure

To configure Ivanti Policy Secure for guest wireless authentication:

Select System > Configuration > Certificates > Trusted Client CAs. Install the certificate from the CA that Ivanti Policy Secure is using for trusted Client CAs.
Select Authentication > Auth.Servers. The Authentication Servers screen appears. Use the Default Certificate Authentication Server.
Select Users > User Realms, Click Cert Auth realm available by default to view the settings. Under Servers, Select the Certificate Authentication server.
Create Role Mapping rules to associate with the roles.
Selecting Authentication > Signing In > Sign-In Policies. Associate the default Cert Auth authentication protocol set with the realm.
Select Endpoint Policy > Network Access > Location Group. Select the default */certauth/ sign-in policy.
Configure the RADIUS client. Ensure that the default Cert Auth location group and Support Disconnect Messages and Support CoA Messages options are enabled.
Configure the RADIUS return attributes for Guest Wired policy. Select Endpoint Policy > Network Access > RADIUS Return Attribute Policies. Click New Policy. Under RADIUS Attributes tab, select the check box for Return Attribute.The RADIUS return attributes are required for MAB authentication initially when the user connects to the SSID (where the redirection happens) and then the session is bridged after the user authenticates.