Configuring Machine-Then-User-at-Credprov Credential Provider Authentication for an Ivanti Secure Access Client Connection

With a machine-then-user-at-credprov connection, Ivanti Secure Access Client establishes the connection using machine credentials when no user is logged in. When a user clicks a login tile and provides user credentials, the machine connection is disconnected, and a new connection is established. When the user logs out, the user connection is disconnected, and the machine connection is reestablished. In one typical machine-then-user-at-credprov implementation, the machine connection and the user connection are mapped to different VLANs.

To enable machine-then-user-at-credprov credential provider support for an Ivanti Secure Access Client connection:

1. Create an Ivanti Secure Access Client connection set for the role (Users > Ivanti Secure Access Client > Connections), and then create a new Ivanti Secure Access Client connection. You can select either a Layer 3 connection type, Ivanti Connect Secure or Ivanti Policy Secure (L3), or a Layer 2 connection type, Ivanti Policy Secure (802.1X).

2. In the Connection is established section, select "User or Machine" for the mode.

3. Under Options, select the Connect automatically check box.

4. In the Connection is established section, select one of the following options:

5. For a Layer 2 connection that uses machine certificate authentication, make sure that the connection has an entry in the Trusted Server List. To allow any server certificate, type ANY as the Server certificate DN. To allow only one server certificate, specify the server certificate's full DN, for example, C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; CN=c4k1.stnh.mycompany.net; [email protected].

6. Specify Realm and Role Preferences to suppress realm or role selection dialogs during the login process for both machine and user logins:

Preferred Machine Realm: Specify the realm that this connection uses when establishing the machine connection. The connection ignores any other realm that is available for the specific login credentials.

Preferred Machine Role Set: Specify the role or the name of the rule for the role set that this connection uses when establishing the machine connection. The role or rule name used must be a member of the preferred machine realm.

Preferred User Realm: Specify the realm that this connection uses when a user logs in to the endpoint. The connection ignores any other realm that is available for the user's login credentials.

The following options enable you to allow the user to log in using a smart card or a password:

Preferred Smartcard Logon Realm: The preferred realm to use when a user logs in with a smart card.

Preferred Password Logon Realm: The preferred realm to use when a user logs in with a password.

Be sure that the authentication realms you specify exist, and that they support the appropriate login credential option.

Preferred User Role Set: Specify the preferred role or the name of the rule for the role set to be used for user authentication. The role or rule name used must be a member of the preferred user realm.

If the Ivanti Secure Access Client connection is configured to use a list of Ivanti servers, the preferred roles and realms you specify must be applicable to all of those servers.

7. Optionally, specify pre-login preferences:

Pre-login maximum delay: The time period (in seconds) that a Windows client waits for an 802.1X connection to succeed during the login attempt. The range is 1 to 120 seconds.

Pre-login user based virtual LAN: If you are using VLANs for the machine login, select this check box to allow the system to make the VLAN change.

8. Click Save Changes, and then distribute the connection to Ivanti Secure Access Client endpoints.
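The Trusted Server List entry in step 5 is the one setting here that decides how much the machine connection trusts the server it authenticates to. The following added example (not Ivanti's code) models that check so the difference between ANY and a full DN is concrete: it assumes an entry is either the literal ANY or a DN in the "C=US; ST=NH; ..." syntax that must match the presented server certificate's subject attribute for attribute, and it uses a constructed certificate subject in the shape Python's ssl.getpeercert() returns.

```python
# Added example, not Ivanti's implementation. Assumption: a Trusted Server
# List entry is either ANY (accept any server certificate) or a full DN that
# must equal the server certificate's subject, attribute for attribute.

# Long attribute names as reported by ssl.getpeercert(), mapped to the short
# forms used in the Trusted Server List DN syntax.
_SHORT_NAMES = {
    "countryName": "C",
    "stateOrProvinceName": "ST",
    "localityName": "L",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "commonName": "CN",
}


def parse_tsl_dn(entry: str) -> list:
    """Parse 'C=US; ST=NH; CN=host' into ordered (type, value) pairs."""
    pairs = []
    for part in entry.split(";"):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def subject_to_pairs(subject) -> list:
    """Flatten a getpeercert()-style subject into (type, value) pairs."""
    return [(_SHORT_NAMES.get(attr, attr.upper()), value)
            for rdn in subject for attr, value in rdn]


def trusted_server_allows(entry: str, subject) -> bool:
    """True if the Trusted Server List entry accepts this certificate subject."""
    if entry.strip().upper() == "ANY":
        return True  # no pinning: every server certificate passes this check
    return parse_tsl_dn(entry) == subject_to_pairs(subject)


# Constructed sample subject, modelled on the DN example in step 5.
SERVER_SUBJECT = (
    (("countryName", "US"),), (("stateOrProvinceName", "NH"),),
    (("localityName", "Kingston"),), (("organizationName", "My Company"),),
    (("organizationalUnitName", "Engineering"),),
    (("commonName", "c4k1.stnh.mycompany.net"),),
)
PINNED = "C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; CN=c4k1.stnh.mycompany.net"

if __name__ == "__main__":
    print(trusted_server_allows("ANY", SERVER_SUBJECT))     # True
    print(trusted_server_allows(PINNED, SERVER_SUBJECT))    # True
    print(trusted_server_allows(PINNED.replace("c4k1", "other"), SERVER_SUBJECT))  # False
```

With ANY, any certificate the client otherwise accepts is enough to bring up the machine connection; with the full DN, a certificate for a different host is rejected even if it chains to a trusted CA.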