Machine and User Authentication through an Ivanti Secure Access Client Connection for Ivanti Connect Secure

Ivanti Secure Access Client supports certificate authentication for establishing Layer 2 and Layer 3 connections. On Windows endpoints, an Ivanti Secure Access Client connection uses either client certificates in the Local Computer personal certificate store (for machine authentication) or user certificates in the user's personal certificate store or on a smart card (for user authentication). An Ivanti Secure Access Client connection can access certificates from only one of these locations, so a single connection cannot present both a machine certificate and a user certificate. For information on machine authentication, see Machine Authentication for Ivanti Connect Secure Overview.

You can create an Ivanti Secure Access Client connection that verifies the identity of both the machine and the user before establishing a connection. There are two options for configuring this dual authentication. Both options verify the machine with certificate authentication and authenticate the user against a System Local, Active Directory, or RSA ACE server. Both options also depend on the same Ivanti Secure Access Client connection option, Select client certificate from machine certificate store, which is part of the User Connection Preferences of the connection.

Option 1: Use an additional authentication server for a realm:

Create an Ivanti Secure Access Client connection for the target Ivanti server. The connection type can be Policy Secure (802.1X), or Connect Secure or Policy Secure (L3). The Connection is established option is typically set to Manually by the user or Automatically at user login.

In the User Connection Preferences section of the connection properties, click the check box labeled Select client certificate from machine certificate store. This option enables the Ivanti Secure Access Client connection to perform the machine authentication as part of the connection attempt.

Create a sign-in policy for a realm whose authentication server is a certificate server. When Ivanti Secure Access Client presents a certificate to the server, it takes the certificate from the Local Computer certificate store, so a successful certificate authentication authenticates the machine rather than the user. If the store holds more than one valid certificate for the connection, Ivanti Secure Access Client opens a dialog box that prompts the user to select one; keep a single eligible machine certificate in the store if you want the connection to proceed without that prompt.

Create an additional (secondary) authentication server for the realm. The additional server can be a System Local, Active Directory, or RSA ACE server. When the machine authentication succeeds, the user is prompted for credentials for the additional authentication server; the connection is established only if both steps succeed.

Option 2: Use realm authentication to authenticate the user and a certificate restriction on the realm to authenticate the machine.

Create an Ivanti Secure Access Client connection for the target Ivanti server. The connection type can be Policy Secure (802.1X), or Connect Secure or Policy Secure (L3). The Connection is established option is typically set to Manually by the user or Automatically at user login.

In the User Connection Preferences section of the connection properties, click the check box labeled Select client certificate from machine certificate store, so that the certificate presented to satisfy the realm restriction comes from the Local Computer store.

Create a sign-in policy on Ivanti Connect Secure that specifies a user realm. The realm's authentication server can be a System Local, Active Directory, or RSA ACE server; this step authenticates the user.

Configure a certificate restriction on the realm so that Ivanti Connect Secure requests a client certificate. Be sure to select the option labeled Only allow users with a client-side certificate signed by Trusted Client CAs to sign in. If the restriction is left at allowing all users, the certificate is requested but not required, and a user on an endpoint without a valid machine certificate can still sign in, which defeats the machine-authentication half of the configuration.
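Both options depend on the Windows endpoint holding exactly one usable certificate in the Local Computer personal store that chains to a CA listed under Trusted Client CAs on Ivanti Connect Secure. The following PowerShell script is an added example written for this page, not Ivanti's own tooling, that an administrator can run on the endpoint before rolling out either option. It lists every certificate in Cert:\LocalMachine\My, checks the conditions the text describes (private key present, validity period, Client Authentication EKU, and a chain ending at a Trusted Client CA), and reports whether the connection will fail, proceed silently, or prompt the user to pick a certificate. The thumbprints in $TrustedClientCaThumbprints are constructed placeholders; replace them with the thumbprints of the CA certificates you imported under Trusted Client CAs.

```powershell
# Added example (not part of Ivanti's product or documentation): audit the Local Computer
# personal store for certificates Ivanti Secure Access Client could present for machine
# authentication, and flag the conditions that break or prompt during the connection.

# ASSUMPTION: thumbprints of the CA certificates imported on Ivanti Connect Secure under
# Trusted Client CAs. These are constructed placeholders; replace them with your own.
$TrustedClientCaThumbprints = @(
    '0000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000002'
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$now = Get-Date

function Test-MachineAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $reasons = @()
    if (-not $Cert.HasPrivateKey) { $reasons += 'no private key' }
    if ($Cert.NotAfter -le $now)  { $reasons += "expired $($Cert.NotAfter.ToShortDateString())" }
    if ($Cert.NotBefore -gt $now) { $reasons += 'not yet valid' }

    # A certificate with no EKU extension is valid for any purpose; one that carries an EKU
    # must list Client Authentication to be offered for TLS client authentication.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object Value -eq $ClientAuthOid)) {
        $reasons += 'EKU lacks Client Authentication'
    }

    # Build the chain the way Windows would and check whether it passes through a CA that
    # Ivanti Connect Secure trusts for client certificates. Revocation is skipped here so the
    # check runs offline; the server performs its own revocation checking during sign-in.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($Cert)
    $chainThumbprints = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
    $reachesTrustedCa = @($chainThumbprints | Where-Object { $TrustedClientCaThumbprints -contains $_ }).Count -gt 0
    if (-not $reachesTrustedCa) { $reasons += 'chain does not reach a Trusted Client CA' }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Eligible   = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Evaluate every certificate in the Local Computer personal store.
$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-MachineAuthCertificate $_ }
$results | Format-Table -AutoSize

# Zero eligible certificates means machine authentication cannot succeed; more than one means
# the client will open the certificate-selection dialog described above.
$eligible = @($results | Where-Object Eligible)
switch ($eligible.Count) {
    0       { Write-Warning 'No eligible machine certificate: machine authentication will fail.' }
    1       { Write-Host   'Exactly one eligible machine certificate: no selection prompt expected.' }
    default { Write-Warning "$($eligible.Count) eligible machine certificates: the user will be prompted to choose one." }
}
```

Run the script from an elevated PowerShell session so that HasPrivateKey reflects keys stored under the machine context. The per-certificate Reasons column tells you which of the text's requirements a certificate misses, which is usually faster than reading the client's connection failure after the fact.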