Configuring User-After-Desktop Machine Authentication for an Ivanti Secure Access Client Connection
When an Ivanti Secure Access Client connection is configured for user-after-desktop machine authentication, the connection is established using machine credentials when no user is logged in. After user login, the machine connection is disconnected. Once the user logs out, the user connection is disconnected and the machine connection is reestablished.
To enable an Ivanti Secure Access Client connection for user-after-desktop machine authentication:
1. Click Users > Ivanti > Connections, and then create or select a connection set.
2. Create or edit a connection. For the connection type, you can select either UAC (802.1X) for a Layer 2 connection or Connect Secure or Policy Secure (L3) for a Layer 3 connection.
3. Under Connection is established, for mode, select Machine or User.
Machine credentials are used to connect to the Ivanti server when the endpoint is started, before a user logs in. When a user logs in, the machine authentication connection is dropped, and the user login is used instead. When the user logs out, the machine connection is reestablished.
4. Select the Connect automatically check box.
5. For a Layer 2 connection that uses machine certificate authentication, make sure that the connection has an entry in the Trusted Server List. To allow any server certificate, type ANY as the Server certificate DN. To allow only one server certificate, specify the server certificate's full DN, for example, C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; CN=c4k1.stnh.mycompany.net; [email protected].
6. Specify Realm and Role Preferences to suppress realm or role selection dialogs during the login process for both machine and user logins:
• Preferred Machine Realm: Specify the realm that this connection uses when establishing the machine connection. The connection ignores any other realm that is available for the specific login credentials.
• Preferred Machine Role Set: Specify the role or the name of a rule for the role set that this connection uses when establishing the machine connection. The role or rule name used must be a member of the preferred machine realm.
• Preferred User Realm: Specify the realm that this connection uses when a user logs in to the endpoint. The connection ignores any other realm that is available for the user's login credentials.
• Preferred User Role Set: Specify the preferred role or the name of the rule for the role set to be used for user authentication. The role or rule name used must be a member of the preferred user realm.
If the Ivanti Secure Access Client connection is configured to use a list of Ivanti servers, the preferred roles and realms you specify must be applicable to all of those servers.
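The following added example (not Ivanti code) lints a planned connection against the steps above before it is deployed: it checks the mode and Connect automatically settings, flags a Trusted Server List entry of ANY for review, and verifies that each preferred realm and role set exists on every server in the list. The dictionary layout, field names, and server names are hypothetical and do not represent an Ivanti export format.

```python
# Added example; dict layout and field names are hypothetical, values constructed.
def parse_dn(dn):
    """Split 'C=US; ST=NH; CN=host' into (attribute, value) pairs."""
    pairs = []
    for part in filter(None, (p.strip() for p in dn.split(";"))):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def lint_connection(conn, servers):
    """Return a list of findings for a planned user-after-desktop connection."""
    findings = []
    if conn.get("mode") != "Machine or User":
        findings.append("mode is not 'Machine or User'")
    if not conn.get("connect_automatically"):
        findings.append("Connect automatically is not selected")
    if conn.get("type") == "UAC (802.1X)" and conn.get("machine_cert_auth"):
        entries = conn.get("trusted_server_dns", [])
        if not entries:
            findings.append("no Trusted Server List entry")
        for dn in entries:
            if dn.strip() == "ANY":  # accepts every server certificate
                findings.append("Trusted Server List allows ANY server certificate")
                continue
            try:
                parse_dn(dn)
            except ValueError as err:
                findings.append(str(err))
    for kind in ("machine", "user"):
        realm = conn.get(f"preferred_{kind}_realm")
        role = conn.get(f"preferred_{kind}_role_set")
        for name, realms in servers.items():  # preferences must fit every server
            if realm and realm not in realms:
                findings.append(f"{kind} realm {realm!r} not defined on {name}")
            elif realm and role and role not in realms[realm]:
                findings.append(f"{kind} role set {role!r} not in realm {realm!r} on {name}")
    return findings

SERVERS = {  # constructed inventory: server -> realm -> role or rule names
    "ics-a": {"Machines": {"MachineRole"}, "Staff": {"Employee"}},
    "ics-b": {"Machines": {"MachineRole"}, "Staff": {"Contractor"}},
}
CONN = {"type": "UAC (802.1X)", "mode": "Machine or User", "connect_automatically": True,
        "machine_cert_auth": True, "trusted_server_dns": ["ANY"],
        "preferred_machine_realm": "Machines", "preferred_machine_role_set": "MachineRole",
        "preferred_user_realm": "Staff", "preferred_user_role_set": "Employee"}
```

Calling lint_connection(CONN, SERVERS) on the constructed data reports the ANY entry and the user role set that is missing on the second server.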