Machine and User Authentication Through an Ivanti Secure Access Client Connection for Ivanti Policy Secure
Ivanti Secure Access Client supports certificate authentication for establishing Layer 2 and Layer 3 connections. On Windows endpoints, an Ivanti Secure Access Client connection reads client certificates from the Local Computer personal certificate store to provide machine authentication, or user certificates from the user's personal certificate store or from a smart card to provide user authentication. An Ivanti Secure Access Client connection can read certificates from only one of these locations. For information on machine authentication, see Machine Authentication for Ivanti Policy Secure Overview.
You can create an Ivanti Secure Access Client connection that uses System Local, Active Directory, or RSA ACE server authentication to verify the user and a certificate to verify the machine identity before establishing a connection. To do so, you must first enable an option on the Ivanti Secure Access Client connection that allows the connection to use client certificates located in the Local Computer personal certificate store. The option, Select client certificate from machine certificate store, is part of the User Connection Preferences of an Ivanti Secure Access Client connection. User authentication is accomplished through realm authentication. Machine authentication is accomplished as part of a realm certificate restriction, because the certificate the Ivanti Secure Access Client connection presents is the machine certificate. If the certificate store holds more than one valid certificate for the connection, Ivanti Secure Access Client opens a dialog box that prompts the user to select a certificate.
The following list summarizes the steps to configure an Ivanti Secure Access Client connection on a Windows endpoint that authenticates both the user and the machine. For detailed procedures on how to perform each configuration task, see the links at Machine and User Authentication Through an Ivanti Secure Access Client Connection for Ivanti Policy Secure.
•Install a machine authentication certificate in the Local Computer personal certificate store of the Windows endpoint and configure the certificate server on the Ivanti server.
•Create an Ivanti Secure Access Client connection for the target Ivanti server. The connection type can be UAC (802.1X) or Connect Secure or Policy Secure (L3). The Connection is established option is typically set to Manually by the user or Automatically at user login.
•In the User Connection Preferences section of the connection properties, select the check box labeled Select client certificate from machine certificate store. This option enables the Ivanti Secure Access Client connection to present the machine certificate, and so perform machine authentication, as part of the connection attempt.
•Create a sign-in policy on the Ivanti server that specifies a user realm. The realm authentication server can be a System Local, Active Directory, or RSA ACE server.
•Configure a certificate restriction on the realm to enable the Ivanti server to request a client certificate. Be sure to enable the option labeled Only allow users with a client-side certificate signed by Trusted Client CAs to sign in. Because the Ivanti Secure Access Client connection is configured to present the machine certificate, it is the machine authentication that takes place by means of the realm certificate restriction; the user is still authenticated by the realm's authentication server.
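The endpoint side of this procedure, as an added example that is not part of Ivanti's documentation or product code: a PowerShell script that inspects the Local Computer personal store the connection reads once Select client certificate from machine certificate store is enabled, reports which certificates are usable for machine authentication (inside their validity period, carrying a private key, permitting Client Authentication, and building a chain on the endpoint), and flags the case described above where more than one usable certificate would make Ivanti Secure Access Client prompt the user to pick one. The Trusted Client CA subject name is a placeholder to replace with your own CA; the Client Authentication OID is the standard id-kp-clientAuth value. The script does not touch the Ivanti server side (sign-in policy, realm, certificate restriction), which is configured in the server administration UI as described in the steps above.

```powershell
# Added example, not Ivanti code: pre-flight check of the Windows Local Computer
# personal certificate store before enabling the machine-certificate option.
param(
    # Placeholder: subject of the CA you configured as a Trusted Client CA on
    # the Ivanti server. Replace with your own issuing CA's subject string.
    [string]$TrustedClientCaSubject = 'CN=Example Issuing CA, O=Example Corp'
)

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (RFC 5280)

function Test-MachineAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -le $now) {
        $problems += "outside validity period ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key (the client cannot sign the TLS/EAP handshake with it)'
    }
    # If an EKU extension is present it must include Client Authentication;
    # a certificate with no EKU extension at all is unrestricted and passes.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ekuExt -and -not ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthEku })) {
        $problems += 'EKU extension present but does not include Client Authentication'
    }
    if ($Cert.Issuer -ne $TrustedClientCaSubject) {
        $problems += "issuer '$($Cert.Issuer)' is not the configured Trusted Client CA"
    }
    # Build the chain locally. Revocation checking is disabled here so the
    # script runs offline; the Ivanti server applies its own revocation settings.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build on this endpoint: $status"
    }
    $chain.Dispose()

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Cert:\LocalMachine\My is the Local Computer personal store the connection reads.
# Run from an elevated prompt so HasPrivateKey is reported correctly.
$results = Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-MachineAuthCertificate -Cert $_ }

$results | Format-Table Thumbprint, Subject, NotAfter, Usable -AutoSize
$results | Where-Object { -not $_.Usable } | ForEach-Object {
    Write-Warning "$($_.Thumbprint): $($_.Problems -join '; ')"
}

$usable = @($results | Where-Object Usable)
switch ($usable.Count) {
    0 {
        Write-Error 'No usable machine certificate: the connection will fail the realm certificate restriction.'
    }
    1 {
        Write-Host "OK: one usable machine certificate ($($usable[0].Thumbprint)); the client will use it without prompting."
    }
    default {
        Write-Warning "$($usable.Count) usable certificates found: Ivanti Secure Access Client will prompt the user to choose one at connection time."
    }
}
```

Run it on the endpoint after installing the machine certificate and before enabling the option; for a connection set to Automatically at user login, the multiple-certificate warning is the one to resolve first, since the selection dialog appears every time the connection is attempted. The issuer comparison is an exact string match against the placeholder subject, so paste the issuer string exactly as the script prints it for your CA.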