Credential Provider Authentication for Ivanti Connect Secure

The Ivanti credential provider integration enables connectivity to a network that is required for the user to log on to the Windows domain. For example, the domain controller might reside behind a firewall and the endpoint uses credential provider login to connect to Ivanti Connect Secure prior to domain login. Ivanti integrates with Microsoft credential providers to enable password-based login and smart card login. A credential provider interface appears as a tile on a Windows (Vista or later) login screen.


You enable Ivanti credential provider support on a Pulse/Ivanti connection. After the connection has been downloaded to the endpoint through the normal Pulse/Ivanti distribution methods, an Ivanti logon tile appears on the endpoint's desktop. When the user initiates the logon process, Pulse/Ivanti establishes the connection.

Ivanti supports the following credential provider types:

user-at-credprov - The connection is established before the user login using credentials collected at the selected credential tile, which provides single-sign-on functionality. The connection is maintained as an active connection on the user's desktop.

machine-then-user-at-credprov - The connection is established using machine credentials when no user is logged in. When a user clicks a logon tile and provides user credentials, the machine connection is disconnected, and a new connection is established. When the user logs off, the user connection is disconnected, and the machine connection is reestablished. In one typical machine-then-user-at-credprov implementation, the machine connection and the user connection are mapped to different VLANs.

Ivanti credential provider support usage notes:

If the endpoint includes more than one Pulse/Ivanti Layer 2 connection, Windows determines which connection to use:

1. If a network cable is attached to the endpoint, Layer 2 wired connections are attempted first, and then wireless connections. If more than one wireless network is available, the order is determined by the scan list specified as an Ivanti connection option.

2. After all Layer 2 options are attempted, Ivanti runs location awareness rules to find one or more eligible Layer 3 connections that are configured for credential provider login. If more than one Layer 3 connection is found, Ivanti prompts the user to select a connection. A user can cancel the network connection attempt by clicking the Cancel button.

3. After Ivanti evaluates all configured connection options, Pulse returns control to Windows, which enables the user login operation.

For connections that use user credentials, the Pulse/Ivanti connection may be configured so that prompts are presented during the login process, for example, prompts for realm or role selection or a server certificate trust prompt. For connections that use machine credentials, Ivanti prompts cause the connection to fail because there is no interface to allow a response to the prompts. You can suppress any potential realm and role choice by specifying a preferred realm and role for the connection.

Ivanti upgrade notifications and actions are disabled during credential provider login and postponed until the user connection is established. Host Checker remediation notifications are displayed.

To allow users to log in using either a smart card or a password, you can create different authentication realms for each use case and then specify a preferred smart card logon realm and a preferred password logon realm as part of the connection properties.

To enable user-at-credprov credential provider support for a Pulse connection:

1. Create a Pulse/Ivanti connection set for the role (Users > Pulse > Connections), and then create a new Pulse connection. You can select Connect Secure or Policy Secure (L3), Policy Secure (802.1X), or SRX for the connection type.

2. In the Connection is established section, select one of the following options:

Automatically at user login - The user credentials are used to establish the authenticated Pulse connection to the network, log in to the endpoint, and log in to the domain server. The Pulse/Ivanti connection may be configured so that prompts are presented during the login process, for example, prompts for realm or role selection or a server certificate trust prompt.

Automatically when the machine starts. Connection is authenticated again at user login - Machine credentials are used to establish the authenticated Pulse/Ivanti connection to the network when the endpoint is started. When a user clicks the login tile and provides user credentials, the connection is authenticated again, and the original connection is dropped. When the user logs off, the user connection is ended and the machine connection is established again. In one typical use case, the machine credentials provide access to one VLAN and the user credentials provide access to a different VLAN. Be sure that the Pulse/Ivanti connection does not result in Pulse/Ivanti prompts, for example, prompts for realm or role selection or a server certificate trust prompt, because the machine credential login does not present an interface to respond to the prompts.

3. For a Layer 2 connection that uses machine certificate authentication, make sure that the connection has an entry in the Trusted Server List. To allow any server certificate, type Any as the Server certificate DN. To allow only one server certificate, specify the server certificate's full DN, for example, C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; CN=c4k1.stnh.mycompany.net; [email protected].

4. Specify Realm and Role Preferences to suppress realm or role selection dialogs during the logon process:

Preferred User Realm - Specify the realm for this connection. The connection ignores any other realm available for the specific logon credentials.

The following options enable you to allow the user to log in using a smart card or a password:

Preferred Smartcard Logon Realm - Preferred realm to be used when user logs in with a smart card.

Preferred Password Logon Realm - Preferred realm to be used when user logs in with a password.

Be sure that the authentication realms you specify exist, and that they support the appropriate login credential option.

Preferred User Role Set - Specify the preferred role or the name of the rule for the role set to be used for user authentication. The role or rule name used must be a member of the preferred user realm.

To enable machine-then-user-at-credprov credential provider support for a Pulse/Ivanti connection:

1. Create a Pulse connection set for the role (Users > Pulse > Connections), and then create a new Pulse connection. You can select Connect Secure or Policy Secure (L3), Policy Secure (802.1X), or SRX for the connection type.

2. In the Connection is established section, select one of the following options:

Automatically at user login - The user credentials are used to establish the authenticated Pulse connection to the network, log in to the endpoint, and log in to the domain server. The Pulse connection may be configured so that prompts are presented during the login process, for example, prompts for realm or role selection or a server certificate trust prompt.

Automatically when the machine starts. Connection is authenticated again at user login - Machine credentials are used to establish the authenticated Pulse connection to the network when the endpoint is started. When a user clicks the login tile and provides user credentials, the connection is authenticated again, and the original connection is dropped. When the user logs off, the user connection is ended, and the machine connection is established again. In one typical use case, the machine credentials provide access to one VLAN and the user credentials provide access to a different VLAN. Be sure that the Pulse connection does not result in Pulse prompts, for example, prompts for realm or role selection or a server certificate trust prompt, because the machine credential login does not present an interface to respond to the prompts.

3. For a Layer 2 connection that uses machine certificate authentication, make sure that the connection has an entry in the Trusted Server List. To allow any server certificate, type Any as the Server certificate DN. To allow only one server certificate, specify the server certificate's full DN, for example, C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; CN=c4k1.stnh.mycompany.net; [email protected].

4. Specify Realm and Role Preferences to suppress realm or role selection dialogs during the logon process for both machine logon and user logon:

Preferred Machine Realm - Specify the realm that this connection uses when establishing the machine connection. The connection ignores any other realm available for the specific logon credentials.

Preferred Machine Role Set - Specify the role or the name of the rule for the role set that this connection uses when establishing the machine connection. The role or rule name used must be a member of the preferred machine realm.

Preferred User Realm - Specify the realm that this connection uses when a user logs on to the endpoint. The connection ignores any other realm available for the user's logon credentials.

Preferred User Role Set - Specify the preferred role or the name of the rule for the role set to be used for user authentication. The role or rule name used must be a member of the preferred user realm.

5. Optionally specify pre-login preferences:

Pre-login maximum delay - The time period (in seconds) that a Windows client waits for an 802.1X connection to succeed during the login attempt. The range is 1 to 120 seconds.

Pre-login user based virtual LAN - If you are using VLANs for the machine login and the user login, you can enable this check box to allow the system to make the VLAN change.

6. Click Save Changes and then distribute the Pulse connection to Pulse client endpoints.
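Step 3 of both procedures above offers two Trusted Server List settings: Any, or the server certificate's full DN. The following added example (not Ivanti's code; the DN normalisation and exact attribute-set match are assumptions about how such an entry is evaluated) models that check so the difference is concrete: an Any entry accepts every server certificate, so a machine-credential connection, which has no prompt to refuse an untrusted server, would authenticate to any server presenting a certificate, whereas a pinned DN rejects any other subject.

```python
# Illustrative model of the Trusted Server List (TSL) check from step 3.
# Not Ivanti's implementation; the matching rule is an assumption:
# attribute types are compared case-insensitively, values after trimming,
# and the whole attribute set must match exactly.
from typing import Dict


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a 'C=US; ST=NH; CN=host' style DN into {ATTR: value}."""
    attrs: Dict[str, str] = {}
    for part in dn.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        key, value = part.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs


def tsl_entry_is_pinned(tsl_entry: str) -> bool:
    """True when the entry pins one server DN instead of accepting Any."""
    return tsl_entry.strip().lower() != "any"


def server_cert_trusted(tsl_entry: str, presented_subject_dn: str) -> bool:
    """Decide whether a presented server certificate subject satisfies the
    TSL entry. 'Any' trusts every server, i.e. no server identity pinning."""
    if not tsl_entry_is_pinned(tsl_entry):
        return True
    return parse_dn(tsl_entry) == parse_dn(presented_subject_dn)


# Constructed sample values in the DN format shown in step 3 (the redacted
# email component on the page is omitted); not from a real deployment.
PINNED_ENTRY = ("C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; "
                "CN=c4k1.stnh.mycompany.net")
OTHER_SUBJECT = ("C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; "
                 "CN=other.stnh.mycompany.net")

if __name__ == "__main__":
    for entry in ("Any", PINNED_ENTRY):
        kind = "pinned DN" if tsl_entry_is_pinned(entry) else "accepts any server"
        print(f"{kind:18} | other subject accepted: "
              f"{server_cert_trusted(entry, OTHER_SUBJECT)}")
```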

The Pulse/Ivanti tile appears on the login page the next time the end users log in.

The user account must exist on both the Windows PC and on Connect Secure with the same login name.

Check the user logs for credential provider log-in information.