Machine and User Authentication through a Pulse Client Connection for Ivanti Connect Secure
Pulse Client supports certificate authentication for establishing Layer 2 and Layer 3 connections. On Windows endpoints, a Pulse Client connection accesses either client certificates in the Local Computer personal certificate store (for machine authentication) or user certificates in the user's personal certificate store or on a smart card (for user authentication). A Pulse Client connection can access certificates from only one of these locations. For information on machine authentication, see Machine Authentication for Ivanti Connect Secure Overview.
You can create a Pulse Client connection that verifies the identity of both the machine and the user before establishing a connection. There are two options for configuring this dual authentication connection. Both options authenticate the user against a Local System, Active Directory, or ACE server and authenticate the machine with a certificate. Both options also rely on the same Pulse Client connection option, Select client certificate from machine certificate store, which is part of the User Connection Preferences of a Pulse Client connection.
Option 1: Use an additional authentication server for a realm:
• Create a Pulse Client connection for the target Ivanti server. The connection type can be Policy Secure (802.1X) or Connect Secure or Policy Secure (L3). The Connection is established option is typically set to manually by the user or automatically at user login.
• In the User Connection Preferences section of the connection properties, click the check box labeled Select client certificate from machine certificate store. This option enables the Pulse Client connection to perform the machine authentication as part of the connection attempt.
• Create a realm sign-in policy that authenticates to a certificate server. When Pulse Client provides the certificate to the server, it uses the certificate from the Local Computer certificate store, which authenticates the machine. If the certificate store holds more than one valid certificate for the connection, Pulse Client opens a dialog box that prompts the user to select a certificate.
• Create a secondary authentication server for the realm. The secondary server can be a Local System, Active Directory, or RSA ACE server. When the machine authentication is successful, the user is prompted to provide authentication credentials for the secondary authentication server.
Option 2: Use realm authentication to authenticate the user and a certificate restriction on the realm to authenticate the machine:
• Create a Pulse Client connection for the target Ivanti server. The connection type can be Policy Secure (802.1X) or Connect Secure or Policy Secure (L3). The Connection is established option is typically set to manually by the user or automatically at user login.
• In the User Connection Preferences section of the connection properties, click the check box labeled Select client certificate from machine certificate store.
• Create a sign-in policy on Ivanti Connect Secure that specifies a user realm. The realm authentication server can be a Local System, Active Directory, or RSA ACE server.
• Configure a certificate restriction on the realm to enable Ivanti Connect Secure to request a client certificate. Be sure to enable the option labeled only allow users with a client-side certificate signed by Trusted Client CAs to sign in.
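Both options depend on the Windows endpoint holding exactly one usable certificate in the Local Computer personal store, since several valid certificates make Pulse Client prompt the user to choose and none makes machine authentication fail. The following PowerShell check is an added example, not part of the Ivanti documentation or the Pulse Client product; it assumes the realm's certificate server expects the Client Authentication EKU (1.3.6.1.5.5.7.3.2) and that the endpoint's own trusted root store approximates the Trusted Client CAs configured on Ivanti Connect Secure.

```powershell
# Added example (not Ivanti code): report which Local Computer certificates a
# Pulse Client connection could present for machine authentication.
# Assumptions: Client Authentication EKU is required, and a chain that the
# endpoint itself trusts approximates the Trusted Client CAs on the server.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$now = Get-Date

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    # No EKU extension means "any purpose"; otherwise Client Authentication must be listed.
    $ekuOk   = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $clientAuthOid)
    $timeOk  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    $chainOk = $cert.Verify()   # chain build against the machine's trusted roots, with revocation checking
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        HasKey     = $cert.HasPrivateKey   # no private key means the cert cannot be used to sign the TLS handshake
        ClientAuth = $ekuOk
        InDate     = $timeOk
        ChainOk    = $chainOk
        Usable     = $cert.HasPrivateKey -and $ekuOk -and $timeOk -and $chainOk
    }
}

$candidates | Format-Table Subject, Issuer, NotAfter, HasKey, ClientAuth, InDate, ChainOk, Usable -AutoSize

# Mirror what the connection will experience: none, one, or a selection dialog.
$usable = @($candidates | Where-Object Usable)
switch ($usable.Count) {
    0       { Write-Warning 'No usable machine certificate: machine authentication will fail on this endpoint.' }
    1       { Write-Host "One usable machine certificate found: $($usable[0].Subject)" }
    default { Write-Warning "$($usable.Count) usable certificates found; Pulse Client will prompt the user to select one." }
}
```

Run it in an elevated PowerShell session on the endpoint; certificates whose private key is held by a user-only provider will show HasKey as False even though they appear in the store.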