Configuring Machine-Then-User-at-Credprov Credential Provider Authentication for a Pulse Client Connection

With a machine-then-user-at-credprov connection, Pulse Client establishes the connection using machine credentials when no user is logged in. When a user clicks a login tile and provides user credentials, the machine connection is disconnected, and a new connection is established. When the user logs out, the user connection is disconnected, and the machine connection is reestablished. In one typical machine-then-user-at-credprov implementation, the machine connection and the user connection are mapped to different VLANs.

To enable machine-then-user-at-credprov credential provider support for a Pulse Client connection:

1.Create a Pulse Client connection set for the role (Users > Pulse Secure > Connections), and then create a new Pulse Client connection. You can select either a Layer 3 connection type, Connect Secure or Policy Secure (L3), or a Layer 2 connection type, Policy Secure (802.1X).

2.In the Connection is established section, select "Machine or User" for the mode.

3.Under Options, select the Connect automatically check box.

4.In the Connection is established section, select one of the following options:

5.For a Layer 2 connection that uses machine certificate authentication, make sure that the connection has an entry in the Trusted Server List. To allow any server certificate, type ANY as the Server certificate DN. To allow only one server certificate, specify the server certificate's full DN, for example, C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; CN=c4k1.stnh.mycompany.net; [email protected]. Note that ANY turns off server certificate validation for the connection: the endpoint cannot then tell your authentication server from a rogue one that presents any certificate, so use ANY only while testing and pin the full DN of the authentication server's certificate in production.

6.Specify "Realm and Role Preferences" to suppress realm or role selection dialogs during the login process for both machine and user logins:

Preferred Machine Realm: Specify the realm that this connection uses when establishing the machine connection. The connection ignores any other realm that is available for the specific login credentials.

Preferred Machine Role Set: Specify the role or the name of the rule for the role set that this connection uses when establishing the machine connection. The role or rule name used must be a member of the preferred machine realm.

Preferred User Realm: Specify the realm that this connection uses when a user logs in to the endpoint. The connection ignores any other realm that is available for the user's login credentials.

The following options let you set a separate preferred realm depending on whether the user logs in with a smart card or with a password:

Preferred Smartcard Logon Realm: The preferred realm to use when the user logs in with a smart card.

Preferred Password Logon Realm: The preferred realm to use when the user logs in with a password.

Be sure that the authentication realms you specify exist, and that each supports the credential type used to log in to it (smart card for the smart card logon realm, password for the password logon realm).

Preferred User Role Set: Specify the preferred role or the name of the rule for the role set to be used for user authentication. The role or rule name used must be a member of the preferred user realm.

If the Pulse Client connection is configured to use a list of Pulse Secure servers, the preferred roles and realms you specify must be applicable to all of those servers.
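The following Python script is an added example, not Pulse Secure code or part of this guide, that checks the realm and role preferences above against a realm inventory of every server in the connection's server list. The inventory structure, the server names and the credential labels ("machine-cert", "smartcard", "password") are hypothetical stand-ins for what an administrator would export from each server's realm and role configuration.

```python
"""Consistency check for the Realm and Role Preferences of a
machine-then-user-at-credprov Pulse Client connection.

Added example, not Pulse Secure code. The inventory structure, server names
and credential labels are assumptions made for illustration.

Rules checked, as stated in the procedure:
  * every preferred realm must exist on every server in the connection's server list
  * a preferred role set must be a member of its preferred realm
  * the smart card / password logon realms must accept that credential type
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Realm:
    role_sets: Set[str]      # roles or role-mapping rule names in the realm
    credentials: Set[str]    # credential types the realm's auth server accepts


Inventory = Dict[str, Dict[str, Realm]]   # server -> realm name -> Realm


@dataclass
class ConnectionPrefs:
    servers: List[str]                 # the connection's Pulse Secure server list
    machine_realm: str
    machine_role_set: str
    user_role_set: str
    user_realm: Optional[str] = None
    smartcard_realm: Optional[str] = None
    password_realm: Optional[str] = None


def check_prefs(prefs: ConnectionPrefs, inventory: Inventory) -> List[str]:
    """Return human-readable problems; an empty list means the preferences are consistent."""
    # (realm, role set, credential the realm must accept, or None to skip that check)
    wanted = [(prefs.machine_realm, prefs.machine_role_set, "machine-cert")]
    for realm_name, cred in ((prefs.user_realm, None),
                             (prefs.smartcard_realm, "smartcard"),
                             (prefs.password_realm, "password")):
        if realm_name:
            wanted.append((realm_name, prefs.user_role_set, cred))

    problems: List[str] = []

    def report(msg: str) -> None:
        if msg not in problems:          # the same realm may be listed under two preferences
            problems.append(msg)

    for server in prefs.servers:
        realms = inventory.get(server)
        if realms is None:
            report(f"{server}: no realm inventory for this server")
            continue
        for realm_name, role_set, cred in wanted:
            realm = realms.get(realm_name)
            if realm is None:
                report(f"{server}: realm {realm_name!r} does not exist")
                continue
            if cred and cred not in realm.credentials:
                report(f"{server}: realm {realm_name!r} does not accept {cred} logins")
            if role_set not in realm.role_sets:
                report(f"{server}: role set {role_set!r} is not a member of realm {realm_name!r}")
    return problems


# Constructed inventory for two hypothetical servers; server B has drifted from A.
INVENTORY: Inventory = {
    "pcs-a.example.net": {
        "Machines": Realm({"Machine Role"}, {"machine-cert"}),
        "Users": Realm({"Employees"}, {"password"}),
        "Smartcard Users": Realm({"Employees"}, {"smartcard"}),
    },
    "pcs-b.example.net": {
        "Machines": Realm({"Machine Role"}, {"machine-cert"}),
        "Users": Realm({"Staff"}, {"password"}),      # role set renamed on this server
        # the "Smartcard Users" realm was never created on this server
    },
}

PREFS = ConnectionPrefs(
    servers=["pcs-a.example.net", "pcs-b.example.net"],
    machine_realm="Machines", machine_role_set="Machine Role",
    user_role_set="Employees", user_realm="Users",
    smartcard_realm="Smartcard Users", password_realm="Users",
)

if __name__ == "__main__":
    for line in check_prefs(PREFS, INVENTORY) or ["preferences are consistent on all servers"]:
        print(line)
```

With the constructed inventory the script reports the two drift problems on pcs-b.example.net (the missing smart card realm and the renamed role set); a connection distributed with these preferences would fall back to realm or role selection dialogs on that server, which is exactly what the preferences are meant to suppress.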

7.Optionally, specify pre-login preferences:

Pre-login maximum delay: The time period (in seconds) that a Windows client waits for an 802.1X connection to succeed during the login attempt. The range is 1 to 120 seconds.

Pre-login user based virtual LAN: If the machine connection and the user connection are mapped to different VLANs, select this check box to allow the system to make the VLAN change when the user connection is established.

8.Click Save Changes, and then distribute the Pulse Client connection to Pulse Client endpoints.