Configuring a Pulse Client Credential Provider Connection for Password or Smart Card Login
If you allow users to log in either with a smart card or with a username/password, the Pulse Client credential provider can authenticate the user automatically based on the login method the user chooses. The Pulse Client user sees two credential provider tiles for the Pulse Client connection: one for smart card authentication and one for username/password authentication. Credential provider tiles that launch a Pulse Client connection carry a Pulse Secure logo (see figure below). The Pulse Client connection determines which realm to use from the preferred realm settings that you specify as part of the Pulse Client connection preferences. If the connection succeeds, the login type is saved so that, if re-authentication is needed (for example, because the connection times out), the same login type is used.
Before you begin:
• Before you deploy a connection that uses this feature, make sure that you have created all the required authentication realms. You need one realm for smart card authentication and a different one for username/password authentication. Both realms can be mapped to the same role, or you can use different roles. In either case, include a remediation role for endpoints that do not pass Host Checker evaluation. If you use machine authentication for the connection (machine-then-user at the credential provider), you also need an authentication realm for the machine.
• Make sure that all of the realms that are used in the Pulse Client connection are included in the sign-in policy.
• The authentication realms on the Pulse Secure server must be configured so that the Preferred Pre-login Smartcard Realm uses certificate authentication and the Preferred Pre-login Password Realm uses username/password authentication.
The following procedure summarizes the steps to create a Pulse Client Connection that uses credential provider authentication, and allows the user to choose either smart card login or username/password login.
1. Click Users > Pulse Secure > Connections and create or select a connection set.
2. Create or edit a connection. For connection type, you can select either "UAC (802.1X)" for a Layer 2 connection or "Connect Secure" or "Policy Secure (L3)" for a Layer 3 connection. The "SRX connection" type does not support credential provider authentication.
3. For the Connection is established option, choose one of the two credential configuration options shown in the figures below.
Automatically at user login: The user credentials are used to establish the authenticated Pulse Client connection to the network, log in to the endpoint, and log in to the domain server. Select User as the mode. Under options, select Connect automatically.
Automatically when machine starts: Machine credentials are used to establish the authenticated Pulse Client connection to the network using the specified Machine Connection Preferences or Pre-login Connection Preferences. When the user provides user credentials, the connection is authenticated again. Select Machine or User as the mode. Under options, select Connect automatically.
4. For Connect Secure or Policy Secure (L3) connections that are set to have the connection established automatically, you can define location awareness rules that enable an endpoint to connect conditionally.
5. For a Layer 2 connection that uses machine certificate authentication, make sure that the connection has an entry in the Trusted Server List. To allow any server certificate, type "ANY" as the Server certificate DN. To allow only one server certificate, specify the server certificate's full DN, for example, C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; CN=c4k1.stnh.mycompany.net; [email protected]. Use "ANY" only for testing: it disables matching on the server certificate DN, so the client cannot tell the intended authentication server apart from any other server whose certificate it would otherwise accept. For production, pin the full DN.
6. For the desired connection behavior, set the connection preferences as described in the table below.
If the Pulse Client connection is configured to use a list of Pulse Secure servers, the preferred roles and realms you specify must be applicable to all of those servers.
Table: Pulse Client Credential Provider Login Behavior

Login behavior: At user login, the user can choose from two credential provider tiles: smart card login or username/password login. The credentials are then used to connect to the network, log in to the endpoint, and log in to the domain server.
Connection is established: Automatically at user login.
User Connection Preferences: Preferred User Realm and Preferred User Role Set are not available if you specify values for Preferred Pre-login Password Realm and Preferred Pre-login Smartcard Realm.
Pre-Login Connection Preferences: Enables Pulse Client credential provider tiles. The realm name appears on each tile. You must specify values for both of the following options. Preferred Pre-login Password Realm: the authentication realm that provides username/password authentication. Preferred Pre-login Smartcard Realm: the authentication realm that provides smart card authentication.
Machine Connection Preferences: Not available.

Login behavior: At machine login and at user login, the user can choose from two credential provider tiles: smart card login or username/password login.
Connection is established: Automatically when machine starts. The connection is authenticated again at user login.
Pre-Login Connection Preferences: Enables Pulse Client credential provider tiles. The realm name appears on each tile. Preferred Pre-login Password Realm: the authentication realm that provides username/password authentication. Preferred Pre-login Smartcard Realm: the authentication realm that provides smart card authentication.
Machine Connection Preferences: Preferred Machine Realm and Preferred Machine Role Set are not available if you specify values for Preferred Pre-login Password Realm and Preferred Pre-login Smartcard Realm.
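Step 5 of the procedure contrasts a Trusted Server List entry of "ANY" with a pinned full DN. The following Python models that check so the difference is concrete. It is an added example, not Pulse Secure code: the page does not state how the client compares DNs, so the code assumes attribute-by-attribute comparison with whitespace trimmed, attribute types compared case-insensitively, values compared exactly, and the literal "ANY" accepting every subject. The sample DNs are constructed for the example; the pinned one is the page's sample DN without its E= component, which is not legible on the page.

```python
"""Model of a Trusted Server List check for a Pulse Client L2 connection.

Added example, not Pulse Secure code. Assumed matching rules (the page does
not specify them): attribute-by-attribute comparison, whitespace trimmed,
attribute types compared case-insensitively, values compared exactly, and
the literal entry "ANY" accepting every presented subject.
"""
from typing import Dict, List


def parse_dn(dn: str) -> Dict[str, str]:
    """Turn 'C=US; ST=NH; CN=host' into {'C': 'US', 'ST': 'NH', 'CN': 'host'}."""
    attrs: Dict[str, str] = {}
    for component in dn.split(";"):
        component = component.strip()
        if not component:
            continue  # tolerate a trailing ';'
        if "=" not in component:
            raise ValueError(f"malformed DN component: {component!r}")
        attr_type, value = component.split("=", 1)
        attrs[attr_type.strip().upper()] = value.strip()
    return attrs


def dn_matches(entry: str, presented_subject: str) -> bool:
    """Does one Trusted Server List entry accept the presented certificate subject?"""
    if entry.strip().upper() == "ANY":
        return True  # no DN pinning at all: every subject passes
    return parse_dn(entry) == parse_dn(presented_subject)


def server_trusted(trusted_server_list: List[str], presented_subject: str) -> bool:
    """The list check: the server is trusted if any configured entry matches."""
    return any(dn_matches(entry, presented_subject) for entry in trusted_server_list)


# Constructed sample data. PINNED is the page's example DN minus its E=
# component, which is not legible on the page.
PINNED = ("C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; "
          "CN=c4k1.stnh.mycompany.net")
# Same identity, different formatting: lowercase types, no spaces, trailing ';'
GENUINE_SUBJECT = ("c=US;st=NH;l=Kingston;o=My Company;ou=Engineering;"
                   "cn=c4k1.stnh.mycompany.net;")
# Everything matches except the CN: a different server under the same CA
OTHER_SUBJECT = ("C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; "
                 "CN=other-host.stnh.mycompany.net")


def compare_configurations() -> Dict[str, bool]:
    """Outcome of both Trusted Server List configurations against both subjects."""
    return {
        "pinned_dn_accepts_genuine": server_trusted([PINNED], GENUINE_SUBJECT),
        "pinned_dn_accepts_other": server_trusted([PINNED], OTHER_SUBJECT),
        "any_accepts_genuine": server_trusted(["ANY"], GENUINE_SUBJECT),
        "any_accepts_other": server_trusted(["ANY"], OTHER_SUBJECT),
    }


if __name__ == "__main__":
    for name, accepted in compare_configurations().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The pinned entry accepts the genuine server regardless of how its subject is formatted and rejects the other host, while "ANY" accepts both; that second result is the reason step 5 reserves "ANY" for cases where you deliberately accept any server certificate.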