Machine and User Authentication Through a Pulse Client Connection for Pulse Policy Secure

Pulse Client supports certificate authentication for establishing Layer 2 and Layer 3 connections. On Windows endpoints, a Pulse Client connection accesses client certificates located in the Local Computer personal certificate store to provide machine authentication, or user certificates located in a user's personal certificate store or on a smart card for user authentication. A Pulse Client connection can access certificates from only one location. For information on machine authentication, see Machine Authentication for Pulse Policy Secure Overview.

You can create a Pulse Client connection that uses System Local, Active Directory, or RSA ACE server authentication to verify the user and a certificate to verify machine identity before establishing a connection. To do so, you must first enable an option for the Pulse Client connection that allows the connection to check the client certificates located in the Local Computer personal certificate store. The option, Select client certificate from machine certificate store, is part of the User Connection Preferences of a Pulse Client connection. User authentication is accomplished through realm authentication. Machine authentication is accomplished as part of a realm certificate restriction, because the Pulse Client connection uses the machine certificate. If the certificate store holds more than one valid certificate for the connection, Pulse Client opens a dialog box that prompts the user to select a certificate.

The following list summarizes the steps to configure a Pulse Client connection on a Windows endpoint that authenticates both the user and the machine. For detailed procedures on how to perform each configuration task, see the links at Machine and User Authentication Through a Pulse Client Connection for Pulse Policy Secure.

1. Install a machine authentication certificate in the Local Computer personal certificate store of the Windows endpoint, and configure the certificate server on the Pulse Secure server.

2. Create a Pulse Client connection for the target Pulse Secure server. The connection type can be UAC (802.1X) or Connect Secure or Policy Secure (L3). The Connection is established option is typically set to either Manually by the user or Automatically at user login.

3. In the User Connection Preferences section of the connection properties, select the check box labeled Select client certificate from machine certificate store. This option enables the Pulse Client connection to perform the machine authentication as part of the connection attempt.

4. Create a sign-in policy on the Pulse Secure server that specifies a user realm. The realm authentication server can be a System Local, Active Directory, or RSA ACE server.

5. Configure a certificate restriction on the realm to enable the Pulse Secure server to request a client certificate. Be sure to enable the option labeled Only allow users with a client-side certificate signed by Trusted Client CAs to sign in. Because the Pulse Client connection is configured to use the machine certificate, the machine authentication takes place by means of the realm certificate restriction, while the user is authenticated by the realm authentication server.
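Before the connection is tested, it is worth confirming on the endpoint that the Local Computer personal store actually holds one, and only one, certificate the connection can present: with none, the realm certificate restriction cannot be satisfied, and with more than one valid certificate Pulse Client prompts the user to pick one, which is unwelcome on a connection meant to come up automatically at user login. The following PowerShell script is an added example and is not part of the Pulse Secure documentation or product. It assumes an elevated PowerShell session on the Windows endpoint, that the server expects the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), and that a certificate whose chain builds against the endpoint's own trust stores is issued by a CA the server lists under Trusted Client CAs (the script cannot see the server's list, so that last point remains a manual check).

```powershell
# Added example, not from the Pulse Secure documentation.
# Inventories Cert:\LocalMachine\My for certificates that a machine-authentication
# connection could present, then warns when there is no usable certificate or
# more than one (the case in which Pulse Client prompts the user to choose).
# Assumptions: elevated PowerShell on the Windows endpoint; Client Authentication
# EKU is what the server expects; Trusted Client CAs membership is not checked here.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$now = Get-Date

function Test-MachineAuthCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    # The connection can only present a certificate whose private key is available.
    if (-not $Cert.HasPrivateKey) { return $false }
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -le $now) { return $false }

    # No EKU extension means "any purpose"; otherwise Client Authentication is required.
    $ekus = @($Cert.EnhancedKeyUsageList)
    if ($ekus.Count -gt 0 -and -not ($ekus | Where-Object { $_.ObjectId -eq $ClientAuthOid })) {
        return $false
    }
    return $true
}

function Get-ChainStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        # Revocation is skipped so the check works offline; use Online to include CRL/OCSP.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built  = $chain.Build($Cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        if ([string]::IsNullOrEmpty($status)) { $status = 'NoError' }
        return [pscustomobject]@{ Built = $built; Status = $status }
    }
    finally {
        $chain.Reset()
    }
}

# One row per certificate in the Local Computer personal store.
$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $chainInfo = Get-ChainStatus -Cert $cert
    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        Candidate   = (Test-MachineAuthCandidate -Cert $cert)
        ChainBuilt  = $chainInfo.Built
        ChainStatus = $chainInfo.Status
    }
}

$report | Format-Table -AutoSize

$usable = @($report | Where-Object { $_.Candidate -and $_.ChainBuilt })
switch ($usable.Count) {
    0       { Write-Warning 'No usable machine certificate found; the realm certificate restriction cannot be satisfied.' }
    1       { Write-Host ("Exactly one usable machine certificate: {0}" -f $usable[0].Thumbprint) }
    default { Write-Warning ("{0} usable certificates found; Pulse Client will prompt the user to choose one." -f $usable.Count) }
}
```

The ChainStatus column is the most useful one when the count is wrong: UntrustedRoot or PartialChain means the issuing CA chain is missing from the endpoint's Trusted Root or Intermediate stores, and NotTimeValid points at an expired or not-yet-valid certificate. A certificate that shows Candidate False because HasPrivateKey is False was typically imported without its key and must be re-enrolled rather than re-imported.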