Always ON VPN + machine authentication + secondary user authentication

ssimartim
Occasional Contributor

Hi team,

I’m trying the following configuration; is it possible? I don't know if there is any incompatibility.

Always ON VPN + machine authentication + secondary user authentication (LDAP)

What I want is for our laptops to establish the VPN connection during startup based on machine authentication (when the user hasn’t logged in to Windows yet). When the user logs in to Windows, the VPN connection (created by the machine) is replaced with a VPN based on user credentials, as these docs explain:

https://docs.pulsesecure.net/WebHelp/PDC/9.0R1/Content/PDC_AdminGuide_9.0R1/Machine_and_User_Authent...

https://docs.pulsesecure.net/WebHelp/PDC/9.0R1/Content/PDC_AdminGuide_9.0R1/Pulse_Connection_is_Esta... -> Figure 66 and Figure 68

I could not get it to work. Analyzing the logs, I can see the PSA checks the certificate, the primary authentication is successful, and then the PSA tries to validate user/pass, but the user hasn’t logged in yet, so it fails. The first VPN connection, based only on machine authentication, doesn’t get established. When the user logs in to Windows, then the VPN is established.

2021-02-03 14:10:06 - ive - [10.16.0.30] Default Network::user(REALM_XXX)[] - Login failed using auth server Local_auth_server (Local Authentication). Reason: Failed -->>  For testing purposes I'm using local auth

2021-02-03 14:10:06 - ive - [10.16.0.30] Default Network::user(REALM_XXX)[] - Secondary authentication failed for host/host.dom/Local_auth_server from 10.16.0.30

2021-02-03 14:10:06 - ive - [10.16.0.30] Default Network::user(REALM_XXX)[] - Password realm restrictions successfully passed for user/REALM_XXX , with certificate 'Certificate'

2021-02-03 14:10:06 - ive - [10.16.0.30] Default Network::user(REALM_XXX)[] - Primary authentication successful for user/AUTHSERV_Cert_Ministerio from 10.16.0.30

Thanks
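As an added example (not from the post, and not Pulse Secure's own tooling), a small Python check over the "ive" log format quoted above that flags the pattern the replies diagnose: a machine-certificate (host/...) principal passing primary authentication and then failing a secondary auth server from the same source IP, which indicates a secondary auth server is configured on the machine realm. The 10.16.0.30 lines are the ones from the post; the 10.16.0.31 line is constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Shape of the PCS "ive" event lines quoted in the post:
# "<timestamp> - ive - [<src ip>] <context> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<src>\S+) - "
    r"\[(?P<ip>[^\]]+)\] (?P<ctx>.+?) - (?P<msg>.*)$"
)
PRIMARY_OK_RE = re.compile(r"Primary authentication successful for (?P<principal>\S+) from")
# Principal and auth server are joined by "/", e.g. host/host.dom/Local_auth_server;
# the greedy first group splits on the last "/".
SECONDARY_FAIL_RE = re.compile(
    r"Secondary authentication failed for (?P<principal>\S+)/(?P<server>\S+) from"
)

# Lines from the post (trailing inline comment removed) plus one constructed line.
SAMPLE_LOG = [
    "2021-02-03 14:10:06 - ive - [10.16.0.30] Default Network::user(REALM_XXX)[] - Login failed using auth server Local_auth_server (Local Authentication). Reason: Failed",
    "2021-02-03 14:10:06 - ive - [10.16.0.30] Default Network::user(REALM_XXX)[] - Secondary authentication failed for host/host.dom/Local_auth_server from 10.16.0.30",
    "2021-02-03 14:10:06 - ive - [10.16.0.30] Default Network::user(REALM_XXX)[] - Password realm restrictions successfully passed for user/REALM_XXX , with certificate 'Certificate'",
    "2021-02-03 14:10:06 - ive - [10.16.0.30] Default Network::user(REALM_XXX)[] - Primary authentication successful for user/AUTHSERV_Cert_Ministerio from 10.16.0.30",
    # constructed: an ordinary user principal failing secondary auth is not a machine-realm issue
    "2021-02-03 14:12:30 - ive - [10.16.0.31] Default Network::user(REALM_XXX)[] - Secondary authentication failed for user/jdoe/Local_auth_server from 10.16.0.31",
]


class Finding(NamedTuple):
    ip: str
    principal: str
    auth_server: str


def parse(line: str) -> Optional[dict]:
    """Split one event line into its fields, or None if it is not an ive event."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_machine_realm_secondary_failures(lines: List[str]) -> List[Finding]:
    """Return one Finding per host/... principal that failed secondary auth from an
    IP that also passed primary (certificate) auth. Order of lines does not matter,
    so the newest-first export order shown in the post is fine."""
    primary_ok: Dict[str, set] = defaultdict(set)
    secondary_fail: Dict[str, list] = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if (m := PRIMARY_OK_RE.search(ev["msg"])):
            primary_ok[ev["ip"]].add(m.group("principal"))
        if (m := SECONDARY_FAIL_RE.search(ev["msg"])) and m.group("principal").startswith("host/"):
            secondary_fail[ev["ip"]].append((m.group("principal"), m.group("server")))
    return [Finding(ip, p, s) for ip, fails in secondary_fail.items() if primary_ok.get(ip)
            for p, s in fails]
```

Each finding names the source IP, the machine principal and the auth server that should not be attached to the machine realm.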

2 REPLIES
zanyterp
Moderator

Re: Always ON VPN + machine authentication + secondary user authentication

Yes, that is correct: you cannot use secondary auth with machine authentication.
You will need to have a machine realm and a user realm defined in the connection set.
r@yElr3y
Moderator

Re: Always ON VPN + machine authentication + secondary user authentication

@ssimartim As mentioned by @zanyterp, you have to create separate realms for machine & user tunnels. The machine realm should have only a cert-type auth server set.

PCS Expert
Pulse Connect Secure Certified Expert