
Host certificate authentication

fran1942
New Contributor


Hello, I have a general concept question please.

My client computers all have Active Directory issued machine certificates. I want to authenticate Pulse client users based on these certificates.

I see that in the Pulse server you have to define an authentication server of type 'Certificate Server'. What is this 'Certificate Server'? Is it referring to Pulse itself?

My intention was to authenticate my client machine AD issued certificates against my Windows NPS RADIUS server. Is this possible?

zanyterp
Moderator

Re: Host certificate authentication

If you are using the Pulse client, yes, you should be able to do that by enabling the option to get the client certificate from machine store in the Pulse connection definition.
The certificate server is a server instance on the appliance that allows you to configure how to create the username from the certificate. The user, or machine, certificates are checked based on the trusted client CAs installed at System>Configuration>Certificates>Trusted Client CAs.
fran1942
New Contributor

Re: Host certificate authentication

Thank you.

1. To confirm, it is not possible to use a third-party RADIUS server to verify user certificates?

2. What happens if a certificate is revoked by Active Directory, i.e. can Pulse make revoked certificate checks each time it authenticates a client certificate?

zanyterp
Moderator

Re: Host certificate authentication

1: Yes, RADIUS cannot be used to validate certificates. You need to upload the CA chain of your issuer to confirm what machine certificates you want to trust against.

2: If you have configured OCSP or CRL checking _and_ you have enforcement enabled, the user will not be allowed to log in. If you do not have OCSP or CRL checking enabled, or enforced, they will be allowed to log in.
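
The behaviour described in answer 2, reproduced with the OpenSSL command line as an added example (not part of the thread and not the appliance's own validation code). A throwaway CA stands in for the AD issuing CA; `host01.example.test`, `build_demo_pki` and `check_cert` are names made up for this sketch.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: every name, key and certificate here is throwaway.
build_demo_pki() (            # $1 = empty working directory (runs in a subshell)
  cd "$1" || exit 1
  mkdir newcerts && : > index.txt && echo 1000 > serial && echo 1000 > crlnumber || exit 1
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
  ca="openssl ca -batch -config ca.cnf -cert ca.pem -keyfile ca.key"
  # Stand-in issuing CA, one machine certificate, then revoke it and publish a CRL.
  {
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -subj "/CN=Demo Issuing CA" -days 30 -keyout ca.key -out ca.pem &&
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=host01.example.test" -keyout host.key -out host.csr &&
    $ca -notext -in host.csr -out host.pem &&
    $ca -revoke host.pem &&
    $ca -gencrl -out ca.crl
  } >/dev/null 2>&1
)

check_cert() {                # $1 = PKI dir, $2 = chain-only | enforce-crl
  case "$2" in
    chain-only)  openssl verify -CAfile "$1/ca.pem" "$1/host.pem" ;;
    enforce-crl) openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/ca.crl" "$1/host.pem" ;;
    *) return 2 ;;
  esac >/dev/null 2>&1
}
d=$(mktemp -d) && build_demo_pki "$d" || { echo "openssl setup failed" >&2; exit 1; }
for mode in chain-only enforce-crl; do
  check_cert "$d" "$mode" && echo "$mode: revoked cert accepted" || echo "$mode: revoked cert rejected"
done
```

The revoked certificate still chains to the trusted CA, so the chain-only check accepts it; only the check that consults the CRL rejects it.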