Manage VPN PULSE SECURE CONNECT with RADIUS

SOLVED
Pulse_elo
Occasional Contributor


Hi,

Currently, I am setting up a new Pulse Secure Connect VPN and I would like to manage it with my RADIUS. Here is what I did:
- Authentication > Authentication Servers > New > RADIUS Server
Name: MyRADIUS
RADIUS Server : My IP Radius server
Authentication Port: 1812
Shared secret: ********
Accounting port : 1813

Then, under Administrators > Admin Realms > New:

Name : Administraors by radius
Authentication: MyRADIUS
Directory/Attribute: Same as above
Accounting: MyRADIUS

Then, under Authentication > Signing In > Sign-in Policies:
Administrator URLs
*/admin/

I added in "User picks from a list of authentication realms" --> MyRadius

What do you think? My RADIUS is a FreeRADIUS; my issue is in FreeRADIUS, I already modified my client.conf file?



 

1 ACCEPTED SOLUTION

Accepted Solutions
r@yElr3y
Moderator

Re: Manage VPN PULSE SECURE CONNECT with RADIUS

The Auth Control option can be found under the Authentication Servers page. You can set it at either the Global or the auth server level.

 

After making the above changes, you will be presented with the port selection option. The Auth Control feature was introduced in the 9.0R3 code and will be present in 9.0R3 and higher.

PCS Expert
Pulse Connect Secure Certified Expert


10 REPLIES
r@yElr3y
Moderator

Re: Manage VPN PULSE SECURE CONNECT with RADIUS

From the description, I can see that you have created a RADIUS auth instance, admin realm and sign-in URL; however, no role mapping was created. Please add the desired admin role under Admin realm >> (realm.name) >> role mapping >> create a rule >> map a role >> save changes. You should be good.

PCS Expert
Pulse Connect Secure Certified Expert
zanyterp
Moderator

Re: Manage VPN PULSE SECURE CONNECT with RADIUS

In addition to what r@yElr3y mentioned, please be sure to have a custom RADIUS rule configured for the Access-Challenge to show the login page.
Pulse_elo
Occasional Contributor

Re: Manage VPN PULSE SECURE CONNECT with RADIUS

Hi, I already created the admin role and mapping, but it doesn't work.

r@yElr3y
Moderator

Re: Manage VPN PULSE SECURE CONNECT with RADIUS

What is the error message displayed during the authentication attempt?

PCS Expert
Pulse Connect Secure Certified Expert
Pulse_elo
Occasional Contributor

Re: Manage VPN PULSE SECURE CONNECT with RADIUS

Hi,

Thanks for your answer. This is a summary and my log:

 

1) Create a new RADIUS server with these settings

Authentication Servers > Radius Server > New Server...


Auth Servers > MyRadius > Settings

Name : MyRadius
RADIUS Server : 10.60.78.248
Authentication Port : 1812
Shared Secret : ********
Accounting : 1813

 

Custom RADIUS Rules


Name : Rule Radius

If received Radius Response Packet...

Response Packet Type : Access Challenge

Attribute criteria :

Radius Attribute : Reply-Message (18)

Operand : matches the expression

Value : admin_radius

Then take action...

show user login page with error message


2) Create admin realms

Admin Realms > Administrator Authentication Realms > New...

General
Name : MyRadiusAdmin
Authentication : MyRadius
Directory/Attribute : Same as above
Accounting : MyRadius

Authentication Policy

--> Source IP

Allow users to sign in from any IP address

--> Administrator sign in ports

Internal Port is enabled.
Management Port is enabled.

Role mapping

--> When users meet these conditions

username is admin_radius

--> assign these roles

.Administrators

--> Rule Name

Rule_RADIUS

 

Other details :

 

My RADIUS Server is 10.60.78.248
Management Port is 10.60.78.200

 

Both are on the same network, but my Internal port is 10.50.58.1 and my External port is 10.70.48.1

 

My log for User Access :

 

Radius Server MyRadius : Login failed for admin_radius because host 10.60.78.248:1812 is unreachable.

 

I have a question: must my RADIUS server communicate via the Internal port (10.50.58.1) and not the Management port? I ask because I have not opened my firewall from the RADIUS server (10.60.78.248).

 

 

 

r@yElr3y
Moderator

Re: Manage VPN PULSE SECURE CONNECT with RADIUS

Please change the RADIUS rule to "Show Defender Page" when an Access-Challenge reply packet is received; you can leave the Reply-Message empty.

The "Traffic Segregation" feature for the Admin Network (admin logins) can be enabled to send AAA traffic using the Management port, but it is only supported on virtual appliances. For hardware appliances, it will always use the internal port.
PCS Expert
Pulse Connect Secure Certified Expert
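
As an added example (not part of the original thread or of Pulse Secure's tooling): FreeRADIUS only answers clients defined in clients.conf, so an entry must cover whichever appliance interface sends the request, the internal port or the management port once it is selected for AAA traffic. This Python sketch audits a constructed clients.conf against the two addresses given in the thread; the client names and secrets are placeholders.

```python
import ipaddress
import re

# Constructed sample clients.conf; client names and secrets are placeholders.
SAMPLE_CLIENTS_CONF = """
client pcs_mgmt {
    ipaddr = 10.60.78.200
    secret = CHANGE_ME
}
client lab_nets {
    ipaddr = 192.0.2.0/24   # documentation range, unrelated to the VPN
    secret = CHANGE_ME
}
"""

# Simple parser: assumes ipaddr appears before any nested { } section.
CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
# Commented-out lines ("# ipaddr = ...") do not match because of the leading '#'.
ADDR_RE = re.compile(r"^\s*(?:ipaddr|ipv4addr)\s*=\s*([0-9./]+)", re.M)

def parse_clients(text):
    """Return {client_name: ip_network} for each client block with an IPv4 address."""
    clients = {}
    for name, body in CLIENT_RE.findall(text):
        m = ADDR_RE.search(body)
        if m:
            clients[name] = ipaddress.ip_network(m.group(1), strict=False)
    return clients

def matching_clients(clients, source_ip):
    """Names of client entries whose address or prefix covers source_ip."""
    addr = ipaddress.ip_address(source_ip)
    return sorted(name for name, net in clients.items() if addr in net)

def audit(text, interfaces):
    """Map each interface label to the client entries that would accept it."""
    clients = parse_clients(text)
    return {label: matching_clients(clients, ip) for label, ip in interfaces.items()}

# Appliance addresses as given in the thread.
PCS_INTERFACES = {"internal": "10.50.58.1", "management": "10.60.78.200"}

if __name__ == "__main__":
    for label, names in audit(SAMPLE_CLIENTS_CONF, PCS_INTERFACES).items():
        status = ", ".join(names) if names else "NO MATCHING CLIENT (request would be ignored)"
        print(f"{label:<11} {PCS_INTERFACES[label]:<14} {status}")
```
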
r@yElr3y
Moderator

Re: Manage VPN PULSE SECURE CONNECT with RADIUS

There is a feature called "Auth Control" which was introduced in the 9.0R3 code. I will check and update you with the details soon.

You would like to send the authentication traffic via the Management port, right?
PCS Expert
Pulse Connect Secure Certified Expert
Pulse_elo
Occasional Contributor

Re: Manage VPN PULSE SECURE CONNECT with RADIUS

Hi, great, it works. Thank you so much for everything.