Pulse Secure Client Always On + MFA User Authentication?

New Contributor

Hello all,

I have configured Pulse Secure Client to create an always on VPN connection using machine authentication which is working well enough. What I'd like to do is then have the end user be able to further authenticate using a RADIUS-backed authentication realm to be able to expand network access rights.

I thought the option might be 'Enable pre-desktop login (Credential provider)' but that requires the Machine OR User authentication option and that then requires a user certificate which I don't have, nor want to use.

Any ideas?
7 REPLIES
Moderator

Re: Pulse Secure Client Always On + MFA User Authentication?

Hi bradk,

Enabling Pre-Desktop login (Credential Provider) works when you select the USER or MACHINE/USER option; however, that does not need any user certificate to authenticate.

The authentication method is determined by the realm(s) associated with your sign-in URL. As per your setup, you're already using a machine realm to support machine authentication; now all you need is to create a new realm with RADIUS authentication and the corresponding role mappings, and enter the realm and role details in the preferred realm set and roles.

https://docs.pulsesecure.net/WebHelp/Home.htm#PCS/PCS_AdminGuide_8.2/Pulse Secure Connection Realm.htm?Highlight=machine or user authentication


Credential Provider is an integration feature of the Pulse client that is used to pass the domain credentials the user provided during the Windows logon and use the same credentials to authenticate the VPN connection.

https://docs.pulsesecure.net/WebHelp/Home.htm#PCS/PCS_AdminGuide_8.2/Credential Provider Authentication.htm?Highlight=credential provider

I hope it helps you.

Thanks,
Ray.
Pulse Connect Secure Certified Expert
New Contributor

Re: Pulse Secure Client Always On + MFA User Authentication?

Hi Ray,

Thank you for the response. I think I had it incorrectly configured then, as I put the Certificate Server for the authentication on the sign-in page policy. You are saying the sign-in should have the RADIUS server for authentication, correct?

I'm trying this and now it is immediately failing authentication. It looks like it's trying to authenticate as host instead of prompting for credentials.

At some point I had it configured so it was prompting for credentials, but if it failed (or I hit cancel), then the entire connection failed. I need it to be always connected via machine cert and then have the option of logging on interactively with user credentials, always falling back to the always-on mode. I must be missing something somewhere.
Moderator

Re: Pulse Secure Client Always On + MFA User Authentication?

Hi bradk,

You got it right. All you need to do is, in the sign-in page policy, map the sign-in URL with two realms (one realm which holds the certificate server for machine authentication and another realm which holds the RADIUS server for user authentication).

For example,

Bradk-CERT-Realm >>> Certificate Authentication Server to authenticate Machines using Machine Certificates

Bradk-RADIUS-Realm >>> RADIUS server to authenticate Users using user credentials (With correct Role mappings)

In the VPN Connections page, select the MACHINE/USER option from the drop-down list. You will see this:

Machine Connection Preferences:

Preferred Machine Realm: Bradk-CERT-Realm

User Connection Preferences:

Preferred User Realm: Bradk-RADIUS-Realm

Save changes and push the configuration to the Pulse client either through a browser session or the pre-config method (JAMUI command).

[ FYI, you can do machine authentication using the machine account if the machine is domain-joined (Active Directory). To achieve this, all you need is to create an AD authentication server with a realm and map this realm in the Preferred Machine Realm option. That's it. ]

In the background, whenever the machine boots it will automatically authenticate using the machine certificate/account, and when the user attempts to sign in to that machine (as soon as the user triggers the login page to appear), the machine tunnel will be torn down and a user tunnel will be formed, if the credentials provided by the user are valid.
Thanks,
Ray.

Pulse Connect Secure Certified Expert
Moderator

Re: Pulse Secure Client Always On + MFA User Authentication?

Hi Bradk,

Sorry I forgot to mention this, as you said "At some point I had it configured so it was prompting for credentials, but if it failed (or I hit cancel), then the entire connection failed. I need it to be always connected via machine cert and then have the option of logging on interactively with user credentials, always falling back to the always on mode. I must be missing something somewhere."

You are not missing anything; this is how it works. If the user tries to authenticate, the existing machine tunnel will be torn down. From that point, only a user tunnel can be formed. There is no fallback mechanism to bring back the machine tunnel if the user authentication fails.

Thanks,
Ray.
Pulse Connect Secure Certified Expert
New Contributor

Re: Pulse Secure Client Always On + MFA User Authentication?

Hello,

We are facing a similar challenge but use LDAP-based authentication against Windows AD instead of RADIUS. The machine tunnel works as expected, but when the user tries to log on using the Credential Provider (after pressing CTRL-ALT-DEL), the domain is prepended to the username when using sAMAccountName as the username (so the username becomes "\"). And the LDAP authentication fails...
When using UserPrincipalName as the username, it is prepended with a backslash when sent to the LDAP server, which also fails (so the username becomes "\").

How can I prevent these characters from being prepended to the username before it is sent to LDAP?

Regards,

Marco
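The failure Marco describes comes down to a format mismatch: the Windows credential provider hands the gateway a DOMAIN\user (or \user@domain) string, while the LDAP server is matched on a bare sAMAccountName or a userPrincipalName. The following is an added example, not code from this thread or from Pulse Secure, of what an authentication front-end has to do before the directory lookup: split the credential-provider form into domain and account, pick the value that fits the configured attribute, and escape it so the account string can never alter the LDAP filter. All function names, and the sample usernames (CORP, jdoe, corp.example), are constructed for the example.

```python
from typing import Optional, Tuple

# RFC 4515 escaping for values placed inside an LDAP search filter.
# Without this, an account string such as "jdoe)(objectClass=*" would
# change the meaning of the filter instead of being matched literally.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a single assertion value for use in an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_windows_username(raw: str) -> Tuple[Optional[str], str]:
    """Return (domain, account) from DOMAIN\\user, user@domain or a bare name.

    The forms from the thread are handled explicitly:
      - "CORP\\jdoe"            -> ("CORP", "jdoe")
      - "\\jdoe@corp.example"   -> ("corp.example", "jdoe")  (empty NetBIOS domain)
      - "\\jdoe"                -> (None, "jdoe")
    """
    domain: Optional[str] = None
    account = raw
    if "\\" in raw:
        netbios, _, account = raw.partition("\\")
        domain = netbios or None          # leading backslash, no domain
    if "@" in account:
        account, _, upn_domain = account.rpartition("@")
        domain = domain or upn_domain     # prefer an explicit NetBIOS domain
    return domain, account


def build_user_filter(raw: str, attribute: str = "sAMAccountName") -> str:
    """Build the LDAP filter that the directory lookup should actually send.

    For sAMAccountName the domain is dropped and only the account is matched.
    For userPrincipalName the user@domain form is reconstructed only when the
    input carried a UPN domain; a DOMAIN\\user input cannot be turned into a
    UPN without a directory lookup, so the bare account is used instead.
    """
    domain, account = split_windows_username(raw)
    if attribute.lower() == "userprincipalname" and domain and "@" in raw:
        value = f"{account}@{domain}"
    else:
        value = account
    return f"({attribute}={escape_filter_value(value)})"


if __name__ == "__main__":
    # Constructed sample inputs mirroring the two failing cases in the thread.
    for raw, attr in [
        ("CORP\\jdoe", "sAMAccountName"),
        ("\\jdoe@corp.example", "userPrincipalName"),
        ("jdoe)(objectClass=*", "sAMAccountName"),
    ]:
        print(f"{raw!r:28} -> {build_user_filter(raw, attr)}")
```

The escaping step is the part worth keeping even if the gateway itself handles the domain prefix: any path that takes a logon name from a client and builds a filter from it should pass the value through an RFC 4515 escape, otherwise the account field becomes a filter-injection point.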
Moderator

Re: Pulse Secure Client Always On + MFA User Authentication?

Hi mwarnier,

I think your users are trying to authenticate from a domain-joined (AD) machine using the credential provider; you will be sending the username in \ format to AD to authenticate, and the same will be cached by the credential provider. While users are authenticating, the exact format will be provided as the username by the credential provider; however, the LDAP server only looks for the attribute which you configured, such as sAMAccountName or userPrincipalName, and this is the reason it's failing.

As a workaround, try editing any attribute, e.g. "comment", and enter the value as "DOMAIN\USERNAME", then change the attribute to "comment=" in your LDAP server. It will work! I tried this in my lab. However, it's not feasible if you have a huge number of customers. So, if possible, use an AD auth server.

Thanks,
Ray.

Pulse Connect Secure Certified Expert
Moderator

Re: Pulse Secure Client Always On + MFA User Authentication?

Unfortunately, LDAP is not supported for the credential provider; what you are seeing is expected.
I would recommend reaching out to your account team and letting them know you would like to have this investigated with the product team as an enhancement to the product.