Hi bradk,
Enabling Pre-Desktop login (credential Provider) works when you selected USER or MACHINE/USER option however that does not need any user certificate to authenticate.
Authentication method is determined by the realm(s) which are associated with your sign-in URL so as per your setup, you're already using a machine realm to support machine authentication, now all you need is to create a new realm with RADIUS authentication and corresponding role mappings and input the realm and role details in preferred realm set and roles.
https://docs.pulsesecure.net/WebHelp/Home.htm#PCS/PCS_AdminGuide_8.2/Pulse Secure Connection Realm.htm?Highlight=machine or user authentication
Credential Provider is a integration feature of pulse client that is used to pass the domain credentials which the user provided during the windows logon and use the same credentials to authenticate the VPN connection.
https://docs.pulsesecure.net/WebHelp/Home.htm#PCS/PCS_AdminGuide_8.2/Credential Provider Authentication.htm?Highlight=credential provider
I Hope it Helps you.
Thanks,
Ray.
Enabling Pre-Desktop login (credential Provider) works when you selected USER or MACHINE/USER option however that does not need any user certificate to authenticate.
Authentication method is determined by the realm(s) which are associated with your sign-in URL so as per your setup, you're already using a machine realm to support machine authentication, now all you need is to create a new realm with RADIUS authentication and corresponding role mappings and input the realm and role details in preferred realm set and roles.
https://docs.pulsesecure.net/WebHelp/Home.htm#PCS/PCS_AdminGuide_8.2/Pulse Secure Connection Realm.htm?Highlight=machine or user authentication
Credential Provider is a integration feature of pulse client that is used to pass the domain credentials which the user provided during the windows logon and use the same credentials to authenticate the VPN connection.
https://docs.pulsesecure.net/WebHelp/Home.htm#PCS/PCS_AdminGuide_8.2/Credential Provider Authentication.htm?Highlight=credential provider
I Hope it Helps you.
Thanks,
Ray.
Hi bradk,
You got it right, All you need to do is in the sign-in page policy map the sign-in URL with two realms ( One Realm which holds certificate server for machine authentication and Another Realm holds the RADIUS Server for user authentication)
For example,
Bradk-CERT-Realm >>> Certificate Authentication Server to authenticate Machines using Machine Certificates
Bradk-RADIUS-Realm >>> RADIUS server to authenticate Users using user credentials (With correct Role mappings)
In the VPN Connections page select MACHINE/USER option from the drop-down list. You will see this,
Machine Connection Preferences:
Preferred Machine Realm: Bradk-CERT-Realm
User Connection Preferences:
Preferred User Realm: Bradk-RADIUS-Realm
Save Changes and Push the configuration to the pulse client either through browser session or Pre-config method (JAMUI Command)
[ FYI, You can do machine authentication using Machine Acoount if the Machine is Domain-Joined (Active Directory). To achieve this all your need is to create a AD Authentication server with realm and map this realm in the Preferred Machine Realm option. Thats it. ]
In the background, Whenever the machine boots it will automatically authenticates using the machine certificate/account and when the user attempts to sign-in to that machine ( As soon as the user triggers the login page to appear), the machine tunnel will be teared down and user tunnel will be formed, if the credentials provided by the user is valid.
Thanks,
Ray.
You got it right, All you need to do is in the sign-in page policy map the sign-in URL with two realms ( One Realm which holds certificate server for machine authentication and Another Realm holds the RADIUS Server for user authentication)
For example,
Bradk-CERT-Realm >>> Certificate Authentication Server to authenticate Machines using Machine Certificates
Bradk-RADIUS-Realm >>> RADIUS server to authenticate Users using user credentials (With correct Role mappings)
In the VPN Connections page select MACHINE/USER option from the drop-down list. You will see this,
Machine Connection Preferences:
Preferred Machine Realm: Bradk-CERT-Realm
User Connection Preferences:
Preferred User Realm: Bradk-RADIUS-Realm
Save Changes and Push the configuration to the pulse client either through browser session or Pre-config method (JAMUI Command)
[ FYI, You can do machine authentication using Machine Acoount if the Machine is Domain-Joined (Active Directory). To achieve this all your need is to create a AD Authentication server with realm and map this realm in the Preferred Machine Realm option. Thats it. ]
In the background, Whenever the machine boots it will automatically authenticates using the machine certificate/account and when the user attempts to sign-in to that machine ( As soon as the user triggers the login page to appear), the machine tunnel will be teared down and user tunnel will be formed, if the credentials provided by the user is valid.
Thanks,
Ray.
Hi Bradk,
Sorry I forgot to mention this, as you said "At some point I had it configured so it was prompting for credentials, but if it failed (or I hit cancel), then the entire connection failed. I need it to be always connected via machine cert and then have the option of logging on interactively with user credentials, always falling back to the always on mode. I must be missing something somewhere."
You were are not missing anything, This is how it works; if the user tried to authenticate the existing machine tunnel will be teared down. From that point, only user tunnel can be formed. There is no fallback mechanism that facilitates to bring back the machine tunnel if the user authentication fails.
Thanks,
Ray.
Sorry I forgot to mention this, as you said "At some point I had it configured so it was prompting for credentials, but if it failed (or I hit cancel), then the entire connection failed. I need it to be always connected via machine cert and then have the option of logging on interactively with user credentials, always falling back to the always on mode. I must be missing something somewhere."
You were are not missing anything, This is how it works; if the user tried to authenticate the existing machine tunnel will be teared down. From that point, only user tunnel can be formed. There is no fallback mechanism that facilitates to bring back the machine tunnel if the user authentication fails.
Thanks,
Ray.
Hi mwarnier,
I think your users are trying to authenticate from a domain-joined (AD) machine using credential provider, you will be sending the username in \ format to AD to authenticate and the same will cached by the credential provider. While users are authenticating the exact format will be provided as username by credential provider however the LDAP Server only looks for attribute which you configured such as samaccountname or userprincipalname, this is the reason it's failing.
As a workaround, try editing any attribute for eg. "comment" and enter the value as "DOMAIN\USERNAME" then change the attribute as "comment=" in your LDAP server. It will work! I tried this in my lab. However it's not feasible if you're having huge number of customers. So, If possible, use AD auth server.
Thanks,
Ray.
I think your users are trying to authenticate from a domain-joined (AD) machine using credential provider, you will be sending the username in \ format to AD to authenticate and the same will cached by the credential provider. While users are authenticating the exact format will be provided as username by credential provider however the LDAP Server only looks for attribute which you configured such as samaccountname or userprincipalname, this is the reason it's failing.
As a workaround, try editing any attribute for eg. "comment" and enter the value as "DOMAIN\USERNAME" then change the attribute as "comment=" in your LDAP server. It will work! I tried this in my lab. However it's not feasible if you're having huge number of customers. So, If possible, use AD auth server.
Thanks,
Ray.
