
Which Authentication Server to use.

weir
Occasional Contributor

Which Authentication Server to use.

Hi,

 

I'm looking to implement a PSA3000 but not sure on the best approach for the authentication server. I would like to use AD and have a second Google Authenticator to log in to the portal. This is nice as users just have one username and password to remember.

 

My issue is if users forget their domain password or the password expires. We have an on-prem password system for users changing their password, but of course they have to be on the network to access that. If they cannot connect to the Pulse Secure then they cannot reset the password.

 

We could use a local server for auth but that would require every user to have 2 passwords.

 

Is there a better solution?

akanoon
Moderator

Re: Which Authentication Server to use.

Hi,

 

You can turn on password management. See https://docs.pulsesecure.net/WebHelp/PCS/8.3R3/Content/PCS/PCS_AdminGuide_8.3/Using_the_LDAP_Passwor...

 

You'll basically need to create an LDAP server under Auth Servers and point it to your AD server. Then at Realm level, you can enable Password Management under Authentication Policy > Password:

 

(screenshot: Realm Authentication Policy > Password settings)

 

Regards,

Please remember to mark solved once the thread is resolved. Kudos are also appreciated.
weir
Occasional Contributor

Re: Which Authentication Server to use.

Thanks for the reply.

My issue, however, is if a remote worker has forgotten their domain password. I believe there is no way for them to reset the domain password via the Pulse Secure box.

It feels like a catch-22. You cannot connect to be able to change it, and you can't change it because you cannot connect.

Am I missing something?
akanoon
Moderator

Re: Which Authentication Server to use.

Assuming they can connect (just bear with me here), how would they do the domain reset?  Would they do this via some security challenge?

 

One of the things that can be done is to set up a sign-in policy/realm that does an Anonymous connection back to the application you are using for the reset.  The end user gets presented with the challenge and they take care of the reset.

 

If you want to see this in action, send me a direct message and we'll set up a confcall and I'll show you how it's done.

Please remember to mark solved once the thread is resolved. Kudos are also appreciated.
weir
Occasional Contributor

Re: Which Authentication Server to use.

Well, the password manager software is an on-prem web-based system.

It basically gives a webpage to allow you to change the password based on security questions.

With the Anonymous connection can you only allow access to that one webpage?
weir
Occasional Contributor

Re: Which Authentication Server to use.

Just had a play and this might work.

Is there a way to use the anonymous server but with entering a username and then using the Google Authenticator?
weir
Occasional Contributor

Re: Which Authentication Server to use.

So I think this is how I would like to set it up.

I create a security group of users who are allowed access to the Pulse Secure box. The user will go to the sign-in page and enter their domain username and password. This will authenticate against AD. It will have a second server giving the Google Authenticator that they will have to set up.

If one of these users then forgets their password, I would like to give them a sign-in page that asks for the username and then asks for the Google Authenticator code. This should use the same code they would use if they knew their password. Once in, they would get the password reset system only.

I'm not sure I want the password reset option open to anyone via an anonymous server. It feels like if you have your username and Google code that should be secure enough to allow users to reset their password.

Is this all possible?
akanoon
Moderator

Re: Which Authentication Server to use.

Unfortunately, this is not possible.  Once you select Anonymous, you really can't pass in a username to be used against the Google Auth.

 

I understand your concern, but we have many customers doing this.  They create a web ACL so only the reset application is accessible.  Also, that isn't usable unless the end user knows his security.  You can also add some more checks and only allow access during work hours, etc.

Please remember to mark solved once the thread is resolved. Kudos are also appreciated.
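The two controls the reply above describes for the anonymous reset realm (a web ACL that permits only the reset application, plus a work-hours restriction) can be modelled to check that the policy behaves as intended before it is deployed. The block below is an added illustration written for this thread, not Pulse Secure configuration or product code; the ACL rules, the hostname pwreset.corp.example, the /reset/ path and the business-hours window are all constructed assumptions.

```python
from datetime import datetime, time
from urllib.parse import urlparse

# Constructed, illustrative web ACL for an anonymous password-reset realm.
# Rules are evaluated top-down, first match wins; an unmatched request is
# denied. Field order: action, scheme, host, port, path. All assumed values.
RESET_ACL = [
    ("allow", "https", "pwreset.corp.example", "443", "/reset/*"),
    ("deny",  "*",     "*",                    "*",   "*"),
]

# Assumed business-hours window for the "only during work hours" check.
WORK_HOURS = (time(7, 0), time(19, 0))


def _glob_match(pattern, value):
    """Match '*' or a single trailing '*' wildcard; otherwise exact match."""
    value = str(value)
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def acl_decision(url, acl=RESET_ACL):
    """Return 'allow' or 'deny' for a URL requested through the anonymous realm."""
    parsed = urlparse(url)
    scheme = parsed.scheme
    host = parsed.hostname or ""
    port = parsed.port or (443 if scheme == "https" else 80)
    path = parsed.path or "/"
    for action, p_scheme, p_host, p_port, p_path in acl:
        if (_glob_match(p_scheme, scheme) and _glob_match(p_host, host)
                and _glob_match(p_port, port) and _glob_match(p_path, path)):
            return action
    return "deny"  # implicit default deny when no rule matches


def within_work_hours(now, window=WORK_HOURS):
    """True when the request time falls inside the allowed window."""
    start, end = window
    return start <= now.time() <= end


def authorize(url, now, acl=RESET_ACL):
    """Both checks must pass; failing either one denies the request."""
    return within_work_hours(now) and acl_decision(url, acl) == "allow"
```

Running authorize() against a few URLs shows that only the reset path on the reset host is reachable, and that the same request is refused outside the window even though the ACL would allow it.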
weir
Occasional Contributor

Re: Which Authentication Server to use.

Can you have 3 auth servers?

The first a local one with a username and a simple password that people would not forget, like their surname. Then pass that username to use against AD and then a Google Authenticator for that user.

If they don't remember their AD password then we use a new sign-in page with only the two servers.
weir
Occasional Contributor

Re: Which Authentication Server to use.

I thought I had sorted this by setting up a second local server with the same usernames and then using Google for the secondary. Unfortunately it looks like you cannot use the same code, as it asks me to re-register. If I look in the users part for my Google server I have a duplicate username.

Is there any way around this?