
Credential Provider Authentication for Pulse Connect Secure

The Pulse credential provider integration enables connectivity to a network that is required for the user to log on to the Windows domain. For example, the domain controller might reside behind a firewall, and the endpoint uses credential provider login to connect to Connect Secure before the domain login. Pulse integrates with Microsoft credential providers to enable password-based login and smart card login. A credential provider interface appears as a tile on a Windows (Vista or later) login screen. See Figure 108.

Figure 108: Pulse Logon Tile

You enable Pulse credential provider support on a Pulse connection. After the connection has been downloaded to the endpoint through the normal Pulse distribution methods, a Pulse logon tile appears on the endpoint’s desktop. When the user initiates the logon process, Pulse establishes the connection.

Pulse supports the following credential provider types:

Pulse credential provider support usage notes:

To enable user-at-credprov credential provider support for a Pulse connection:

  1. Create a Pulse connection set for the role (Users > Pulse > Connections), and then create a new Pulse connection. You can select Connect Secure or Policy Secure (L3), Policy Secure (802.1X), or SRX for the connection type.
  2. In the Connection is established section, select one of the following options:
    • Automatically at user login—The user credentials are used to establish the authenticated Pulse connection to the network, log in to the endpoint, and log in to the domain server. The Pulse connection may be configured so that prompts are presented during the login process, for example, prompts for realm or role selection or a server certificate trust prompt.
    • Automatically when the machine starts. Connection is authenticated again at user login—Machine credentials are used to establish the authenticated Pulse connection to the network when the endpoint is started. When a user clicks the login tile and provides user credentials, the connection is authenticated again and the original connection is dropped. When the user logs off, the user connection is ended and the machine connection is established again. In one typical use case, the machine credentials provide access to one VLAN and the user credentials provide access to a different VLAN. Be sure that the Pulse connection does not result in Pulse prompts, for example, prompts for realm or role selection or a server certificate trust prompt, because the machine credential login does not present an interface to respond to the prompts.
  3. For a Layer 2 connection that uses machine certificate authentication, make sure that the connection has an entry in the Trusted Server List. To allow any server certificate, type Any as the Server certificate DN. To allow only one server certificate, specify the server certificate’s full DN, for example, C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; CN=c4k1.stnh.mycompany.net; E=ausername@mycompany.com.
  4. Specify Realm and Role Preferences to suppress realm or role selection dialogs during the logon process:
    • Preferred User Realm—Specify the realm for this connection. The connection ignores any other realm available for the specific logon credentials.

    The following options enable you to allow the user to log in using a smart card or a password:

    • Preferred Smartcard Logon Realm—Preferred realm to be used when the user logs in with a smart card.
    • Preferred Password Logon Realm—Preferred realm to be used when the user logs in with a password.


    Note: Be sure that the authentication realms you specify exist, and that they support the appropriate login credential option.

    • Preferred User Role Set—Specify the preferred role or the name of rule for the role set to be used for user authentication. The role or rule name used must be a member of the preferred user realm.

To enable machine-then-user-at-credprov credential provider support for a Pulse connection:

  1. Create a Pulse connection set for the role (Users > Pulse > Connections), and then create a new Pulse connection. You can select Connect Secure or Policy Secure (L3), Policy Secure (802.1X), or SRX for the connection type.
  2. In the Connection is established section, select one of the following options:
    • Automatically at user login—The user credentials are used to establish the authenticated Pulse connection to the network, log in to the endpoint, and log in to the domain server. The Pulse connection may be configured so that prompts are presented during the login process, for example, prompts for realm or role selection or a server certificate trust prompt.
    • Automatically when the machine starts. Connection is authenticated again at user login—Machine credentials are used to establish the authenticated Pulse connection to the network when the endpoint is started. When a user clicks the login tile and provides user credentials, the connection is authenticated again and the original connection is dropped. When the user logs off, the user connection is ended and the machine connection is established again. In one typical use case, the machine credentials provide access to one VLAN and the user credentials provide access to a different VLAN. Be sure that the Pulse connection does not result in Pulse prompts, for example, prompts for realm or role selection or a server certificate trust prompt, because the machine credential login does not present an interface to respond to the prompts.
  3. For a Layer 2 connection that uses machine certificate authentication, make sure that the connection has an entry in the Trusted Server List. To allow any server certificate, type Any as the Server certificate DN. To allow only one server certificate, specify the server certificate’s full DN, for example, C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; CN=c4k1.stnh.mycompany.net; E=ausername@mycompany.com.
  4. Specify Realm and Role Preferences to suppress realm or role selection dialogs during the logon process for both machine logon and user logon:
    • Preferred Machine Realm—Specify the realm that this connection uses when establishing the machine connection. The connection ignores any other realm available for the specific logon credentials.
    • Preferred Machine Role Set—Specify the role or the name of the rule for the role set that this connection uses when establishing the machine connection. The role or rule name used must be a member of the preferred machine realm.
    • Preferred User Realm—Specify the realm for this connection that is used when a user logs on to the endpoint. The connection ignores any other realm available for the user’s logon credentials.
    • Preferred User Role Set—Specify the preferred role or the name of the rule for the role set to be used for user authentication. The role or rule name used must be a member of the preferred user realm.
  5. Optionally specify pre-login preferences:
    • Pre-login maximum delay—The time period (seconds) that a Windows client waits for an 802.1X connection to succeed during the login attempt. The range is 1 to 120 seconds.
    • Pre-login user based virtual LAN—If you are using VLANs for the machine login and the user login, you can enable this check box to allow the system to make the VLAN change.
  6. Click Save Changes and then distribute the Pulse connection to Pulse client endpoints. The Pulse tile appears on the login page the next time the end users log in.


    Note: The user account must exist on both the Windows PC and on Connect Secure with the same login name.

    Check the user logs for credential provider log-in information. See Figure 109.

    Figure 109: Credential Provider Log Information
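The Trusted Server List step in both procedures above offers two settings: Any, which accepts every server certificate, or a full DN, which pins the connection to one certificate. The following added example (not Pulse or Juniper code) models that choice so an administrator can see the difference in what each setting accepts; the DN format follows the page, while the parsing and exact-match rules are an assumption for illustration.

```python
# Added example, not Pulse/Juniper code: models the Trusted Server List
# check. The entry is either the literal "Any" (accepts every server
# certificate, the weak setting) or a full DN in the page's
# "C=US; ST=NH; ..." format that the presented certificate must match.
# The parsing and matching rules below are assumptions for illustration.


def parse_dn(dn: str) -> dict:
    """Parse a 'KEY=value; KEY=value' DN string into a dict.

    Attribute names are upper-cased and values are stripped so that
    spacing or attribute-name casing alone does not cause a mismatch.
    Raises ValueError on an RDN with no '=' so typos are not silently
    accepted as a pin that can never match.
    """
    rdns = {}
    for part in dn.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, _, value = part.partition("=")
        rdns[key.strip().upper()] = value.strip()
    return rdns


def server_cert_trusted(trusted_entry: str, presented_dn: str) -> bool:
    """Return True if the presented server certificate DN is accepted.

    "Any" (case-insensitive) accepts everything. A full DN entry must
    match the presented DN attribute for attribute, so a certificate
    that differs in even one attribute (for example O) is rejected.
    """
    if trusted_entry.strip().lower() == "any":
        return True
    return parse_dn(trusted_entry) == parse_dn(presented_dn)


# Constructed sample values based on the DN shown on the page.
PINNED = ("C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; "
          "CN=c4k1.stnh.mycompany.net; E=ausername@mycompany.com")
SAME_CERT = ("c=US;ST=NH;  L=Kingston; O=My Company; OU=Engineering; "
             "CN=c4k1.stnh.mycompany.net; E=ausername@mycompany.com")
DIFFERENT_ORG = ("C=US; ST=NH; L=Kingston; O=Other Org; OU=Engineering; "
                 "CN=c4k1.stnh.mycompany.net; E=ausername@mycompany.com")

if __name__ == "__main__":
    print("pinned DN accepts same cert:", server_cert_trusted(PINNED, SAME_CERT))
    print("pinned DN accepts other org:", server_cert_trusted(PINNED, DIFFERENT_ORG))
    print("Any accepts other org:", server_cert_trusted("Any", DIFFERENT_ORG))
```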