Configuring a Pulse Credential Provider Connection for Password or Smart Card Login

If you allow a user to log in with a smart card or with a username/password, then you can have the Pulse Credential provider automatically authenticate the user based on the login method. The Pulse user sees two different credential provider tiles for the Pulse connection, one for smart card authentication and one for username/password authentication. Credential provider tiles that launch a Pulse connection include a Pulse logo. See Figure 30. The Pulse connection determines which realm to use through preferred realm settings that you specify as part of the Pulse connection preferences. If the connection succeeds, the login type is saved so that, if re-authentication is needed (for example, if the connection times out), the same login type is used.

Figure 30: Pulse Credential Provider Tiles

Before you begin:

The following procedure summarizes the steps to create a Pulse Secure Connection that uses credential provider authentication, and allows the user to choose either smart card login or username/password login. Table 6 describes the configuration options:

  1. Click Users > Pulse Secure > Connections and create or select a connection set.
  2. Create or edit a connection. For connection type, you can select either UAC (802.1X) for a Layer 2 connection or Connect Secure or Policy Secure (L3) for a Layer 3 connection. The SRX connection type does not support credential provider authentication.
  3. For the Connection is established option, choose one of the credential configuration options shown in Figure 31 and Figure 32.

Figure 31: Connect automatically after user signs in to the desktop

The user credentials are used to establish the authenticated Pulse connection to the network, log in to the endpoint, and log in to the domain server.

Select User as the mode. Under options, select Connect automatically.

 

Figure 32: Connect automatically when the machine starts; the connection is authenticated again when the user signs in to the desktop

Machine credentials are used to establish the authenticated Pulse connection to the network using the specified Machine Connection Preferences or Pre-login Connection Preferences. When the user provides user credentials, the connection is authenticated again.

Select Machine or User as the mode. Under options, select Connect automatically.

  4. For Connect Secure or Policy Secure (L3) connections that are set to have the connection established automatically, you can define location awareness rules that enable an endpoint to connect conditionally.
  5. For a Layer 2 connection that uses machine certificate authentication, make sure that the connection has an entry in the Trusted Server List. To allow any server certificate, type ANY as the Server certificate DN. To allow only one server certificate, specify the server certificate’s full DN, for example, C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; CN=c4k1.stnh.mycompany.net; E=ausername@mycompany.com.
  6. For the desired connection behavior, set the connection preferences as described in Table 7.

Note: If the Pulse connection is configured to use a list of Pulse servers, the preferred roles and realms you specify must be applicable to all of those servers.
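
The following Python script is an added example, not part of the Pulse documentation or product. It reviews Server certificate DN values of the kind entered in the Trusted Server List step above and reports entries that are set to ANY, are malformed, or lack a CN. The function names, the sample list, the case-insensitive treatment of ANY, and the CN requirement are assumptions made for illustration.

```python
# Added example: review Trusted Server List "Server certificate DN" entries.
# Names and sample data are hypothetical. The DN syntax (attribute=value
# pairs separated by ';') follows the example DN shown on this page.
# Values that themselves contain ';' are out of scope for this parser.

def parse_dn(text):
    """Split 'C=US; ST=NH; CN=host' into ordered (ATTR, value) pairs."""
    pairs = []
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    if not pairs:
        raise ValueError("empty DN")
    return pairs

def audit_entry(entry):
    """Return a list of findings for one Server certificate DN entry."""
    # Assumption: ANY is matched case-insensitively for review purposes.
    if entry.strip().upper() == "ANY":
        return ["ANY allows any server certificate"]
    try:
        pairs = parse_dn(entry)
    except ValueError as exc:
        return [str(exc)]
    if "CN" not in [attr for attr, _ in pairs]:
        return ["no CN component; entry is not a full server DN"]
    return []

def audit(entries):
    """Map each entry that has findings to its list of findings."""
    report = {}
    for entry in entries:
        findings = audit_entry(entry)
        if findings:
            report[entry] = findings
    return report

# Constructed sample entries; the second is the example DN from this page.
SAMPLE = [
    "ANY",
    "C=US; ST=NH; L=Kingston; O=My Company; OU=Engineering; "
    "CN=c4k1.stnh.mycompany.net; E=ausername@mycompany.com",
    "O=My Company; OU=Engineering",
    "CN=c4k1.stnh.mycompany.net; bogus",
]

if __name__ == "__main__":
    for entry, findings in audit(SAMPLE).items():
        print(f"{entry} -> {'; '.join(findings)}")
```
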

Table 7: Configuration Options for Credential Provider Login

Pulse Client Credential Provider Login Behavior: At user login, the user can choose from two credential provider tiles: smart card login or username/password login. The credentials are then used to connect to the network, log in to the endpoint, and log in to the domain server.

  Connection is established: Automatically at user login

  User Connection Preferences: Preferred User Realm and Preferred User Role Set are not available if you specify values for Preferred Pre-login Password Realm and Preferred Pre-login Smartcard Realm.

  Pre-Login Connection Preferences: Enables Pulse credential provider tiles. The realm name appears on each tile. You must specify values for both of the following options:

    · Preferred Pre-login Password Realm: The authentication realm that provides username/password authentication.

    · Preferred Pre-login Smartcard Realm: The authentication realm that provides smartcard authentication.

  Machine Connection Preferences: Not available.

Pulse Client Credential Provider Login Behavior: At machine login and at user login, the user can choose from two credential provider tiles: smart card login or username/password login.

  Connection is established: Automatically when machine starts. Connection is authenticated again at user login.

  Pre-Login Connection Preferences: Enables Pulse credential provider tiles. The realm name appears on each tile.

    · Preferred Pre-login Password Realm: The authentication realm that provides username/password authentication.

    · Preferred Pre-login Smartcard Realm: The authentication realm that provides smartcard authentication.

  Machine Connection Preferences: Preferred Machine Realm and Preferred Machine Role Set are not available if you specify values for Preferred Pre-login Password Realm and Preferred Pre-login Smartcard Realm.
