Integrate Pulse Secure

This technical integration guide describes how to integrate Pulse Secure with Identity as a Service. Although this document specifically covers the Pulse Secure KVM appliance (PA VM), the information provided applies to all Pulse Secure VM Series appliances using the Device Manager software. The aim of this integration is to provide strong, second-factor authentication for your Pulse Secure VM Series appliance using Identity as a Service.

Before you begin, review the following:

Supported authentication methods

Authentication method: Token
Notes: Identity as a Service supports response-only tokens. One-step or two-step authentication (including token push authentication). Note: Challenge/response tokens are unsupported with MSCHAPv2.
Supported protocols: EAP-GTC or EAP-MSCHAPv2

Authentication method: OTP (One Time Password) by SMS or Token
Notes: Two-step authentication only
Supported protocols: EAP-GTC

Note: The Pulse Secure-VM supports only PAP authentication methods with RADIUS.

Prerequisites

Complete the following steps before integrating your authentication system with Identity as a Service:

Install and configure your first-factor authentication resource using the documentation provided by the vendor. The first-factor authentication resource can be a RADIUS server or an external authentication resource (a Local DB, LDAP-compliant directory or Windows domain controller through Kerberos).

Install and configure the RADIUS appliance using the documentation provided by the vendor. The device must be able to route traffic before integrating with Identity as a Service.

Install and configure Identity as a Service and an Identity as a Service Gateway (containing a RADIUS proxy agent). Take note of the shared secrets, IP addresses, and ports you use. You need this information to configure the RADIUS appliance and first-factor authentication resource.

If you want to configure your RADIUS appliance and first-factor authentication resource to recognize Identity as a Service user groups, you must define the Identity as a Service user groups first.

Integrate Pulse Secure

The following procedures describe how to configure the Pulse Secure VM Series appliance to use Identity as a Service. This integration assumes that you are familiar with the administration interface of the Pulse Secure VM Series appliance. All examples use the Pulse Secure interface.

To set up the Pulse Secure VM Series appliance, you must add the Identity as a Service AAA Server proxy as an AAA (Authentication Authorization Accounting) client, and then configure an SSL connection profile.

Complete the following to integrate Pulse Secure with IDaaS.

Step 1: Configure the AAA clients and authentication realm

Step 1.1: Configure IDaaS as an AAA Client

Log in to the Pulse Secure Web management interface. The Pulse Secure main page appears, displaying the Dashboard.

Note: It is assumed that you have already deployed and pre-configured the network interface and SSL certificates on the Pulse Secure VM software.

Expand the Authentication option and select Auth Servers. The Authentication Server page appears.

In the New drop-down list, select RADIUS Server, and click New Server. The New RADIUS Server page appears.

In the New RADIUS Server page, do the following:

In the Name field, enter the Entrust IdentityGuard Radius Server name; for example, Entrust IdentityGuard.

In the RADIUS Server field, enter the IP address of the RADIUS server.

In the Authentication Port field, enter the port number. The default port is 1812.

In the Accounting Port field, enter the port number. The default port is 1813.

In the Shared Secret field, enter the RADIUS secret.

In the Retries field, enter the number of retries to allow.

Leave the other settings at the default values.

Scroll down to Custom Radius Rules.

Click New Radius Rule. The Add Custom Radius Rule page appears.

In the Add Custom Radius Rule page, do the following:

In the Name field, enter the name for the Radius rule, for example, Radius_Rule.

From the Response Packet Type drop-down list, select Access Challenge.

From the Radius Attribute drop-down list, select Reply-Message(18).

From the Operand drop-down list select matches the expression.

In the Value field, enter (.*).

Select show Generic Login page.

Click Save Changes. You are returned to the Auth Servers page.

Step 1.2: Configure LDAP as an AAA client

In the Pulse Connect Secure menu, expand the Authentication option and select Auth Servers. The Authentication Server page appears.

From the New drop-down list, select LDAP Server, and click New Server. The LDAP Server Profile page appears.

In the New LDAP Server page, do the following:

In the Name field, enter a name for your LDAP server (for example, Ldap).

In the LDAP Server field, enter the IP address or host name of the Active Directory.

In the Port field, enter 389.

From the LDAP Server Type drop-down list, select Active Directory.

Click Test Connection to make sure that Pulse Secure can communicate with the LDAP server.

In the Authentication Required? pane, do the following:

Select the Authentication required to search LDAP check box.

In the Admin DN field, enter the domain name (for example, if your Active Directory has the domain name iguser.mycompany.com, then you will specify Admin DN as cn=administrator,cn=users,dc=iguser,dc=mycompany,dc=com).

In the Password field, enter the Active Directory administrator account password.

Leave the other settings at the default values.

In the Finding user entries pane, do the following:

In the Base DN field, enter the domain name (for example, if your Active Directory has the domain name iguser.mycompany.com, then you will specify Base DN dc=iguser,dc=mycompany,dc=com).

In the Filter field, enter cn=<USER>.

Step 1.3: Configure the authentication realm

In the Pulse Connect Secure main page menu, click Users, and then select User Realms > New User Realms. The New Authentication Realm page appears.

In the New Authentication Realm page, do the following:

In the Name field, enter an authentication realm name, for example, IdentityGuard_Realm.

In the Servers pane, do the following:

In the Authentication field, select Entrust IdentityGuard.

In the User Directory/Attribute field, select Same as above.

Click Save Changes.

Step 2: Configure user role mapping

Step 2.1: Add the LDAP user role mapping

In the Pulse Connect Secure main page menu, click Users, and then select User Realms > LDAP. The LDAP page appears.

Click the Role Mapping tab. The Role Mapping page appears.

Click New Rule. The Role Mapping Rule page appears.

In the Role Mapping Rule page, do the following:

In the Name field, enter a rule name; for example, User_rule.

In the Rule: If username pane, enter * next to the drop-down list.

In the then assign these roles, select Users.

Click Add.

Click Save Changes.

Step 2.2: Add Identity as a Service user role mapping

In the Pulse Connect Secure home page menu, click Users and then select User Realms > Entrust IdentityGuard. The User Realm page appears.

Click the Role Mapping tab. The Role Mapping page appears.

Click New Rule. The Role Mapping Rule page appears.

In the Role Mapping Rule page, do the following:

In the Name field, enter a rule name; for example, User_rule.

In the Rule: If username pane, enter * next to the drop-down list.

In the then assign these roles, select Users.

Click Add.

Click Save Changes.

Step 2.3: Configure a user role

Click the Users tab and select User Roles > New User Role. The New Role page appears.

In the Name field, enter a role name.

In the Options pane, select the Session Options, UI Options, and Pulse Secure client check boxes.

In the Access features pane, select the Web and VPN Tunneling check boxes.

Click Save Changes.

Step 3: Configure policies and IP address assignment for SSL VPN

Step 3.1: Configure sign-in policies

Click the Authentication tab and select Signing In > Sign-in Policies. The Signing In page appears.

Click New URL. The New Sign-In Policy page appears.

In the New Sign-In Policy page, do the following:

In the User Type field, select Users.

In the Sign-in URL field, enter */.

In the Sign-in page field, select Default sign-in page.

Leave the other settings at their default values.

In the Authentication Realm field, do the following:

Select User picks from a list of authentication realms option.

In the Available Realm field, select the authentication realm configured in Step 1.3: Configure the authentication realm (for example, IdentityGuard_Realm).

Click Add.

Click Save Changes.

Step 3.2: Configure resource policies

Click the Users tab and select Resource Policies > VPN Tunneling > Access Control. The VPN Tunneling Access Control page appears.

Click New Policy. The New Policy page appears.

In the Name field, enter a name, for example, VPN Tunneling Policy.

In the Resources field, enter *:*.

In the Roles pane, select Policy applies to ALL roles.

In the Action pane, select Allow access.

Click Save Changes at the bottom of the Pulse Secure main page. You are returned to the VPN Tunneling Access Control page.

Click the Connection Profiles tab to configure the SSL VPN profiles. The VPN Tunneling Connection Profile page appears.

Click New Profile. The New Profile page appears.

In the New Profile page, do the following:

In the Name field, enter a name, for example, SSL_VPN.

In the IPv4 address assignment pane:

Scroll down until you see SSL in the Connection Settings pane, and select SSL.

Scroll down until you see the DNS Settings pane. Select Manual DNS Settings.

In the Primary DNS field, enter the IP address of the DNS server.

Click Save Changes.

Step 3.3: Configure IP address assignment

Click the System tab and select Network > VPN Tunneling. The Network VPN Tunneling page appears.

In the IP Address field, enter the subnet IP address, for example 172.30.20.0/24, and click Add.

In the VPN Tunnel Server IP Address field, enter a static IP address to access the SSL VPN from the web browser or Pulse Secure client.

Click Save.

Step 4: Configure the Pulse Secure client on a client computer

Configure the Pulse Secure client on the client PC

Open a Web browser on the client computer.

Enter the VPN Tunnel Server IP Address, for example <https://172.30.20.15>. You are presented with the Pulse Secure login window.

Enter the Identity as a Service user name and password.

Click Sign In. You are prompted to respond to the Identity as a Service challenge.

In the Response field, enter the Grid response using your Entrust grid card.

Click Sign In. The Pulse Secure User Portal page appears.

Under the Client Application Session, click Start. The installer download page appears.

Double-click to open the downloaded Pulse Secure Client.

You are prompted to install the Pulse Secure Client.

Click Next to proceed with the installation.

Step 5: Add Pulse Secure to Identity as a Service

Step 5.1: Add Pulse Secure to Identity as a Service

Note: Entrust recommends that, when multiple RADIUS applications are configured, each RADIUS application is given a unique shared secret.

Integrate a RADIUS client

Click > Security > Applications. The Applications page appears.

Click Add. The Select an Application Template page appears.

Do one of the following:

Select RADIUS and VPN Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.

- or -

In the Search bar, enter a search option to filter for the application you want to add to IDaaS.

Click Pulse Secure. The Add Pulse Secure page appears.

Optional: Edit the Application Name.

Optional: Enter a Description for your application.

Optional: Add a custom application logo as follows:

Click next to Application Logo. The Upload Logo dialog box appears.

Click to select an image file to upload.

Browse to select your file and click Open. The Upload Logo dialog box displays your selected image.

If required, resize your image.

Click OK.

Click Next. The Setup page appears.

Click Add next to Hosts to add the host name of the VPN server. The RADIUS agent receives the request on this host. The RADIUS Agent on the Gateway determines which RADIUS application the request is for based on the host name and port.

Enter the host name in the Host dialog box and then click OK. Repeat this step to add more host names.

In the Port field, enter the port on which the RADIUS agent accepts messages.

Tip: Do not enter 8443 as the port number for this application. Port 8443 is used by the Entrust Identity Enterprise agent in your Gateway.

Attention: The RADIUS agent uses the host name that sent a request and the port number that it received the request from to determine which RADIUS application made the request. Because of that:
–Two RADIUS applications with the same port value cannot share any host names.
–Two RADIUS applications that have one or more matching host names must have different port values.
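To make the host/port rule concrete, here is an added Python check (example code, not part of the Entrust or Pulse Secure products) that flags application definitions the RADIUS agent could not tell apart, and applications placed on the reserved Gateway port; the application names, hosts and ports are constructed sample values.

```python
# Added example (not Entrust's or Pulse Secure's code). Models the rule the RADIUS
# agent uses to pick a RADIUS application: the (host name, port) pair of the
# incoming request must identify exactly one application. All names, hosts and
# ports below are constructed sample values.
RESERVED_GATEWAY_PORT = 8443   # used by the Entrust Identity Enterprise agent on the Gateway


def find_routing_conflicts(apps):
    """apps: list of dicts with 'name', 'hosts' (list of str) and 'port' (int).
    Returns (first_app, second_app, host, port) for every pair of applications
    the agent could not distinguish: same port and a shared host name.
    Host names are compared case-insensitively, ignoring surrounding space."""
    claimed = {}        # (host, port) -> name of the application that claimed it first
    conflicts = []
    for app in apps:
        for host in app["hosts"]:
            key = (host.strip().lower(), int(app["port"]))
            owner = claimed.setdefault(key, app["name"])
            if owner != app["name"]:
                conflicts.append((owner, app["name"], key[0], key[1]))
    return conflicts


def apps_on_reserved_port(apps):
    """Names of applications configured on the port the Tip above says not to use."""
    return [app["name"] for app in apps if int(app["port"]) == RESERVED_GATEWAY_PORT]


SAMPLE_APPS = [
    {"name": "PulseSecure-Ottawa", "hosts": ["vpn1.example.com", "vpn2.example.com"], "port": 1812},
    {"name": "PulseSecure-London", "hosts": ["vpn-uk.example.com"], "port": 1812},  # distinct host: fine
    {"name": "PulseSecure-Backup", "hosts": ["VPN2.example.com"], "port": 1812},    # same host and port: ambiguous
    {"name": "PulseSecure-Alt", "hosts": ["vpn1.example.com"], "port": 1645},       # same host, other port: fine
]

if __name__ == "__main__":
    for first, second, host, port in find_routing_conflicts(SAMPLE_APPS):
        print(f"{first} and {second} both claim {host}:{port}")
    for name in apps_on_reserved_port(SAMPLE_APPS):
        print(f"{name} is on reserved port {RESERVED_GATEWAY_PORT}")
```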

In the Shared Secret field, enter the shared secret that is used by your VPN server. This is the RADIUS secret shared between your VPN server and the RADIUS server. The shared secret value must match a shared secret in your RADIUS client.

From the Select RADIUS Agent drop-down list, select the name of the Gateway containing the RADIUS agent to which this application will be assigned.

Optional: From the Select RADIUS Attribute for IP Address drop-down list, select the RADIUS attribute that corresponds to your IP location.

In the Challenge Response Queue Max Time field, set the number of seconds that the RADIUS agent waits for a response to first-factor authentication. The default value is 180 seconds.

In the Challenge Response Queue Max Size field, set the maximum number of second-factor challenge requests allowed in the queue of your RADIUS application. The default value is 1000 requests. The maximum value is 10,000.

In the Request Cache Timeout field, set the number of seconds to cache requests. The default value is 10 seconds.

From the Character Set drop-down list, select the character set used to decode and encode string values (including the user ID and password values) in RADIUS messages. The options are UTF-8 and ISO-8859-1.

Optional: Select Log RADIUS messages to enable RADIUS message logging. When enabled, messages for the RADIUS agent are logged to the same log file as the gateway logs.

Optional: Enable the Authentication Settings.

Select Enable Push Authentication Fallback if you want authentication to fall back to another authenticator when push authentication fails. If required, set the Push Authentication Fallback Timeout to the number of minutes before the push authentication times out.

Select When authenticating the user will be asked to select their second-factor authenticator. When selected, after the user responds to the first-factor challenge, they are prompted to select their second-factor authenticator. The list of available second-factor authenticators is set by the resource rule.

The following is a list of supported strings matched to the authentication types:

Grid: grid

Knowledge-based Authentication: kba

One-time password: email, sms, voice

Smart Credential Push: scpush

Temporary Access Code: tac

Token: token

Token push: push

Select Indicate if requests must include the message-authenticator attribute for incoming messages to require that incoming messages include the Message-Authenticator attribute.

Select Indicate if requests must include the message-authenticator attribute for outgoing messages to include the Message-Authenticator attribute in outgoing messages.
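What the Message-Authenticator setting actually checks, as an added example rather than Entrust's own code: a minimal RADIUS Access-Request builder and the RFC 2869 HMAC-MD5 verification the agent performs when incoming requests must carry the attribute. The shared secret, user name, password and NAS address are constructed placeholders.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MSG_AUTH_TYPE = 80   # Message-Authenticator attribute (RFC 2869)
MSG_AUTH_LEN = 18    # type (1) + length (1) + 16-octet HMAC-MD5


def encode_user_password(secret, authenticator, password):
    # RFC 2865 User-Password hiding: XOR with an MD5(secret + previous block)
    # keystream, 16 bytes at a time. Included only so the sample request is
    # well-formed; this is the PAP method the Pulse Secure note above refers to.
    padded = (password + bytes(-len(password) % 16)) or bytes(16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def build_access_request(secret, identifier, authenticator, attrs):
    # attrs: list of (type, value-bytes) pairs. The Message-Authenticator is
    # appended last; its HMAC-MD5 is computed over the whole packet with the
    # attribute's own 16 value octets set to zero.
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    placeholder = struct.pack("!BB", MSG_AUTH_TYPE, MSG_AUTH_LEN) + bytes(16)
    length = 20 + len(body) + MSG_AUTH_LEN
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + struct.pack("!BB", MSG_AUTH_TYPE, MSG_AUTH_LEN) + mac


def verify_message_authenticator(secret, packet):
    # Returns True only when the packet carries a well-formed Message-Authenticator
    # whose value matches. A packet without the attribute is rejected, which is the
    # behaviour the "must include ... for incoming messages" setting asks for.
    if len(packet) < 20:
        return False
    pos = 20
    while pos + 2 <= len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            return False                      # malformed attribute length
        if t == MSG_AUTH_TYPE:
            if l != MSG_AUTH_LEN:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += l
    return False


# Constructed sample values (not real credentials). A fixed Request Authenticator
# keeps the example repeatable; real clients use 16 random octets per request.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
SAMPLE_REQUEST = build_access_request(SECRET, 7, AUTHENTICATOR, [
    (1, b"alice"),                                                    # User-Name
    (2, encode_user_password(SECRET, AUTHENTICATOR, b"correct-pw")),  # User-Password
    (4, bytes([10, 0, 0, 5])),                                        # NAS-IP-Address
])

if __name__ == "__main__":
    print("valid:", verify_message_authenticator(SECRET, SAMPLE_REQUEST))
```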

Select Remove domain from user ID for incoming requests to remove the domain value from the user ID during authentication when the user ID provided by the RADIUS client is in the format domain\username and the user ID in IDaaS is in the format username.

Select Indicate if Active Directory password authentication requests are handled by the same Gateway Instance that initiated the request to require that Active Directory password authentication and change requests initiated as part of the RADIUS authentication are handled by the Gateway Instance that initiated them. If disabled, the request can be handled by any Gateway Instance in the Gateway cluster.

Select Enable one-step multi-factor authentication. When enabled, the user enters their user ID and then their password and token response in the password field. If you select this option, second factor authenticators available in the resource rule are limited to token and temporary access code.

Enter the One-step multi-factor authentication security token length. This is the length of the token or temporary access code response if you enable one-step multi-factor authentication.

Optional: Add Response Attributes. Response attributes are returned to the RADIUS application after successful authentication. Use this setting to configure RADIUS attributes that return information such as the user's group membership to the VPN server.

When adding response attributes, you can optionally add group filters. For example:

Users in IDaaS may belong to one of the following groups: CANADA, US, UK, FRANCE.

The VPN server wants the FilterID attribute returned from the IDaaS RADIUS agent to be the value NA or EUROPE, depending on whether the user is in NA (Canada, US) or Europe (UK, France).

To do this, use a RADIUS attribute filter for the FilterID attribute with a Groups value with the following filters:
- match CANADA, replace NA
- match US, replace NA
- match UK, replace EUROPE
- match FRANCE, replace EUROPE

Set the Response Attributes as follows:

Click Add. The Add a Response Attribute dialog box appears.

Select the RADIUS Attribute ID from the drop-down list. The option you select depends on your VPN vendor.

Select the Value Type from the drop-down list.

To return a static value specified in the RADIUS attribute definition, select Static, enter a Value in the field, and then click Add.

To return the user’s group membership, select Group and then optionally do the following:

  1. Click Add to add filters.
  2. Enter the Match and the Replace attribute filters.
  3. Click Add to add more attribute filters.
  4. If you add multiple filters, you can drag and drop them in order of preference.
  5. Select Stop after matching filter if you want the filter to return only one value. Using the example above, if you want NA to have preference over EUROPE, make sure to list CANADA and US first in the list of filters.
  6. For Multiple Values Per Attribute, enter the Value Separator and then click Add.

Note: If a user belongs to more than one group, you can either add a separate attribute to your RADIUS response for each group or combine all of the groups into a single attribute. For example, if the user belongs to G1, G2 and G3, you would either:
- return a RADIUS response with three attributes, or
- return a RADIUS response with one attribute and a value like "G1,G2,G3", where the comma is defined in the Value Separator setting, or a value like "G1 G2 G3", where the Value Separator is defined as a space.

Attention: The default group separator is a space. If you have group names that are separated by a space, use another separator, such as a comma.

Repeat these steps to add more response attributes.
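The filter semantics described above (match/replace evaluated in the listed order, Stop after matching filter, and the one-attribute-per-group versus Value Separator choice from the Note), as an added Python model that is not the product's own code. The region filters are the page's CANADA/US/UK/FRANCE example; the other group names are constructed, and collapsing duplicate replacement values is an assumption of this example.

```python
def group_attribute_values(user_groups, filters=(), stop_after_match=False, separator=None):
    """Values to emit for a Group-type response attribute.
    user_groups: the IDaaS groups the user belongs to.
    filters: ordered (match, replace) pairs, evaluated in the order listed, so
             order of preference is the filter order, not the group order.
    stop_after_match: emit only the first filter that matches.
    separator: None -> one attribute instance per value; a string -> a single
               attribute whose value joins every value with that separator.
    Returns [] when nothing matches, so the caller can omit the attribute."""
    if filters:
        values = []
        for match, replace in filters:
            # Dropping a repeated replacement value is an assumption of this example.
            if match in user_groups and replace not in values:
                values.append(replace)
                if stop_after_match:
                    break
    else:
        values = list(user_groups)          # no filters: raw group names pass through
    if not values:
        return []
    return values if separator is None else [separator.join(values)]


def separator_is_safe(group_names, separator):
    """False if any group name contains the separator (the Attention note's
    space-in-group-name problem), which would make the joined value ambiguous."""
    return not any(separator in name for name in group_names)


# Filters from the page's example, North America listed first so NA wins when
# Stop after matching filter is selected.
REGION_FILTERS = [("CANADA", "NA"), ("US", "NA"), ("UK", "EUROPE"), ("FRANCE", "EUROPE")]

if __name__ == "__main__":
    print(group_attribute_values(["FRANCE", "US"], REGION_FILTERS, stop_after_match=True))  # ['NA']
    print(group_attribute_values(["G1", "G2", "G3"], separator=","))                         # ['G1,G2,G3']
    print(separator_is_safe(["Sales Team", "IT"], " "))                                      # False
```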

Optional: Configure the EAP Settings to set up the application to use the EAP RADIUS authentication protocol.

Select EAP Enabled to allow the RADIUS application to accept EAP messages.

When enabled, authentication messages with EAP content are treated as EAP requests. The application can accept only EAP authentication requests.

When disabled, incoming authentication requests are processed by the RADIUS application as a standard RADIUS authentication request (even if the request includes EAP content). In this case, the application can accept only standard RADIUS authentication requests.

Select the EAP Protocol from the drop-down list. The options are PEAPv0 with MS-CHAPv2 and PEAPv1 with GTC.

This setting defines the type of EAP authentication protocol that is performed on EAP requests received by the RADIUS application. Consult the configuration requirements of your VPN server to determine which EAP protocol to select.

Select Return MPPE Keys to include the MPPE (Microsoft Point-to-Point Encryption) recv and send keys in the Access-Accept message returned during a successful EAP authentication. The setting is enabled by default.

Select Use PEAPv1 label when calculating MPPE Keys to use the PEAPv1 label when calculating the MPPE recv and send keys.

Leave the Minimum TLS Version, Maximum TLS Version and Allow Weak Ciphers at the default settings unless you have an older VPN server that does not support the latest TLS versions and you need to allow older versions of TLS or weaker ciphers to interoperate with it.

Configure the Deprecated Settings if your RADIUS application is connected to a Gateway version older than 3.0. These values are only required for backwards compatibility.

Select Token OTP Only, Password with second-factor, or No first-factor as the Authentication Type. This setting defines the level of authentication required to access a RADIUS application that relies on a gateway RADIUS agent configured before release 3.1.

Note: MSCHAPv2 authentication is not supported when No first-factor authentication is configured for the RADIUS application.

Click Submit.

Step 5.2: Add a resource rule

See Create resource rules.

Step 6: Test the integration

Step 6.1: Test Pulse Secure for one-step authentication

On the client PC, double-click to open the Pulse Secure Client.

Note: It is assumed that you have already deployed the Pulse Secure Client software on the client computer as described in Step 4: Configure the Pulse Secure client on a client computer.

Select the + to add a new SSL connection profile. The Add Connection dialog appears.

In the Name field, enter the SSL VPN name.

In the Server URL field, enter the Pulse Secure SSL URL, for example, https://172.30.20.15/sslvpn.

Click Connect. You are prompted to authenticate.

In the User Name field, enter the Identity as a Service user name.

In the Passcode field, enter the Identity as a Service Password or Temporary PIN.

Click Connect.

On the Pulse Secure page, select Connections > Advanced Connection Details.

The Pulse Secure SSL VPN connection details screen appears.


Step 6.2: Test Pulse Secure VPN for two-step authentication

On the client PC, double-click to open the Pulse Secure Client.

Note: It is assumed that you have already deployed the Pulse Secure Client software on the client computer as outlined in Step 4: Configure the Pulse Secure client on a client computer.

Select the + to add a new SSL connection profile. The Add Connection dialog appears.

In the Name field, enter the SSL VPN name.

In the Server URL field, enter the Pulse Secure SSL URL, for example, https://172.30.20.15/sslvpn.

Click Connect. You are prompted to authenticate.

In the User Name field, enter the Identity as a Service user name.

In the Passcode field, enter the Identity as a Service Password or Temp PIN.

Click Connect. You are prompted to enter the second-factor authentication response.

Enter the second-factor authentication response.

Note: The challenge depends on the type of second factor authentication you have configured in the Entrust IdentityGuard Radius Server.

Click Connect. After the connection is complete, the Pulse Secure Client Connections screen appears.

Step 6.3: Test Pulse Secure using Entrust push authentication

Test using the Entrust Identity app for push authentication

Log in with the correct first-factor username/password on your RADIUS client.

Open the Entrust Identity app on a mobile device.

Unlock (log in) using the identity you want to use to respond to the request.

Tap Actions.

Review the transaction summary details.

Tap Confirm.