Pulse Policy Secure
Access Control in the Federated Enterprise Using IF-MAP Network Configuration Example
Product Release 5.2
Document Revision 1.0
Published: 2015-03-31
© 2015 by Pulse Secure, LLC. All rights reserved
Pulse Secure, LLC
2700 Zanker Road, Suite 200
San Jose, CA 95134
http://www.pulsesecure.net
Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered
trademarks, or registered service marks are the property of their respective owners.
Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
Pulse Policy Secure Access Control in the Federated Enterprise Using IF-MAP Network Configuration Example
The information in this document is current as of the date on the title page.
END USER LICENSE AGREEMENT
The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation ... xiii
  Documentation and Release Notes ... xiii
  Supported Platforms ... xiii
  Documentation Conventions ... xiii
  Documentation Feedback ... xv
  Requesting Technical Support ... xvi
    Self-Help Online Tools and Resources ... xvi
    Opening a Case with PSGSC ... xvi
Part 1: Overview
Chapter 1: Solution Components ... 3
  Solution Example Overview: User Experience and Security Objectives for a Federated Enterprise Network ... 3
    Local Access ... 4
    Remote Access ... 5
    Resource Access ... 5
    Federated Access ... 5
Chapter 2: Component Versions ... 7
  Software Versions Used in this Example ... 7
Chapter 3: Component Topology ... 9
  Solution Example Topology: Pulse Secure Access Solutions for a Federated Enterprise Network ... 9
    Component Topology ... 9
    Local Access: 802.1x Network Access Control ... 10
    Remote Access: Pulse Connect Secure SSL VPN ... 11
    Resource Access: Pulse Policy Secure ... 11
    Federation ... 11
    Odyssey Access Client Software ... 12
    Pulse Secure Client Software ... 12
Part 2: Configuration
Chapter 4: Local Network Access Policy Deployments ... 15
  Campus 802.1x and DHCP Deployment ... 15
    Deployment Diagram ... 16
    Layer 2 Switch Configuration ... 17
    Pulse Policy Secure Configuration ... 20
    DHCP Server Configuration ... 21
  Branch 802.1x and DHCP Deployment ... 24
    Deployment Diagram ... 24
    Layer 2 Switch Configuration ... 25
    Pulse Policy Secure Configuration ... 28
    DHCP Server Configuration ... 30
Chapter 5: Remote Access Policy Deployment ... 33
  Pulse Connect Secure User Access Management Framework ... 33
    Overview ... 33
    User Roles ... 34
    Authentication Server ... 40
    User Authentication Realm ... 41
    Network Connect Connection Profile ... 43
    Sign-In Policy ... 45
    Complete Configuration ... 46
Chapter 6: User Access Management Framework ... 47
  Campus Pulse Policy Secure User Access Management Framework ... 47
    Overview ... 47
    User Roles ... 48
    Authentication Server ... 50
    User Authentication Realm ... 52
    Sign-In Policy ... 53
    Complete Configuration ... 54
  Branch Pulse Policy Secure User Access Management Framework ... 54
    Overview ... 55
    User Roles ... 56
    Authentication Server ... 57
    User Authentication Realm ... 59
    Sign-In Policy ... 60
    Complete Configuration ... 62
Chapter 7: Resource Access Policy Deployments ... 63
  Campus Resource Access Policy Enforcement Deployment ... 63
    Deployment Diagram ... 64
    SRX Series Configuration ... 64
    Pulse Policy Secure Configuration ... 66
  Branch Resource Access Policy Enforcement Deployment ... 68
    Deployment Diagram ... 69
    SSG Series Configuration ... 69
    Pulse Policy Secure Configuration ... 72
Chapter 8: IF-MAP Federation ... 75
  IF-MAP Deployment ... 75
    Overview ... 75
    Pulse Policy Secure IF-MAP Server Configuration ... 77
    Pulse Policy Secure IF-MAP Client Configuration ... 84
    Pulse Secure Access Service IF-MAP Client Configuration ... 86
Part 3: Administration
Chapter 9: Local Sessions ... 91
  Reviewing 802.1x Network Access Logs ... 91
Chapter 10: Remote Sessions ... 95
  Reviewing SSL VPN Access Logs ... 95
Chapter 11: Federated Sessions ... 99
  Reviewing IF-MAP Logs ... 99
List of Figures
Part 1: Overview
Chapter 1: Solution Components ... 3
  Figure 1: Federated Enterprise Network with Employees Located in Campus, Branch, and Home Offices ... 4
Chapter 3: Component Topology ... 9
  Figure 2: Network Deployment Supporting Users in Campus, Branch, and Home Offices ... 10
Part 2: Configuration
Chapter 4: Local Network Access Policy Deployments ... 15
  Figure 3: Campus 802.1x Deployment ... 17
  Figure 4: HP Procurve Web UI: Configuration > VLAN Configuration ... 18
  Figure 5: Pulse Policy Secure: UAC > Network Access > Location Group ... 20
  Figure 6: Pulse Policy Secure: UAC > Network Access > RADIUS Client ... 21
  Figure 7: Pulse Policy Secure: UAC > Network Access > RADIUS Return Attributes Policies ... 21
  Figure 8: ScreenOS Web UI: Network > Interfaces ... 22
  Figure 9: ScreenOS Web UI: Network > DHCP ... 23
  Figure 10: ScreenOS Web UI: Network > DHCP > DHCP Server Address Edit ... 23
  Figure 11: Branch 802.1x Deployment ... 25
  Figure 12: J-Web UI: Point and Click CLI > protocols > dot1x ... 26
  Figure 13: J-Web UI: Point and Click CLI > access > dot1x > authenticator ... 27
  Figure 14: J-Web UI: Point and Click CLI > access > radius-server ... 27
  Figure 15: J-Web UI: Configure > Switching > VLAN ... 28
  Figure 16: Pulse Policy Secure: UAC > Network Access > Location Group ... 29
  Figure 17: Pulse Policy Secure: UAC > Network Access > RADIUS Client ... 29
  Figure 18: Pulse Policy Secure: UAC > Network Access > RADIUS Return Attributes Policies ... 30
  Figure 19: ScreenOS Web UI: Network > Interfaces ... 31
  Figure 20: ScreenOS Web UI: Network > DHCP ... 31
  Figure 21: ScreenOS Web UI: Network > DHCP > DHCP Server Address List ... 32
Chapter 5: Remote Access Policy Deployment ... 33
  Figure 22: Pulse Connect Secure User Access Management Framework ... 34
  Figure 23: Pulse Connect Secure: Users > User Roles ... 35
  Figure 24: Pulse Connect Secure: Users > User Roles ... 36
  Figure 25: Pulse Connect Secure: Users > User Roles > Enterprise > Network Connect ... 37
  Figure 26: Pulse Connect Secure: Users > User Roles > Enterprise > Restrictions > Host Checker ... 38
  Figure 27: Pulse Connect Secure: Users > User Roles ... 39
  Figure 28: Pulse Connect Secure: Authentication > Auth Servers > AD Server ... 41
  Figure 29: Pulse Connect Secure: Users > User Realms ... 42
  Figure 30: Pulse Connect Secure: Users > User Authentication Realms ... 43
  Figure 31: Pulse Connect Secure SSL VPN Connection ... 44
  Figure 32: Pulse Connect Secure: Users > Resource Policies > Network Connect Connection Profiles ... 45
  Figure 33: Pulse Secure Access Service: Authentication > Signing In ... 46
Chapter 6: User Access Management Framework ... 47
  Figure 34: Pulse Policy Secure User Access Management Framework ... 48
  Figure 35: Pulse Policy Secure: Users > User Roles ... 49
  Figure 36: Pulse Access Control Service: Users > User Roles > Enterprise > Restrictions > Host Checker ... 49
  Figure 37: Pulse Policy Secure: Authentication > Auth. Servers ... 51
  Figure 38: Pulse Policy Secure: Users > User Authentication Realms ... 52
  Figure 39: Pulse Policy Secure: Users > User Authentication Realms > Role Mapping ... 52
  Figure 40: Pulse Policy Secure: Authentication > Signing In > Sign-in Policies ... 53
  Figure 41: Pulse Policy Secure: Authentication > Signing In > Authentication Protocol Sets ... 54
  Figure 42: Pulse Policy Secure User Access Management Framework ... 55
  Figure 43: Pulse Policy Secure: Users > User Roles ... 56
  Figure 44: Pulse Policy Secure: Users > User Roles > Enterprise > General > Restrictions > Host Checker ... 57
  Figure 45: Pulse Policy Secure: Authentication > Auth. Servers > New Active Directory Server > AD Server ... 58
  Figure 46: Pulse Policy Secure: Users > User Authentication Realms ... 59
  Figure 47: Pulse Policy Secure: Users > User Authentication Realms > Role Mapping ... 60
  Figure 48: Pulse Policy Secure: Authentication > Signing In > Sign-In Policies ... 61
  Figure 49: Pulse Policy Secure: Authentication > Signing In > Authentication Protocol Sets ... 61
Chapter 7: Resource Access Policy Deployments ... 63
  Figure 50: Campus Resource Access Policy Enforcement Deployment ... 64
  Figure 51: J-Web UI: Point and Click CLI > services > unified-access-control ... 65
  Figure 52: J-Web UI: Point and Click CLI > security > policies > policy > untrust-trust ... 66
  Figure 53: Pulse Policy Secure: UAC > Infranet Enforcer > Connection ... 67
  Figure 54: Pulse Policy Secure: UAC > System > Status ... 67
  Figure 55: Pulse Policy Secure: UAC > Infranet Enforcer > Resource Access Policies ... 68
  Figure 56: Branch Resource Access Policy Enforcement Deployment ... 69
  Figure 57: ScreenOS Web UI: Configuration > Infranet Auth > Controllers ... 70
  Figure 58: ScreenOS Web UI: Configuration > Infranet Auth > General Settings ... 71
  Figure 59: ScreenOS Web UI: Policy > Policies (From Untrust to Trust) > Advanced Policy Settings ... 72
  Figure 60: Pulse Policy Secure: UAC > Infranet Enforcer > Connection ... 73
  Figure 61: Pulse Policy Secure: UAC > Infranet Enforcer > Enforcer Policies ... 74
  Figure 62: Pulse Policy Secure: UAC > Infranet Enforcer > Resource Access Policies ... 74
Chapter 8: IF-MAP Federation ... 75
  Figure 63: IF-MAP Deployment ... 76
  Figure 64: Federated Access Service Devices ... 76
  Figure 65: Pulse Policy Secure: System > IF-MAP Federation > Overview ... 78
  Figure 66: Pulse Policy Secure: System > IF-MAP Federation > This Server ... 79
  Figure 67: Pulse Policy Secure: System > IF-MAP Federation > IF-MAP Client ... 80
  Figure 68: Pulse Policy Secure: System > IF-MAP Federation > IF-MAP Client ... 81
  Figure 69: Pulse Policy Secure: System > IF-MAP Federation > Session-Export Policy ... 82
  Figure 70: Pulse Policy Secure: System > IF-MAP Federation > Session-Import Policy ... 83
  Figure 71: Pulse Policy Secure: System > IF-MAP Federation > Overview ... 84
  Figure 72: Pulse Policy Secure: System > IF-MAP Federation > Session-Export Policy ... 85
  Figure 73: Pulse Policy Secure: System > IF-MAP Federation > Session-Import Policy ... 86
  Figure 74: Pulse Secure Access Service: System > IF-MAP Federation > Overview ... 87
  Figure 75: Pulse Secure Access Service: System > IF-MAP Federation > Session-Export Policy ... 88
Part 3: Administration
Chapter 9: Local Sessions ... 91
  Figure 76: Odyssey Access Client ... 91
  Figure 77: ipconfig ... 92
  Figure 78: Odyssey Access Client ... 92
  Figure 79: ipconfig ... 93
  Figure 80: Pulse Policy Secure: Status > Active Users ... 93
  Figure 81: Pulse Policy Secure: System > Log/Monitoring > User Access ... 93
  Figure 82: Pulse Policy Secure: System > IF-MAP Federation (Client) > Active Users > Exported ... 94
Chapter 10: Remote Sessions ... 95
  Figure 83: Remote Host Computer: ipconfig ... 95
  Figure 84: Pulse Secure Client ... 96
  Figure 85: Remote Host Computer: ipconfig ... 96
  Figure 86: Pulse Connect Secure: System > Log/Monitoring > User Access ... 97
  Figure 87: Pulse Connect Secure: System > IF-MAP Federation (Client) > Active Users > Exported ... 98
Chapter 11: Federated Sessions ... 99
  Figure 88: Pulse Access Control Service: System > IF-MAP Federation (Client) > Active Users > Exported ... 99
  Figure 89: Pulse Connect Secure: System > IF-MAP Federation (Client) > Active Users > Exported ... 100
  Figure 90: Web Server with IP Address 6.6.6.6 ... 100
  Figure 91: Pulse Secure Access Control Service: System > IF-MAP Federation (Server) > Active Users > Imported ... 100
  Figure 92: Pulse Access Control Service: System > Log/Monitoring > User Access ... 101
  Figure 93: Web Server with IP Address 5.5.5.5 ... 101
  Figure 94: Pulse Secure Access Control Service: System > IF-MAP Federation (Client) > Active Users > Imported ... 102
  Figure 95: Pulse Secure Access Control Service: System > Log/Monitoring > User Access ... 102
  Figure 96: Pulse Secure Access Control Service: System > Log/Monitoring > Events ... 103
List of Tables
About the Documentation ... xiii
  Table 1: Notice Icons ... xiv
  Table 2: Text and Syntax Conventions ... xiv
Part 1: Overview
Chapter 2: Component Versions ... 7
  Table 3: Software Versions Used in This Example ... 7
Part 2: Configuration
Chapter 4: Local Network Access Policy Deployments ... 15
  Table 4: Campus Switch 802.1x Configuration ... 17
  Table 5: Campus Policy Secure 802.1x Configuration ... 20
  Table 6: Campus DHCP Address Ranges ... 22
  Table 7: Branch Switch 802.1x Configuration ... 26
  Table 8: Branch Policy Secure 802.1x Configuration ... 28
  Table 9: Branch DHCP Address Ranges ... 30
Chapter 7: Resource Access Policy Deployments ... 63
  Table 10: Campus UAC Enforcer Configuration ... 64
  Table 11: Campus Pulse Policy Secure Resource Access Policy Configuration ... 66
  Table 12: Branch UAC Enforcer Configuration ... 70
  Table 13: Branch Pulse Policy Secure Resource Access Policy Configuration ... 73
Part 3: Administration
Chapter 9: Local Sessions ... 91
  Table 14: User Access Logs ... 94
Chapter 10: Remote Sessions ... 95
  Table 15: User Access Logs ... 97
About the Documentation
• Documentation and Release Notes on page xiii
• Supported Platforms on page xiii
• Documentation Conventions on page xiii
• Documentation Feedback on page xv
• Requesting Technical Support on page xvi
Documentation and Release Notes
To obtain the latest version of Pulse Secure technical documentation, see the product
documentation page at http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Supported Platforms
For the features described in this document, the following platforms are supported:
• IC Series
• SA Series
• EX Series
• SRX Series
• MAG Series
Documentation Conventions
Table 1 on page xiv defines notice icons used in this guide.
Table 1: Notice Icons

Meaning               Description
Informational note    Indicates important features or instructions.
Caution               Indicates a situation that might result in loss of data or hardware damage.
Warning               Alerts you to the risk of personal injury or death.
Laser warning         Alerts you to the risk of personal injury from a laser.
Tip                   Indicates helpful information.
Best practice         Alerts you to a recommended use or implementation.
Table 2 on page xiv defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
      user@host> configure

Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
      user@host> show chassis alarms
      No alarms currently active

Italic text like this
  Description: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
  Examples: A policy term is a named structure that defines match conditions and actions.
            Junos OS CLI User Guide
            RFC 1997, BGP Communities Attribute

Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine’s domain name:
      [edit]
      root@# set system domain-name domain-name

Text like this
  Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
            The console port is labeled CONSOLE.

< > (angle brackets)
  Description: Encloses optional keywords or variables.
  Example: stub <default-metric metric>;

| (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples: broadcast | multicast
            (string1 | string2 | string3)

# (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]

Indention and braces ( { } )
  Description: Identifies a level in the configuration hierarchy.

; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.

  Example for indention, braces, and semicolons:
      [edit]
      routing-options {
          static {
              route default {
                  nexthop address;
                  retain;
              }
          }
      }

GUI Conventions

Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples: In the Logical Interfaces box, select All Interfaces.
            To cancel the configuration, click Cancel.

> (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.
Requesting Technical Support
Technical product support is available through the Pulse Secure Global Support Center
(PSGSC). If you are a customer with an active support contract, or are covered under
warranty, and need post-sales technical support, you can access our tools and resources
online or open a case with PSGSC.

• Product warranties—For product warranty information, visit http://www.pulsesecure.net/support

Self-Help Online Tools and Resources
For quick and easy problem resolution, Pulse Secure has designed an online self-service portal called the Pulse Secure Global Support Center (PSGSC) that provides you with the following features:

• Find CSC offerings: http://www.pulsesecure.net/support
• Search for known bugs: http://www.pulsesecure.net/support
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://www.pulsesecure.net/support
• Download the latest versions of software and review release notes: http://www.pulsesecure.net/support/
• Search technical bulletins for relevant hardware and software notifications: http://www.pulsesecure.net/support
• Open a case online in the CSC Case Management tool: http://www.pulsesecure.net/support

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: http://www.pulsesecure.net/support
Opening a Case with PSGSC
You can open a case with PSGSC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.pulsesecure.net/support.
• Call 1-888-314-5822 (toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.pulsesecure.net/support.
PART 1
Overview

• Solution Components on page 3
• Component Versions on page 7
• Component Topology on page 9
CHAPTER 1
Solution Components

• Solution Example Overview: User Experience and Security Objectives for a Federated Enterprise Network on page 3

Solution Example Overview: User Experience and Security Objectives for a Federated Enterprise Network
This example provides a concrete overview of the Pulse Secure network access
services solution for the federated enterprise. The solution enforces identity-based
security policies for LAN access, remote access, and resource access.
In a federated enterprise, computing resources and data are located in multiple
locations—in large campus sites and in branch offices. Employees connect to the
corporate network from campus, branch, or private home offices. Figure 1 on page 4
represents the federated enterprise network problem abstractly, showing many
branches, many campuses, and many home users. The network operation center
(NOC) handles the routing and data transport between sites.
Figure 1: Federated Enterprise Network with Employees Located in Campus, Branch, and Home Offices
[Figure: diagram of several branch, campus, and home sites connected through the NOC. Branch and campus sites are labeled "Network Access" and "Resource Access"; home sites are labeled "Network Access" only.]
A federated solution is a coordinated solution, requiring not only compatible network
equipment and cooperation among administrators, but also coordination of user
experience and security objectives. In this example, the access solution serves the
following goals:


• User Experience. Ensure that employees can access the corporate network and can access resources and data in both local and remote locations without having to specify their authentication credentials at each security policy enforcement point.
• Security. Enforce a simple “employees only” policy—employees get access, non-employees do not. The policy also requires endpoint host computers to run particular antivirus software.
The following sections provide an overview of the user experience and security goals for enterprise scenarios:

• Local Access on page 4
• Remote Access on page 5
• Resource Access on page 5
• Federated Access on page 5
Local Access
In this example, Lisa is an employee who works at the branch work site. John is an
employee who works at the campus work site. At company work sites, employee
desktop computers are wired to LAN switches, but the users are not admitted to the
LAN and do not have IP connectivity until they use their employee usernames and
passwords for authentication.
The IT department has installed Pulse Secure Odyssey Access Client (OAC)
software on office desktop computers and has configured OAC to perform the
authentication and DHCP requests for the user. When Lisa starts her workday, for
example, she enters her unique username and password to initiate the
authentication and network admission request. If her request meets authentication
and endpoint inspection requirements, she is admitted to the corporate network and
assigned an IP address. This example provides details on the deployment
components and configuration required to enable this local access scenario.
Remote Access
Remote employees, such as home office workers or sales workers who work from
customer sites or hotels, use an ISP or private network to connect to the Internet
and then use Pulse Secure client to create an SSL VPN connection to the corporate
network. In this example, Bob is an employee who works from his home office. To
connect to the corporate network, he opens the Junos Pulse client, selects the SSL
VPN connection, types his employee username and password, and clicks Connect.
Junos Pulse performs the authentication request. If his request meets authentication
and endpoint inspection requirements, he is admitted to the corporate network and
the Junos Pulse adapter is assigned an IP address. This example provides details
on the deployment components and configuration required to enable this remote
access scenario.
Resource Access
Admission to the corporate network, either through the local access or remote
access mechanism, gives the user access to “unprotected” resources connected to
the LAN. Identity-based resource access control is an additional security measure
that is enforced when a user accesses “protected” resources. Protected resources
are applications and files hosted on servers deployed behind a firewall that enforces
both security rules and identity-based permissions. In this example, we deploy
firewalls as an additional enforcement point. We want to perform the additional
security check and collect logs that prove the identity-based enforcement, but we do
not want to interrupt the user with a second authentication challenge. This example
provides details on the deployment components and configuration required to
enforce an additional identity-based resource access policy without requiring
additional actions by users.
Federated Access
In a large network, you might implement resource access policies using many
different network access services. In this example, we deploy the Pulse Policy
Secure in the campus network and a second Policy Secure in the branch network.
In the branch network, for example, the branch Policy Secure creates session
entries for the user named Lisa when she logs in and is admitted to the local
network. When Lisa accesses a resource associated with the branch Policy Secure,
the service can refer to the existing session entry, so it does not need to prompt her
for authentication credentials. But what happens when Lisa visits a URL associated
with a different Policy Secure, such as one located in the campus network? If the
campus Policy Secure cannot associate a request with an existing authenticated
session entry, it prompts Lisa to provide her username and password.
In this example, we want to perform identity-based security checks throughout the
network without requiring user action each time the user reaches a new
enforcement point. In a federated deployment, the access services share
information about authenticated user sessions. In this example, the Policy Secure
and Connect Secure are deployed in a federation. When branch employees start
their workday, log in, and are admitted to the branch network, the branch Policy
Secure exports information about the sessions to the campus Policy Secure. When
a user visits a URL associated with the campus Policy Secure, the campus service
refers to the imported authenticated session entry and so does not need to prompt
for username and password. It uses the imported session information to perform the
security check and enforce the policy.
This example provides details on how to deploy the Pulse Secure access devices in
an Interface for Metadata Access Points (IF-MAP) federation, and it shows how you
can use IF-MAP logs to verify that session information is being shared as expected.
For information about the IF-MAP standard, go to the following location:
http://www.trustedcomputinggroup.org/resources/tnc_ifmap_binding_for_soap_specification
Related Documentation

• Solution Example Topology: Pulse Secure Access Solutions for a Federated Enterprise Network on page 9
CHAPTER 2
Component Versions

• Software Versions Used in this Example on page 7

Software Versions Used in this Example
Table 3 on page 7 summarizes the software versions used in this example.
Table 3: Software Versions Used in This Example

Hardware Component   Software Version                                        Configuration File Download (1)
NS5 GT               ScreenOS 6.3                                            Campus DHCP server; Branch DHCP server
HP 2626              10.02                                                   Campus 802.1x switch
EX3200               Junos OS 10.1R2.8                                       Branch 802.1x switch
SRX100               Junos OS 10.1R2.8                                       Campus Infranet Enforcer
SSG20                ScreenOS 6.3                                            Branch Infranet Enforcer
IC Series            Pulse Secure Access Control Service 4.1r1 build 17057   Campus: system.cfg, user.cfg; Branch: system.cfg, user.cfg
SA Series            Junos Pulse Secure Access Service 7.1r1 build 17675     system.cfg, user.cfg
Client hosts         Windows XP SP3                                          –
Client               Odyssey Access Client 5.3                               –
Client               Junos Pulse 2.0                                         –

(1) Refer to product user documentation for information on loading configuration files. For Pulse Secure services products, we
recommend you (1) Upgrade to the release version used in this example; (2) Import the configuration; (3) Modify network
address configuration as necessary; (4) Upgrade to the release version you want to evaluate.
CHAPTER 3
Component Topology

• Solution Example Topology: Pulse Secure Access Solutions for a Federated Enterprise Network on page 9

Solution Example Topology: Pulse Secure Access Solutions for a Federated Enterprise Network
This example scenario shows a simple federated network for a laboratory we use for
evaluating new Pulse Secure client features. If you have not already built your own
feature evaluation laboratory, you can make use of this example by emulating the
network design, downloading the configuration files, and using them as a template
for configuration of your own laboratory deployment. If you already have an
evaluation laboratory in place, you can use this example to understand how to
deploy the Pulse Secure services within your existing campus and branch network
infrastructure.
The following sections describe and illustrate the network topology and provide an
overview of the access solutions implemented in this example:

• Component Topology on page 9
• Local Access: 802.1x Network Access Control on page 10
• Remote Access: Pulse Connect Secure SSL VPN on page 11
• Resource Access: Pulse Policy Secure on page 11
• Federation on page 11
• Odyssey Access Client Software on page 12
• Pulse Secure Client Software on page 12
Component Topology
Figure 2 on page 10 shows the network components deployed in the campus and
branch locations, as well as an SSL VPN SA Series device deployed to support
users working from home offices. The sections that follow explain the solutions
enabled by this deployment.
Figure 2: Network Deployment Supporting Users in Campus, Branch, and Home Offices
[Figure: network diagram. Labels recovered from the image:
  Branch site: Management 10.0.1.0/24, Enterprise 10.0.2.0/24, Guest 10.0.3.0/24, Remediation 10.0.4.0/24; Lisa; Web server 5.5.5.5; ScreenOS Enforcer SSG20; L2 switch EX3200; IF-MAP client IC Series "ICA"; DHCP server
  Campus site: Management 20.0.1.0/24, Enterprise 20.0.2.0/24, Guest 20.0.3.0/24, Remediation 20.0.4.0/24; John; Web server 6.6.6.6; Junos Enforcer SRX100; L2 switch HP2626; IF-MAP server IC Series "ICB"; DHCP server; AD/DNS Globalcorp.local 192.168.252.33
  Home: Bob, connected through an ISP; IF-MAP client SA Series "SA" (SSL VPN gateway)
  NOC linking the sites; addresses shown on the site links: 192.168.240.1, 192.168.241.1, 192.168.242.1, 192.168.243.1, 192.168.244.1, 192.168.246.1, 192.168.250.1]
Figure 2 on page 10 shows a network operation center (NOC) that handles the routing
and data transport between sites. In our simple lab example, a branch gateway
router and a campus gateway router are connected through NOC links. We do not
provide details on the NOC in this example. In your network, you must use your
routing infrastructure in such a way that the local and remote access services can
reach each other.
Local Access: 802.1x Network Access Control
In this example, employee admission to the LAN is controlled by an IEEE 802.1x
deployment. To implement 802.1x network access control, you configure three
components to communicate using 802.1x protocols:
• Supplicant. A client application that uses an 802.1x protocol to broadcast its user credentials. In Figure 2 on page 10, the Odyssey Access Client (OAC) software installed on John’s and Lisa’s host computers acts as the 802.1x supplicant.
• Authenticator. An 802.1x-enabled switch that enforces the port-based network access control. In this deployment, the Layer 2 switches are configured as RADIUS clients. The Layer 2 switch uses results of the RADIUS server return attributes policy to determine the VLAN in which to place the user. In Figure 2 on page 10, the campus Layer 2 switch and branch Layer 2 switch act as 802.1x authenticators.
• Authentication server. In Figure 2 on page 10, Pulse Policy Secure devices are deployed in campus and branch data centers. The IC Series devices run the Pulse Policy Secure, which is configured to act as a RADIUS server. It authenticates users against an Active Directory authentication source. It uses the authentication results and endpoint inspection results to determine the VLAN in which to place the user and sends those results to the switch.
In this network, DHCP services are configured so that there is a one-to-one
correspondence between VLANs and IP subnets. Users who pass authentication
and endpoint inspection are placed in the Enterprise VLAN and receive an IP
address that belongs to the Enterprise subnet. Users who pass authentication but fail
endpoint inspection are placed in the Remediation VLAN and receive an IP address
that belongs to the Remediation subnet. Users who fail authentication are placed in
the Guest VLAN and receive an IP address that belongs to the Guest subnet.
For information about the IEEE 802.1x standard, go to the following location:
http://standards.ieee.org/getieee802/download/802.1X-2010.pdf
Remote Access: Pulse Connect Secure SSL VPN
In this example, home office employees like Bob use the Pulse Secure client to
establish an SSL VPN connection to the corporate network. In Figure 2 on page 10,
the SA Series device is deployed in a colocation center. The SA Series runs the
Pulse Connect Secure, which performs authentication and endpoint inspection to
determine whether to admit remote users to the corporate intranet. In this example,
users who pass authentication against the Active Directory server and pass the
endpoint inspection policy are mapped to the Enterprise role and are able to
establish an SSL VPN connection to the corporate network.
Resource Access: Pulse Policy Secure
In Figure 2 on page 10, the SRX Series and SSG Series devices are deployed as
enforcement points for the Pulse Policy Secure resource access policy. Users who
map to the Enterprise role are permitted to access protected resources. Users who
map to the Remediation role are denied access.
Federation
In Figure 2 on page 10, the IC Series and SA Series devices are deployed to perform
their core functions—local access control for campus and branch users and secure
access for remote users. The devices are also configured to participate in a federation
that uses the Interface for Metadata Access Points (IF-MAP) standard protocol to
share data about user sessions. For information about the IF-MAP standard, see
http://www.trustedcomputinggroup.org/resources/tnc_ifmap_binding_for_soap_specification.
The campus IC Series device runs the Pulse Policy Secure. In this deployment, the
campus Policy Secure acts as the IF-MAP server. It collects session information
exported by IF-MAP clients. As noted, the campus Policy Secure is used in the 802.1x
deployment and resource access policy deployment, so it also maintains its own
session table.
The SA Series device runs the Pulse Connect Secure. In this deployment, it acts as an
IF-MAP client and exports its session information to the IF-MAP server. When Bob
makes an SSL VPN connection to the corporate network through the Connect Secure,
the session table entry is exported to the campus Policy Secure. When Bob tries to
access a Web server protected by the campus firewall, the campus Policy Secure
uses that information to determine whether Bob is permitted access. The Connect
Secure does not import session information.
The branch IC Series device runs the Policy Secure. In this deployment, it acts as an
IF-MAP client and exports its session information to the IF-MAP server. It also imports
session information from the IF-MAP server. The branch Policy Secure thereby has
session information for Bob when he tries to access a Web server protected by the
branch firewall, and it uses that information to determine whether Bob is permitted
access. An IF-MAP client does not export session information that it has not obtained
firsthand—that is, it does not export Bob’s session information back to the IF-MAP
server.
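The session sharing described in this section and in the Federated Access overview (campus Policy Secure as IF-MAP server, branch Policy Secure exporting and importing, Connect Secure exporting only, and no client re-exporting a session it did not obtain firsthand) as a small Python model. This is an added example, not Pulse Secure code or the IF-MAP protocol itself; device names follow Figure 2, while the user IP addresses, session fields and the permit/deny rule (Enterprise permitted, Remediation denied, unknown session prompts for credentials) are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    ip: str
    role: str
    origin: str  # name of the device that authenticated the user (firsthand owner)


class IfMapServer:
    """Holds every session published to it; here hosted by the campus Policy Secure."""

    def __init__(self, name):
        self.name = name
        self.published = {}  # ip -> Session

    def publish(self, session):
        self.published[session.ip] = session

    def search(self):
        return list(self.published.values())


class AccessService:
    """A Policy Secure or Connect Secure: owns a session table, may export and/or import."""

    def __init__(self, name, server, exports=True, imports=True):
        self.name, self.server = name, server
        self.exports, self.imports = exports, imports
        self.local = {}     # sessions this device authenticated itself
        self.imported = {}  # sessions learned from the IF-MAP server

    def authenticate(self, user, ip, role):
        """User logs in here; endpoint inspection has already decided the role."""
        s = Session(user, ip, role, origin=self.name)
        self.local[ip] = s
        if self.exports:
            self.server.publish(s)  # export the firsthand session
        return s

    def exported(self):
        """What this device publishes: only firsthand sessions, never imported ones."""
        return list(self.local.values()) if self.exports else []

    def sync(self):
        """Import sessions from the server (skipping the ones this device published)."""
        if not self.imports:
            return
        for s in self.server.search():
            if s.origin != self.name:
                self.imported[s.ip] = s

    def authorize(self, ip):
        """Decision at this device's enforcement point for traffic from ip."""
        s = self.local.get(ip) or self.imported.get(ip)
        if s is None:
            return "prompt"  # no known session: the user is asked for credentials
        return "permit" if s.role == "Enterprise" else "deny"


def build_federation():
    server = IfMapServer("ICB")
    icb = AccessService("ICB", server)                 # campus Policy Secure, hosts the server
    ica = AccessService("ICA", server)                 # branch Policy Secure: exports and imports
    sa = AccessService("SA", server, imports=False)    # Connect Secure: exports only
    return server, icb, ica, sa


def scenario():
    """Lisa logs in at the branch, Bob over SSL VPN, John at the campus (constructed IPs)."""
    server, icb, ica, sa = build_federation()
    ica.authenticate("lisa", "10.0.2.10", "Enterprise")
    sa.authenticate("bob", "172.16.0.5", "Enterprise")
    icb.authenticate("john", "20.0.4.7", "Remediation")  # passed auth, failed inspection
    before = icb.authorize("10.0.2.10")  # campus firewall sees Lisa before any import
    for dev in (icb, ica, sa):
        dev.sync()
    return {
        "lisa_campus_before": before,
        "lisa_campus_after": icb.authorize("10.0.2.10"),
        "bob_branch": ica.authorize("172.16.0.5"),
        "john_branch": ica.authorize("20.0.4.7"),
        "bob_origin": server.published["172.16.0.5"].origin,
        "ica_exports": sorted(s.user for s in ica.exported()),
        "sa_imports": len(sa.imported),
    }
```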
Odyssey Access Client Software
In this example, the IT department has installed Pulse Secure Odyssey Access Client
(OAC) software on employee desktops. OAC is configured to use the 802.1x
Extensible Authentication Protocol (EAP) to request to be authenticated and admitted
to the LAN. OAC also performs endpoint inspection. The results of the authentication
request and endpoint inspection determine whether the user is mapped to the
Enterprise role or the Remediation role.
Pulse Secure Client Software
In this example, remote users use Pulse Secure client software to initiate an SSL VPN
connection to the corporate network. You can also deploy Junos Pulse clients on the
office desktops. We show both clients for demonstration purposes. If the employees
are laptop users who sometimes also work from home, you can use Junos Pulse as
both a local access client when connected from the office and as an SSL VPN client
when connected from home.
PART 2
Configuration

• Local Network Access Policy Deployments on page 15
• Remote Access Policy Deployment on page 33
• User Access Management Framework on page 47
• Resource Access Policy Deployments on page 63
• IF-Map Federation on page 75
CHAPTER 4
Local Network Access Policy Deployments

• Campus 802.1x and DHCP Deployment on page 15
• Branch 802.1x and DHCP Deployment on page 24
Campus 802.1x and DHCP Deployment
The purpose of the 802.1x deployment in this example is to implement network access
control (NAC) for the campus network that enforces the following objectives:

• Enforces a network admission control policy—Allows employees, and only employees, to access the local network.
• Enforces endpoint inspection rules—Allows connections from host computers that have the latest antivirus, but does not allow connections from noncompliant hosts.
• Places connections that fail the authentication check into the Guest VLAN, where they can access nothing and can do no harm.
• Places connections that pass authentication but fail endpoint inspection in the Remediation VLAN, where they can access remediation resources, such as the latest antivirus software, but nothing else, and so can do no harm.
In the configuration pages of this example, we show the required or relevant parts of the
configuration and provide a link for downloading the complete configuration for the lab
device. Use the related documentation list to find more detailed information about the
feature, including limitations and options we have not shown.
The campus and branch configurations are similar. The notable difference is in equipment:
the campus deployment uses an HP Procurve switch, and the branch deployment uses
a Juniper Networks EX Series switch. The Pulse Secure 802.1x local access solution
operates with your existing Layer 2 switch as long as the switch supports 802.1x. When
you read this documentation, you may choose to focus on the deployment that more
closely resembles your own infrastructure or to compare the deployments to see the
areas of equivalent functionality and get a general understanding of communication
among the 802.1x deployment components.
The following sections show deployment and configuration details for the campus
802.1x and DHCP deployment:

• Deployment Diagram on page 16
• Layer 2 Switch Configuration on page 17
• Pulse Policy Secure Configuration on page 20
• DHCP Server Configuration on page 21
Deployment Diagram
Figure 3 on page 17 shows the deployment diagram for the campus 802.1x and DHCP
deployment. In this 802.1x deployment, John is an employee. When he turns on his
computer to begin his workday, he does not have network connectivity. He has an
OAC client installed on the desktop computer in his office. When John enters his
username and password through the OAC client, the client initiates authentication to
the network using EAP. In the 802.1x system, the OAC client is an 802.1x supplicant.
The switch acts as the 802.1x authenticator. It sends a RADIUS client request to the
RADIUS server—in this case, to the Pulse Policy Secure running on the IC Series
device. The Policy Secure authenticates users against its associated authentication
source, the AD server named Globalcorp.local. It also sends a probe to OAC to
perform endpoint inspection on John’s desktop computer. Based on the
authentication results and endpoint inspection results, the Policy Secure determines
John’s user role. The Policy Secure RADIUS return attributes policy uses the role
information to send RADIUS return attributes, in particular the VLAN assignment, to
the switch. In this example, John is authenticated and gains access to the enterprise
VLAN. Next, OAC sends a request for a DHCP server to assign it an IP address.
Because John is in the enterprise VLAN, the request is served by the corresponding
DHCP server subinterface, and John obtains the next IP address belonging to the
enterprise subnet.
Figure 3: Campus 802.1x Deployment
[Figure: campus diagram. Labels recovered from the image: NOC, Branch, Campus, John, L2 switch HP2626, DHCP server, IF-MAP server IC Series "ICB", AD/DNS Globalcorp.local, 192.168.250.1.]
Layer 2 Switch Configuration
Table 4 on page 17 describes the features we configured on the Layer 2 switch to
enable 802.1x port-based network access.
Table 4: Campus Switch 802.1x Configuration

Feature: 802.1x protocol
  We enable 802.1x authentication, the 802.1x authenticator service, and the ports that listen for 802.1x supplicant communication.

Feature: RADIUS client-server communication
  We specify the IP address for the Pulse Policy Secure that acts as the RADIUS server and the shared secret used in secure communication between the client and server. The shared secret string configured for the RADIUS client and RADIUS server must match. In the HP switch configuration, the shared secret is called the key.

Feature: VLAN tagged ports
  VLAN ID numbers are arbitrary. In this example, we provision and use the following VLAN tags:
  • VLAN 36 is the Enterprise VLAN. Employees must map to the Enterprise role to be admitted to the Enterprise VLAN and have access to unprotected resources on the corporate network.
  • VLAN 37 is the Guest VLAN. Failed authentication requests are resolved by placing the port in the Guest VLAN.
  • VLAN 38 is the Remediation VLAN. Employees who pass authentication but fail endpoint inspection are mapped to the Remediation role and admitted to the Remediation VLAN instead of the Enterprise VLAN.
  • VLAN 39 is the Management VLAN. The management VLAN is provisioned for device communication, such as RADIUS communication between the switch and the Policy Secure. Note that unlike the other ports, the management port has been assigned an IP address (20.0.1.25). When you configure RADIUS client-server communication on the Policy Secure side of the communication, you specify IP address 20.0.1.25 as the RADIUS client address.
  NOTE: Most switches have a default VLAN (usually VLAN 0 or 1). Do not use the default VLAN for the 802.1x implementation.
Figure 4 on page 18 shows the VLAN settings for the HP Procurve switch.
Figure 4: HP Procurve Web UI: Configuration > VLAN Configuration
The 802.1x configuration settings are not readily available through the Web user
interface. The following command-line sample shows the complete configuration of the
HP Procurve switch. The relevant portions are shown in boldface text.
ftghp01(config)# show config
Startup configuration:
; J9021A Configuration Editor; Created on release #N.10.02
hostname "ftghp01"
snmp-server contact "FT admin"
snmp-server location "Sunnyvale"
max-vlans 256
ip default-gateway 20.0.1.254
sntp server 217.160.254.116
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   no ip address
   jumbo
   exit
vlan 10
   name "VLAN10"
   ip address 10.65.23.135 255.255.255.0
   tagged 2
   exit
vlan 31
   name "VLAN31"
   no ip address
   tagged 2
   exit
vlan 36
   name "Enterprise"
   no ip address
   tagged 2
   exit
vlan 37
   name "Guest"
   no ip address
   tagged 2
   exit
vlan 38
   name "Remediation"
   no ip address
   tagged 2
   exit
vlan 39
   name "Management"
   ip address 20.0.1.25 255.255.255.0
   tagged 2
   exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
aaa authentication port-access eap-radius
radius-server host 192.168.240.1 key juniper
aaa port-access authenticator 3-6
aaa port-access authenticator active
aaa port-access supplicant 3-6
spanning-tree
Click here to download the complete configuration for this device.
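A way to check a switch configuration like the one above against the points Table 4 makes (802.1x and the authenticator enabled, the RADIUS server being the Policy Secure, a matching shared secret that is not too short, and the Enterprise, Guest and Remediation VLANs provisioned and not on the default VLAN). This is an added example, not Pulse Secure or HP tooling; the embedded configuration is a constructed copy of the relevant lines from the ftghp01 listing, and the 16-character minimum for the shared secret follows the RFC 2865 recommendation rather than anything stated on this page.

```python
import re

# Constructed copy of the relevant lines from the ftghp01 configuration shown above.
SWITCH_CONFIG = """\
hostname "ftghp01"
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   exit
vlan 36
   name "Enterprise"
   tagged 2
   exit
vlan 37
   name "Guest"
   tagged 2
   exit
vlan 38
   name "Remediation"
   tagged 2
   exit
vlan 39
   name "Management"
   ip address 20.0.1.25 255.255.255.0
   tagged 2
   exit
aaa authentication port-access eap-radius
radius-server host 192.168.240.1 key juniper
aaa port-access authenticator 3-6
aaa port-access authenticator active
"""


def parse_vlans(config):
    """Map VLAN id -> {"name", "ip"} from 'vlan N' ... 'exit' blocks in HP ProCurve syntax."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": None, "ip": None}
        elif current is not None and line.startswith("name "):
            vlans[current]["name"] = line.split('"')[1]
        elif current is not None and line.startswith("ip address "):
            vlans[current]["ip"] = line.split()[2]
        elif line == "exit":
            current = None
    return vlans


def audit_dot1x(config, expected_radius_server, role_vlans, default_vlan=1, min_secret_len=16):
    """Return a list of findings about the 802.1x setup; an empty list means all checks passed."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if "aaa authentication port-access eap-radius" not in lines:
        findings.append("802.1x EAP-RADIUS authentication is not enabled")
    if "aaa port-access authenticator active" not in lines:
        findings.append("802.1x authenticator is not active")
    if not any(re.match(r"aaa port-access authenticator [\d,-]+$", l) for l in lines):
        findings.append("no ports are configured as 802.1x authenticators")
    servers = [m for m in (re.match(r"radius-server host (\S+) key (\S+)", l) for l in lines) if m]
    if not servers:
        findings.append("no RADIUS server configured")
    for m in servers:
        host, key = m.group(1), m.group(2)
        if host != expected_radius_server:
            findings.append(f"unexpected RADIUS server {host}")
        if len(key) < min_secret_len:  # RFC 2865 prefers a secret of at least 16 octets
            findings.append(f"RADIUS shared secret for {host} is {len(key)} characters; "
                            f"RFC 2865 prefers at least {min_secret_len}")
    by_name = {v["name"]: vid for vid, v in parse_vlans(config).items()}
    for role in role_vlans:
        vid = by_name.get(role)
        if vid is None:
            findings.append(f"{role} VLAN is not provisioned")
        elif vid == default_vlan:  # the NOTE in Table 4: never use the default VLAN for 802.1x
            findings.append(f"{role} VLAN uses the default VLAN {default_vlan}")
    return findings


ROLE_VLANS = ("Enterprise", "Guest", "Remediation")

if __name__ == "__main__":
    for finding in audit_dot1x(SWITCH_CONFIG, "192.168.240.1", ROLE_VLANS) or ["all checks passed"]:
        print(finding)
```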
Pulse Policy Secure Configuration
Table 5 on page 20 describes the features we configured on the Pulse Policy Secure to
enable 802.1x port-based network access.
Table 5: Campus Policy Secure 802.1x Configuration

Location group: The location group identifies the switch that is a RADIUS client and identifies the sign-in policy that associates the session with a user realm.

RADIUS client-server communication: We specify the IP address for the switch that is the RADIUS client and specify the shared secret used in secure communication with the switch. The shared secret strings configured for the RADIUS client and for the RADIUS server must match. In the HP switch configuration, the shared secret is called the key.

RADIUS return attributes policy rules: We configure two rules:
• The Enterprise-Access rule returns VLAN 36 for users who pass authentication and endpoint inspection.
• The Remediation-Access rule returns VLAN 38 for requests that pass authentication but do not pass endpoint inspection.

NOTE: We do not need rules to place requests in the Guest VLAN or management VLAN. The switch resolves failed authentication requests by placing them in the Guest VLAN. The management VLAN is not used for user access.
Figure 5 on page 20, Figure 6 on page 21, and Figure 7 on page 21 show these settings.
Figure 5: Pulse Policy Secure: Network Access > Location Group
Figure 6: Pulse Policy Secure: Network Access > RADIUS Client
Figure 7: Pulse Policy Secure: Network Access > RADIUS Return Attributes Policies
Click the following links to download the complete configuration for this device: Part 1,
Part 2.
DHCP Server Configuration
In this network, hosts are assigned IP addresses by a DHCP server. This example
uses a Netscreen Series 5GT device to provide DHCP services. For the sake of
completeness, we show the deployment and configuration details for this device. In
your deployment, you can use any device that provides DHCP services.
The DHCP server is deployed physically in the path of the switch to the gateway
router. The interface configurations for the switch ports and the DHCP device are
coordinated to provision IP addresses for four subnets, summarized in Table 6 on page
22. When a user accesses the network via the 802.1x deployment and is mapped to
the enterprise VLAN, for example, the DHCP server assigns the endpoint the next
available IP address from the address range configured for the enterprise subnet.
Table 6: Campus DHCP Address Ranges

Purpose      Switch Port  VLAN  DHCP Server Subinterface             Subnet Address  Address Range
Management   1            39    trust.5 (IP address 20.0.1.254/24)   20.0.1.x        No DHCP services
Enterprise   2            36    trust.2 (IP address 20.0.2.254/24)   20.0.2.x        20.0.2.50 to 20.0.2.90
Guest        3            37    trust.3 (IP address 20.0.3.254/24)   20.0.3.x        20.0.3.50 to 20.0.3.90
Remediation  4            38    trust.4 (IP address 20.0.4.254/24)   20.0.4.x        20.0.4.50 to 20.0.4.90
Figure 8 on page 22, Figure 9 on page 23, and Figure 10 on page 23 show the DHCP server
settings.
Figure 8: ScreenOS Web UI: Network > Interfaces
Figure 9: ScreenOS Web UI: Network > DHCP
Figure 10: ScreenOS Web UI: Network > DHCP > DHCP Server Address Edit
Click here to download the complete set of commands used to configure this device.
Related Documentation
• Understanding 802.1X Network Access Control Deployments
• ScreenOS Concepts and Examples Reference Guide > Dynamic Host Configuration Protocol
Branch 802.1x and DHCP Deployment
The purpose of the 802.1x deployment in this example is to implement network
access control (NAC) for the branch network that enforces the following objectives:
• Enforces a network admission control policy—Allows employees, and only employees, to access the local network.
• Enforces endpoint inspection rules—Allows connections from host computers that have the latest antivirus, but does not allow connections from noncompliant hosts.
• Places connections that fail the authentication check into the Guest VLAN, where they can access nothing and therefore cannot do any harm.
• Places connections that pass authentication but fail endpoint inspection in the Remediation VLAN, where they can access only remediation resources, such as the latest antivirus software, but nothing else and so do no harm.
In the configuration pages of this example, we show the required or relevant parts of the
configuration and provide a link for downloading the complete configuration for the lab
device. Use the related documentation list to find more detailed information about the
feature, including limitations and options we have not shown.
The campus and branch configurations are similar. The notable difference is in
equipment: the campus deployment uses an HP Procurve switch, and the branch
deployment uses a Juniper Networks EX Series switch. The Pulse Secure 802.1x
local access solution operates with your existing Layer 2 switch as long as the switch
supports 802.1x. When you read this documentation, you may choose to focus on the
deployment that more closely resembles your own infrastructure or to compare the
deployments to see the areas of equivalent functionality and get a general
understanding of communication among the 802.1x deployment components.
The following sections describe and show deployment and configuration details for
the branch 802.1x and DHCP deployment:
• Deployment Diagram on page 24
• Layer 2 Switch Configuration on page 25
• Pulse Policy Secure Configuration on page 28
• DHCP Server Configuration on page 30
Deployment Diagram
Figure 11 on page 25 shows the deployment diagram for the branch 802.1x and DHCP
deployment. In this 802.1x deployment, Lisa is an employee. When she turns on her
computer in the morning, she does not have network connectivity. She has an OAC
client installed on the desktop computer in her office. When Lisa enters her username
and password through the OAC client, the client initiates authentication to the network
using EAP. In the 802.1x system, the OAC client is an 802.1x supplicant. The switch
acts as the 802.1x authenticator. It sends a RADIUS client request to the RADIUS
server—in this case, to the Pulse Policy Secure running on the IC Series device. The
Policy Secure authenticates users against its associated authentication source, the
Active Directory (AD) server named Globalcorp.local.
It also sends a probe to OAC to perform endpoint inspection on Lisa’s desktop
computer. Based on the authentication results and endpoint inspection results, the
Policy Secure determines Lisa’s user role. The Policy Secure RADIUS return attributes
policy uses the role information to send RADIUS return attributes, in particular the
VLAN assignment, to the switch. In this example, Lisa is authenticated and gains
access to the enterprise VLAN. Next, OAC sends a request for a DHCP server to
assign it an IP address. Because Lisa is in the enterprise VLAN, the request is served
by the corresponding DHCP server subinterface, and Lisa obtains the next IP address
belonging to the enterprise subnet.
Figure 11: Branch 802.1x Deployment (diagram; labels shown: NOC, Campus, Branch, DHCP server, 192.168.250.1, L2 switch EX3200, 192.168.241.0, AD/DNS Globalcorp.local, IF-MAP client IC series "ICA", Lisa)
Layer 2 Switch Configuration
Table 7 on page 26 describes the features we configured on the switch to enable
802.1x port-based network access.
Table 7: Branch Switch 802.1x Configuration

802.1x protocol: We enable 802.1x authentication, the 802.1x authenticator service, and the ports that listen for 802.1x supplicant communication.

RADIUS client-server communication: We specify the IP address for the Pulse Policy Secure that acts as the RADIUS server and the shared secret used in secure communication between the client and server. The shared secret strings configured for the RADIUS client and for the RADIUS server must match.

VLAN tagged ports: VLAN ID numbers are arbitrary. In this example, we provision and use the following VLAN tags:
• VLAN 32 is the Enterprise VLAN. Employees must map to the Enterprise role to be admitted to the Enterprise VLAN and have access to unprotected resources on the corporate network.
• VLAN 33 is the Guest VLAN. Failed authentication requests are resolved by placing the port in the Guest VLAN.
• VLAN 34 is the Remediation VLAN. Employees who pass authentication but fail endpoint inspection are mapped to the Remediation role and admitted to the Remediation VLAN instead of the Enterprise VLAN.
• VLAN 35 is the Management VLAN. The management VLAN is provisioned for device communication, such as RADIUS communication between the switch and the Policy Secure.

NOTE: Most switches have a default VLAN (usually VLAN 0 or 1). Do not use the default VLAN for the 802.1x implementation.
Figure 12 on page 26, Figure 13 on page 27, Figure 14 on page 27, and Figure 15 on page 28
show these settings.
Figure 12: J-Web UI: Point and Click CLI > protocols > dot1x
Figure 13: J-Web UI: Point and Click CLI > access > dot1x > authenticator
Figure 14: J-Web UI: Point and Click CLI > access > radius-server
Figure 15: J-Web UI: Configure > Switching > VLAN
Click here to see the complete configuration of this device.
Pulse Policy Secure Configuration
Table 8 on page 28 describes the features we configured on the Pulse Policy Secure to
enable 802.1x port-based network access.
Table 8: Branch Policy Secure 802.1x Configuration

Location group: The location group identifies the switch that is a RADIUS client and identifies the sign-in policy that associates the session with a user realm.

RADIUS client-server communication: We specify the IP address for the switch that is the RADIUS client and specify the shared secret used in secure communication with the switch. The shared secret strings configured for the RADIUS client and for the RADIUS server must match.

RADIUS return attributes policy rules: We configure two rules:
• The Enterprise-Access rule returns VLAN 32 for users who pass authentication and endpoint inspection.
• The Remediation-Access rule returns VLAN 34 for requests that pass authentication but do not pass endpoint inspection.

NOTE: Rules are not needed to place requests in the Guest VLAN or the management VLAN. The switch resolves failed authentication requests by placing them in the Guest VLAN. The management VLAN is not used for user access.
Figure 16 on page 29, Figure 17 on page 29, and Figure 18 on page 30 show these settings.
Figure 16: Pulse Policy Secure: Network Access > Location Group
Figure 17: Pulse Policy Secure: Network Access > RADIUS Client
Figure 18: Pulse Policy Secure: Network Access > RADIUS Return Attributes Policies
Click the following links to download the complete configuration for this device: Part 1,
Part 2.
DHCP Server Configuration
In this network, hosts are assigned IP addresses by a DHCP server. This example uses
a Netscreen Series 5GT device to provide DHCP services. For the sake of
completeness, we show the deployment and configuration details for this device. In
your deployment, you can use any device that provides DHCP services.
In this example, the DHCP server is deployed physically in the path of the switch to the
gateway router. The interface configuration for the switch ports and the DHCP device
are coordinated to provision IP addresses for four subnets, summarized in
Table 9 on page 30. When a user accesses the network via the 802.1x deployment and
is mapped to the enterprise VLAN, for example, the DHCP server assigns the endpoint
the next available IP address from the address range configured for the enterprise
subnet.
Table 9: Branch DHCP Address Ranges

Purpose      Subnet Address  Address Range             DHCP Server Sub-interface            Switch Port  VLAN
Management   10.0.1.x        10.0.1.100 to 10.0.1.150  trust.5 (IP address 10.0.1.254/24)   ge-0/0/0     35
Enterprise   10.0.2.x        10.0.2.100 to 10.0.2.150  trust.2 (IP address 10.0.2.254/24)   ge-0/0/2     32
Guest        10.0.3.x        10.0.3.100 to 10.0.3.150  trust.3 (IP address 10.0.3.254/24)   ge-0/0/3     33
Remediation  10.0.4.x        10.0.4.100 to 10.0.4.150  trust.4 (IP address 10.0.4.254/24)   ge-0/0/4     34
Figure 19 on page 31, Figure 20 on page 31, and Figure 21 on page 32 show the DHCP
server settings.
Figure 19: ScreenOS Web UI: Network > Interfaces
Figure 20: ScreenOS Web UI: Network > DHCP
Figure 21: ScreenOS Web UI: Network > DHCP > DHCP Server Address List
Click here to download the complete set of commands used to configure this device.
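The decision chain that Tables 5 to 9 describe for both sites, as an added worked example that is not part of this document or of any Pulse Secure, HP or Juniper code: the Policy Secure picks a VLAN from the authentication and endpoint inspection results and returns it in RFC 3580 tunnel attributes, the switch applies it (or falls back to its Guest VLAN on Access-Reject), and the ScreenOS DHCP scope for that VLAN hands out the next free address. VLAN IDs, subinterface names and pools are the tables' values; the attribute names and numeric codes are the standard ones, and the lease state is an in-memory set constructed here.

```python
"""802.1x VLAN decision and DHCP pool lookup for the campus (HP Procurve) and
branch (EX Series) deployments summarized in Tables 5 to 9.

Constructed example, not Pulse Secure, HP or Juniper code.  VLAN IDs, ScreenOS
subinterfaces and address pools come from the tables; the RADIUS attribute
encoding follows RFC 3580 (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 =
IEEE 802, Tunnel-Private-Group-ID = VLAN ID as a string)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional, Set, Tuple

TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_802 = 6


@dataclass(frozen=True)
class DhcpScope:
    """One ScreenOS subinterface and the pool it serves (None = no DHCP)."""
    subinterface: str
    gateway: IPv4Address
    pool: Optional[Tuple[IPv4Address, IPv4Address]]


@dataclass(frozen=True)
class Site:
    name: str
    vlans: Dict[str, int]         # role name -> VLAN ID
    scopes: Dict[int, DhcpScope]  # VLAN ID -> DHCP scope on the 5GT


def _scope(name, gw, lo=None, hi=None) -> DhcpScope:
    pool = (IPv4Address(lo), IPv4Address(hi)) if lo and hi else None
    return DhcpScope(name, IPv4Address(gw), pool)


# Tables 5 and 6: campus deployment
CAMPUS = Site("campus",
    {"Enterprise": 36, "Guest": 37, "Remediation": 38, "Management": 39},
    {39: _scope("trust.5", "20.0.1.254"),  # management: no DHCP services
     36: _scope("trust.2", "20.0.2.254", "20.0.2.50", "20.0.2.90"),
     37: _scope("trust.3", "20.0.3.254", "20.0.3.50", "20.0.3.90"),
     38: _scope("trust.4", "20.0.4.254", "20.0.4.50", "20.0.4.90")})

# Tables 7 to 9: branch deployment
BRANCH = Site("branch",
    {"Enterprise": 32, "Guest": 33, "Remediation": 34, "Management": 35},
    {35: _scope("trust.5", "10.0.1.254", "10.0.1.100", "10.0.1.150"),
     32: _scope("trust.2", "10.0.2.254", "10.0.2.100", "10.0.2.150"),
     33: _scope("trust.3", "10.0.3.254", "10.0.3.100", "10.0.3.150"),
     34: _scope("trust.4", "10.0.4.254", "10.0.4.100", "10.0.4.150")})


def radius_reply(site: Site, authenticated: bool, compliant: bool) -> Dict[str, object]:
    """Policy Secure side: the RADIUS reply for one supplicant.

    Failed authentication gets Access-Reject with no VLAN attributes; the switch
    then places the port in its Guest VLAN on its own.  Authenticated users get
    Access-Accept carrying the VLAN chosen by the return attributes policy:
    Enterprise-Access if endpoint inspection passed, Remediation-Access if not.
    """
    if not authenticated:
        return {"code": "Access-Reject"}
    role = "Enterprise" if compliant else "Remediation"
    return {"code": "Access-Accept",
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_802,
            "Tunnel-Private-Group-ID": str(site.vlans[role])}


def switch_vlan(site: Site, reply: Dict[str, object]) -> int:
    """Authenticator side: apply the returned VLAN, or fall back to Guest."""
    if reply["code"] != "Access-Accept":
        return site.vlans["Guest"]
    return int(str(reply["Tunnel-Private-Group-ID"]))


def dhcp_offer(site: Site, vlan: int, leased: Set[IPv4Address]) -> Optional[IPv4Address]:
    """DHCP server side: next free address from the scope serving this VLAN."""
    scope = site.scopes[vlan]
    if scope.pool is None:
        return None
    lo, hi = scope.pool
    for n in range(int(lo), int(hi) + 1):
        addr = IPv4Address(n)
        if addr not in leased:
            leased.add(addr)
            return addr
    return None  # pool exhausted


def admit(site: Site, authenticated: bool, compliant: bool,
          leased: Set[IPv4Address]) -> Tuple[int, Optional[IPv4Address]]:
    """Whole path for one endpoint: RADIUS decision, port VLAN, DHCP lease."""
    vlan = switch_vlan(site, radius_reply(site, authenticated, compliant))
    return vlan, dhcp_offer(site, vlan, leased)
```

Running `admit(BRANCH, True, True, set())` reproduces Lisa's path from the deployment diagram: VLAN 32 and the first address of the enterprise pool, 10.0.2.100.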
CHAPTER 5
Remote Access Policy Deployment
• Pulse Connect Secure User Access Management Framework on page 33
Pulse Connect Secure User Access Management Framework
The purpose of the Pulse Connect Secure user access management framework
configuration used in this example is simply to enable employees to use SSL VPN to
connect to the corporate network from remote locations, such as home offices.
In the configuration pages of this example, we show the required or relevant parts of
the configuration and provide a link for downloading the complete configuration for
the lab device. Use the related documentation list to find more detailed information
about the feature, including limitations and options we have not shown.
The following sections describe and show deployment and configuration details for
the Connect Secure user access management framework:
• Overview on page 33
• User Roles on page 34
• Authentication Server on page 40
• User Authentication Realm on page 41
• Network Connect Connection Profile on page 43
• Sign-In Policy on page 45
• Complete Configuration on page 46
Overview
The Pulse Connect Secure user access management framework is a set of
configuration objects that you associate to implement identity-based connection and
resource access policies. The modularity gives you flexibility to manage groups of
users differently. Ultimately, rules match the user role associated with the session, so
the purpose of the framework is to determine the session’s user role.
Figure 22 on page 34 shows how the framework components are associated to
determine the user role. The user sign-in policy associates the session with an
authentication realm. The authentication realm defines how authentication results and
endpoint inspection results are used to determine the session user role. The role is
used in network connection and resource access policy rules.
Figure 22: Pulse Connect Secure User Access Management Framework (diagram; components shown: Sign-In Page/Sign-In Policy, Authentication Realm, Auth Server, Role, Host Checker, Access Features, Resource Profile, Resource Policy)
In this example, all users found in the Active Directory server are mapped to
enterprise and remediation roles. If the users then pass endpoint inspection
requirements for the enterprise role, they are granted the enterprise role permissions
and can complete an SSL VPN connection to the corporate network. If the users do
not pass endpoint inspection requirements for the enterprise role, they are limited to
remediation role permissions.
User Roles
The user role configuration establishes access mechanisms, session options, and UI
options. In this example, users are mapped into two roles:
• Enterprise—A designation for employees who should be allowed to make an SSL VPN connection to the corporate network.
• Remediation—A designation for noncompliant hosts.
Figure 23 on page 35 shows a summary of the user roles configured for this example.
Figure 23: Pulse Connect Secure: Users > User Roles
Figure 24 on page 36, Figure 25 on page 37, Figure 26 on page 38, and Figure 27 on page 39
show user role configuration details. The Enterprise role gives users access to the
Web, the file system, and Network Connect, which is used to establish an SSL VPN
connection. The Remediation role gives users access only to the Web so that they
can view a Web page with remediation instructions.
Figure 24: Pulse Connect Secure: Users > User Roles
Figure 25: Pulse Connect Secure: Users > User Roles > Enterprise > Network Connect
Upon successful authentication, the host computer is probed to evaluate compliance
with the endpoint inspection requirements. If the host passes the host check for the
Enterprise role, the employee is granted the Enterprise role permissions. If the host
does not pass endpoint inspection requirements for the Enterprise role, the employee
is limited to Remediation role permissions. Figure 26 on page 38 shows the endpoint
inspection rule for the Enterprise role, a predefined rule requiring Symantec antivirus
software on the host computer.
Figure 26: Pulse Connect Secure: Users > User Roles > Enterprise > Restrictions > Host Checker
Figure 27 on page 39 shows the Remediation role summary. This Remediation role is
configured to allow access only to the Web so that the user can view a Web page
with remediation instructions.
Figure 27: Pulse Connect Secure: Users > User Roles
Authentication Server
The authentication server configuration is the connection information for the
authentication servers you use in your enterprise. This example uses an Active
Directory (AD) server. The AD domain in this example is named GLOBALCORP. If
your AD server uses multiple domains, you would create a different Connect Secure
configuration object for each.
Figure 28 on page 41 shows the authentication server configured for this example.
Figure 28: Pulse Connect Secure: Authentication > Auth Servers > AD Server
User Authentication Realm
The user authentication realm configuration references the authentication server and
includes the rules that map users to user roles. The authentication realm in this
example is named Users.
Figure 29 on page 42 shows the authentication realm configured for this example.
Note that it uses the campus Active Directory server.
Figure 29: Pulse Connect Secure: Users > User Realms
Figure 30 on page 43 shows the role mapping rule. In effect, all users in the Active
Directory server are mapped to Enterprise and Remediation roles. If they then pass
endpoint inspection requirements for the Enterprise role, they are granted the
Enterprise role permissions. If they do not pass endpoint inspection requirements for
the Enterprise role, they are limited to Remediation role permissions.
Figure 30: Pulse Connect Secure: Users > User Authentication Realms
Network Connect Connection Profile
The network connect connection profile configures connection settings for the SSL
VPN connection to the corporate network. In Figure 31 on page 44, Bob’s ISP
determines the connection properties for the connection from his home to the Internet
and the SA Series device. When Bob is authenticated and is mapped to the
Enterprise role, the network connect connection profile determines the connection
properties for Bob’s connection to the Intranet.
Figure 31: Pulse Connect Secure SSL VPN Connection (diagram; labels shown: Bob, Internet, IF-MAP client SA series "SA", Intranet)
Figure 32 on page 45 shows the network connect connection profile for this example.
The network connect connection profile settings include the IP address range for
assigning local IP addresses to SSL VPN clients.
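How the framework pieces of this chapter fit together at sign-in time, as an added worked example that is not Pulse Secure code or part of this document: the default sign-in URL selects realm Users, the realm authenticates against the AD server, the role mapping rule maps every authenticated user to both Enterprise and Remediation, the Host Checker restriction on Enterprise (Symantec antivirus present) decides whether that role is actually granted, and only a session holding Network Connect gets an address from the connection profile pool. The directory accounts, the software inventory and the pool addresses are constructed placeholders, since the document shows those values only in screenshots.

```python
"""Role resolution in the Connect Secure user access management framework of
this example: sign-in policy -> realm Users -> AD auth server -> role mapping
(Enterprise and Remediation) -> Host Checker restriction on Enterprise ->
access features and, for Network Connect, a VPN address.

Constructed example, not Pulse Secure code.  Accounts, installed software and
the Network Connect pool are made-up placeholders."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Endpoint:
    username: str
    password: str
    installed_software: Set[str]  # what Host Checker finds on the machine


# Stand-in for the GLOBALCORP Active Directory server (constructed accounts)
AD_ACCOUNTS: Dict[str, str] = {"bob": "correct horse", "lisa": "battery staple"}


def ad_authenticate(username: str, password: str) -> bool:
    return AD_ACCOUNTS.get(username) == password


# Predefined Host Checker rule used by the Enterprise role: Symantec AV present
HOST_CHECKER_POLICIES: Dict[str, Callable[[Endpoint], bool]] = {
    "Symantec-AV": lambda ep: "Symantec AntiVirus" in ep.installed_software,
}


@dataclass
class Role:
    name: str
    access_features: Set[str]
    host_checker_policies: List[str] = field(default_factory=list)


# Figures 24 to 27: Enterprise gets Web, Files and Network Connect but is
# restricted by Host Checker; Remediation gets the Web only.
ROLES: Dict[str, Role] = {
    "Enterprise": Role("Enterprise", {"Web", "Files", "Network Connect"}, ["Symantec-AV"]),
    "Remediation": Role("Remediation", {"Web"}),
}

# Realm Users: its auth server and a role mapping rule that maps every
# authenticated user to both roles (Figure 30); the Host Checker restriction
# on Enterprise then decides which of the two actually applies.
REALMS = {
    "Users": {
        "auth_server": ad_authenticate,
        "role_mapping": lambda username: ["Enterprise", "Remediation"],
    }
}

# Sign-in policy: the default URL (*/) signs in to realm Users (Figure 33)
SIGN_IN_POLICIES: Dict[str, str] = {"*/": "Users"}

# Placeholder for the address range in the Network Connect connection profile
NETWORK_CONNECT_POOL: List[IPv4Address] = [IPv4Address("10.255.0.1"),
                                           IPv4Address("10.255.0.2")]


def resolve_roles(sign_in_url: str, ep: Endpoint) -> List[str]:
    """Return the roles granted to a session, in role mapping order."""
    realm = REALMS[SIGN_IN_POLICIES[sign_in_url]]
    if not realm["auth_server"](ep.username, ep.password):
        return []  # authentication failed: no session, no roles
    granted = []
    for name in realm["role_mapping"](ep.username):
        role = ROLES[name]
        # A role is granted only if every restriction on it passes
        if all(HOST_CHECKER_POLICIES[p](ep) for p in role.host_checker_policies):
            granted.append(name)
    return granted


def effective_features(roles: List[str]) -> Set[str]:
    """Union of the access features of the granted roles."""
    return set().union(*(ROLES[r].access_features for r in roles))


def network_connect_address(roles: List[str], pool: List[IPv4Address],
                            leased: Set[IPv4Address]) -> Optional[IPv4Address]:
    """Assign an address from the connection profile pool, if NC is allowed."""
    if "Network Connect" not in effective_features(roles):
        return None
    for addr in pool:
        if addr not in leased:
            leased.add(addr)
            return addr
    return None  # pool exhausted
```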
Figure 32: Pulse Connect Secure: Users > Resource Policies > Network Connect Connection Profiles
Sign-In Policy
The sign-in policy configuration associates the Connect Secure URL and Web-based
sign-in page with an authentication realm. In this example, we associate the default
URL and sign-in page with the realm we created that is named Users.
Figure 33 on page 46 shows the sign-in page summary for this example.
Figure 33: Pulse Connect Secure: Authentication > Signing In
Complete Configuration
Click the following links to download the complete configuration for this device: Part 1,
Part 2.
CHAPTER 6
User Access Management Framework
• Campus Pulse Policy Secure User Access Management Framework on page 47
• Branch Pulse Policy Secure User Access Management Framework on page 54
Campus Pulse Policy Secure User Access Management Framework
The Pulse Policy Secure user access management framework is a set of configuration
objects that you associate to implement an identity-based security policy. The
framework for this example is designed to enforce a simple “employees only” policy and
to check for noncompliant host computers.
In the configuration pages of this example, we show the required or relevant parts of
the configuration and provide a link for downloading the complete configuration for the
lab device. Use the related documentation list to find more detailed information about
the feature, including limitations and options we have not shown.
The campus and branch configurations are similar. There are no notable differences.
We provide separate details for the sake of completeness.
The following sections show deployment and configuration details for the campus user
access management framework:
• Overview on page 47
• User Roles on page 48
• Authentication Server on page 50
• User Authentication Realm on page 52
• Sign-In Policy on page 53
• Complete Configuration on page 54
Overview
The Pulse Policy Secure user access management framework is a set of configuration
objects that you associate to implement identity-based network access and resource
access policies. The modularity gives you flexibility to manage groups of users
differently. Ultimately, access policy rules match the user role associated with the
session, so the purpose of the framework is to determine the session’s user role.
Figure 34 on page 48 shows how the framework components are associated to
determine the user role. The user sign-in policy associates the session with an
authentication realm. The authentication realm defines how authentication results and
endpoint inspection results are used to determine the session user role. The role is
used in network access rules and resource access policy rules.
Figure 34: Pulse Policy Secure User Access Management Framework (diagram; components shown: Sign-In Page/Sign-In Policy, Authentication Realm, Auth Server, Role, Host Checker, Access Policies, Network Access, Resource Access)
In this example, all users found in the Active Directory server are mapped to
enterprise and remediation roles. If the users then pass endpoint inspection
requirements for the enterprise role, they are granted the enterprise role permissions.
If the users do not pass endpoint inspection requirements for the enterprise role, they
are limited to remediation role permissions.
User Roles
The user role configuration establishes access mechanisms, session options, and UI
options. In this example, users are mapped into two roles:
• Enterprise—A designation for employees who should have access to the corporate network and access to protected Web servers.
• Remediation—A designation for users with noncompliant host computers.
Figure 35 on page 49 shows a summary of the user roles configured for this example.
Figure 35: Pulse Policy Secure: Users > User Roles
Upon successful authentication, the host computer is probed to evaluate compliance
with the endpoint inspection requirements. If the host passes the host check for the
Enterprise role, the employee is granted the Enterprise role permissions. If the host
does not pass endpoint inspection requirements for the Enterprise role, the employee
is limited to Remediation role permissions. Figure 36 on page 49 shows the endpoint
inspection rule for the Enterprise role, a predefined rule requiring Symantec antivirus
software on the host computer.
Figure 36: Pulse Connect Secure: Users > User Roles > Enterprise > Restrictions > Host Checker
Authentication Server
The authentication server configuration is the connection information for the
authentication servers that you use in your enterprise. This example uses an Active
Directory (AD) server. The AD domain in this example is named GLOBALCORP. If
your AD server uses multiple domains, you would create a different Policy Secure
configuration object for each.
Figure 37 on page 51 shows the configuration for the authentication server.
Figure 37: Pulse Policy Secure: Authentication > Auth. Servers
User Authentication Realm
The user authentication realm configuration:
• References the authentication server.
• Includes the rules that map users to roles.
The authentication realm in this example is named Users. Figure 38 on page 52 and
Figure 39 on page 52 show the configuration details.
Figure 38: Pulse Policy Secure: Users > User Authentication Realms
Figure 39: Pulse Policy Secure: Users > User Authentication Realms > Role Mapping
Sign-In Policy
The sign-in policy configuration associates the Policy Secure URL and Web-based
sign-in page with an authentication realm. In this example, we associate the default
URL and sign-in page with the realm we created named Enterprise.
Figure 40 on page 53 shows the sign-in page summary for this example.
Figure 40: Pulse Policy Secure: Authentication > Signing In > Sign-in Policies
Figure 41 on page 54 shows the default authentication protocol sets. These are the
protocols used in 802.1x communication between supplicants (OAC or Pulse Secure
client), the authenticator (Layer 2 switch), and the authentication server (Policy Secure
RADIUS server).
Figure 41: Pulse Policy Secure: Authentication > Signing In > Authentication Protocol Sets
Complete Configuration
Click the following links to download the complete configuration for this device: Part 1,
Part 2.
Branch Pulse Policy Secure User Access Management Framework
The Pulse Policy Secure user access management framework is a set of
configuration objects that you associate to implement an identity-based security
policy. The framework for this example is designed to enforce a simple “employees
only” policy and to check for noncompliant host computers.
In the configuration pages of this example, we show the required or relevant parts of
the configuration and provide a link for downloading the complete configuration for the
lab device. Use the related documentation list to find more detailed information about
the feature, including limitations and options we have not shown.
The campus and branch configurations are similar. There are no notable differences.
We provide separate details for the sake of completeness.
The following sections show deployment and configuration details for the branch user
access management framework:
• Overview on page 55
• User Roles on page 56
• Authentication Server on page 57
• User Authentication Realm on page 59
• Sign-In Policy on page 60
• Complete Configuration on page 62
Overview
The Pulse Policy Secure user access management framework is a set of
configuration objects that you associate to implement identity-based network access
and resource access policies. The modularity gives you flexibility to manage groups
of users differently. Ultimately, access policy rules match the user role associated
with the session, so the purpose of the framework is to determine the session’s user role.
Figure 42 on page 55 shows how the framework components are associated to
determine the user role. The user sign-in policy associates the session with an
authentication realm. The authentication realm defines how authentication results
and endpoint inspection results are used to determine the session user role. The role
is used in network access rules and resource access policy rules.
Figure 42: Pulse Policy Secure User Access Management Framework (diagram; components shown: Sign-In Page/Sign-In Policy, Authentication Realm, Auth Server, Role, Host Checker, Access Policies, Network Access, Resource Access)
In this example, all users found in the Active Directory server are mapped to
enterprise and remediation roles. If the users then pass endpoint inspection
requirements for the enterprise role, they are granted the enterprise role permissions.
If the users do not pass endpoint inspection requirements for the enterprise role, they
are limited to remediation role permissions.
User Roles
The user role configuration establishes access mechanisms, session options, and UI
options. In this example, users are mapped into two roles:
• Enterprise—A designation for employees who should have access to the
corporate network and access to protected Web servers.
• Remediation—A designation for users with noncompliant host computers.
Figure 43 on page 56 shows a summary of the user roles configured for this example.
Figure 43: Pulse Policy Secure: Users > User Roles
Upon successful authentication, the host computer is probed to evaluate compliance
with the endpoint inspection requirements. If the host passes the host check for the
Enterprise role, the employee is granted the Enterprise role permissions. If the host
does not pass endpoint inspection requirements for the Enterprise role, the employee
is limited to Remediation role permissions. Figure 44 on page 57 shows the endpoint
inspection rule for the Enterprise role, a predefined rule requiring Symantec antivirus
software on the host computer.
Figure 44: Pulse Policy Secure: Users > User Roles > Enterprise > General > Restrictions > Host Checker
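The chain of framework objects described above (sign-in policy, realm, authentication server, role mapping, Host Checker restriction), as an added model that is not Pulse Policy Secure code. The class names mirror the admin UI objects; the accounts, passwords and sign-in URL are constructed sample values.

```python
"""Added model of the user access management framework in this chapter.
Constructed illustration code, not Pulse Policy Secure code: the classes are
named after the admin UI objects they stand in for, and the accounts, URL
and Host Checker requirement are sample values."""
from dataclasses import dataclass


@dataclass
class AuthServer:                     # Authentication > Auth. Servers
    domain: str
    accounts: dict                    # username -> password (constructed samples)

    def authenticate(self, user, password):
        return self.accounts.get(user) == password


@dataclass
class Role:                           # Users > User Roles
    name: str
    required_software: frozenset = frozenset()   # General > Restrictions > Host Checker


@dataclass
class Realm:                          # Users > User Authentication Realms
    name: str
    auth_server: AuthServer
    mapping_rules: list               # [(predicate(user) -> bool, [roles to map])]


@dataclass
class SignInPolicy:                   # Authentication > Signing In > Sign-In Policies
    url_prefix: str
    realm: Realm


def sign_in(policies, url, user, password, installed_software):
    """Walk the framework: sign-in policy -> realm -> auth server -> role
    mapping -> Host Checker.  Returns (realm name, granted role names);
    the role set is None when authentication fails."""
    policy = next((p for p in policies if url.startswith(p.url_prefix)), None)
    if policy is None:
        return None, None                      # no sign-in page at this URL
    realm = policy.realm
    if not realm.auth_server.authenticate(user, password):
        return realm.name, None                # authentication failed, no roles
    mapped = [r for predicate, roles in realm.mapping_rules
              if predicate(user) for r in roles]
    # Role restrictions are evaluated per mapped role: a role is kept only if
    # the endpoint meets its Host Checker requirement.  Enterprise requires
    # the antivirus product; Remediation has no restriction, so a user whose
    # host fails the check keeps only Remediation.
    granted = frozenset(r.name for r in mapped
                        if r.required_software <= frozenset(installed_software))
    return realm.name, granted


# Configuration mirroring this example (account data and URL are constructed).
AD = AuthServer("GLOBALCORP", {"lisa": "s3cret", "john": "pa55word"})
ENTERPRISE = Role("Enterprise", frozenset({"Symantec antivirus"}))
REMEDIATION = Role("Remediation")
ENTERPRISE_REALM = Realm("Enterprise", AD,
                         [(lambda user: True, [ENTERPRISE, REMEDIATION])])  # all AD users
SIGN_IN_URL = "https://policysecure.example/"                                # hypothetical
POLICIES = [SignInPolicy(SIGN_IN_URL, ENTERPRISE_REALM)]


def demo():
    """Three sessions: compliant host, noncompliant host, wrong password."""
    return {
        "compliant": sign_in(POLICIES, SIGN_IN_URL, "lisa", "s3cret", {"Symantec antivirus"}),
        "noncompliant": sign_in(POLICIES, SIGN_IN_URL, "lisa", "s3cret", set()),
        "bad_password": sign_in(POLICIES, SIGN_IN_URL, "john", "wrong", {"Symantec antivirus"}),
    }
```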
Authentication Server
The authentication server configuration is the connection information for the
authentication servers that you use in your enterprise. This example uses an Active
Directory (AD) server. The AD domain in this example is named GLOBALCORP. If
your AD server uses multiple domains, you create a different Policy Secure
configuration object for each.
Figure 45 on page 58 shows the configuration for the authentication server. Note that
it uses the campus Active Directory server.
Figure 45: Pulse Policy Secure: Authentication > Auth. Servers > New Active Directory Server > AD Server
User Authentication Realm
The user authentication realm configuration:
• References the authentication server.
• Defines endpoint inspection requirements.
• Includes the rules that map users to roles.
The authentication realm in this example is named Enterprise. Figure 46 on page 59 and
Figure 47 on page 60 show the configuration details.
Figure 46: Pulse Policy Secure: Users > User Authentication Realms
Figure 47: Pulse Policy Secure: Users > User Authentication Realms > Role Mapping
Sign-In Policy
The sign-in policy configuration associates the Pulse Policy Secure URL and
Web-based sign-in page with an authentication realm. In this example, we associate
the default URL and sign-in page with the realm we created named Enterprise.
Figure 48 on page 61 shows a summary of the sign-in page that is configured for this
example.
Figure 48: Pulse Policy Secure: Authentication > Signing In > Sign-In Policies
Figure 49 on page 61 shows the default authentication protocol sets. These are the
protocols used in 802.1x communication between supplicants (OAC or Pulse Secure
clients), the authenticator (Layer 2 switch), and the authentication server (Policy Secure
RADIUS server).
Figure 49: Pulse Policy Secure: Authentication > Signing In > Authentication Protocol Sets
Complete Configuration
Click the following links to download the complete configuration for this device: Part 1,
Part 2.
CHAPTER 7
Resource Access Policy Deployments
• Campus Resource Access Policy Enforcement Deployment on page 63
• Branch Resource Access Policy Enforcement Deployment on page 68
Campus Resource Access Policy Enforcement Deployment
The purpose of the identity-based resource access policy in this example is to enforce
a simple “employees only” policy. If your business has more complex requirements,
you can configure more roles and resource access policy rules to enforce more
granular restrictions, such as allowing only HR employees access to HR databases or
Finance employees access to the accounting side of a customer relationship
management (CRM) database.
In the configuration pages of this example, we show the required or relevant parts of
the configuration and provide a link for downloading the complete configuration for the
lab device. Use the related documentation list to find more detailed information about
the feature, including limitations and options we have not shown.
The campus and branch configurations are similar. The notable difference is that the
campus deployment uses a Juniper Networks SRX Series device to enforce the
identity-based resource access policy, while the branch deployment uses a Juniper
Networks SSG Series device. With regard to the identity-based resource access
policy objective, the SRX Series devices and the SSG Series devices are functionally
equivalent: in addition to whatever other security features each might have, either
product line can be configured to enforce the identity-based resource access policy.
When you navigate this documentation, you may choose to focus on the deployment
that more closely resembles your own infrastructure or to compare the deployments to
see the areas of equivalent functionality.
The following sections show deployment and configuration details for the campus
resource access policy deployment:
• Deployment Diagram on page 64
• SRX Series Configuration on page 64
• Pulse Policy Secure Configuration on page 66
Deployment Diagram
Figure 50 on page 64 shows the deployment diagram for the campus resource access
policy enforcement deployment. The campus uses an SRX100 device to protect Web
server 6.6.6.6. In addition to performing firewall security checks, we deploy the
SRX100 to enforce the identity-based resource access policy. Only users mapped to
the Enterprise role are allowed to access Web server 6.6.6.6. When John attempts to
access this Web server, the SRX100 performs a session lookup against the
authentication table pushed to it by the campus Pulse Policy Secure. In this scenario,
the authentication table has an entry for John because he gained access to the
campus network through the 802.1x deployment associated with the campus Policy
Secure. The authentication table entry shows that John belongs to the Enterprise
role, so he is allowed to access Web server 6.6.6.6.
Figure 50: Campus Resource Access Policy Enforcement Deployment
[Diagram: NOC (DHCP server; IF-MAP server, IC series "ICB"; AD/DNS Globalcorp.local), Branch, and Campus, where John reaches the SRX100 (addresses 192.168.240.1 and 192.168.246.1) that protects server 6.6.6.6/32; an unprotected server is also shown]
SRX Series Configuration
Table 10 on page 64 describes the features we configured on the SRX Series device
to enable enforcement of Pulse Policy Secure resource policy rules.
Table 10: Campus UAC Enforcer Configuration
Junos OS Configuration Hierarchy | Description
services | With the Junos OS services hierarchy, we configure communication with the Pulse Policy Secure. We specify the interface to use for communication, the Policy Secure IP address, and the Policy Secure administrator password.
security | We add a security policy rule that directs the SRX device to enforce the "Uac policy."
Figure 51 on page 65 and Figure 52 on page 66 show these configurations.
Figure 51: J-Web UI: Point and Click CLI > services > unified-access-control
Figure 52: J-Web UI: Point and Click CLI > security > policies > policy > untrust-trust
Click here to display the complete configuration for this device.
Pulse Policy Secure Configuration
Table 11 on page 66 describes the features we configured on the Pulse Policy Secure to
enable enforcement of Policy Secure resource policy rules.
Table 11: Campus Pulse Policy Secure Resource Access Policy Configuration
Feature | Description
Infranet Enforcer | Connection information for communication with the SRX Series:
  • Specify the SRX Series device administrator password.
  • Use the SRX J-Web UI to look up the SRX Series device serial number. The serial number is shown on the J-Web dashboard page.
  • Location Group is not used in this example.
Resource Access Policy | The Enterprise-Access-Permitted rule allows Enterprise role users access to all ports on servers 4.4.4.4 and 6.6.6.6.
Figure 53 on page 67, Figure 54 on page 67, and Figure 55 on page 68 show this
configuration.
Figure 53: Pulse Policy Secure: Infranet Enforcer > Connection
When communication is established between the Pulse Policy Secure and the SRX
Series device, the Enforcer Status shown on the system status page is green, as
shown in Figure 54 on page 67.
Figure 54: Pulse Policy Secure: System > Status
Figure 55 on page 68 shows a summary of the resource access policy configured for
this example.
Figure 55: Pulse Policy Secure: Infranet Enforcer > Resource Access Policies
Click the following links to download the complete configuration for this device: Part
1, Part 2.
Related Documentation
• Junos SRX Enforcer Feature Guide
Branch Resource Access Policy Enforcement Deployment
The purpose of the identity-based resource access policy in this example is to
enforce a simple “employees only” policy. If your business has more complex
requirements, you can configure more roles and resource access policy rules to
enforce more granular restrictions, such as allowing only HR employees access to
HR databases or Finance employees access to the accounting side of a customer
relationship management (CRM) database.
In the configuration pages of this example, we show the required or relevant parts of
the configuration and provide a link for downloading the complete configuration for
the lab device. Use the related documentation list to find more detailed information
about the feature, including limitations and options we have not shown.
The campus and branch configurations are similar. The notable difference is that
the campus deployment uses a Juniper Networks SRX Series device to enforce the
identity-based resource access policy, while the branch deployment uses a Juniper
Networks SSG Series device. With regard to the identity-based resource access
policy objective, the SRX Series devices and the SSG Series devices are
functionally equivalent: in addition to whatever other security features each might
have, either product line can be configured to enforce the identity-based resource
access policy. When you navigate this documentation, you may choose to focus on
the deployment that more closely resembles your own infrastructure or to compare
the deployments to see the areas of equivalent functionality.
The following sections show deployment and configuration details for the branch
resource access policy deployment:
• Deployment Diagram on page 69
• SSG Series Configuration on page 69
• Pulse Policy Secure Configuration on page 72
Deployment Diagram
Figure 56 on page 69 shows the deployment diagram for the branch resource access
policy enforcement deployment. The branch uses an SSG20 device to protect Web
server 5.5.5.5. In addition to performing firewall security checks, we deploy the
SSG20 to enforce the identity-based resource access policy. Only users mapped to
the Enterprise role are allowed to access Web server 5.5.5.5. When Lisa attempts
to access this Web server, the SSG20 performs a session lookup against the
authentication table (also called the auth table) that has been pushed to it by the
branch Pulse Policy Secure. In this scenario, the auth table has an entry for Lisa
because she gained access to the branch network through the 802.1x deployment
associated with the branch Policy Secure. The auth table entry shows that Lisa
belongs to the Enterprise role, so she is allowed to access Web server 5.5.5.5.
Figure 56: Branch Resource Access Policy Enforcement Deployment
[Diagram: NOC, Campus, and Branch, where Lisa reaches the SSG20 (addresses 192.168.250.1 and 192.168.246.1) that protects server 5.5.5.5/32; also shown are the DHCP server, the IF-MAP client IC series "ICA", AD/DNS Globalcorp.local, and an unprotected server]
SSG Series Configuration
Table 12 on page 70 describes the features we configured on the SSG Series device
to enable enforcement of Pulse Policy Secure resource policy rules.
Table 12: Branch UAC Enforcer Configuration
Feature | Description
Pulse Policy Secure Instance | The Pulse Policy Secure Instance refers to the Policy Secure.
NACN Parameters | Communication between the SSG device and Policy Secure is secured by NetScreen Address Change Notification (NACN) conventions. Specify:
  • Password. A one-time password.
  • Certificate. Communication between the two components is secured using certificates. For information on importing the certificate, see the "Unified Access Control Solution" chapter in the ScreenOS Concepts and Examples Reference Guide.
Pulse Policy Secure Connection Options | Typically, you use the default settings related to communication with the Policy Secure. The settings are configurable to support troubleshooting.
Security Policy > Advanced Settings | A security policy rule that directs the SSG device to enforce the Policy Secure resource access policy (also called the Infranet Auth policy). If the policy lookup results in a deny action, you can specify a redirect URL, such as a remediation Web page.
Figure 57 on page 70, Figure 58 on page 71, and Figure 59 on page 72 show these
configurations.
Figure 57: ScreenOS Web UI: Configuration > Infranet Auth > Controllers
Figure 58: ScreenOS Web UI: Configuration > Infranet Auth > General Settings
Figure 59: ScreenOS Web UI: Policy > Policies (From Untrust to Trust) > Advanced Policy Settings
Click here to display the complete configuration for this device.
Pulse Policy Secure Configuration
Table 13 on page 73 describes the features we configured on the Policy Secure to
enable enforcement of resource policy rules.
Table 13: Branch Pulse Policy Secure Resource Access Policy Configuration
Feature | Description
Infranet Enforcer | Connection information for communication with the SSG Series device:
  • Specify the NACN password that you set on the SSG Series device.
  • Specify the administrator username and password for the SSG Series device.
  • Use the ScreenOS Web UI to look up the SSG Series device serial number.
  • Location Group is not used in this example.
Resource Access Policy | The Enterprise-Access-Permitted rule allows Enterprise role users access to all ports on servers 3.3.3.0/24 and 5.5.5.0/24.
Figure 60 on page 73, Figure 61 on page 74, and Figure 62 on page 74 show these
configurations.
Figure 60: Pulse Policy Secure: UAC > Infranet Enforcer > Connection
The policy list on the Infranet Enforcer > Enforcer Policies tab, shown in
Figure 61 on page 74, is populated by communication from the SSG Series device.
If changes are required, we recommend that you make the changes on the SSG
Series device.
Figure 61: Pulse Policy Secure: Infranet Enforcer > Enforcer Policies
Figure 62 on page 74 shows the resource access policies summary for this example.
Figure 62: Pulse Policy Secure: Infranet Enforcer > Resource Access Policies
Click the following links to download the complete configuration for this device:
Part 1, Part 2.
CHAPTER 8
IF-Map Federation
• IF-MAP Deployment on page 75
IF-MAP Deployment
The purpose of the federated deployment is to enable the resource access policy to be
enforced at each enforcement point without forcing the employees to enter
authentication credentials at each enforcement point. To do this, you configure the
Pulse Secure access services to share session information with each other.
In the configuration pages of this example, we show the required or relevant parts of
the configuration and provide a link for downloading the complete configuration for the
lab device. Use the related documentation list to find more detailed information about
the feature, including limitations and options we have not shown.
The following sections describe and show deployment and configuration details for
the federated deployment:
• Overview on page 75
• Pulse Policy Secure IF-MAP Server Configuration on page 77
• Pulse Policy Secure IF-MAP Client Configuration on page 84
• Pulse Secure Access Service IF-MAP Client Configuration on page 86
Overview
In this example, the Pulse Secure network access services are configured to
participate in a federation that uses the IF-MAP (Interface for Metadata Access Point)
standard protocol to share data about user sessions. The IF-MAP client-server model
is similar to common client-server data synchronization models. Many clients report to
one server, which is the common synchronization point. The server updates clients
from its "master" data store. Figure 63 on page 76 shows the data synchronization
operations between the IF-MAP server and IF-MAP clients. For export operations,
session data is transformed to the IF-MAP data standard. For import operations,
IF-MAP data is transformed into Pulse Secure client session information.
Figure 63: IF-MAP Deployment
Figure 64 on page 76 shows the topology of our network.
Figure 64: Federated Access Service Devices
[Diagram: Branch (Management 10.0.1.0/24, Enterprise 10.0.2.0/24, Guest 10.0.3.0/24, Remediation 10.0.4.0/24; Lisa; Web server 5.5.5.5; ScreenOS Enforcer SSG20; L2 switch EX3200; IF-MAP client IC series "ICA"; DHCP server), Home (Bob, via an ISP), NOC (IF-MAP client SA series "SA"; IF-MAP server IC Series "ICB"; DHCP server; AD/DNS Globalcorp.local 192.168.252.33), and Campus (Management 20.0.1.0/24, Enterprise 20.0.2.0/24, Guest 20.0.3.0/24, Remediation 20.0.4.0/24; John; Web server 6.6.6.6; L2 switch HP2626; Junos Enforcer SRX100). Link addresses shown: 192.168.240.1, 192.168.241.1, 192.168.242.1, 192.168.243.1, 192.168.244.1, 192.168.246.1, 192.168.250.1]
This example has three participants in the IF-MAP federation:
• The campus Pulse Policy Secure that runs on the campus IC Series device shown
in Figure 63 on page 76 is the IF-MAP server. It collects session information exported
by IF-MAP clients. The campus Policy Secure is used in the 802.1x deployment
and resource access policy deployment, so it also maintains its own session table.
• The Pulse Secure Access Service that runs on the SA Series device shown in
Figure 63 on page 76 is an IF-MAP client that exports its session information to
the IF-MAP server. The campus Policy Secure thereby "knows" about Bob's
authenticated session when he tries to access a Web server protected by the
campus firewall, and it uses that information to determine whether Bob is
permitted access. Note that the Secure Access Service does not import session
information.
• The branch Policy Secure that runs on the branch IC Series device shown in
Figure 63 on page 76 is an IF-MAP client that exports its session information to the
IF-MAP server and imports session information from the IF-MAP server. The
branch Policy Secure thereby "knows" about Bob's authenticated session when he
tries to access a Web server protected by the branch firewall, and uses that
information to determine whether Bob is permitted access.
Note that an IF-MAP client does not export session information that it has not learned
firsthand—that is, it does not export Bob's session information back to the IF-MAP
server.
Pulse Policy Secure IF-MAP Server Configuration
You configure the following settings for the IF-MAP server:
• Communication with the IF-MAP clients.
• A session export policy. The session export policy specifies how to transform
Pulse Secure session data into IF-MAP standard data.
• A session import policy. The session import policy selects how to transform IF-MAP
data into Pulse Secure client session data.
Figure 65 on page 78 shows the IF-MAP server setting.
Figure 65: Pulse Policy Secure: System > IF-MAP Federation > Overview
Figure 66 on page 79 through Figure 68 on page 81 show the IF-MAP server’s client
settings.
Figure 66: Pulse Policy Secure: System > IF-MAP Federation > This Server
Figure 67: Pulse Policy Secure: System > IF-MAP Federation > IF-MAP Client
Figure 68: Pulse Policy Secure: System > IF-MAP Federation > IF-MAP Client
Figure 69 on page 82 shows the configuration for the IF-MAP server session export
policy. The session export policy specifies how to transform Pulse Secure client session
data into IF-MAP standard data. In this example, we specify that session data for
sessions matching Enterprise and Remediation roles is to be exported as IF-MAP
capability data.
Figure 69: Pulse Policy Secure: System > IF-MAP Federation > Session-Export Policy
Figure 70 on page 83 shows the configuration for the IF-MAP server session import
policy configured for this example. The session import policy specifies how to
transform IF-MAP data into Pulse Secure client session data. In this example, we
configure a policy that selects IF-MAP records based on identity (use of the * wildcard
matches all) and imports a copy of session records related to all IF-MAP capabilities.
Figure 70: Pulse Policy Secure: System > IF-MAP Federation > Session-Import Policy
Click the following links to download the complete configuration for this device: Part 1,
Part 2.
Pulse Policy Secure IF-MAP Client Configuration
You configure the following settings for the IF-MAP client:
• Communication with the IF-MAP server.
• A session export policy. The session export policy specifies how to transform
Pulse Secure client session data into IF-MAP standard data.
• A session import policy. The session import policy selects how to transform IF-MAP
data into Pulse session data.
Figure 71 on page 84 shows this configuration.
Figure 71: Pulse Policy Secure: System > IF-MAP Federation > Overview
Figure 72 on page 85 shows the configuration for the IF-MAP client session export policy
configured for this example. The session export policy specifies how to transform Pulse
Secure session data into IF-MAP standard data. In this example, we specify that
session data for sessions matching Enterprise and Remediation roles is to be exported
as IF-MAP capability data.
Figure 72: Pulse Policy Secure: System > IF-MAP Federation > Session-Export Policy
Figure 73 on page 86 shows the configuration for the IF-MAP client session import
policy configured for this example. The session import policy specifies how to
transform IF-MAP data into Pulse Secure client session data. In this example, we
configure a policy that selects IF-MAP records based on identity (use of the * wildcard
matches all) and imports a copy of session records related to all IF-MAP capabilities.
Figure 73: Pulse Policy Secure: System > IF-MAP Federation > Session-Import Policy
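The federation described in the Overview of this chapter, the session-export and session-import policies just described, and the enforcer auth-table lookup from Chapter 7, as one added model that is not Pulse Secure or Juniper code. Lisa's address, the "carol" session and the class names are constructed; Bob's address and the policy networks are the ones this document gives.

```python
"""Added model of the IF-MAP federation (Chapter 8) and the enforcer auth-table
lookup it makes possible (Chapter 7).  Constructed illustration, not Pulse
Secure or Juniper code: classes stand in for the appliances and the session
data is simplified sample data."""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    identity: str        # user name from the authentication realm
    ip: str              # endpoint address
    roles: frozenset     # roles left after role mapping and Host Checker


class IFMAPServer:
    """Campus Policy Secure: master store of the sessions that clients publish."""

    def __init__(self):
        self.records = {}                      # (publisher, identity) -> Session

    def publish(self, publisher, session):
        self.records[(publisher, session.identity)] = session

    def search(self, identity_pattern="*", capabilities=None):
        """Session-import policy match: identity pattern ('*' matches all) and,
        if a capability set is given, at least one shared capability (role)."""
        return [(pub, s) for (pub, _), s in self.records.items()
                if fnmatch(s.identity, identity_pattern)
                and (capabilities is None or s.roles & capabilities)]


class AccessService:
    """A Policy Secure or Connect Secure acting as IF-MAP client.  export_roles
    is its session-export policy; imports=False models the Connect Secure,
    which exports sessions but never imports any."""

    def __init__(self, name, server, export_roles, imports=True):
        self.name, self.server = name, server
        self.export_roles = frozenset(export_roles)
        self.imports = imports
        self.local = {}        # sessions this device authenticated (firsthand)
        self.imported = {}     # sessions learned from the IF-MAP server

    def login(self, session):
        self.local[session.identity] = session
        # Session-export policy: only the roles it names become capability data.
        caps = session.roles & self.export_roles
        if caps:
            self.server.publish(self.name, Session(session.identity, session.ip, caps))

    def import_sessions(self):
        if not self.imports:
            return 0
        # Session-import policy of this example: '*' identity, all capabilities.
        self.imported = {s.identity: s for pub, s in self.server.search("*")
                         if pub != self.name}       # own records are already local
        return len(self.imported)

    def auth_table(self):
        """Table pushed to this device's enforcer: local plus imported sessions.
        Imported sessions are never exported again (not learned firsthand)."""
        return {**self.imported, **self.local}


class Enforcer:
    """SRX or SSG: look the source IP up in the auth table, then apply the
    resource access policy rules (role -> permitted destination networks)."""

    def __init__(self, rules):
        self.rules = [(role, [ip_network(n) for n in nets]) for role, nets in rules]

    def check(self, auth_table, src_ip, dst_ip):
        entry = next((s for s in auth_table.values() if s.ip == src_ip), None)
        if entry is None:
            return "deny (no auth table entry)"   # SSG may redirect to a remediation URL
        dst = ip_address(dst_ip)
        for role, nets in self.rules:
            if role in entry.roles and any(dst in net for net in nets):
                return f"permit ({entry.identity}: {role})"
        return f"deny ({entry.identity}: no permitted role)"


def run_example():
    """Branch view of the federation: Lisa local, Bob federated from the SA."""
    server = IFMAPServer()
    branch = AccessService("ICA", server, {"Enterprise", "Remediation"})
    connect_secure = AccessService("SA", server, {"Enterprise", "Remediation"}, imports=False)
    both = frozenset({"Enterprise", "Remediation"})
    branch.login(Session("lisa", "10.0.2.10", both))              # constructed, branch Enterprise VLAN
    connect_secure.login(Session("bob", "192.168.243.100", both))  # address from the Chapter 10 logs
    branch.login(Session("carol", "10.0.4.10", frozenset({"Remediation"})))  # constructed: failed Host Checker
    branch.import_sessions()
    # Branch SSG20 rule Enterprise-Access-Permitted: 3.3.3.0/24 and 5.5.5.0/24.
    ssg20 = Enforcer([("Enterprise", ["3.3.3.0/24", "5.5.5.0/24"])])
    table = branch.auth_table()
    return {
        "lisa": ssg20.check(table, "10.0.2.10", "5.5.5.5"),
        "bob": ssg20.check(table, "192.168.243.100", "5.5.5.5"),   # no second login needed
        "carol": ssg20.check(table, "10.0.4.10", "5.5.5.5"),       # Remediation only
        "unknown": ssg20.check(table, "10.0.3.10", "5.5.5.5"),     # never authenticated
        "bob_on_server": ("SA", "bob") in server.records,
        "bob_reexported_by_branch": ("ICA", "bob") in server.records,
    }
```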
Click the following links to download the complete configuration for this device: Part 1,
Part 2.
Pulse Secure Access Service IF-MAP Client Configuration
You configure the following settings for the IF-MAP client:
• Communication with the IF-MAP server.
• A session export policy. The session export policy specifies how to transform
Pulse Secure session data into IF-MAP standard data.
Figure 74 on page 87 shows the IF-MAP client configuration.
Figure 74: Pulse Secure Access Service: System > IF-MAP Federation > Overview
Figure 75 on page 88 shows the session export policy. The session export policy
specifies how to transform Pulse Secure session data into IF-MAP standard data. In
this example, we specify that session data for sessions matching Enterprise and
Remediation roles is to be exported as IF-MAP capability data.
Figure 75: Pulse Secure Access Service: System > IF-MAP Federation > Session-Export Policy
Click the following links to download the complete configuration for this device: Part 1,
Part 2.
Related Documentation
• IF-MAP Feature Guide
PART 3
Administration
• Local Sessions on page 91
• Remote Sessions on page 95
• Federated Sessions on page 99
CHAPTER 9
Local Sessions
• Reviewing 802.1x Network Access Logs on page 91
Reviewing 802.1x Network Access Logs
You can use the Pulse Policy Secure logs to verify that the components that
communicate in response to an 802.1x access request are functioning as expected.
The following sequence of screens shows a client connection to the branch network.
You can try something similar to observe the logs that are generated when a user
connects to the network.
Figure 76 on page 91 shows the state of Lisa’s OAC client before she makes a
connection. The client has no IP address.
Figure 76: Odyssey Access Client
Figure 77 on page 92 shows the results of the ipconfig command before Lisa makes a
connection. The client has no IP address.
Figure 77: ipconfig
Figure 78 on page 92 shows the OAC Connect to the network option that Lisa selects
to make a connection.
Figure 78: Odyssey Access Client
Figure 79 on page 93 shows the results of the ipconfig command after Lisa makes the
connection. Her host computer is assigned an IP address.
Figure 79: ipconfig
Figure 80 on page 93 shows the branch Policy Secure active users table. It shows an
entry for Lisa’s connection.
Figure 80: Pulse Policy Secure: Status > Active Users
Figure 81 on page 93 shows the set of logs related to authentication that are written
when the user attempts to log in.
Figure 81: Pulse Policy Secure: System > Log/Monitoring > User Access
Table 14 on page 94 explains what the logs show, from the bottom up.
Table 14: User Access Logs
Log ID | Description
AUT24326 | Shows that Lisa was authenticated against the AD server.
AUT24803 | Shows that Lisa's host computer met the endpoint inspection policy.
AUT24414 | Shows that Lisa was mapped to the Enterprise and Remediation roles.
EAM24459 | Shows that Lisa, having passed the endpoint inspection policy, was assigned to the enterprise VLAN.
EAM24805 | Shows success of RADIUS authentication. Lisa sent an authentication request through the EX3200 switch, which is the RADIUS client.
Finally, note that in this IF-MAP deployment, the user session is exported from the
IF-MAP client to the IF-MAP server. Figure 82 on page 94 shows the exported session
table.
Figure 82: Pulse Policy Secure: System > IF-MAP Federation (Client) > Active Users > Exported
CHAPTER 10
Remote Sessions
• Reviewing SSL VPN Access Logs on page 95
Reviewing SSL VPN Access Logs
You can use the Pulse Connect Secure logs to verify that the components that communicate in
response to an SSL VPN client connection request are functioning as expected. The following
sequence of screens shows the remote client connection that happens in this example: Bob's
connection from home.
Figure 83 on page 95 shows the results of the ipconfig command before Bob initiates a Pulse
connection: his host computer shows the IP address for the physical Ethernet adapter.
Figure 83: Remote Host Computer: ipconfig
Figure 84 on page 96 shows the Pulse Secure client. In this sequence, Bob opens the Pulse
Secure client and enters his credentials.
Figure 84: Pulse Secure Client
Upon successful authentication, Bob’s host computer now shows both the IP address for the
physical Ethernet adapter and the IP address for the SSL VPN connection. Figure 85 on page
96 shows the results of the ipconfig command after Bob’s Pulse Secure connection is
completed.
Figure 85: Remote Host Computer: ipconfig
Figure 86 on page 97 shows the set of logs related to authentication that are written when the
user attempts to log in.
Figure 86: Pulse Connect Secure: System > Log/Monitoring > User Access
Table 15 on page 97 explains what the logs show, starting from the bottom up.
Table 15: User Access Logs
Log ID | Description
AUT24326 | Shows that Bob was authenticated against the AD server. Note that it logs the IP address for Bob's host computer—192.168.1.10.
AUT24803 | Shows that Bob's host computer met the endpoint inspection policy.
AUT24414 | Shows that Bob was identified as belonging to the Enterprise and Remediation Roles.
ERR24670 | Shows an attempt to make a network connect connection.
FDU24754 | Shows that the session information for Bob was exported to the IF-MAP server.
NWC2364 | Shows the network connect session was started and that the IP address for Bob's session is 192.168.243.100.
NWC30477 | Shows the SSL VPN connection has been established.
Finally, note that in this IF-MAP deployment, the user session is exported from the IF-MAP client
to the IF-MAP server. Figure 87 on page 98 shows the exported session table.
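To check from log data that a remote login was federated the way Table 15 describes, the following added Python example (not code from the Pulse Secure documentation or product) reads constructed User Access log lines bottom up, verifies that the seven message IDs occur in the order Table 15 lists them, confirms the FDU24754 export to the IF-MAP server, and pulls out the host and Network Connect IP addresses. The line layout and the contents of SAMPLE_LOG are assumptions made for illustration.

```python
import re

# Constructed sample of a Pulse Connect Secure User Access log as the page shows it
# (newest entry first), using the message IDs from Table 15. The line layout is an
# assumption for illustration, not a verbatim product log format.
SAMPLE_LOG = """\
Info NWC30477 2015/03/31 09:12:07 - ive - [192.168.1.10] bob(AD)[Enterprise, Remediation] - SSL VPN connection established
Info NWC2364 2015/03/31 09:12:06 - ive - [192.168.1.10] bob(AD)[Enterprise, Remediation] - Network Connect session started, IP 192.168.243.100
Info FDU24754 2015/03/31 09:12:05 - ive - [192.168.1.10] bob(AD)[Enterprise, Remediation] - Session exported to IF-MAP server
Info ERR24670 2015/03/31 09:12:04 - ive - [192.168.1.10] bob(AD)[Enterprise, Remediation] - Network Connect connection attempt
Info AUT24414 2015/03/31 09:12:03 - ive - [192.168.1.10] bob(AD)[Enterprise, Remediation] - Roles assigned
Info AUT24803 2015/03/31 09:12:02 - ive - [192.168.1.10] bob(AD)[] - Host Checker policy passed
Info AUT24326 2015/03/31 09:12:01 - ive - [192.168.1.10] bob(AD)[] - Primary authentication successful
"""

LINE_RE = re.compile(r"^\w+ (?P<msgid>[A-Z]{3}\d+) \S+ \S+ - ive - \[(?P<ip>[\d.]+)\] "
                     r"(?P<user>[^(\s]+)\((?P<realm>[^)]*)\)\[(?P<roles>[^\]]*)\] - (?P<msg>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Order in which Table 15 reads the entries (bottom up): authentication, endpoint check,
# role mapping, Network Connect attempt, IF-MAP export, session start, SSL VPN established.
EXPECTED = ["AUT24326", "AUT24803", "AUT24414", "ERR24670", "FDU24754", "NWC2364", "NWC30477"]


def parse_log(text):
    """Return parsed entries in chronological order (the log page lists newest first)."""
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    events.reverse()
    return events


def check_federated_login(text, user):
    """Confirm one user's login produced the full sequence, including the IF-MAP export."""
    events = [e for e in parse_log(text) if e["user"] == user]
    seen = [e["msgid"] for e in events if e["msgid"] in EXPECTED]
    result = {"user": user, "missing": [m for m in EXPECTED if m not in seen],
              "in_order": seen == [m for m in EXPECTED if m in seen],
              "exported_to_ifmap": "FDU24754" in seen,
              "client_ip": None, "vpn_ip": None, "roles": []}
    for e in events:
        if e["msgid"] == "AUT24326":       # IP address of the user's host computer
            result["client_ip"] = e["ip"]
        elif e["msgid"] == "AUT24414":     # roles the user was mapped to
            result["roles"] = [r.strip() for r in e["roles"].split(",") if r.strip()]
        elif e["msgid"] == "NWC2364":      # IP address assigned to the Network Connect session
            m = IP_RE.search(e["msg"])
            result["vpn_ip"] = m.group(1) if m else None
    result["ok"] = not result["missing"] and result["in_order"] and result["exported_to_ifmap"]
    return result
```

A login whose log lacks FDU24754 is reported with ok set to False and the missing ID listed, which is the case to look for when a federated session never appears in the IF-MAP server's imported table.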
Figure 87: Pulse Connect Secure: System > IF-MAP Federation (Client) > Active Users > Exported
CHAPTER 11
Federated Sessions
Reviewing IF-MAP Logs on page 99
Reviewing IF-MAP Logs
You can use the Pulse Access Control Service IF-MAP server logs to verify session federation.
When Lisa connects to the LAN through the branch Pulse Access Control Service and Bob connects
to the Pulse Connect Secure, those devices export the session information to the IF-MAP server.
The export appears in their respective IF-MAP client export session lists. Figure 88 on page 99
shows the exported session table for the branch Access Control Service.
Figure 88: Pulse Access Control Service: System > IF-MAP Federation (Client) > Active Users > Exported
Figure 89 on page 100 shows the exported session table for the branch Connect Secure.
Figure 89: Pulse Connect Secure: System > IF-MAP Federation (Client) > Active Users > Exported
Next, Lisa and Bob access a resource protected by the campus enforcer. Figure 90 on page 100
shows the website located behind the firewall.
Figure 90: Web Server with IP Address 6.6.6.6
The IF-MAP server imports the session information about Lisa and Bob. Figure 91
on page 100 shows the imported session table.
Figure 91: Pulse Access Control Service: System > IF-MAP Federation (Server) > Active Users > Imported
In addition, the IF-MAP server logs shown in Figure 92 on page 101 provide detailed
information about the same operations. Note the entries that indicate when a session is
removed from the IF-MAP server master session table. The IF-MAP server purges sessions a
few minutes after the client disconnects.
Figure 92: Pulse Access Control Service: System > Log/Monitoring > User Access
Next, let’s observe a client import policy operation by having Bob access a resource protected
by the branch enforcer. Figure 93 on page 101 shows the website located behind the firewall.
Figure 93: Web Server with IP Address 5.5.5.5
You can see the entry for Bob in the branch Pulse Secure Access Control Service IF-MAP
imported active users table, shown in Figure 94 on page 102.
Figure 94: Pulse Access Control Service: System > IF-MAP Federation (Client) > Active Users > Imported
Figure 95 on page 102 shows the logs that indicate the session import operation.
Figure 95: Pulse Access Control Service: System > Log/Monitoring > User Access
Figure 96 on page 103 shows the more verbose event logs. Use the event logs if you need to
troubleshoot a session import or export that does not appear as expected.
Figure 96: Pulse Secure Access Control Service: System > Log/Monitoring > Events