For more information contact: sales@kappadata.be
5. 4 DIGIPASS Authentication for Pulse Connect Secure
DIGIPASS Authentication for Pulse Connect Secure
1 Overview
This whitepaper describes how to configure Pulse Connect Secure together with VASCO
IDENTIKEY Authentication Server. This setup will enable securing the sign-in to the SSL VPN with
two-factor authentication.
2 Technical Concepts
2.1 Pulse Secure
2.1.1 Pulse Connect Secure
Pulse Connect Secure provides remote access to the company’s intranet through an SSL VPN
solution that is easy to use yet still flexible. The solution is available as a hardware appliance or
a virtual appliance.
2.2 VASCO
2.2.1 IDENTIKEY Authentication Server or IDENTIKEY Appliance
IDENTIKEY Authentication Server is an off-the-shelf centralized server that provides two-factor
authentication with DIGIPASS devices. It offers complete functionality and management features
without the need for significant budgetary or personnel investments.
IDENTIKEY Appliance is a standalone authentication appliance that offers the features of
IDENTIKEY Authentication Server, being ready to be deployed right away.
The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance
are similar.
3 Installation
3.1 Pulse Connect Secure
Follow the installation steps on the console of the Pulse Connect Secure appliance.
Start the installation.
Configure the network settings.
Create an admin user.
Finalize the configuration with certificate information and a random string.
3.2 IDENTIKEY Appliance
Open the console of the IDENTIKEY appliance. Log on with ‘rescue’ for the basic configuration.
Choose n for network configuration.
Configure the IP address of the appliance by typing i.
Configure the gateway of the appliance by typing g.
Navigate to the appliance’s IP address using https, and open the configuration wizard by logging
on with the default credentials ‘sysadmin’ – ‘sysadmin’.
Follow the configuration wizard, and configure the sysadmin password, network settings and
certificate information.
Configure the license for the appliance. You can request a temporary license from the Vasco
Customer Portal http://cp.vasco.com.
Finish the wizard with the IDENTIKEY configuration and an administrator user.
4 Setup without IDENTIKEY
Before adding two-factor authentication to the sign-in, first validate a standard configuration that
does not yet involve IDENTIKEY Authentication Server: a basic authentication setup in Pulse
Connect Secure based on users that are added locally.
4.1 Architecture
4.2 Pulse Connect Secure Settings
Navigate to the administration interface of Pulse Connect Secure. This is hosted on
https://[server IP address]/admin.
4.2.1 Authentication Servers
An authentication server in Pulse Connect Secure configures a system that can handle the
authentication for the SSL VPN sign-in.
In order to authenticate using local users on Pulse Connect Secure, we will use the authentication
server called ‘System Local’ that is configured by default.
Navigate to Authentication > Auth Servers > System Local
Create a local user in the System Local authentication server, to test the authentication. Open tab
Users and click on New.
Username: userlocal
Full Name: Local Test User
Password: Test1234
Click on Save Changes.
4.2.2 User Realms
A User Realm is the central configuration for the SSL VPN sign-in, specifying how it will be
handled exactly. The authentication server to be used will be selected in the user realm.
Navigate to the default user realm ‘Users’, which specifies the authentication based on System
Local.
Users > User Realms > Users
4.2.3 User Roles
User roles are managed in Pulse Connect Secure to specify what a user is allowed to do in the
SSL VPN.
A default role ‘Users’ already exists with the most usual configuration for what regular users are
allowed to do. Any role can be configured specifically to the needs of the environment,
independently of the authentication configuration.
Roles will be assigned to users based on the configured Role Mapping inside the user realm.
For the user realm Users, a default role mapping has been defined that assigns the Users role to
all users for the realm.
Navigate to the tab ‘Role Mapping’ of the user realm.
4.2.4 Sign-in
A sign-in policy will link the sign-in URL to the user realm that will be used to authenticate users.
The default sign-in policy links the root URL to the Users user realm.
Navigate to Authentication > Sign-in Policies > */
4.3 Testing the Solution
Browse to the SSL VPN Web portal, hosted on the root URL of the Pulse Connect Secure’s IP
address over https.
Authenticate with the test user userlocal and password Test1234. Check that you are redirected to
the Pulse Connect Secure main user interface.
5 Solution
When the basic setup is completed successfully, the solution is ready to be integrated with
IDENTIKEY. This will secure the SSL VPN with two-factor authentication. The users and DIGIPASS
will be managed in IDENTIKEY, and the authentication will use the RADIUS protocol.
5.1 Architecture
5.2 Pulse Connect Secure Settings
Navigate to the administration interface of Pulse Connect Secure. This is hosted on
https://[server IP address]/admin.
5.2.1 Authentication Servers
To connect to IDENTIKEY, a new Authentication Server should be defined in Pulse Connect
Secure. This will configure the RADIUS connection.
Navigate to Authentication > Auth Servers
Select Radius Server in the dropdown box and click New Server
Name: Identikey
Radius Server: IP of the IDENTIKEY server
Shared Secret: Choose a shared secret to secure the Radius connection; the same value has to be entered later on the IDENTIKEY side
Enable ‘Users authenticate using tokens or one-time passwords’
Click on Save Changes at the bottom of the page.
5.2.2 User Realms
Now we have to specify a new user realm where we will link the new Authentication Server.
Navigate to Users > User Realms > New
Name: Identikey
Authentication: Identikey
Click on Save Changes at the bottom of the page.
Configure the Role Mapping for this user realm. For the setup, we will use a simple configuration
to assign the ‘Users’ role to all users.
Navigate to the tab ‘Role Mapping’ of the user realm, and choose New Rule.
Name: All Users
If username is: *
Add role Users
Click on Save Changes at the bottom of the page.
5.2.3 Sign-in
The new user realm will have to be linked to the existing sign-in page. We will set this up in the
Sign-in Policy.
Navigate to Authentication > Sign-in Policies > */
Enable the Identikey realm. Select Users and click Remove. Select Identikey and click Add.
It is possible to select multiple user realms. This will provide a list of the available realms
on the sign-in page.
5.3 IDENTIKEY Authentication Server Settings
The incoming RADIUS connection needs to be configured in IDENTIKEY, together with the
authentication process that has to apply to it.
5.3.1 Policies
In the Policy, the behavior of the authentication is defined. There are different specific settings
possible, which need to be set according to the requirements of the environment. For the test
setup, only local authentication on IDENTIKEY will be performed, without any additional settings.
Navigate to the IDENTIKEY Web Administration. It is available on https://[IP of
IDENTIKEY]/webadmin. Log on with the administrator account.
Navigate to Policies > Create.
Policy ID: Pulse Secure Integration
Inherits From: Identikey Local Authentication
Click on Create.
If needed, specific settings can be modified in the policy details. However, in this setup, the
default settings inherited from Identikey Local Authentication are sufficient.
5.3.2 Client
A client specifies which applications are allowed to connect to IDENTIKEY through which protocol.
For the setup, a client will be registered to allow incoming RADIUS requests from Pulse Connect
Secure.
Navigate to Clients > Register.
Client Type: RADIUS Client
Location: The IP address of the Pulse Connect Secure server
Policy ID: Pulse Secure Integration
Protocol ID: RADIUS
Shared Secret: The shared secret that you chose when configuring the Authentication
Server in Pulse Connect Secure. This secret has to be the same on both sides of the
connection.
Confirm Shared Secret: repeat the shared secret
Click on Create.
5.3.3 User
A user has to be configured to test the authentication.
Navigate to Users > Create.
User ID: user1
Domain: master
Click on Create.
5.3.4 DIGIPASS
The DIGIPASS record is used to verify the one-time password that the user submits during
authentication. Each DIGIPASS is unique and identified by its serial number. It is assigned to the
user account, so that the correct link between the user ID and the DIGIPASS is established.
To be able to use a DIGIPASS, the records should be imported into IDENTIKEY. For testing
purposes, demo DIGIPASS licenses can be used. The import happens by following the wizard
DIGIPASS > Import.
For assigning the DIGIPASS to user1, navigate to the user account. Select the tab Assigned
DIGIPASS.
Click Assign and follow the wizard.
Select ‘Search now to select DIGIPASS to assign’ to select the required DIGIPASS in the next
step. Click Next.
Select the correct DIGIPASS and click Next.
Select a grace period of 0 days, and click Assign.
The DIGIPASS is now assigned to the user and ready for use. Click on Finish.
5.4 Testing the Solution
Browse to the SSL VPN Web portal, available on https://[IP of Pulse Connect Secure]/.
Username: user1
Password: OTP generated by the DIGIPASS assigned to user1
Click on Sign In.
In case of success, you will be redirected to the SSL VPN homepage.
6 Solution with Virtual DIGIPASS
The solution is now secured with one-time passwords generated by a DIGIPASS. Alternatively,
Pulse Connect Secure can also handle authentications with a virtual DIGIPASS. The virtual
DIGIPASS generates OTPs on the server, and these are delivered to the user through email, SMS
or phone call.
The SSL VPN sign-in will now consist of two steps. The first step is to request the OTP from the
server, and the next step to submit the OTP for authentication.
An SMS gateway has to be configured to send the virtual OTP over SMS.
6.1 Architecture
6.2 Pulse Connect Secure Settings
6.2.1 Authentication Servers
In order to authenticate using a virtual DIGIPASS, we have to modify the settings of the
Authentication Server in Pulse Connect Secure.
An extra authentication rule will specify that a second step needs to be added to the
authentication, if the RADIUS server notifies that a virtual OTP is generated.
Navigate to Authentication > Authentication Servers > Identikey
Click ‘New Radius Rule’ in the edit screen of the authentication server.
Name: Virtual Digipass
Response Packet Type: Access Challenge
Attribute criteria:
Reply-Message matches the expression Enter One-Time Password
Show Next Token page
Click Add next to the attribute criteria.
Click on Save Changes at the bottom of the page.
When a virtual OTP is requested from IDENTIKEY through RADIUS, IDENTIKEY sends a specific
value in the RADIUS Reply-Message attribute of its Access-Challenge. This value is exactly equal
to ‘Enter One-Time Password’, which is what the rule above matches on.
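The RADIUS exchange behind the Identikey authentication server of section 5.2.1 and the ‘Virtual Digipass’ rule above, written out as an added Python example. This is not code from the guide, from Pulse Secure or from VASCO: it implements the RFC 2865 User-Password hiding and Response Authenticator check that the shared secret protects, and a toy IDENTIKEY-side handler that answers a correct static password with an Access-Challenge carrying Reply-Message ‘Enter One-Time Password’ and a State token, then accepts the echoed OTP. The shared secret, the password of user1, the OTP generator and the SMS outbox are constructed stand-ins.

```python
import hashlib
import hmac
import os
import re
import secrets
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

# Constructed: the shared secret entered on both sides, and the expression of the
# 'Virtual Digipass' RADIUS rule from the guide (Reply-Message matches ...).
SHARED_SECRET = b"constructed-shared-secret-use-a-long-random-one"
CHALLENGE_RULE = re.compile(r"Enter One-Time Password")

# Constructed IDENTIKEY-side data: user1's static password, pending challenges keyed by
# the RADIUS State token, and an outbox standing in for the MDC SMS gateway.
USERS = {"user1": "StaticPw1"}
PENDING = {}
SMS_OUTBOX = {}

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident, username, password, req_auth, state=None):
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, req_auth))]
    if state is not None:
        attrs.append((STATE, state))  # echo the server's State in the second step
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, request, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + SHARED_SECRET).digest()
    return header + resp_auth + body

def verify_response(response, request):
    """Client-side proof that the reply came from a server holding the shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + SHARED_SECRET).digest()
    return hmac.compare_digest(expected, response[4:20])

def server_handle(request):
    """IDENTIKEY side: static password first, then the virtual OTP echoed with State."""
    attrs = dict(decode_attrs(request[20:]))
    user = attrs[USER_NAME].decode()
    credential = unhide_password(attrs[USER_PASSWORD], SHARED_SECRET, request[4:20]).decode()
    state = attrs.get(STATE)
    if state is None:
        if USERS.get(user) != credential:
            return build_response(ACCESS_REJECT, request, [])
        otp, token = f"{secrets.randbelow(10**6):06d}", os.urandom(8)
        PENDING[token] = (user, otp)
        SMS_OUTBOX[user] = otp  # the MDC would deliver this by SMS
        return build_response(ACCESS_CHALLENGE, request,
                              [(REPLY_MESSAGE, b"Enter One-Time Password"), (STATE, token)])
    if PENDING.pop(state, None) == (user, credential):  # one-shot: a replayed State fails
        return build_response(ACCESS_ACCEPT, request, [])
    return build_response(ACCESS_REJECT, request, [])

def client_sign_in(username, password, otp_lookup):
    """Pulse Connect Secure side: send the password, apply the RADIUS rule, send the OTP."""
    req = build_access_request(1, username, password, os.urandom(16))
    resp = server_handle(req)
    if not verify_response(resp, req):
        return "tampered"
    if resp[0] == ACCESS_CHALLENGE:
        attrs = dict(decode_attrs(resp[20:]))
        if not CHALLENGE_RULE.search(attrs.get(REPLY_MESSAGE, b"").decode()):
            return "unexpected challenge"
        # Rule matched: 'Show Next Token page', then resend with the server's State.
        req = build_access_request(2, username, otp_lookup(username), os.urandom(16), attrs[STATE])
        resp = server_handle(req)
        if not verify_response(resp, req):
            return "tampered"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"
```

`client_sign_in("user1", "StaticPw1", SMS_OUTBOX.get)` walks through both steps and returns "accept"; a wrong static password is rejected before any OTP is generated, a wrong OTP is rejected, and the State token is consumed on first use. Note that the User-Password hiding of RFC 2865 is MD5-based obfuscation keyed only by the shared secret, and the Response Authenticator is the only thing that ties a reply to that secret, which is why the guide's advice to choose a proper shared secret matters.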
6.3 IDENTIKEY Authentication Server Settings
6.3.1 MDC Configuration
Navigate to the IDENTIKEY Appliance configuration, on https://[IP of IDENTIKEY]/application.
For an IDENTIKEY Authentication Server installation, the MDC configuration is in a
separate tool. The software is located at VASCO > IDENTIKEY Server > Virtual DIGIPASS
MDC Configuration.
Log on with a system administrator account.
Navigate to Authentication Server > Message Delivery Component
Enable the Message Delivery Component. Then configure an SMS gateway with its specific
connection details. Enable that gateway and click Save.
6.3.2 Policies
To test the virtual DIGIPASS, the setup has to be completed for this scenario.
The policy defines how the virtual OTP is requested.
Open the IDENTIKEY web administration.
Navigate to Policies and open the policy Pulse Secure Integration.
Open the tab Virtual DIGIPASS.
All default values inherited from the IDENTIKEY Local Authentication policy are already correct for
the setup.
Delivery Method: SMS
MDC Profile: empty
Request Method: Password
This means that the user requests an OTP from the server by providing the static password.
Another option would be to request an OTP with a specific keyword.
6.3.3 DIGIPASS
The user will need a virtual DIGIPASS serial number to be assigned.
The specific DIGIPASS records should be imported by using the wizard DIGIPASS > Import.
Navigate to the user account and open the tab Assigned DIGIPASS.
Click on Assign and follow the wizard.
Choose a DIGIPASS type that is a virtual DIGIPASS, in this case DPVTL. Let IDENTIKEY
automatically select an available virtual DIGIPASS.
Click on Assign, and on Finish on the next page. A virtual DIGIPASS is now assigned to the user,
and ready to be used.
6.3.4 User
A password has to be set for the user, to request a virtual OTP. The mobile phone number also
has to be added, so the virtual OTP will be sent to that number.
Navigate to Users and select the user1 account.
Click on Set Password and choose a static password for the user.
Type the password and repeat it for confirmation. Click on Save.
In the user account, click on Edit to enter the mobile phone number.
Enter the number in the field ‘Mobile’ and click on Save.
6.4 Testing the Solution
Browse to the SSL VPN Web portal, available on https://[IP of Pulse Connect Secure]/.
Username: user1
Password: the static password defined for user1
Click Sign In.
An additional page is shown where the received virtual OTP can be entered.
Normally, an SMS message should be delivered to the mobile phone number configured for user1.
The message contains the generated virtual OTP.
Enter the OTP on the page and click on Enter.
In case of success, you will be redirected to the SSL VPN homepage.