© 2015 by Pulse Secure, LLC. All rights reserved
Pulse Policy Secure
Configuration Guide
Policy Secure 802.1x authentication with native Mac OSX
supplicant
Published: 2015-02-04
Document Revision 1.0
Pulse Secure, LLC
2700 Zanker Road, Suite 200
San Jose, CA 95134
http://www.pulsesecure.net
Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered
trademarks, or registered service marks are the property of their respective owners.
Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer,
or otherwise revise this publication without notice.
Configuration Guide - Policy Secure 802.1x authentication with native Mac OSX supplicant
The information in this document is current as of the date on the title page.
END USER LICENSE AGREEMENT
The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of
such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at http://www.pulsesecure.net. By
downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
1 Configuring native Mac OSX supplicant for Policy Secure 802.1x authentication
1.1 Configuring 802.1x profiles
1.1.1 TTLS-PAP authentication profile
1.1.2 TTLS/MS-CHAP-V2 authentication profile
1.1.3 PEAP authentication profile
1.2 Configuring Authentication Protocol Set on PPS
2 802.1x authentication in Mac OSX
3 Host checking on Mac OSX with native supplicant
4 Glossary
List of Figures
Figure 1 TTLS/PAP: General
Figure 2 TTLS/PAP: Wi-Fi
Figure 3 TTLS/MS-CHAP-V2: General
Figure 4 TTLS/MS-CHAP-V2: Wi-Fi
Figure 5 PEAP/MS-CHAP-V2: General
Figure 6 PEAP/MS-CHAP-V2: Wi-Fi
Figure 7 Authentication Protocol Set
1 Configuring native Mac OSX supplicant for Policy Secure 802.1x authentication
This section details the procedure for configuring the native Mac OSX supplicant for Policy Secure 802.1x
authentication.
System Requirements:
Apple Mac OSX (10.8/10.9) endpoint
iPhone Configuration Utility
Authentication to a Pulse Policy Secure (PPS) 802.1x server from OSX endpoints can be achieved with the
native supplicant by using the iPhone Configuration Utility. This tool lets you create, maintain, and install
configuration profiles, track and install provisioning profiles, and capture device information including
console logs.
You can create the profiles required for Policy Secure 802.1x authentication (TTLS/PAP, TTLS/MS-CHAP-V2,
and PEAP/MS-CHAP-V2) with the iPhone Configuration Utility (IPCU). Once IPCU generates the
configuration profiles, they can be exported to Mac OSX endpoints running 10.8/10.9. Users install the
profiles on their OSX endpoints by double-clicking the exported files; this provisions Layer 2 access when
the endpoint is connected to an 802.1x-enabled switch port.
1.1 Configuring 802.1x profiles
Configuring the 802.1x profiles (TTLS/PAP, TTLS/MS-CHAP-V2, and PEAP/MS-CHAP-V2) applies only to the
General and Wi-Fi settings.
If the authentication server is LDAP, TTLS-PAP is a good choice; it works with all LDAP servers.
If the authentication server is Active Directory or the local server, TTLS-MSChapV2 or PEAP-MSChapV2 is a
good choice.
1.1.1 TTLS-PAP authentication profile
To configure a TTLS-PAP profile, perform the following:
1. In the iPhone Configuration Utility (IPCU), navigate to the Configuration Profiles tab.
2. On the Configuration Profiles page, select General and enter the required values.
Figure 1 TTLS/PAP: General
3. Select Wi-Fi and enter the required values.
Figure 2 TTLS/PAP: Wi-Fi
1.1.2 TTLS/MS-CHAP-V2 authentication profile
To configure a TTLS/MS-CHAP-V2 profile, perform the following:
1. In the iPhone Configuration Utility (IPCU), navigate to the Configuration Profiles tab.
2. On the Configuration Profiles page, select General and enter the required values.
Figure 3 TTLS/MS-CHAP-V2: General
3. Select Wi-Fi and enter the required values.
Figure 4 TTLS/MS-CHAP-V2: Wi-Fi
1.1.3 PEAP authentication profile
To configure a PEAP profile, perform the following:
1. In the iPhone Configuration Utility (IPCU), navigate to the Configuration Profiles tab.
2. On the Configuration Profiles page, select General and enter the required values.
Figure 5 PEAP/MS-CHAP-V2: General
3. Select Wi-Fi and enter the required values.
Figure 6 PEAP/MS-CHAP-V2: Wi-Fi
1.2 Configuring Authentication Protocol Set on PPS
On the Pulse Policy Secure (PPS), navigate to Authentication -> Signing In -> Authentication Protocols.
Edit the existing default protocol set, 802.1X, as in the example below so that it supports the EAP-TTLS/PAP,
EAP-TTLS/MS-CHAP-V2 and PEAP/EAP-MS-CHAP-V2 outer and inner authentication protocol combinations
for 802.1x authentication.
Figure 7 Authentication Protocol Set
2 802.1x authentication in Mac OSX
When Pulse Policy Secure (PPS) is configured to use a backend Active Directory authentication server for
user authentication, the EAP-TTLS/PAP, EAP-TTLS/MS-CHAP-V2 and PEAP/EAP-MS-CHAP-V2 authentication
protocol combinations work successfully for 802.1x authentication with the native supplicant on OSX
endpoints.
The EAP-TTLS/CHAP combination works as expected with the system local authentication server, but does
not work with an Active Directory authentication server. To perform CHAP, PPS must have the user's
password in clear text, which means it would have to retrieve the clear-text password from the backend AD
server; AD does not allow this.
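The script below is an added example and is not part of the Pulse Secure guide or of IPCU. It parses an exported .mobileconfig profile (the plist format IPCU produces), reads the outer EAP type and TTLS inner method from each Wi-Fi payload's EAPClientConfiguration, and reports payloads whose combination this section says PPS cannot authenticate against the chosen backend. The AcceptEAPTypes and TTLSInnerAuthentication keys are Apple's profile keys; the SSID, user name, payload identifiers and the assumption that the PEAP profile carries MS-CHAP-V2 inside are constructed for the example.

```python
import plistlib

# Outer EAP method numbers that OS X accepts in AcceptEAPTypes (IANA EAP type codes)
EAP_TYPE_NAMES = {21: "EAP-TTLS", 25: "PEAP"}

# Outer/inner combinations the guide reports as working per PPS backend; TTLS/CHAP
# works with the local server only, because AD will not release clear-text passwords.
SUPPORTED = {
    "active_directory": {("EAP-TTLS", "PAP"), ("EAP-TTLS", "MSCHAPv2"), ("PEAP", "MSCHAPv2")},
}
SUPPORTED["local"] = SUPPORTED["active_directory"] | {("EAP-TTLS", "CHAP")}

def eap_combinations(profile_bytes):
    """Return (payload display name, outer, inner) for every Wi-Fi payload in a .mobileconfig."""
    combos = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration", {})
        for code in eap.get("AcceptEAPTypes", []):
            outer = EAP_TYPE_NAMES.get(code, f"EAP-type-{code}")
            # TTLSInnerAuthentication applies to TTLS only (Apple's default is MSCHAPv2); the
            # guide's PEAP profile carries MS-CHAP-V2 inside, so that is assumed for PEAP here.
            inner = eap.get("TTLSInnerAuthentication", "MSCHAPv2") if code == 21 else "MSCHAPv2"
            combos.append((payload.get("PayloadDisplayName", "unnamed"), outer, inner))
    return combos

def unsupported_payloads(profile_bytes, backend):
    """Return the payloads whose EAP combination PPS cannot authenticate against `backend`."""
    allowed = SUPPORTED[backend]
    return [c for c in eap_combinations(profile_bytes) if (c[1], c[2]) not in allowed]

def wifi_payload(name, eap_types, inner=None):
    # Minimal Wi-Fi payload in the shape IPCU exports; SSID and identifiers are constructed values
    eap = {"AcceptEAPTypes": eap_types, "UserName": "employee"}
    if inner:
        eap["TTLSInnerAuthentication"] = inner
    return {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.wifi.{name}", "PayloadUUID": f"UUID-{name}",
            "PayloadDisplayName": name, "SSID_STR": "corp-8021x", "AutoJoin": True,
            "EncryptionType": "WPA2", "EAPClientConfiguration": eap}

# Constructed sample profile: the guide's three combinations plus one TTLS/CHAP payload
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.pps-8021x", "PayloadUUID": "UUID-root",
    "PayloadContent": [wifi_payload("TTLS-PAP", [21], "PAP"),
                       wifi_payload("TTLS-MSCHAPv2", [21], "MSCHAPv2"),
                       wifi_payload("PEAP-MSCHAPv2", [25]),
                       wifi_payload("TTLS-CHAP", [21], "CHAP")]})
```

Running unsupported_payloads(SAMPLE_PROFILE, "active_directory") flags only the TTLS/CHAP payload, matching the behaviour described in this section; with "local" nothing is flagged.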
3 Host checking on Mac OSX with native supplicant
On a Mac OSX endpoint, Policy Secure Host Checking can be enforced only for the Layer 3 connection. Once
the Mac OSX endpoint has been authenticated using the native supplicant and has gained network access,
you can launch and install the Pulse Secure client (via browser deployment or SCCM advertisement) and
establish a Layer 3 session. This evaluates the health status of the OSX endpoint and thereby ensures
legitimate resource access behind the PPS Enforcer.
There will be two different sessions on Pulse Policy Secure (PPS), one for the Layer 2 connection and one
for the Layer 3 connection, and each session consumes a separate license. If only a RADIUS license is
installed, only the Layer 3 session is accounted.
4 Glossary
Item          Description
PPS           Pulse Policy Secure
EAP           Extensible Authentication Protocol
PAP           Password Authentication Protocol
TTLS          Tunneled Transport Layer Security
PEAP          Protected Extensible Authentication Protocol
MS-CHAP-V2    Microsoft version of the Challenge-Handshake Authentication Protocol
IPCU          iPhone Configuration Utility