Pulse Policy Secure Configuration Guide

Policy Secure 802.1x authentication with native Mac OSX supplicant

Published: 2015-02-04

Document Revision 1.0

© 2015 by Pulse Secure, LLC. All rights reserved


Pulse Secure, LLC

2700 Zanker Road, Suite 200

San Jose, CA 95134

http://www.pulsesecure.net

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Configuration Guide - Policy Secure 802.1x authentication with native Mac OSX supplicant

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at http://www.pulsesecure.net. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

1 Configuring native Mac OSX supplicant for Policy Secure 802.1x authentication ... 5
1.1 Configuring 802.1x profiles ... 5
1.1.1 TTLS-PAP authentication profile ... 5
1.1.2 TTLS/MS-CHAP-V2 authentication profile ... 7
1.1.3 PEAP authentication profile ... 8
1.2 Configuring Authentication Protocol Set on PPS ... 9
2 802.1x authentication in Mac OSX ... 10
3 Host checking on Mac OSX with native supplicant ... 10
4 Glossary ... 11


List of Figures

Figure 1 TTLS/PAP: General ... 6
Figure 2 TTLS/PAP: Wi-Fi ... 6
Figure 3 TTLS/MS-CHAP-V2: General ... 7
Figure 4 TTLS/MS-CHAP-V2: Wi-Fi ... 7
Figure 5 PEAP/MS-CHAP-V2: General ... 8
Figure 6 PEAP/MS-CHAP-V2: Wi-Fi ... 9
Figure 7 Authentication Protocol Set ... 10


1 Configuring native Mac OSX supplicant for Policy Secure 802.1x authentication

This section details the procedure for configuring the native Mac OSX supplicant for Policy Secure 802.1x authentication.

System Requirements:

Apple Mac OSX (10.8/10.9) endpoint

iPhone Configuration Utility

Authentication of OSX endpoints to a Pulse Policy Secure (PPS) 802.1x server can be achieved with the native supplicant by using the iPhone Configuration Utility tool. This tool allows you to easily create, maintain, and install configuration profiles, track and install provisioning profiles, and capture device information including console logs.

You can create the profiles required for Policy Secure 802.1x authentication (TTLS/PAP, TTLS/MS-CHAP-V2, and PEAP/MS-CHAP-V2) using the iPhone Configuration Utility (IPCU). Once IPCU generates the configuration profiles, they can be exported to Mac OSX endpoints running 10.8/10.9. Users install the profiles on their OSX endpoints by double-clicking the exported files; the installed profile then provisions Layer 2 access when the endpoint connects to an 802.1x-enabled switch port.

1.1 Configuring 802.1x profiles

Configuring the 802.1x profiles (TTLS/PAP, TTLS/MS-CHAP-V2, and PEAP/MS-CHAP-V2) involves only the General and Wi-Fi settings of the profile.

If the authentication server is LDAP, TTLS-PAP is a good choice; it works with all LDAP servers.

If the authentication server is Active Directory or the system local server, TTLS-MSChapV2 or PEAP-MSChapV2 is a good choice.

1.1.1 TTLS-PAP authentication profile

To configure the TTLS-PAP profile, perform the following:

1. In the iPhone Configuration Utility (IPCU), navigate to the Configuration Profiles tab.

2. On the Configuration Profiles page, select General and enter the required values.


Figure 1 TTLS/PAP: General

3. Select Wi-Fi and enter the required values.

Figure 2 TTLS/PAP: Wi-Fi


1.1.2 TTLS/MS-CHAP-V2 authentication profile

To configure the TTLS/MS-CHAP-V2 profile, perform the following:

1. In the iPhone Configuration Utility (IPCU), navigate to the Configuration Profiles tab.

2. On the Configuration Profiles page, select General and enter the required values.

Figure 3 TTLS/MS-CHAP-V2: General

3. Select Wi-Fi and enter the required values.

Figure 4 TTLS/MS-CHAP-V2: Wi-Fi


1.1.3 PEAP authentication profile

To configure the PEAP profile, perform the following:

1. In the iPhone Configuration Utility (IPCU), navigate to the Configuration Profiles tab.

2. On the Configuration Profiles page, select General and enter the required values.

Figure 5 PEAP/MS-CHAP-V2: General

3. Select Wi-Fi and enter the required values.


Figure 6 PEAP/MS-CHAP-V2: Wi-Fi
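The three profiles built in 1.1.1 to 1.1.3 are .mobileconfig property lists, so the same General and Wi-Fi settings can be produced without IPCU. The example below is added here and is not Pulse Secure's or Apple's code; it uses the Wi-Fi payload and EAPClientConfiguration keys from Apple's Configuration Profile Reference, and the SSID, user name, organisation and server name it takes are constructed placeholders. It also pins the PPS RADIUS certificate name and disables trust exceptions, which matters most for TTLS/PAP because the inner password is clear text inside the TLS tunnel.

```python
import plistlib
import uuid

EAP_TTLS, EAP_PEAP = 21, 25  # IANA EAP method type numbers for EAP-TTLS and PEAP

# Guide profile name -> (outer EAP type, TTLS inner method); PEAP's inner method is EAP-MSCHAPv2
PROFILES = {
    "TTLS-PAP": (EAP_TTLS, "PAP"),
    "TTLS-MSCHAPv2": (EAP_TTLS, "MSCHAPv2"),
    "PEAP-MSCHAPv2": (EAP_PEAP, None),
}

def eap_config(name, username, trusted_server_names):
    outer, inner = PROFILES[name]
    cfg = {
        "AcceptEAPTypes": [outer],
        "UserName": username,
        # Pin the PPS RADIUS certificate name and forbid click-through on an untrusted
        # certificate: with TTLS/PAP the password is clear text inside the TLS tunnel,
        # so server validation is all that keeps it away from a rogue access point.
        "TLSTrustedServerNames": list(trusted_server_names),
        "TLSAllowTrustExceptions": False,
    }
    if inner:
        cfg["TTLSInnerAuthentication"] = inner
    return cfg

def wifi_profile(name, ssid, username, trusted_server_names, org="example.org"):
    """Top-level Configuration profile wrapping one com.apple.wifi.managed payload."""
    wifi = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi.{name.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",  # WPA2-Enterprise; 802.1X/EAP comes from the dict below
        "EAPClientConfiguration": eap_config(name, username, trusted_server_names),
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.8021x.{name.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"PPS 802.1X {name}",
        "PayloadContent": [wifi],
    }

def to_mobileconfig(profile) -> bytes:  # XML plist, the form IPCU exports and OSX installs
    return plistlib.dumps(profile)
```

Writing `to_mobileconfig(wifi_profile("TTLS-PAP", "CorpWiFi", "jdoe", ["pps.example.org"]))` to a file named `something.mobileconfig` gives a profile that installs on double-click, exactly as the exported IPCU files do.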

1.2 Configuring Authentication Protocol Set on PPS

On the Pulse Policy Secure (PPS), navigate to Authentication -> Signing In -> Authentication Protocols.

Edit the existing default protocol set (802.1X), as in the example below, to support the EAP-TTLS/PAP, EAP-TTLS/MS-CHAP-V2 and PEAP/EAP-MS-CHAP-V2 outer and inner authentication protocol combinations for 802.1x authentication.


Figure 7 Authentication Protocol Set

2 802.1x authentication in Mac OSX

When Pulse Policy Secure (PPS) is configured to use a backend Active Directory authentication server for user authentication, the EAP-TTLS/PAP, EAP-TTLS/MS-CHAP-V2 and PEAP/EAP-MS-CHAP-V2 authentication protocol combinations all work for 802.1x authentication with the native supplicant on OSX endpoints.

The EAP-TTLS/CHAP combination works as expected with the system local authentication server, but does not work with an Active Directory authentication server. To perform CHAP, PPS must have the user's password in clear text, which means it would have to retrieve the clear-text password from the backend AD server, and AD does not allow that.
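The CHAP limitation above follows from how the protocol is verified. The example below is added here, not Pulse Secure's code: it implements the RFC 1994 CHAP response, MD5 over the identifier, the secret and the challenge, and a server-side check, and shows that the verifier can only recompute the response from the clear-text secret itself, which is why a backend that exposes no clear-text passwords (the guide's Active Directory case) cannot serve CHAP. The secret and challenge are constructed sample values.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    # The server recomputes the same MD5, so it needs the secret in clear text.
    # A stored one-way hash of the password cannot be substituted here: the hash
    # function consumes the secret bytes directly, not a digest of them.
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def server_side_check(stored_secret: bytes, identifier: int, challenge: bytes, response: bytes) -> bool:
    """What the authentication server must be able to do for each CHAP attempt."""
    return chap_verify(identifier, stored_secret, challenge, response)

def simulate_exchange(secret: bytes, wrong_secret: bytes = b"not-the-password") -> tuple[bool, bool]:
    """Client answers a fresh challenge; the server checks it with and without the real secret."""
    identifier = 0x2A
    challenge = os.urandom(16)                          # fresh per attempt, prevents replay
    response = chap_response(identifier, secret, challenge)
    return (server_side_check(secret, identifier, challenge, response),
            server_side_check(wrong_secret, identifier, challenge, response))
```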

3 Host checking on Mac OSX with native supplicant

On a Mac OSX endpoint, Policy Secure Host Checking can be enforced only for the Layer 3 connection. Once the Mac OSX endpoint has authenticated using the native supplicant and gained network access, you can launch and install the Pulse Secure client (via browser deployment or SCCM advertisement) and establish a Layer 3 session. That session evaluates the health status of the OSX endpoint and thereby ensures legitimate resource access behind the PPS Enforcer.


There will be two separate sessions on Pulse Policy Secure (PPS), one for the Layer 2 connection and one for the Layer 3 connection, and each session consumes its own license. If a RADIUS-only license is installed, only the Layer 3 session is accounted.

4 Glossary

Item          Description
PPS           Pulse Policy Secure
EAP           Extensible Authentication Protocol
PAP           Password Authentication Protocol
TTLS          Tunneled Transport Layer Security
PEAP          Protected Extensible Authentication Protocol
MS-CHAP-V2    Microsoft version of the Challenge-Handshake Authentication Protocol
IPCU          iPhone Configuration Utility