Ivanti Pulse Connect 9.1 - RADIUS with CAS Configuration - SecurID Access Implementation Guide
Originally Published: 2021-10-01

This section describes how to integrate Ivanti Pulse Connect with the SecurID Access Cloud Authentication Service using RADIUS.

Architecture Diagram

[Architecture diagram: Pulse Connect as RADIUS client, Identity Router as RADIUS server, Cloud Authentication Service]

Configure SecurID Cloud Authentication Service

To use RADIUS with the Cloud Authentication Service, you must first configure a RADIUS client in the SecurID Access Console. The Cloud Authentication RADIUS server listens on UDP port 1812.

  1. Sign in to the SecurID Access Cloud Administrative Console.

  2. Browse to Authentication Clients > RADIUS > Add RADIUS Client.

    1. Enter the Name for the client.

    2. Enter the IP Address. This is the IP address of the Pulse Connect authentication server.

    3. Enter a Shared Secret. This secret is entered again in the Pulse Connect RADIUS authentication server configuration below.

  3. Click Platform > Identity Routers.

  4. Expand the information for the Identity Router used in this configuration and note the Eth0 IP Address (Management). This address is entered as the RADIUS server in the Pulse Connect configuration below.

  5. Click Publish Changes when all changes have been finalized.


Configure Ivanti Pulse Connect

Perform these steps to configure Ivanti Pulse Connect as a RADIUS client of the SecurID Cloud Authentication Service.

Procedure

  1. Sign in to the Pulse Connect Administration Console.

  2. Create a Pulse Connect authentication server for RADIUS. Browse to Authentication > Auth. Servers.

    Select RADIUS Server as the server type and click New Server.

    1. Enter the Name for this authentication server.

    2. Enter the RADIUS Server. This is the Identity Router IP address noted above.

    3. Enter the Shared Secret. This is the shared secret of the SecurID RADIUS client created above.

    4. Enter the Timeout. The default value is 30 seconds, which may be insufficient for MFA; increase it if necessary.

    5. Enter Backup Server information if you have more than one SecurID Authentication Manager RADIUS server.

    6. Click Save Changes.

  3. Add a rule to the RADIUS server just created. Under Settings > Custom RADIUS Rules, click New RADIUS Rule.

    1. Enter a Name.

    2. Under Response Packet Type, choose Access Challenge.

    3. Under Then Take Action, select Show Generic Login Page.

    4. Click Save Changes.

  4. Create a User Realm.

      1. Browse to Users > User Realms.

      2. Click New.

      3. Enter a unique Name.

      4. Set Authentication. Choose the authentication server created in step 2 from the dropdown list.

      5. Click Save Changes.

      6. Select the Role Mapping tab and click New Rule... to create the rule that restricts access according to your requirements (for example, "user name is *" to match all user IDs). Make sure to add a Role to the rule; Users is the default system role for all users. Click Save Changes.

    [Screenshot: User Realm general settings]

    [Screenshot: User Realm role mapping rule]

  5. Create a Sign-in Policy.

      1. Browse to Authentication > Signing-In > Sign-in Policies.

      2. Click New URL...

      3. Select the User type. This would be Users.

      4. Set the Sign-in URL. This is the URL for the given Secure Access Service.

      5. Select the associated Realm (created in step 4) and click Add.

      6. Click Save Changes.

    [Screenshot: Sign-in Policy settings]

    [Screenshot: Sign-in Policy realm selection]

Note: The connection timeout value configured in your RADIUS client software balances the time users have to respond to push methods against failover performance. The recommended starting value is 45 seconds. Increase the value to give users more time to authenticate, or decrease it to improve failover. Failover occurs when the client determines the server is down and sends the request to another server. Also consider whether retries are configured for the RADIUS client. For example, if the client allows three retries, the effective timeout is really 2 minutes and 15 seconds.

In the RADIUS client settings configured in the Cloud Administration Console (Authentication Clients > RADIUS), if Automatically prompt for push notification methods is enabled, make sure the server timeout (Allow users to select authentication method after timeout) does not exceed the client’s connection timeout.
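The Access Challenge rule in step 3 exists because the cloud service answers the first Access-Request with an Access-Challenge (RADIUS code 11) rather than an Accept or Reject when it needs a second factor. The following added example (not part of this guide or of either product) parses such a reply with Python's standard library, verifies its Response Authenticator against the shared secret from step 2, and reports whether the Generic Login Page case applies; the secret, state and prompt values are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
ATTR_NAMES = {18: "Reply-Message", 24: "State"}

# Constructed sample values (placeholders, not a real secret or session)
SAMPLE_SECRET = b"placeholder-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))  # Request Authenticator the client sent

def build_response(code, ident, request_auth, attrs, secret):
    """Build a RADIUS response; used here only to construct the sample packet."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_response(packet, request_auth, secret):
    """Verify the Response Authenticator, then return (code, [(name, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        atype, alen = body[pos], body[pos + 1]
        attrs.append((ATTR_NAMES.get(atype, atype), body[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def sample_challenge():
    """An Access-Challenge like the one returned when a second factor is required."""
    attrs = [(18, b"Enter your SecurID passcode"), (24, b"constructed-state-1")]
    return build_response(ACCESS_CHALLENGE, 7, SAMPLE_REQUEST_AUTH, attrs, SAMPLE_SECRET)

def show_generic_login_page(packet, request_auth, secret):
    """True when the reply is an Access-Challenge, the case the step 3 rule handles."""
    code, _attrs = parse_response(packet, request_auth, secret)
    return code == ACCESS_CHALLENGE
```

A reply built with a different shared secret fails the authenticator check, which is the same failure you see in the Pulse Connect logs when the secrets in step 2 and step 3 of the two consoles do not match.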


Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the RADIUS configuration to your use case.