Pulse Policy Secure. Device Access Management Framework Feature Guide. Product Release 5.1. Published: 2015-02-10. Document Revision 1.

Pulse Policy Secure Device Access Management Framework Feature Guide, Product Release 5.1, Document Revision 1.0. Copyright 2015 by Pulse Secure, LLC. All rights reserved.

Pulse Secure, LLC, 2700 Zanker Road, Suite 200, San Jose, CA. Copyright 2015 by Pulse Secure, LLC. All rights reserved.

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT
The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at . By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About the Documentation ... xi
  Documentation and Release Notes ... xi
  Supported Platforms ... xi
  Documentation Conventions ... xi
  Documentation Feedback ... xiii
  Requesting Technical Support ... xiii
    Self-Help Online Tools and Resources ... xiv
    Opening a Case with PSGSC ... xiv

Part 1 Overview
Chapter 1 Feature Overview ... 3
  Understanding the Device Access Management Framework ... 3

Part 2 Configuration
Chapter 2 Examples ... 9
  Deploying a BYOD Policy for AirWatch Managed Devices ... 9
    Solution Overview ... 9
    Requirements
    Configuring the AirWatch MDM Service ... 11
    Configuring the Wireless Access Point
    Configuring the Device Access Management Framework
      Configuring an Authentication Protocol Set
      Configuring the MDM Authentication Server
      Configuring the Certificate Server
      Adding the MDM Certificate to the Trusted Client CA Configuration
      Configuring User Roles
      Configuring a Realm and Role Mapping Rules
      Configuring a Sign-In Policy
    Configuring an 802.1x Network Access Policy
      Configuring a Location Group ... 42
      Configuring a RADIUS Client ... 43
      Configuring a RADIUS Return Attributes Policy
    Configuring a Resource Access Policy
  Deploying a BYOD Policy for MobileIron Managed Devices
    Solution Overview ... 52
    Requirements
    Configuring the MobileIron MDM ... 54
    Configuring the Wireless Access Point
    Configuring the Device Access Management Framework
      Configuring an Authentication Protocol Set
      Configuring the MDM Authentication Server
      Configuring the Certificate Server
      Adding the MDM Certificate to the Trusted Client CA Configuration
      Configuring User Roles
      Configuring a Realm and Role Mapping Rules
      Configuring a Sign-In Policy
    Configuring an 802.1x Network Access Policy
      Configuring a Location Group
      Configuring a RADIUS Client ... 83
      Configuring a RADIUS Return Attributes Policy
    Configuring a Resource Access Policy
  Deploying a BYOD Policy for Devices Discovered by Pulse Secure Endpoint Profiler ... 91
    Solution Overview ... 92
    Requirements
    Configuring the Endpoint Profiler
    Configuring the Wireless Access Point
    Configuring the Device Access Management Framework
      Configuring an Authentication Protocol Set
      Configuring an Authentication Server
      Configuring User Roles
      Configuring a Realm and Role Mapping Rules
      Configuring a Sign-In Policy
    Configuring an 802.1x Network Access Policy
      Configuring a Location Group
      Configuring a RADIUS Client
      Configuring a RADIUS Return Attributes Policy
    Configuring a Resource Access Policy

Part 3 Administration
Chapter 3 Verifying Proper Configuration
  Using Logs to Verify Proper Configuration
Chapter 4 Tuning the Configuration
  User and Policy Administration Overview

Part 4 Troubleshooting
Chapter 5 Tools
  Using Policy Tracing and Debug Logs
    Using Policy Tracing to Troubleshoot Access Issues
    Using the Debug Log

List of Figures

Part 1 Overview
Chapter 1 Feature Overview ... 3
  Figure 1: User Access Management Framework and Device Access Management Framework ... 4

Part 2 Configuration
Chapter 2 Examples ... 9
  Figure 2: Solution Topology
  Figure 3: AirWatch Certificate Template Configuration
  Figure 4: AirWatch Credential Configuration
  Figure 5: AirWatch Wi-Fi Configuration
  Figure 6: Deploying a Profile to Your Organization's Managed Devices
  Figure 7: AirWatch API Tenant Code Configuration
  Figure 8: WLC 802.1x Authentication Configuration
  Figure 9: WLC RADIUS Configuration
  Figure 10: WLC VLAN Configuration
  Figure 11: Authentication Protocol Set Configuration Page ... 21
  Figure 12: Authentication Server Configuration Page
  Figure 13: Certificate Server Configuration Page
  Figure 14: Trusted Client CA Management Page
  Figure 15: Import Trusted Client CA Page
  Figure 16: Trusted Client CA Configuration for AirWatch
  Figure 17: User Role Configuration Page General Settings
  Figure 18: User Role Configuration Page UI Options
  Figure 19: User Role Configuration Page Session Options
  Figure 20: User Role Configuration Page Agentless Access
  Figure 21: Realm Configuration Page
  Figure 22: Role Mapping Configuration Page
  Figure 23: Realm Configuration Page Certificate Restrictions
  Figure 24: Sign-In Policy Configuration Page
  Figure 25: Location Group Configuration Page
  Figure 26: RADIUS Client Configuration Page
  Figure 27: RADIUS Return Attributes Policy Configuration Page
  Figure 28: User Role Configuration Page General Settings ... 48
  Figure 29: Role Mapping Configuration Page
  Figure 30: Resource Access Policy Configuration Page
  Figure 31: Solution Topology
  Figure 32: MobileIron SCEP Configuration
  Figure 33: MobileIron Wi-Fi Configuration
  Figure 34: Applying the Wi-Fi Configuration to a Label ... 58
  Figure 35: Applying a Device Record to a Label
  Figure 36: WLC 802.1x Authentication Configuration
  Figure 37: WLC RADIUS Configuration
  Figure 38: WLC VLAN Configuration
  Figure 39: Authentication Protocol Set Configuration Page
  Figure 40: Authentication Server Configuration Page
  Figure 41: Certificate Server Configuration Page
  Figure 42: Trusted Client CA Management Page
  Figure 43: Import Trusted Client CA Page
  Figure 44: Trusted Client CA Configuration for MobileIron ... 68
  Figure 45: User Role Configuration Page General Settings
  Figure 46: User Role Configuration Page UI Options ... 71
  Figure 47: User Role Configuration Page Session Options
  Figure 48: User Role Configuration Page Agentless Access
  Figure 49: Realm Configuration Page
  Figure 50: Role Mapping Configuration Page
  Figure 51: Realm Configuration Page Certificate Restrictions
  Figure 52: Sign-In Policy Configuration Page
  Figure 53: Location Group Configuration Page
  Figure 54: RADIUS Client Configuration Page
  Figure 55: RADIUS Return Attributes Policy Configuration Page
  Figure 56: User Role Configuration Page General Settings
  Figure 57: Role Mapping Configuration Page
  Figure 58: Resource Access Policy Configuration Page
  Figure 59: Solution Topology
  Figure 60: Network Infrastructure Device Configuration Page
  Figure 61: Endpoint Profiles Smartphone Listing
  Figure 62: Apple iPhone Profile Configuration Page
  Figure 63: Integrations Management Page
  Figure 64: WLC 802.1x Authentication Configuration
  Figure 65: WLC RADIUS Configuration
  Figure 66: WLC VLAN Configuration
  Figure 67: Authentication Protocol Set Configuration Page
  Figure 68: Authentication Server Configuration Page
  Figure 69: User Role Configuration Page General Settings
  Figure 70: User Role Configuration Page Session Options
  Figure 71: User Role Configuration Page Agentless Access
  Figure 72: Realm Configuration Page
  Figure 73: Role Mapping Configuration Page
  Figure 74: Sign-In Policy Configuration Page
  Figure 75: Location Group Configuration Page
  Figure 76: RADIUS Client Configuration Page
  Figure 77: RADIUS Return Attributes Policy Configuration Page
  Figure 78: Resource Access Policy Configuration Page

Part 3 Administration
Chapter 3 Verifying Proper Configuration
  Figure 79: Events Log Settings
  Figure 80: Events Log
  Figure 81: User Access Log

Part 4 Troubleshooting
Chapter 5 Tools
  Figure 82: Policy Tracing Results
  Figure 83: Debug Logging Configuration Page


List of Tables

About the Documentation ... xi
  Table 1: Notice Icons ... xii
  Table 2: Text and Syntax Conventions ... xii

Part 2 Configuration
Chapter 2 Examples ... 9
  Table 3: Component Version Information ... 11
  Table 4: AirWatch Device Attributes
  Table 5: Authentication Protocol Set Configuration Guidelines ... 21
  Table 6: Authentication Server Configuration Guidelines ... 24
  Table 7: Certificate Server Settings
  Table 8: User Role Configuration Guidelines ... 33
  Table 9: Realm Configuration Guidelines ... 35
  Table 10: Role Mapping Configuration Guidelines ... 37
  Table 11: AirWatch Device Attributes
  Table 12: Realm Configuration Certificate Restriction Guidelines ... 40
  Table 13: Sign-In Policy Configuration Guidelines ... 42
  Table 14: Location Group Configuration Guidelines ... 43
  Table 15: RADIUS Client Configuration Guidelines ... 44
  Table 16: RADIUS Return Attributes Policy Configuration Guidelines ... 47
  Table 17: Resource Access Policy Configuration Guidelines ... 51
  Table 18: Component Version Information ... 53
  Table 19: MobileIron Device Attributes
  Table 20: Authentication Protocol Set Configuration Guidelines
  Table 21: Authentication Server Configuration Guidelines ... 64
  Table 22: Certificate Server Settings
  Table 23: User Role Configuration Guidelines ... 73
  Table 24: Realm Configuration Guidelines ... 75
  Table 25: Role Mapping Configuration Guidelines ... 77
  Table 26: MobileIron Record Attributes
  Table 27: Realm Configuration Certificate Restriction Guidelines ... 80
  Table 28: Sign-In Policy Configuration Guidelines ... 82
  Table 29: Location Group Configuration Guidelines ... 83
  Table 30: RADIUS Client Configuration Guidelines ... 84
  Table 31: RADIUS Return Attributes Policy Configuration Guidelines ... 87
  Table 32: Resource Access Policy Configuration Guidelines ... 91
  Table 33: Component Version Information ... 93
  Table 34: Authentication Protocol Set Configuration Guidelines
  Table 35: Authentication Server Configuration Guidelines
  Table 36: User Role Configuration Guidelines
  Table 37: Realm Configuration Guidelines
  Table 38: Role Mapping Configuration Guidelines
  Table 39: Sign-In Policy Configuration Guidelines
  Table 40: Location Group Configuration Guidelines
  Table 41: RADIUS Client Configuration Guidelines
  Table 42: RADIUS Return Attributes Policy Configuration Guidelines
  Table 43: Resource Access Policy Configuration Guidelines

Part 3 Administration
Chapter 4 Tuning the Configuration
  Table 44: Tuning the Configuration

Part 4 Troubleshooting
Chapter 5 Tools
  Table 45: Debug Log Configuration Guidelines

About the Documentation

- Documentation and Release Notes on page xi
- Supported Platforms on page xi
- Documentation Conventions on page xi
- Documentation Feedback on page xiii
- Requesting Technical Support on page xiii

Documentation and Release Notes
To obtain the most current version of all Pulse Secure technical documentation, see the product documentation page at . If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Supported Platforms
For the features described in this document, the following platforms are supported:
- IC4500
- IC6500 FIPS
- IC6500
- MAG Series

Documentation Conventions
Table 1 on page xii defines notice icons used in this guide.

Table 1: Notice Icons
- Informational note: Indicates important features or instructions.
- Caution
- Warning: Alerts you to the risk of personal injury or death.
- Warning (laser): Alerts you to the risk of personal injury from a laser.

Table 2: Text and Syntax Conventions
Table 2 on page xii defines the text and syntax conventions used in this guide.

- Bold text like this: Represents text that you type. Example: To enter configuration mode, type the configure command: user@host> configure
- Fixed-width text like this: Represents output that appears on the terminal screen. Example: user@host> show chassis alarms / No alarms currently active
- Italic text like this: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles. Examples: A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide. RFC 1997, BGP Communities Attribute.
- Italic text like this: Represents variables (options for which you substitute a value) in commands or configuration statements. Example: Configure the machine's domain name: [edit] root@# set system domain-name domain-name
- Text like this: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components. Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE.
- < > (angle brackets): Enclose optional keywords or variables. Example: stub <default-metric metric>;
- | (pipe symbol): Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. Example: broadcast | multicast; (string1 | string2 | string3)
- # (pound sign): Indicates a comment specified on the same line as the configuration statement to which it applies. Example: rsvp { # Required for dynamic MPLS only
- [ ] (square brackets): Enclose a variable for which you can substitute one or more values. Example: community name members [ community-ids ]
- Indention and braces ( { } ): Identify a level in the configuration hierarchy.
- ; (semicolon): Identifies a leaf statement at a configuration hierarchy level. Example: [edit] routing-options { static { route default { nexthop address; retain; } } }

GUI Conventions
- Bold text like this: Represents graphical user interface (GUI) items you click or select. Examples: In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel.
- > (bold right angle bracket): Separates levels in a hierarchy of menu selections. Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@pulsesecure.net.

Requesting Technical Support
Technical product support is available through the Pulse Secure Global Support Center (PSGSC). If you have a support contract, then file a ticket with PSGSC.

Product warranties: For product warranty information, visit .

Self-Help Online Tools and Resources
For quick and easy problem resolution, Pulse Secure, LLC has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
- Find CSC offerings
- Search for known bugs
- Find product documentation
- Find solutions and answer questions using our Knowledge Base
- Download the latest versions of software and review release notes
- Search technical bulletins for relevant hardware and software notifications
- Open a case online in the CSC Case Management tool
- To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool

Opening a Case with PSGSC
You can open a case with PSGSC on the Web or by telephone.
- Use the Case Management tool in the PSGSC at .
- Call (toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see .

PART 1 Overview
- Feature Overview on page 3


CHAPTER 1 Feature Overview
- Understanding the Device Access Management Framework on page 3

Understanding the Device Access Management Framework
The device access management framework enables you to leverage mobile device management (MDM) services so that you can use familiar Access Control Service 802.1x network access control and Infranet Enforcer policies to enforce your security objectives in bring your own device (BYOD) environments. In this simple framework, the MDM is a device authentication server and MDM record attributes are the basis for access policy determinations. For example, suppose your enterprise wants to enforce a policy that allows access only to mobile devices that have enrolled with the MDM or are compliant with the MDM posture assessment policies. You can use the attributes and status maintained by the MDM in Access Control Service role-mapping rules to implement the policy. The framework simply extends the user access management framework to include use of device attributes as a factor in role mapping rules. Figure 1 on page 4 illustrates the similarities.

Figure 1: User Access Management Framework and Device Access Management Framework

The Juniper solution supports attribute-based Layer 2 network access control through familiar RADIUS return attribute policies, and Layer 3 enforcement through resource access policies. For example, you can implement policies that allow devices that have a clean MDM posture assessment and are compliant with MDM policies to access the network, but deny access to servers when you want to prevent downloads to employee-owned devices or to a particular platform that might be vulnerable.

The Access Control Service queries the MDM database for updates at an interval you specify. This feature enables you to leverage the MDM posture assessment checks and enforce compliance. For example, the MDM might detect that a device is out of compliance with its security policies, such as a password policy. At the next device check interval, the Access Control Service queries the MDM for updated attribute data. In this example, it learns that a formerly compliant device is now noncompliant. It assigns the device the non-compliant role and sends the 802.1x authenticator the corresponding RADIUS attribute to place it in a remediation VLAN.

This release supports integration with the following MDM solutions as device attribute servers:
- AirWatch MDM
- MobileIron MDM

In addition, you can integrate with Juniper Networks Endpoint Profiler as a device attribute server. The Endpoint Profiler catalogues mobile device platform information.

Related Documentation
- Deploying a BYOD Policy for AirWatch Managed Devices on page 9
- Deploying a BYOD Policy for MobileIron Managed Devices on page 51
- Deploying a BYOD Policy for Devices Discovered by Juniper Endpoint Profiler on page 91
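The role-mapping and device-check flow described above, as an added example that is not part of this guide and is not Pulse Secure code: a small Python model in which normalized MDM attributes (isenrolled, iscompliant, iscompromised) are evaluated by ordered role-mapping rules, each role is translated into the RFC 3580 RADIUS VLAN return attributes, and one device-check pass re-queries a stand-in MDM and reports the sessions whose role changed. The MDM records, the rule order, the role names and the VLAN numbers are constructed for illustration and correspond to no product defaults.

```python
"""Role mapping on MDM device attributes with periodic re-evaluation.

Constructed example: the records, rule order, role names and VLAN numbers
below are illustrative and are not taken from any product.
"""
from dataclasses import dataclass


@dataclass
class DeviceRecord:
    """Normalized device attributes as a role-mapping rule would see them
    (names follow the guide's normalized attribute names)."""
    deviceid: str
    username: str
    isenrolled: bool
    iscompliant: bool
    iscompromised: bool


# Ordered rules: the first rule whose predicate matches decides the role.
# Role names and order are constructed for this example.
ROLE_MAPPING_RULES = [
    ("Unenrolled",    lambda r: not r.isenrolled),
    ("Quarantine",    lambda r: r.iscompromised),
    ("Non-compliant", lambda r: not r.iscompliant),
    ("Employee",      lambda r: True),   # catch-all for clean, enrolled devices
]

# VLAN per role (constructed). The remediation VLAN is where a device that
# falls out of compliance is moved at the next device-check interval.
ROLE_VLAN = {
    "Employee": "100",
    "Non-compliant": "200",   # remediation VLAN
    "Quarantine": "999",
    "Unenrolled": "50",       # enrollment/guest VLAN
}


def map_role(record):
    """Return the first role whose rule matches the record."""
    for role, predicate in ROLE_MAPPING_RULES:
        if predicate(record):
            return role
    raise AssertionError("catch-all rule must match")


def radius_return_attributes(role):
    """RFC 3580 VLAN assignment: Tunnel-Type=13 (VLAN),
    Tunnel-Medium-Type=6 (IEEE-802), Tunnel-Private-Group-ID=<VLAN id>."""
    return {
        "Tunnel-Type": 13,
        "Tunnel-Medium-Type": 6,
        "Tunnel-Private-Group-ID": ROLE_VLAN[role],
    }


class FakeMdm:
    """Stands in for the MDM's query API: returns the current record by device id."""
    def __init__(self, records):
        self._records = {r.deviceid: r for r in records}

    def get(self, deviceid):
        return self._records.get(deviceid)

    def set_compliance(self, deviceid, compliant):
        self._records[deviceid].iscompliant = compliant


def device_check(mdm, sessions):
    """One device-check interval: re-query the MDM for every active session and
    return (deviceid, old_role, new_role, return_attrs) for each changed role.
    `sessions` maps deviceid -> current role and is updated in place."""
    changes = []
    for deviceid, current_role in list(sessions.items()):
        record = mdm.get(deviceid)
        # A device that has vanished from the MDM is treated as unenrolled.
        new_role = "Unenrolled" if record is None else map_role(record)
        if new_role != current_role:
            sessions[deviceid] = new_role
            changes.append((deviceid, current_role, new_role,
                            radius_return_attributes(new_role)))
    return changes


def demo():
    """Constructed scenario: one clean device falls out of compliance between intervals."""
    mdm = FakeMdm([
        DeviceRecord("UDID-AAA", "alice", True, True, False),
        DeviceRecord("UDID-BBB", "bob", True, True, True),     # compromised
        DeviceRecord("UDID-CCC", "carol", False, False, False),  # never enrolled
    ])
    sessions = {d: map_role(mdm.get(d)) for d in ("UDID-AAA", "UDID-BBB", "UDID-CCC")}
    mdm.set_compliance("UDID-AAA", False)   # MDM posture check fails before next poll
    return sessions, device_check(mdm, sessions)


if __name__ == "__main__":
    for change in demo()[1]:
        print(change)
```

Only devices whose role actually changed produce a new RADIUS attribute set, which is the behaviour a practitioner wants to see in the authenticator's logs when verifying the device-check interval: one VLAN change for the device that lost compliance and nothing for the others.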


PART 2 Configuration
- Examples on page 9


CHAPTER 2 Examples
- Deploying a BYOD Policy for AirWatch Managed Devices on page 9
- Deploying a BYOD Policy for MobileIron Managed Devices on page 51
- Deploying a BYOD Policy for Devices Discovered by Juniper Endpoint Profiler on page 91

Deploying a BYOD Policy for AirWatch Managed Devices
This example shows how to use Access Control Service policies to enable security based on device identity, device posture, or user identity in a bring your own device (BYOD) environment for an enterprise that uses AirWatch for mobile device management (MDM). It includes the following information:
- Solution Overview on page 9
- Requirements on page 11
- Configuring the AirWatch MDM Service on page 11
- Configuring the Wireless Access Point on page 18
- Configuring the Device Access Management Framework on page 20
- Configuring an 802.1x Network Access Policy on page 42
- Configuring a Resource Access Policy on page 47

Solution Overview
In the past, in order to ensure security and manageability of the corporate network, enterprise information technology (IT) departments had restricted network access to company-issued equipment. For mobile phones, the classic example was the company-issued BlackBerry handset. As powerful mobile smart phones and tablets have become commonly held personal possessions, the trend in enterprise IT has been to stop issuing mobile equipment and instead allow employees to use their personal smart phones and tablets to conduct business activities. This has lowered equipment costs, but BYOD environments pose capacity planning and security challenges: how can an enterprise track network access by non-company-issued devices? Can an enterprise implement policies that restrict the mobile devices that can access the network and protected resources in the same way network access control solutions restrict user access?

MDM vendors have emerged to address the first issue. MDMs such as AirWatch provide enrollment and posture assessment services that prompt employees to enter data about their mobile devices. The MDM data records include device attributes and posture assessment status that can be used in the Access Control Service access management framework to enforce security policies.

Figure 2 on page 10 shows a deployment with Access Control Service, a wireless access point, and the AirWatch MDM cloud service.

Figure 2: Solution Topology

The solution shown in this example leverages the Pulse access management framework to support attribute-based network access control for mobile devices. In the device access management framework, the MDM is a device authentication server and MDM record attributes are the basis for access policy determinations. For example, suppose your enterprise wants to enforce a policy that allows access only to mobile devices that have enrolled with the MDM or are compliant with the MDM posture assessment policies. You can use the attributes and status maintained by the MDM in Access Control Service role-mapping rules to implement the policy.

It is possible to use MAC address as the device identifier, and, indeed, this is supported as a fallback plan. We recommend, however, that you implement the solution as shown here, using client certificates.

This example shows how to enable security with the familiar 802.1x framework. In this framework, a native supplicant is used to authenticate the user of the device. The device itself is identified using a client certificate that contains device identity. Client certificates provide a more secure way to identify a device than MAC address, which is vulnerable to spoofing. The 802.1x EAP methods that provide a TLS tunnel (PEAP, TLS and TTLS) can use a client certificate. The following behavior is illustrative:
- TTLS/MSCHAPv2: The client certificate presented during the TLS handshake is used to identify the device against the MDM records, and MSCHAPv2 is used to authenticate the user against an authentication server.
- PEAP/MSCHAPv2: Although PEAP does not allow for user authentication with a client certificate, the client certificate can still be presented during the TLS handshake and can be used to identify the device against the MDM records. MSCHAPv2 is used to authenticate the user against an authentication server.
- TLS: The client certificate can be used to identify the device against the MDM records and authenticate the user against a certificate server.

The Juniper solution supports attribute-based Layer 2 network access control through familiar RADIUS return attribute policies, and Layer 3 enforcement through resource access policies. For example, you can implement policies that allow devices that have a clean MDM posture assessment and are compliant with MDM policies to access the network, but deny access to servers when you want to prevent downloads to employee-owned devices or to a particular platform that might be vulnerable.

Requirements
Table 3 on page 11 lists version information for the solution components shown in this example.

Table 3: Component Version Information
- Access Control Service: ACS 4.4 R4-MDM or 5.0r1 or later is required. Release is used in this example.
- MDM (AirWatch): Any version that supports the device ID and device attributes you plan to query is compatible.
- Wireless access point: Juniper Networks WLC2 wireless LAN controller and WLA322 access point are used in this example. Any wireless access point that supports deployment as an 802.1x authenticator is compatible.

Configuring the AirWatch MDM Service
This solution assumes you know how to configure and use the features of your MDM, and that you can enroll employees and their devices. For more information about the AirWatch MDM, refer to its documentation and support resources. This section focuses on the following elements of the MDM configuration that are important to this solution:
- Device identifier: The primary key for device records. Your MDM configuration determines whether a Universal Unique Identifier (UUID), Unique Device Identifier (UDID), or serial number is used as the device identifier. For AirWatch, UDID is supported and recommended.
- Device attributes: A standard set of data maintained for each device. For AirWatch, see Table 4 on page 12.

When the user installs the MDM application on the device and completes enrollment, the MDM pushes the device certificate to the device. After enrollment, the MDM maintains a database record that includes information about the enrollee: attributes related to device identity, user identity, and posture assessment against MDM policies. Table 4 on page 12 describes these attributes. In this solution, these attributes are used in the Access Control Service role mapping that is the basis for network access and resource access policies. When you configure role-mapping rules, you specify the normalized ACS attribute name.

Table 4: AirWatch Device Attributes
AirWatch attribute | Normalized ACS attribute | Description | Type
assetnumber, id | deviceid | Device identifier. | String
blocklevelencryption | blocklevelencryption | True if block-level encryption is enabled. | Boolean
compliancestatus | iscompliant | Status reported; values: Compliant. | String
compromisedstatus | iscompromised | Status reported; true if the device is compromised, false otherwise. | Boolean
dataprotectionenabled | dataprotectionenabled | True if data protection is enabled; false otherwise. | Boolean
devicefriendlyname | | Device/user combination. | String
enrollmentstatus | isenrolled | Values: Enrolled. | String
filelevelencryption | filelevelencryption | True if file-level encryption is enabled; false otherwise. | Boolean
imei | IMEI | IMEI number of the device. | String
(attribute name not extracted) | | True if ... MDM policy; false otherwise. |
ispasscodepresent | ispasscodepresent | True if a passcode has been configured on the device; false otherwise. | Boolean
locationgroupname | locationgroupname | MDM location group configuration value. | String
macaddress | macadress | | 
model, modelid | model | Model is automatically reported by the device during registration. | String
osversion | | | String
ownership | ownership | Values: Employee, Corporate, or Shared. | String
phonenumber | phonenumber | Phone number entered during registration. | String
platform, platformid | platform | Platform specified during registration. | String
serialnumber | serialnumber | Serial number. | String
udid | UDID | UDID. | String
user address | user address | Address of device user. | String
username | username | Name of device user. | String

To configure the MDM:
1. Enroll devices in the MDM using the methods supported by the MDM.
2. Create a profile. The profile determines many MDM management options. The following are key to this solution:
   a. Certificate template. Create a configuration that specifies the field and type of identifier for client device certificates. See Figure 3 on page 14. The MDM configuration templates provide flexibility in how the device identifier can be placed in the device certificate's subject or alternative subject. We recommend you include the user id in the certificate, so the certificate can identify both the user and the device. For example: CN=<DEVICE_UDID>, uid=<user_id>, o=company
   b. Credential profile. Create a configuration that specifies the certificate authority and certificate template configuration. See Figure 4 on page 15.
   c. Wi-Fi profile. Create a configuration that specifies the SSID, security options, and the credential configuration. See Figure 5 on page 16.
3. Save and deploy the profile to devices registered with your organization. See Figure 6 on page 17.
4. Enable API access and generate the AirWatch API key (tenant code). The tenant code is part of the REST API configuration. The tenant code must be included in the Access Control Service MDM server configuration. It is sent in the API call. See Figure 7 on page 18.
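An added example, not AirWatch or Pulse Secure code, that works through the device-identification step of this section: it parses a client-certificate subject laid out per the recommended template (CN=<DEVICE_UDID>, uid=<user_id>, o=company), looks the UDID up in a set of constructed AirWatch records, renames the fields to the normalized ACS attribute names from Table 4, converts the boolean attributes from their string form, and checks that the certificate's uid matches the MDM's username so that the certificate really binds the user to the device. The record contents, the subset of attributes normalized, the string-versus-boolean encodings and the NonCompliant value in the sample data are assumptions.

```python
"""Identify a device from its client-certificate subject and normalize an
AirWatch record to the guide's ACS attribute names.

Constructed example, not product code. The subject layout follows the
template recommended in the guide; the AirWatch records are made-up data.
"""


def parse_dn(subject):
    """Split an RFC 4514-style DN string into {attribute: value}.
    Handles backslash-escaped commas and equals signs inside values;
    attribute names are lower-cased so CN and cn compare equal."""
    parts, buf, escaped = [], [], False
    for ch in subject:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    dn = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        dn[attr.strip().lower()] = value.strip()
    return dn


def to_bool(value):
    """MDM APIs often return booleans as strings; bool('false') would be True."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")


# AirWatch field -> (normalized ACS name, converter), following Table 4.
# Only the attributes used in this example are listed (assumption).
NORMALIZE = {
    "udid": ("udid", str),
    "compliancestatus": ("iscompliant", str),    # string, e.g. "Compliant"
    "enrollmentstatus": ("isenrolled", str),     # string, e.g. "Enrolled"
    "compromisedstatus": ("iscompromised", to_bool),
    "ispasscodepresent": ("ispasscodepresent", to_bool),
    "ownership": ("ownership", str),
    "platform": ("platform", str),
    "serialnumber": ("serialnumber", str),
    "username": ("username", str),
}


def normalize(raw):
    """Rename and convert the fields of one raw AirWatch record."""
    out = {}
    for key, value in raw.items():
        if key in NORMALIZE:
            name, conv = NORMALIZE[key]
            out[name] = conv(value)
    return out


def identify_device(subject, airwatch_records):
    """Return (normalized_record, problems). An empty problems list means the
    device record was found and the certificate uid matches the MDM username."""
    dn = parse_dn(subject)
    udid, uid = dn.get("cn"), dn.get("uid")
    if not udid:
        return None, ["certificate subject has no CN (device identifier)"]
    raw = next((r for r in airwatch_records if r.get("udid") == udid), None)
    if raw is None:
        return None, [f"no MDM record for UDID {udid}"]
    record = normalize(raw)
    problems = []
    if uid is None:
        problems.append("certificate has no uid; user/device binding cannot be verified")
    elif uid != record.get("username"):
        problems.append(f"certificate uid {uid!r} does not match MDM username "
                        f"{record.get('username')!r}")
    return record, problems


# Constructed sample records (not real devices or users).
AIRWATCH_RECORDS = [
    {"udid": "3F2504E0-4F89-41D3-9A0C-0305E82C3301", "username": "alice",
     "compliancestatus": "Compliant", "enrollmentstatus": "Enrolled",
     "compromisedstatus": "false", "ispasscodepresent": "true",
     "ownership": "Employee", "platform": "Apple", "serialnumber": "SN-ALICE-01"},
    {"udid": "9B1DEB4D-3B7D-4BAD-9BDD-2B0D7B3DCB6D", "username": "bob",
     "compliancestatus": "NonCompliant", "enrollmentstatus": "Enrolled",
     "compromisedstatus": "true", "ispasscodepresent": "false",
     "ownership": "Employee", "platform": "Android", "serialnumber": "SN-BOB-01"},
]

if __name__ == "__main__":
    print(identify_device("CN=3F2504E0-4F89-41D3-9A0C-0305E82C3301, uid=alice, o=company",
                          AIRWATCH_RECORDS))
```

A mismatch between the certificate's uid and the MDM's username is reported rather than silently accepted; this is the check that makes the recommended template stronger than a device-only certificate, because a certificate issued for one enrollee cannot be used to claim another user's role.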

Figure 3: AirWatch Certificate Template Configuration

Figure 4: AirWatch Credential Configuration

Figure 5: AirWatch Wi-Fi Configuration

Figure 6: Deploying a Profile to Your Organization's Managed Devices

Figure 7: AirWatch API Tenant Code Configuration

Configuring the Wireless Access Point
The following wireless access point settings are important in this solution:
- 802.1x authentication
- RADIUS authenticator communication with the Access Control Service RADIUS server
- VLANs, if you want to be able to assign user roles to VLANs

Refer to your vendor's documentation for information about the wireless access point 802.1x configuration. For information about Juniper Networks wireless access controllers, refer to the Juniper Networks wireless LAN services documentation.

Figure 8 on page 19 shows the 802.1x configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 8: WLC 802.1x Authentication Configuration

Figure 9 on page 19 shows the RADIUS configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 9: WLC RADIUS Configuration

Figure 10 on page 20 shows the VLAN configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 10: WLC VLAN Configuration

Configuring the Device Access Management Framework

This section describes the basic steps for configuring the device access management framework:

1. Configuring an Authentication Protocol Set
2. Configuring the MDM Authentication Server
3. Configuring the Certificate Server
4. Adding the MDM Certificate to the Trusted Client CA Configuration
5. Configuring User Roles
6. Configuring a Realm and Role Mapping Rules
7. Configuring a Sign-In Policy

Configuring an Authentication Protocol Set

The authentication protocol set associated with the sign-in page must include the EAP method selected in the MDM Wi-Fi profile. The predefined authentication protocol set named 802.1x, shown in Figure 11, can be used as-is because it includes all the EAP methods currently configurable on MDMs.

Figure 11: Authentication Protocol Set Configuration Page

If you want to define a custom set for this solution, complete the following procedure.

To configure the authentication protocol set:

1. Select Signing In > Authentication Protocols to display the configuration page.
2. Click New Authentication Protocol, or select the predefined 802.1x set and click Duplicate.
3. Complete the configuration as described in Table 5.
4. Save the configuration.

Table 5: Authentication Protocol Set Configuration Guidelines

Name: Specify a name for the protocol set.
Description: Describe the purpose of the set so that other administrators are aware of it.

Table 5: Authentication Protocol Set Configuration Guidelines (continued)

Authentication Protocol: Use the Add/Remove buttons to select the protocols to be used. Use the up/down arrows to list the selected protocols in the preferred order.
TLS: Use the Add/Remove buttons to select the protocols to be used. Use the up/down arrows to list the selected protocols in the preferred order.

Configuring the MDM Authentication Server

The MDM authentication server configuration is used by the system to communicate with the MDM. In the device access management framework, the MDM server is used as the device authorization server.

To configure the authentication server:

1. Select Authentication > Auth Servers to navigate to the authentication server configuration pages.
2. Select MDM Server and click New Server to display the configuration page shown in Figure 12.
3. Complete the configuration as described in Table 6.
4. Save the configuration.

Figure 12: Authentication Server Configuration Page

Table 6: Authentication Server Configuration Guidelines

Name: Specify a name for the configuration.
Server: Specify the URL for your AirWatch server. This is the URL AirWatch has instructed you to use, over port 443.
Viewer Url: Specify the URL for the AirWatch report viewer. This URL is used to link records on the Active Users page to the AirWatch records.
Administrator: Specify the AirWatch administrator user name used for the API calls.
Administrator Password: Specify the corresponding password.
Tenant Code: Copy and paste the AirWatch API tenant code. See Figure 7.

Device Identifier

Require Certificate: Require that the device certificate pushed to client devices during enrollment is used for device identification. If this option is not selected and the client does not have a certificate, the system falls back to the MAC address as the device identifier, which is weaker because a MAC address is easily spoofed.
ID Template: Template for constructing the device identifier from certificate attributes. The template can contain textual characters as well as variables for substitution. The variables are the same as those used in role mapping custom expressions and policy conditions. Enclose variables in angle brackets, like this: <variable>. For example, suppose the certificate DN is CN=<DEVICE_UDID>, uid=<user_id>, o=company. With this configuration, the certificate can identify both the user and the device. In this example, the device ID template is <certdn.cn>.

Table 6: Authentication Server Configuration Guidelines (continued)

ID Type: Select UDID, the device Unique Device Identifier. This is the identifier type supported by the AirWatch MDM.

Configuring the Certificate Server

The certificate server configuration enables device users to authenticate using the certificate pushed to the device by the MDM. The certificates are used for user authentication, so users do not have to enter credentials.

To configure authentication with the certificate server:

1. Select Authentication > Auth. Servers.
2. Select Certificate Server and click New Server to display the configuration page shown in Figure 13.
3. Complete the configuration as described in Table 7.
4. Save the configuration.

Figure 13: Certificate Server Configuration Page

Table 7: Certificate Server Settings

Name: Specify a name to identify the server within the system.
User Name Template: Specify any combination of certificate variables contained in angle brackets and plain text. The user name template you configure must be consistent with the MDM certificate template configuration. Your goal is to identify the values specified in the MDM certificate that are to be used as the user name in the Access Control Service system. This value populates the <USER> and <USERNAME> session variables for use throughout the rest of the system configuration. With this configuration, the certificate identifies both the user and the device. In this example, the user name template is <certdn.uid>.
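The following Python example is added here to make the two templates concrete; it is not Pulse Secure code and does not show how the appliance implements them. It parses a certificate subject laid out as the MDM certificate template above prescribes (CN=<DEVICE_UDID>, uid=<user_id>, o=company) and applies the device ID template <certdn.cn> from Table 6 and the user name template <certdn.uid> from Table 7. The DN parser, the sample subject and the behaviour on a missing attribute are assumptions of the example. The MobileIron example later in this chapter uses the same layout with a UUID in the CN, so the same code applies there.

```python
"""Added example (not Pulse Secure code): how the ID Template of the MDM
authentication server (<certdn.cn>) and the user name template of the
certificate server (<certdn.uid>) extract the device ID and the user name
from a client certificate whose subject follows the MDM certificate template
CN=<DEVICE_UDID>, uid=<user_id>, o=company.

The DN parser, the variable syntax and the sample subject are assumptions
made for this illustration; only the template strings come from the guide.
"""
import re
from typing import Dict, Optional

# Constructed sample subject, laid out as the AirWatch certificate template in
# this example would issue it: UDID in CN, user ID in uid.
SAMPLE_SUBJECT = "CN=8f3a2c1e9b7d4a6f0e2c5b8a1d3f6e9c0b4a7d2e, uid=jdoe, o=company"

# The two templates used in this chapter.
DEVICE_ID_TEMPLATE = "<certdn.cn>"
USER_NAME_TEMPLATE = "<certdn.uid>"

# One RDN: attribute name, "=", value; a backslash escapes the next character
# so that "o=Acme\, Inc." keeps its comma.
_RDN = re.compile(r"\s*([A-Za-z][A-Za-z0-9.-]*)=((?:\\.|[^,\\])*)")
# A template variable such as <certdn.cn>; the attribute is matched case-insensitively.
_VAR = re.compile(r"<certdn\.([A-Za-z0-9.-]+)>")


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a comma-separated DN into {attribute (lowercase): value}.

    When an attribute appears more than once, the leftmost value wins, which
    is the one a template like <certdn.cn> refers to here.
    """
    attrs: Dict[str, str] = {}
    pos = 0
    while pos < len(dn):
        match = _RDN.match(dn, pos)
        if not match:
            raise ValueError(f"malformed DN near offset {pos}: {dn[pos:pos + 20]!r}")
        name, raw = match.group(1).lower(), match.group(2)
        attrs.setdefault(name, re.sub(r"\\(.)", r"\1", raw).strip())
        pos = match.end()
        if pos < len(dn):
            if dn[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos} in {dn!r}")
            pos += 1
    return attrs


def render_template(template: str, subject: str) -> Optional[str]:
    """Substitute <certdn.X> variables from the certificate subject.

    Returns None when a referenced attribute is absent: an identifier that
    cannot be built must not be silently replaced by an empty string, or two
    different certificates could map to the same device or user.
    """
    attrs = parse_dn(subject)
    if any(var.lower() not in attrs for var in _VAR.findall(template)):
        return None
    return _VAR.sub(lambda m: attrs[m.group(1).lower()], template)


def identify(subject: str) -> Dict[str, Optional[str]]:
    """Derive what the two servers in this chapter derive from one certificate.

    The subject must already have been validated against the Trusted Client
    CA (the MDM CA); nothing here checks the chain or the signature.
    """
    return {
        "device_id": render_template(DEVICE_ID_TEMPLATE, subject),
        "username": render_template(USER_NAME_TEMPLATE, subject),
    }


if __name__ == "__main__":
    print(identify(SAMPLE_SUBJECT))
```

The check that matters operationally: a certificate that does not carry the attribute a template names yields no identifier at all rather than an empty one, so a certificate not issued from the MDM template cannot collide with a legitimate device or user. The parser does not validate the chain; that is the job of the Trusted Client CA configuration in the next section.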

Adding the MDM Certificate to the Trusted Client CA Configuration

The system uses the uploaded CA certificate to verify that the client certificate presented by the device is valid. You must upload the MDM CA certificate that signed the client certificates pushed to the mobile devices. Typically, you obtain this certificate from the MDM when your company establishes its account with them.

To import a trusted client CA certificate:

1. Select System > Configuration > Certificates > Trusted Client CAs to display the page shown in Figure 14.

Figure 14: Trusted Client CA Management Page

2. Click Import CA Certificate to display the page shown in Figure 15.

Figure 15: Import Trusted Client CA Page

3. Browse to the certificate file, select it, and click Import Certificate to complete the import operation.
4. Click the link for the trusted client CA to display its details. Figure 16 shows the configuration for this example.

Figure 16: Trusted Client CA Configuration for AirWatch

Configuring User Roles

User roles are classifiers for network access control policies. You create a set of roles to use in your classification scheme: device status is MDM enrollment complete or incomplete; device status is MDM-policy compliant or non-compliant; device is employee owned or company owned; device platform is iOS, Android, or neither; and so forth.

The user role configuration also includes options to customize user interface features that are appropriate for a particular role. For MDM deployments, you can use the Personalized Greeting UI option to send a notification message to the device when the role has been applied.

To configure user roles:

1. Select Users > User Roles to navigate to the role configuration page.
2. Click New Role to display the configuration page shown in Figure 17.
3. Complete the configuration for general options as described in Table 8.
4. Save the configuration.
5. Click UI Options to display the configuration page shown in Figure 18.
6. Complete the configuration for UI options as described in Table 8.
7. Save the configuration.
8. Click Session Options to display the configuration page shown in Figure 19.
9. Complete the configuration for session options as described in Table 8.
10. Save the configuration.
11. Click Agentless to display the configuration page shown in Figure 20.
12. Complete the configuration for agentless options as described in Table 8.
13. Save the configuration.

Figure 17: User Role Configuration Page: General Settings

Figure 18: User Role Configuration Page: UI Options

Figure 19: User Role Configuration Page: Session Options

Figure 20: User Role Configuration Page: Agentless Access

Table 8: User Role Configuration Guidelines

Overview tab

Name: Specify a name for the configuration.
Description: Describe the purpose of the role so that other administrators are aware of it.
Options: Enable the option groups (UI options, session options, agentless access) that are to take effect when the role is applied.

UI Options tab

Personalized greeting: Select this option to send a notification message (via the MDM API) after sign-in when this role has been applied, or after role reevaluation if it results in a role change to this role. In this example, we are using the system to enforce MDM enrollment and to flag compromised devices, and the message text is written accordingly. The message is forwarded to the device using the MDM server push notification feature.

NOTE: If multiple roles are assigned, UI options are not merged. The UI options for the first role that matches are applied.

Table 8: User Role Configuration Guidelines (continued)

Session Options tab: Select the option that keeps the session alive. This option is useful for iOS devices.
Agentless tab: Select this option for roles that you provision to access the network from BYOD devices. The solution that integrates with MDMs depends on the native supplicant, not a Pulse Secure agent.

Configuring a Realm and Role Mapping Rules

The user realm configuration associates the authentication server data and MDM server data with user roles.

To configure the realm and role mapping rules:

1. Select Users > User Realms > New User Realm to display the configuration page shown in Figure 21.
2. Complete the configuration as described in Table 9.
3. Save the configuration. Upon saving the new realm, the system displays the role mapping rules page.
4. Click New Rule to display the configuration page shown in Figure 22.
5. Complete the configuration as described in Table 10.
6. Save the configuration.
7. Click the Authentication Policy tab and then click the Certificate subtab to display the certificate restriction configuration page shown in Figure 23.
8. Complete the configuration as described in Table 12.
9. Save the configuration.

Figure 21: Realm Configuration Page

Table 9: Realm Configuration Guidelines

Name: Specify a name for the realm. If you enable sign-in using a realm suffix in the sign-in policy configuration, the realm name must match the user name realm suffix configured in the MDM Wi-Fi profile. See Figure 5.
Description: Describe the purpose of the realm so that other administrators are aware of it.

Servers

Table 9: Realm Configuration Guidelines (continued)

Authentication: Select the user authentication server for this realm's users. This example uses the certificate server configured in the earlier step.
User Directory/Attribute: Do not select.
Accounting: Do not select.
Device Attributes: Select the MDM server configured in the earlier step.
Device Check Interval: Specify the interval at which to query the MDM for updated attribute data. Specify 0 to disable periodic queries. The minimum is 10 minutes and the maximum is 10,080 minutes (7 days). Specify an interval that is appropriate for the MDM. Some MDMs, for example, update records every 4 hours, so a 10 minute interval would not be productive.
Dynamic Policy Evaluation: Select this option so that roles are reevaluated when the queries return changed attribute values.
Refresh interval: Do not select.
Refresh roles: Do not select.
Refresh resource policies: Do not select.

Session Migration

Session Migration: Do not select this option. Session migration is useful for endpoints running Pulse Secure client software, which is not the case for the endpoints in this MDM example.

Figure 22: Role Mapping Configuration Page

Table 10: Role Mapping Configuration Guidelines

Rule based on: Select Device Attribute and click Update to update the configuration page so that it displays settings for role mapping using device attributes.
Name: Specify a name for the configuration.
Rule: Select a device attribute (see Table 11), a logical operator (is or is not), and type a matching value or value pattern. In this example, we select iscompromised, the logical operator is, and enter the value 1 (true). This means that devices with a compromised status match the rule.
Role assignment: Select the roles to apply if the data matches the rule.

TIP: You are likely to create multiple roles and role-mapping rules to assign roles for different policy purposes. Your realm can have a set of rules based on user attribute, group membership, and device attribute. Be mindful that the user and device can map to multiple roles. Use stop rules and order your rules carefully to implement the policy you intend.

Table 11 describes the AirWatch record attributes that can be used in role mapping rules.

Table 11: AirWatch Device Attributes

Normalized attribute | AirWatch attribute | Description | Type
blocklevelencryption | blocklevelencryption | True if block-level encryption is enabled; false otherwise. | Boolean
compromisedstatustimestamp | compromisedstatustimestamp | The refresh date and timestamp of the last status reported. | Timestamp
 |  | True if data protection is enabled; false otherwise. | Boolean
deviceid | assetnumber, id | Device identifier. | String
devicename | devicefriendlyname | The concatenated name used to identify the device/user combination. | String
filelevelencryption | filelevelencryption | True if file-level encryption is enabled; false otherwise. | Boolean
IMEI |  | IMEI number of the device. | String
iscompliant | compliancestatus | Values: Compliant. | String
iscompromised |  | True if the device is compromised; false otherwise. | Boolean
isenrolled | enrollmentstatus | True if the MDM value is Enrolled; false otherwise. | Boolean
 |  | True if the passcode is compliant; false otherwise. | Boolean
ispasscodepresent | ispasscodepresent | True if a passcode has been configured; false otherwise. | Boolean

Table 11: AirWatch Device Attributes (continued)

Normalized attribute | AirWatch attribute | Description | Type
locationgroupname | locationgroupname | MDM location group configuration value. | String
macadress | macaddress | MAC address of the device. | String
model | model, modelid | Model is automatically reported by the device during registration. | String
osversion | operatingsystem | OS version. | String
ownership | ownership | Values: Employee, Corporate, or Shared. | String
phonenumber | phonenumber | Phone number entered during registration. | String
platform | platform, platformid | Platform specified during registration. | String
serialnumber | serialnumber | Serial number. | String
UDID | udid | UDID. | String
useremailaddress | useremailaddress | Email address of device user. | String
username | username | Name of device user. | String

NOTE: By design, you should be able to specify true or false, or 1 or 0, for Boolean data types in your role mapping rules. Due to an issue in this release, you must use 1 for true and 0 for false.
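The following Python example is added here and is not part of the guide or of the Pulse Secure product. It shows the two steps that Table 10, the TIP and Table 11 describe: normalizing a raw AirWatch record into the attribute names used in rules, then evaluating an ordered rule list with stop rules. The mapping table follows Table 11; the AirWatch source field assumed for iscompromised, the rule engine, the role names and the sample device records are assumptions of the example. The same approach applies to the MobileIron attributes in Table 19 later in this chapter.

```python
"""Added example (not Pulse Secure code): AirWatch attribute normalization and
ordered role-mapping evaluation with stop rules. The rule engine, the mapping
table and the sample records are assumptions for illustration; the normalized
attribute names, the is / is not operators and the 1 / 0 Boolean literals are
taken from the guide.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, NamedTuple, Tuple

# AirWatch field -> normalized attribute used in role-mapping rules (Table 11).
# compromisedstatus is an assumption: the AirWatch source field for
# iscompromised is not legible in the guide.
AIRWATCH_TO_NORMALIZED = {
    "assetnumber": "deviceid", "id": "deviceid",
    "compliancestatus": "iscompliant",
    "compromisedstatus": "iscompromised",
    "enrollmentstatus": "isenrolled",
    "operatingsystem": "osversion",
    "platform": "platform", "platformid": "platform",
    "model": "model", "modelid": "model",
    "ownership": "ownership",
    "udid": "UDID",
    "serialnumber": "serialnumber",
    "username": "username",
    "useremailaddress": "useremailaddress",
    "ispasscodepresent": "ispasscodepresent",
    "blocklevelencryption": "blocklevelencryption",
    "filelevelencryption": "filelevelencryption",
}
# Status strings that Table 11 turns into Boolean attributes.
STATUS_TRUE_VALUE = {"iscompliant": "compliant", "isenrolled": "enrolled"}


def normalize(record: Dict[str, object]) -> Dict[str, str]:
    """Map a raw AirWatch device record to normalized attribute values.

    Booleans become "1" / "0" because this release only matches those
    literals in rules (see the NOTE after Table 11); everything else is kept
    as a string. Unknown fields are ignored, and the first source field wins
    when two map to the same attribute (assetnumber before id).
    """
    attrs: Dict[str, str] = {}
    for field, value in record.items():
        name = AIRWATCH_TO_NORMALIZED.get(field.lower())
        if name is None or name in attrs:
            continue
        if name in STATUS_TRUE_VALUE:
            value = str(value).lower() == STATUS_TRUE_VALUE[name]
        attrs[name] = ("1" if value else "0") if isinstance(value, bool) else str(value)
    return attrs


class Rule(NamedTuple):
    attribute: str
    operator: str            # "is" or "is not"
    value: str               # literal or fnmatch-style pattern (* and ?)
    roles: Tuple[str, ...]
    stop: bool = False       # stop processing further rules after a match


def rule_matches(rule: Rule, attrs: Dict[str, str]) -> bool:
    """Evaluate one rule. A missing attribute never satisfies "is" and always
    satisfies "is not": a device the MDM cannot vouch for must land in the
    restrictive roles, not the permissive ones (a choice of this example)."""
    actual = attrs.get(rule.attribute)
    matched = actual is not None and fnmatchcase(actual.lower(), rule.value.lower())
    return matched if rule.operator == "is" else not matched


def map_roles(rules: List[Rule], attrs: Dict[str, str]) -> List[str]:
    """Apply rules in order, accumulating roles, until a matching stop rule."""
    roles: List[str] = []
    for rule in rules:
        if rule_matches(rule, attrs):
            roles.extend(r for r in rule.roles if r not in roles)
            if rule.stop:
                break
    return roles


# Restrictive outcomes first, each with stop, so that a compromised device can
# never also pick up the access roles further down the list.
RULES = [
    Rule("iscompromised", "is", "1", ("Quarantine",), stop=True),
    Rule("isenrolled", "is not", "1", ("Unenrolled",), stop=True),
    Rule("iscompliant", "is not", "1", ("Remediation",), stop=True),
    Rule("platform", "is", "Android", ("Android",)),
    Rule("ownership", "is", "Employee", ("BYOD",)),
    Rule("isenrolled", "is", "1", ("Corporate-Access",)),
]

# Constructed device records in the shape of AirWatch API output.
COMPROMISED_DEVICE = {
    "Id": 4711, "Udid": "8f3a2c1e9b7d4a6f0e2c5b8a1d3f6e9c0b4a7d2e",
    "CompromisedStatus": True, "ComplianceStatus": "Compliant",
    "EnrollmentStatus": "Enrolled", "Platform": "Android",
    "Ownership": "Employee", "UserName": "jdoe",
}
HEALTHY_DEVICE = {**COMPROMISED_DEVICE, "CompromisedStatus": False}
NONCOMPLIANT_DEVICE = {**HEALTHY_DEVICE, "ComplianceStatus": "NonCompliant"}

if __name__ == "__main__":
    for label, rec in [("compromised", COMPROMISED_DEVICE), ("healthy", HEALTHY_DEVICE),
                       ("non-compliant", NONCOMPLIANT_DEVICE)]:
        print(label, "->", map_roles(RULES, normalize(rec)))
```

Two points the rule list illustrates: Boolean attributes are compared as 1 and 0, so a rule written with the literal true never matches in this release (the NOTE after Table 11); and the stop flag on the restrictive rules is what prevents a compromised device that is also enrolled and compliant from collecting Corporate-Access as well.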

Figure 23: Realm Configuration Page: Certificate Restrictions

Table 12: Realm Configuration Certificate Restriction Guidelines

Allow all users: Do not select this option. If you select this option, the system does not request a client certificate during the TLS handshake.
Allow all users and remember certificate information while user is signed in: If the endpoint presents a client certificate, the certificate attributes are placed in the session context.
Only allow users with a client-side certificate: If you select this option, the system requests a client certificate during the TLS handshake. It does not allow endpoints to authenticate without a valid client certificate. If the realm is configured with a certificate server, as in this example, this is the only option that can be selected.

Configuring a Sign-In Policy

A sign-in policy associates devices with a realm.

To configure a sign-in policy:

1. Select Authentication > Signing In > Sign-In Policies to navigate to the sign-in policies configuration page.
2. Click New URL to display the configuration page shown in Figure 24.
3. Complete the configuration as described in Table 13.
4. Save the configuration.

Figure 24: Sign-In Policy Configuration Page

Table 13: Sign-In Policy Configuration Guidelines

User type: Select Users.
Description: Describe the purpose of the sign-in policy so that other administrators are aware of it.

Authentication Realm

Realm: Select the realm you configured in the earlier step.
Authentication Protocol Set: Select the protocol set you configured in the earlier step.
Enable sign-in using realm suffix: To use this option, the realm name must match the user name realm suffix configured in the MDM Wi-Fi profile. See Figure 5. This configuration enables you to dedicate the realm to the MDM traffic. Non-MDM traffic passing through the same switch then belongs to a different realm.
Remove realm suffix: Remove the realm suffix within system processes, such as rule processing and logs.

Configure Sign-in Notifications

Pre-Auth Sign-in Notification: Not used in this scenario.
Post-Auth Sign-in Notification: Not used in this scenario.

Configuring an 802.1x Network Access Policy

The 802.1x network access policy framework is used for network communication between the wireless access point and the Access Control Service. This section describes the key configuration elements:

1. Configuring a Location Group
2. Configuring a RADIUS Client
3. Configuring a RADIUS Return Attributes Policy

Configuring a Location Group

A location group associates the RADIUS framework with sign-in pages.

To configure a location group:

1. Select UAC > Network Access > Location Group to navigate to the location group configuration pages.
2. Click New Location Group to display the configuration page shown in Figure 25.
3. Complete the configuration as described in Table 14.
4. Save the configuration.

Figure 25: Location Group Configuration Page

Table 14: Location Group Configuration Guidelines

Name: Specify a name for the configuration.
Description: Describe the purpose of the location group so that other administrators are aware of it.
Sign-In Policy: Select the sign-in policy you configured in the earlier step.
Other options: Do not select any for this solution.

Configuring a RADIUS Client

The RADIUS client configuration is used for communication with the 802.1x authenticator, in this case the wireless access point.

To configure a RADIUS client:

1. Select UAC > Network Access > RADIUS Client to display the RADIUS client configuration pages.
2. Click New RADIUS Client to display the configuration page shown in Figure 26.
3. Complete the configuration as described in Table 15.
4. Save the configuration.

Figure 26: RADIUS Client Configuration Page

Table 15: RADIUS Client Configuration Guidelines

RADIUS Client

Name: Specify a name for the configuration.
Description: Describe the purpose of the configuration so that other administrators are aware of it.

Table 15: RADIUS Client Configuration Guidelines (continued)

IP Address: Specify the IP address of the RADIUS authenticator.
IP Address Range: Specify the number of IP addresses for the RADIUS authenticator.
Shared Secret: Specify the RADIUS shared secret. It must match the authenticator configuration.
Make/Model: Select the make/model of the RADIUS authenticator.
Location Group: Select the location group you configured in the earlier step.
Dynamic Authorization Support: Send RADIUS disconnect messages to the authenticator so that it terminates an endpoint's session when access is no longer authorized.

Configuring a RADIUS Return Attributes Policy

The RADIUS return attributes policy is a framework for role-based assignment of traffic to VLANs. The policy specifies the return list attributes to send to an 802.1X network access device, such as which VLAN endpoints must use to access the network. If no policy applies, Open Port is the default action.

To configure a RADIUS return attributes policy:

1. Select UAC > Network Access > RADIUS Attributes > Return Attributes to display the RADIUS return attributes policy configuration pages.
2. Click New Policy to display the configuration page shown in Figure 27.
3. Complete the configuration as described in Table 16.
4. Save the configuration.
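The following Python example is added here and is not Pulse Secure code. It shows what the return attributes policy described above puts into the Access-Accept when the VLAN option is used (the three RFC 2868 tunnel attributes), together with the Termination-Action attribute from Table 16, and how a session's role set selects a policy with Open Port as the default. The attribute numbers and encodings are the standard RADIUS ones; the policy list, VLAN IDs and role names are assumptions of the example.

```python
"""Added example (not Pulse Secure code): the attributes a RADIUS return
attributes policy sends in an Access-Accept for a VLAN assignment, with
role-to-policy selection and the Open Port default. Attribute numbers and
encodings follow RFC 2865 and RFC 2868; the policy list, role names and VLAN
IDs are assumptions for illustration.
"""
import struct
from typing import Iterable, List, NamedTuple, Optional

TERMINATION_ACTION = 29        # RFC 2865; value 1 = RADIUS-Request (reauthenticate)
TUNNEL_TYPE = 64               # RFC 2868; value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868; value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868; the VLAN ID carried as a string
TUNNEL_VLAN, MEDIUM_IEEE_802 = 13, 6


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length covers the header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer (RFC 2868 s3.1): one tag byte, then a 3-byte value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(attr_type: int, value: str, tag: int = 0) -> bytes:
    """Tagged string (RFC 2868 s3.6): one tag byte, then the text."""
    return avp(attr_type, bytes([tag]) + value.encode("ascii"))


def vlan_return_attributes(vlan_id: int, reauthenticate: bool = True) -> List[bytes]:
    """The attribute set the VLAN option of the policy returns, plus
    Termination-Action = 1 when "Add Termination-Action attribute" is set."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} out of range")
    attrs = [
        tagged_int(TUNNEL_TYPE, TUNNEL_VLAN),
        tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802),
        tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)),
    ]
    if reauthenticate:
        attrs.append(avp(TERMINATION_ACTION, struct.pack("!I", 1)))
    return attrs


class ReturnPolicy(NamedTuple):
    name: str
    roles: frozenset            # the policy applies when any of these roles is held
    vlan_id: Optional[int]      # None = Open port (no VLAN steering)


# Ordered like the policy list on the appliance: the first policy whose roles
# match wins, so the restrictive VLAN must be listed before the access VLANs.
POLICIES = [
    ReturnPolicy("quarantine-vlan", frozenset({"Quarantine", "Unenrolled", "Remediation"}), 666),
    ReturnPolicy("byod-vlan", frozenset({"BYOD"}), 200),
    ReturnPolicy("corporate-vlan", frozenset({"Corporate-Access"}), 100),
]


def select_policy(policies: Iterable[ReturnPolicy],
                  session_roles: Iterable[str]) -> Optional[ReturnPolicy]:
    held = set(session_roles)
    for policy in policies:
        if policy.roles & held:
            return policy
    return None


def access_accept_attributes(policies: Iterable[ReturnPolicy],
                             session_roles: Iterable[str]) -> List[bytes]:
    """Return attributes for the Access-Accept; an empty list is Open Port."""
    policy = select_policy(policies, session_roles)
    if policy is None or policy.vlan_id is None:
        return []
    return vlan_return_attributes(policy.vlan_id)


def decode_vlan(attrs: Iterable[bytes]) -> Optional[int]:
    """What the authenticator reads back: the VLAN in Tunnel-Private-Group-ID."""
    for raw in attrs:
        attr_type, length = raw[0], raw[1]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and length == len(raw):
            return int(raw[3:].decode("ascii"))   # skip type, length and tag bytes
    return None


if __name__ == "__main__":
    for roles in (["Android", "BYOD", "Corporate-Access"], ["Quarantine", "Corporate-Access"], ["Android"]):
        print(roles, "->", decode_vlan(access_accept_attributes(POLICIES, roles)) or "open port")
```

Policy order matters the way rule order does: a session holding both Quarantine and Corporate-Access lands in the quarantine VLAN only because that policy is listed first; reverse the list and select_policy returns the corporate VLAN for the same session.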

Figure 27: RADIUS Return Attributes Policy Configuration Page

Table 16: RADIUS Return Attributes Policy Configuration Guidelines

Name: Specify a name for the configuration.
Description: Describe the purpose of the configuration so that other administrators are aware of it.
Location Group: Select the location groups to which this policy applies. In this example scenario, select the location group you configured in the earlier step.

RADIUS Attributes

Open port: Return authorization to open the port. This option does not restrict access to a particular VLAN.
VLAN: Return a VLAN ID for the VLAN in which to place the traffic. This is the option used in this example.
Return Attribute: Select and configure other RADIUS attributes to send in the return message. None are configured for this example.
Add Termination-Action attribute: Add the Termination-Action attribute with value 1 (RADIUS-Request) so that the authenticator attempts reauthentication when the session terminates.

Interface

Interface: Select the interface through which endpoints on this VLAN connect to the system.

Roles

Roles: Select the roles to which the policy applies.

Configuring a Resource Access Policy

A resource access policy enforces role-based access to resources protected by an Infranet Enforcer firewall. You can use the device access management framework to assign roles to devices, and use the resource access policy to deny access to resources that should not be downloaded onto a specific device plat­form, in this example Android devices.

This solution example assumes you have deployed Infranet Enforcers to protect Web servers in your network. This example does not explain how to deploy an Infranet Enforcer. For information on Infranet Enforcer, refer to its documentation.

In this scenario, the role configuration and role mapping configuration create a classification for Android devices. Figure 28 shows the user role configuration.

Figure 28: User Role Configuration Page: General Settings

Figure 29 shows the role mapping configuration.

Figure 29: Role Mapping Configuration Page

To configure a resource access policy:

1. Select UAC > Infranet Enforcer > Resource Access to display the resource access policy configuration pages.
2. Click New Policy to display the configuration page shown in Figure 30.
3. Complete the configuration as described in Table 17.
4. Save the configuration.

Figure 30: Resource Access Policy Configuration Page

Table 17: Resource Access Policy Configuration Guidelines

Name: Specify a name for the configuration.
Description: Describe the purpose of the configuration so that other administrators are aware of it.

Resources

Resources: Specify the resources to which this policy applies, one per line.

Infranet Enforcer

Infranet Enforcer: Select the Infranet Enforcer that protects the resources.

Roles

Roles: Select the roles to which the policy applies. In this example, Android is selected.

Action

Action: In this example, we deny access from Android devices.

Enforcer Options

Related Documentation

- Using Logs to Verify Proper Configuration
- User and Policy Administration Overview
- Using Policy Tracing and Debug Logs
- Understanding the Device Access Management Framework

Deploying a BYOD Policy for MobileIron Managed Devices

This example shows how to use Access Control Service policies to enable security based on device identity, device posture, or user identity in a bring your own device (BYOD) environment for an enterprise that uses MobileIron for mobile device management (MDM). It includes the following information:

- Solution Overview
- Requirements
- Configuring the MobileIron MDM
- Configuring the Wireless Access Point

- Configuring the Device Access Management Framework
- Configuring an 802.1x Network Access Policy
- Configuring a Resource Access Policy

Solution Overview

In the past, in order to ensure security and manageability of the corporate network, enterprise information technology (IT) departments restricted network access to company-issued equipment. For mobile phones, the classic example was the company-issued BlackBerry handset. As powerful mobile smart phones and tablets have become commonly held personal possessions, the trend in enterprise IT has been to stop issuing mobile equipment and instead allow employees to use their personal smart phones and tablets to conduct business activities. This has lowered equipment costs, but BYOD environments pose capacity planning and security challenges: how can an enterprise track network access by non-company-issued devices? Can an enterprise implement policies that restrict the mobile devices that can access the network and protected resources, in the same way network access control solutions restrict user access?

Mobile device management (MDM) companies have emerged to address the first issue. MDMs such as MobileIron provide enrollment and posture assessment services that prompt employees to enter data about their mobile devices. The MDM data records include device attributes and posture assessment status that can be used in the Access Control Service access management framework to enforce security policies.

Figure 31 shows a deployment with Access Control Service, a wireless access point, and the MobileIron MDM.

Figure 31: Solution Topology

The solution shown in this example leverages the Pulse Secure access management framework to support attribute-based network access control for mobile devices. In the device access management framework, the MDM is a device authorization server, and MDM record attributes are the basis for access policy determinations. For example, suppose your enterprise wants to enforce a policy that allows access only to mobile devices that have enrolled with the MDM or are compliant with the MDM posture assessment policies. You can use the attributes and status maintained by the MDM in Access Control Service role-mapping rules to implement the policy.

It is possible to use the MAC address as the device identifier, and this is supported as a fallback. We recommend, however, that you implement the solution as shown here, using client certificates. This example shows how to enable security with the familiar 802.1x framework. In this framework, a native supplicant is used to authenticate the user of the device. The device itself is identified using a client certificate that contains the device identity. Client certificates provide a more secure way to identify a device than the MAC address, which is trivially spoofed.

The 802.1x EAP methods that provide a TLS tunnel (PEAP, TLS, and TTLS) can present a client certificate. The following behavior is illustrative:

- TTLS/MSCHAPv2: The client certificate presented during the TLS handshake is used to identify the device against the MDM records, and MSCHAPv2 is used to authenticate the user against an authentication server.
- PEAP/MSCHAPv2: Although PEAP does not allow for user authentication with a client certificate, the client certificate can still be presented during the TLS handshake and used to identify the device against the MDM records. MSCHAPv2 is used to authenticate the user against an authentication server.
- TLS: The client certificate is used both to identify the device against the MDM records and to authenticate the user against a certificate server.

The Pulse Secure solution supports attribute-based Layer 2 network access control through familiar RADIUS return attribute policies, and Layer 3 enforcement through resource access policies. For example, you can implement policies that allow devices that have a clean MDM posture assessment and are compliant with MDM policies to access the network, but deny access to servers when you want to prevent downloads to employee-owned devices or to a particular platform that might be vulnerable.

Requirements

Table 18 lists version information for the solution components shown in this example.

Table 18: Component Version Information

Component | Version
Access Control Service | ACS 4.4 R4-MDM or 5.0r1 or later is required.
MobileIron MDM | Release 5.6 is used in this example. Any version that supports the device ID and device attributes you plan to query is compatible.
Wireless access point | Juniper Networks WLC2 wireless LAN controller and WLA322 access point are used in this example. Any wireless access point that supports deployment as an 802.1x authenticator is compatible.

Device Access Management Framework Feature Guide

Configuring the MobileIron MDM

This solution assumes you know how to configure and use the features of your MDM, and that you can enroll employees and their devices. For more information about the MobileIron MDM, refer to its documentation and support resources. This section focuses on the following elements of the MDM configuration that are important to this solution:

- Device identifier: The primary key for device records. Your MDM configuration determines whether a Universal Unique Identifier (UUID), Unique Device Identifier (UDID), or serial number is used as the device identifier. For MobileIron, UUID is supported and recommended.
- Device attributes: A standard set of data maintained for each device. For MobileIron, see Table 19 on page 54.

When the user installs the MDM application on the device and completes enrollment, the MDM pushes the device certificate to the device. After enrollment, the MDM maintains a database record that includes information about the enrollee: attributes related to device identity, user identity, and posture assessment against MDM policies. Table 19 on page 54 describes these attributes. In this solution, these attributes are used in the Access Control Service role mapping that is the basis for network access and resource access policies. When you configure role-mapping rules, you specify the normalized ACS attribute name.

Table 19: MobileIron Device Attributes

MobileIron Attribute | ACS Attribute | Description | Type
 | deviceid | Device identifier. | String
compliance | iscompliant | True if the device is in compliance with its MDM security policies; false otherwise. | Boolean
compliance | iscompromised | True if the device is compromised; false otherwise. | Boolean
countryname | countryname | Country name corresponding with the country code of the device. | String
currentphonenumber | phonenumber | Phone number entered during registration. | String
address | user address | address of device user. | String
employeeowned | ownership | Values: Employee, Corporate, or Shared. | String
homeoperator | homeoperator | The service operator for the device when it is not roaming. | String
iphone IMEI, ImeiOrMeid | IMEI | IMEI number of the device. | String

Chapter 2: Examples

Table 19: MobileIron Device Attributes (continued)

MobileIron Attribute | ACS Attribute | Description | Type
iphone UDID | UDID | UDID. | String
isblocked | isblocked | True if the device is blocked from accessing the ActiveSync server; false otherwise. | Boolean
isquarantined | isquarantined | True if the device is quarantined by the MDM; false otherwise. | Boolean
lastconnectat | lastseen | Date and time the device last made successful contact with the MDM. | Timestamp
manufacturer | manufacturer | Manufacturer is automatically reported by the device during registration. | String
mdmmanaged | mdmmanaged | Indicates that the MDM profile is enabled on the device. This field applies only to iOS devices. For other devices, the value is always false. | Boolean
ModelName, model, device_model | model | Model is automatically reported by the device during registration. | String
name | devicename | The concatenated name used to identify the device/user combination. | String
operator | operator | Operator that is associated with the device. | String
OSVersion, os_version | osversion | OS version. | String
platform, platform_name | platform | Platform specified during registration. | String
principal, useruuid | userid | User ID. | String
SerialNumber | serialnumber | Serial number. | String
status, statuscode | isenrolled | True if the device has completed enrollment or registration; false otherwise. | Boolean
uuid | UUID | UUID. | String
userdisplayname, userfirstname, userlastname | username | Name of device user. | String
 | macadress | |

To configure the MDM:

1. Enroll devices in the MDM using the methods supported by the MDM.

2. Create a Simple Certificate Enrollment Protocol (SCEP) configuration that specifies the field and type of identifier for client device certificates. See Figure 32 on page 57. The MDM configuration templates provide flexibility in how the device identifier can be placed in the device certificate's subject or subject alternative name. We recommend you include the user ID in the certificate, so the certificate can identify both the user and the device. For example:

CN=<DEVICE_UUID>, uid=<user_id>, o=company

3. Create a Wi-Fi configuration that specifies the SSID and security options. See Figure 33 on page 58. During the enrollment process, this profile is provisioned to the device. Select the SCEP configuration completed in Step 2.

4. Select the Wi-Fi Profile configuration and apply it to a group label you have provisioned to manage this group of devices. See Figure 34 on page 58.

5. Apply the group label to which the Wi-Fi Profile belongs to the devices. See Figure 35 on page 59.

Figure 32: MobileIron SCEP Configuration

Figure 33: MobileIron Wi-Fi Configuration

Figure 34: Applying the Wi-Fi Configuration to a Label

Figure 35: Applying a Device Record to a Label

Configuring the Wireless Access Point

The following wireless access point settings are important in this solution:

- 802.1x authentication
- RADIUS authenticator communication with the Access Control Service RADIUS server
- VLANs, if you want to be able to assign user roles to VLANs

Refer to your vendor's documentation for information about the wireless access point 802.1x configuration. For information about Juniper Networks wireless access controllers, refer to the Juniper Networks wireless LAN services documentation.

Figure 36 on page 59 shows the 802.1x configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 36: WLC 802.1x Authentication Configuration

Figure 37 on page 60 shows the RADIUS configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 37: WLC RADIUS Configuration

Figure 38 on page 60 shows the VLAN configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 38: WLC VLAN Configuration

Configuring the Device Access Management Framework

This section describes the basic steps for configuring the device access management framework:

1. Configuring an Authentication Protocol Set on page 61
2. Configuring the MDM Authentication Server on page 62
3. Configuring the Certificate Server on page 65
4. Adding the MDM Certificate to the Trusted Client CA Configuration on page 67

5. Configuring User Roles on page 69
6. Configuring a Realm and Role Mapping Rules on page 74
7. Configuring a Sign-In Policy on page 80

Configuring an Authentication Protocol Set

The authentication protocol set associated with the sign-in page must include the EAP method selected in the MDM Wi-Fi Profile. The predefined authentication protocol set named 802.1x, shown in Figure 39 on page 61, can be used as-is because it includes all the EAP methods currently configurable on MDMs.

Figure 39: Authentication Protocol Set Configuration Page

If you want to define a custom set for this solution, complete the following procedure.

To configure the authentication protocol set:

1. Select Signing In > Authentication Protocols to display the configuration page.
2. Click New Authentication Protocol, or select the predefined 802.1x set and click Duplicate.

3. Complete the configuration as described in Table 20 on page 62.
4. Save the configuration.

Table 20: Authentication Protocol Set Configuration Guidelines

Setting | Guidelines
Name | Specify a name for the protocol set.
Description | Describe the purpose of the set so that other administrators are aware of it.
Authentication Protocol | Use the Add/Remove buttons to select protocols to be used. Use the up/down arrows to list the selected protocols in the preferred order.
TLS | Use the Add/Remove buttons to select protocols to be used. Use the up/down arrows to list the selected protocols in the preferred order.

Configuring the MDM Authentication Server

The MDM authentication server configuration is used by the system to communicate with the MDM. In the device access management framework, the MDM server is used as the device authorization server.

To configure the authentication server:

1. Select Authentication > Auth Servers to navigate to the authentication server configuration pages.
2. Select MDM Server and click New Server to display the configuration page shown in Figure 40 on page 63.
3. Complete the configuration as described in Table 21 on page 64.
4. Save the configuration.

Figure 40: Authentication Server Configuration Page

Table 21: Authentication Server Configuration Guidelines

Setting | Guidelines
Name | Specify a name for the configuration.
Server | Specify the URL for your MobileIron server. This is the URL MobileIron has instructed you to use to access its RESTful web API (also called a RESTful web service). The URL for the MobileIron server used in this example has the following form: … (over port 443).
Viewer Url | Specify the URL for the MobileIron report viewer. This URL is used to link records on the Active Users page to the MobileIron records. The URL for the MobileIron viewer for this example has the following form: …
Administrator | Specify the username for an account that has privileges to access the MobileIron RESTful web API.
Password | Specify the corresponding password.
Device Identifier: Require Certificate | Require that the device certificate pushed to client devices during enrollment is used for device identification. If this option is selected and the client device does not have a certificate, authentication fails. Use this option when certificate security is important to you. If this option is not selected and the client does not have a certificate, the system uses the device MAC address as the device identifier. The Access Control Service obtains the MAC address from the Calling-Station-Id attribute in the RADIUS messages.
Device Identifier: Device ID Template | Template for constructing the device identifier from certificate attributes. The template can contain textual characters as well as variables for substitution. The variables are the same as those used in role mapping custom expressions and policy conditions. Enclose variables in angle brackets like this: <variable>. All of the certificate variables are available. With this configuration, the certificate can identify both the user and the device. In this example, the device ID template is <certdn.cn>.

Table 21: Authentication Server Configuration Guidelines (continued)

Setting | Guidelines
ID Type | Select the device identifier type that matches the selection in the MDM SCEP certificate configuration: UUID, the device Universal Unique Identifier (this is the key device identifier supported by MobileIron MDM); Serial Number, the device serial number; UDID, the device Unique Device Identifier (not supported by the MobileIron MDM).

Configuring the Certificate Server

The certificate server configuration enables device users to authenticate using the certificate pushed to the device by the MDM. The certificates are used for user authentication, so users do not have to enter user credentials.

To configure authentication with the certificate server:

1. Select Authentication > Auth. Servers.
2. Select Certificate Server and click New Server to display the configuration page shown in Figure 41 on page 66.
3. Complete the configuration as described in Table 22 on page 66.
4. Save the configuration.

Figure 41: Certificate Server Configuration Page

Table 22: Certificate Server Settings

Setting | Guidelines
Name | Specify a name to identify the server within the system.
User Name Template | Specify any combination of certificate variables contained in angle brackets and plain text. The user name template you configure must be consistent with the MDM certificate template configuration. Your goal is to identify the values specified in the MDM certificate that are to be used as the user name in the Access Control Service system. This value populates the <USER> and <USERNAME> session variables for use throughout the rest of the system configuration. With this configuration, the certificate can identify both the user and the device. In this example, the user name template is <certdn.uid>.
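The two templates above (the device ID template <certdn.cn> in Table 21 and the user name template <certdn.uid> in Table 22) both read attributes out of the certificate subject that the SCEP step produced, CN=<DEVICE_UUID>, uid=<user_id>, o=company. The following script, added here as an illustration and not Pulse Secure product code, shows that substitution end to end, including the Table 21 fallback to the RADIUS Calling-Station-Id MAC when "Require Certificate" is off. Function names, the DN parser and the sample subject and MAC are assumptions constructed for the example.

```python
"""Resolve device and user identifiers the way the templates in this guide do.

Added example, not Pulse Secure product code. It applies the device ID
template (<certdn.cn>) and the user name template (<certdn.uid>) to a client
certificate subject of the recommended form CN=<DEVICE_UUID>, uid=<user_id>,
o=company, and falls back to the RADIUS Calling-Station-Id MAC only when
"Require Certificate" is off. Function names are assumed; the sample subject
and MAC below are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# Template variables are written <certdn.attr>, matching the guide's notation.
_VAR = re.compile(r"<certdn\.([A-Za-z0-9]+)>")


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514 string DN into a lower-cased attribute -> value map.

    A backslash escapes the next character, so "O=Acme\\, Inc" stays one value.
    If an attribute repeats, the first occurrence wins.
    """
    attrs: Dict[str, str] = {}
    key: list = []
    val: list = []
    in_key = True
    escaped = False

    def flush() -> None:
        if key:
            attrs.setdefault("".join(key).strip().lower(), "".join(val).strip())

    for ch in dn:
        target = key if in_key else val
        if escaped:
            target.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and in_key:
            in_key = False
        elif ch == "," and not in_key:
            flush()
            key, val, in_key = [], [], True
        else:
            target.append(ch)
    flush()
    return attrs


def render_template(template: str, cert_subject: Optional[str]) -> Optional[str]:
    """Substitute every <certdn.X> in template; None if there is no certificate
    or the certificate lacks an attribute the template references."""
    if not cert_subject:
        return None
    attrs = parse_dn(cert_subject)
    if any(m.group(1).lower() not in attrs for m in _VAR.finditer(template)):
        return None
    return _VAR.sub(lambda m: attrs[m.group(1).lower()], template)


def normalize_mac(calling_station_id: str) -> str:
    """Calling-Station-Id arrives as 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc or
    001122aabbcc depending on the NAS; reduce all forms to 12 lower-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id)
    if len(digits) != 12:
        raise ValueError("Calling-Station-Id is not a MAC address: %r" % calling_station_id)
    return digits.lower()


def resolve_device_id(cert_subject: Optional[str], calling_station_id: str,
                      template: str = "<certdn.cn>",
                      require_certificate: bool = True) -> Tuple[str, str]:
    """Return (device_id, source) following Table 21: the certificate wins;
    with Require Certificate set, no certificate means authentication fails;
    otherwise the MAC from Calling-Station-Id becomes the device identifier."""
    device_id = render_template(template, cert_subject)
    if device_id:
        return device_id, "certificate"
    if require_certificate:
        raise PermissionError("no usable client certificate and Require Certificate is set")
    return normalize_mac(calling_station_id), "mac"


# Constructed sample values (not taken from the guide).
SAMPLE_SUBJECT = "CN=11111111-2222-3333-4444-555555555555, uid=jsmith, o=company"
SAMPLE_CSID = "00-11-22-AA-BB-CC"

if __name__ == "__main__":
    print(resolve_device_id(SAMPLE_SUBJECT, SAMPLE_CSID))
    print(render_template("<certdn.uid>", SAMPLE_SUBJECT))
    print(resolve_device_id(None, SAMPLE_CSID, require_certificate=False))
```

The point a practitioner should take from the fallback branch is that a MAC-derived identifier is only as trustworthy as the NAS that reported it, which is why the guide recommends Require Certificate where certificate security matters.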

Adding the MDM Certificate to the Trusted Client CA Configuration

The system uses the uploaded certificate to verify that the browser-submitted certificate is valid. You must upload the MDM certificate that signed the client certificates pushed to the mobile devices. Typically, you obtain this certificate from the MDM vendor when your company establishes its account with them.

To import a trusted client CA certificate:

1. Select System > Configuration > Certificates > Trusted Client CAs to display the page shown in Figure 42 on page 67.

Figure 42: Trusted Client CA Management Page

2. Click Import CA Certificate to display the page shown in Figure 43 on page 67.

Figure 43: Import Trusted Client CA Page

3. Browse to the certificate file, select it, and click Import Certificate to complete the import operation.

4. Click the link for the Trusted Client CA to display its details. Figure 44 on page 68 shows the configuration for this example.

Figure 44: Trusted Client CA Configuration for MobileIron

Configuring User Roles

User roles are classifiers for network access control policies. You create a set of roles to use in your classification scheme: device status is MDM enrollment complete or incomplete; device status is MDM-policy compliant or non-compliant; device is employee owned or company owned; device platform is iOS, Android, or neither; and so forth.

The user role configuration also includes options to customize user interface features that are appropriate for a particular role. For MDM deployments, you can use the Personalized Greeting UI option to send a notification message to the device when the role has been applied.

To configure user roles:

1. Select Users > User Role to navigate to the role configuration page.
2. Click New Role to display the configuration page shown in Figure 45 on page 70.
3. Complete the configuration for general options as described in Table 23 on page 73.
4. Save the configuration.
5. Click UI options to display the configuration page shown in Figure 46 on page 71.
6. Complete the configuration for UI options as described in Table 23 on page 73.
7. Save the configuration.
8. Click Session Options to display the configuration page shown in Figure 47 on page 72.
9. Complete the configuration for session options as described in Table 23 on page 73.
10. Save the configuration.
11. Click Agentless to display the configuration page shown in Figure 48 on page 73.
12. Complete the configuration for agentless options as described in Table 23 on page 73.
13. Save the configuration.

Figure 45: User Role Configuration Page, General Settings

Figure 46: User Role Configuration Page, UI Options

Figure 47: User Role Configuration Page, Session Options

Figure 48: User Role Configuration Page, Agentless Access

Table 23: User Role Configuration Guidelines

Setting | Guidelines
Overview tab |
Name | Specify a name for the configuration.
Description | Describe the purpose of the role so that other administrators are aware of it.
Options | … role is applied.
UI Options tab |
Personalized greeting | … (via the MDM API) after sign-in and this role has been applied, or after role reevaluation if it results in a role change to this role. In this example, we are using the system to enforce MDM enrollment, flagging compromised devices. The message, therefore, is: … The message is forwarded to the device using the MDM server Push Notification feature.

NOTE: In the case that multiple roles are assigned, UI options are not merged. The UI options for the first role that matches are applied.

Session Options tab |

Table 23: User Role Configuration Guidelines (continued)

Setting | Guidelines
 | … alive. This option is useful for iOS devices.
Agentless | Select this option for roles that you provision to access the network from BYOD devices. The solution that integrates with MDMs depends on the native supplicant, not a Pulse Secure agent.

Configuring a Realm and Role Mapping Rules

The user realm configuration associates the authentication server data and MDM server data with user roles.

To configure the realm and role mapping rules:

1. Select Users > User Realms > New User Realm to display the configuration page shown in Figure 49 on page 75.
2. Complete the configuration as described in Table 24 on page 75.
3. Save the configuration. Upon saving the new realm, the system displays the role mapping rules page.
4. Click New Rule to display the configuration page shown in Figure 50 on page 77.
5. Complete the configuration as described in Table 25 on page 77.
6. Save the configuration.
7. Click the Authentication Policy tab and then click the Certificate sub tab to display the certificate restriction configuration page shown in Figure 51 on page 80.
8. Complete the configuration as described in Table 27 on page 80.
9. Save the configuration.

Figure 49: Realm Configuration Page

Table 24: Realm Configuration Guidelines

Setting | Guidelines
Name | Specify a name for the realm. If you enable sign-in using a realm suffix in the sign-in policy configuration, the realm name must match the user name realm suffix configured in the MDM Wi-Fi profile. See Figure 33 on page 58.
Description | Describe the purpose of the realm so that other administrators are aware of it.
Servers |

Table 24: Realm Configuration Guidelines (continued)

Setting | Guidelines
Authentication | Select the user authentication server for this realm's users. This example uses the certificate server.
User Directory/Attribute | Do not select.
Accounting | Do not select.
Device Attributes | Select the MDM server configured in the earlier step.
Device Check Interval | Specify the interval at which to query the MDM for updated attribute data. Specify 0 to disable periodic queries. The minimum is 10 minutes and the maximum is 7 days (10,080 minutes). Specify an interval that is appropriate for the MDM. Some MDMs, for example, update records every 4 hours, so a 10 minute interval would not be productive. MobileIron suggests polling every 60 minutes.
Dynamic Policy Evaluation | Select this option so that policies are reevaluated when the queries return changed attribute values.
Refresh interval | Do not select.
Refresh roles | Do not select.
Refresh resource policies | Do not select.
Session Migration | Do not select this option. Session migration is useful for endpoints running Pulse Secure client software, which is not the case for the endpoints in this MDM example.

Figure 50: Role Mapping Configuration Page

Table 25: Role Mapping Configuration Guidelines

Setting | Guidelines
Rule based on | Select Device Attribute and click Update to update the configuration page so that it displays settings for role mapping using device attributes.
Name | Specify a name for the configuration.
Rule | Select a device attribute (see Table 26 on page 78), a logical operator (is or is not), and type a matching value or value pattern. In this example, we select iscompromised, the logical operator is, and enter the value 1 (true). This means that devices with incomplete enrollment status match the rule.
Role assignment | Select the roles to apply if the data matches the rule.

TIP: You are likely to create multiple roles and role-mapping rules to assign roles for different policy purposes. Your realm can have a set of rules based on user attribute, group membership, and device attribute. Be mindful that the user and device can map to multiple roles. Use stop rules and order your rules carefully to implement the policy you intend.

Table 26 on page 78 describes the MobileIron record attributes that can be used in role mapping rules.

Table 26: MobileIron Record Attributes

ACS Attribute | MobileIron Attribute | Description | Type
countryname | countryname | Country name corresponding with the country code of the device. | String
deviceid | | Device identifier. |
devicename | name | The concatenated name used to identify the device/user combination. | String
homeoperator | homeoperator | The service operator for the device when it is not roaming. | String
isblocked | isblocked | True if the device is blocked from accessing the ActiveSync server; false otherwise. | Boolean
iscompliant | compliance | True if the device is in compliance with its MDM security policies; false otherwise. | Boolean
iscompromised | compliance | True if the device is compromised; false otherwise. | Boolean
isquarantined | isquarantined | True if the device is quarantined by the MDM; false otherwise. | Boolean
isenrolled | status, statuscode | True if the device has completed enrollment or registration; false otherwise. | Boolean
IMEI | ImeiOrMeid | IMEI number of the device. | String
lastseen | lastconnectat | Date and time the device last made successful contact with the MDM. | Timestamp
macadress | | |
manufacturer | manufacturer | Manufacturer is automatically reported by the device during registration. | String

Table 26: MobileIron Record Attributes (continued)

ACS Attribute | MobileIron Attribute | Description | Type
mdmmanaged | mdmmanaged | Indicates that the MDM profile is enabled on the device. This field applies only to iOS devices. For other devices, the value is always false. | Boolean
model | ModelName, model, device_model | Model is automatically reported by the device during registration. | String
operator | operator | Operator that is associated with the device. | String
osversion | OSVersion, os_version | OS version. | String
ownership | employeeowned | Values: Employee, Corporate, or Shared. | String
phonenumber | currentphonenumber | Phone number entered during registration. | String
platform | platform, platform_name | Platform specified during registration. | String
serialnumber | SerialNumber | Serial number. | String
UDID | iphone UDID | UDID. | String
UUID | uuid | UUID. | String
userid | principal, useruuid | User ID. | String
user address | address | address of device user. | String
username | userdisplayname, userfirstname, userlastname | Name of device user. | String

NOTE: By design, you should be able to specify true or false, or 1 or 0, for Boolean data types in your role mapping rules. Due to an issue in this release, you must use 1 for true and 0 for false.
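To make the TIP and the Boolean NOTE above concrete, here is a small rule engine, added as an example and not Pulse Secure product code, that evaluates Table 25 style rules (a normalized ACS attribute from Table 26, "is" or "is not", a value or wildcard pattern) in order with stop rules, and compares Boolean device data as 1/0 as this release requires. The rule set, role names and device records are constructed; the engine also tolerates true/false in rule values, which the product UI in this release does not.

```python
"""Role mapping on normalized MDM device attributes.

Added example, not Pulse Secure product code. Rules follow Table 25: a
normalized ACS attribute from Table 26, the operator "is" or "is not", and a
value or wildcard pattern; rules run in order and a stop rule ends processing,
as the TIP advises. Boolean device data is compared as 1/0, which is what this
release requires in rule values (the code also tolerates true/false).
Rule names, role names and the sample device records are constructed.
"""
import fnmatch
from typing import Any, Dict, List, NamedTuple


class Rule(NamedTuple):
    name: str
    attribute: str       # normalized ACS attribute name, e.g. iscompromised
    operator: str        # "is" or "is not"
    value: str           # literal, or a pattern such as "Android*"
    roles: List[str]
    stop: bool = False   # stop rule: no later rule is evaluated once this one matches


def normalize(value: Any) -> str:
    """Booleans (and the strings true/false) become "1"/"0"; everything else
    is compared case-insensitively as text."""
    if isinstance(value, bool):
        return "1" if value else "0"
    text = str(value).strip().lower()
    return {"true": "1", "false": "0"}.get(text, text)


def rule_matches(rule: Rule, device: Dict[str, Any]) -> bool:
    """A missing attribute never satisfies "is"; "is not" inverts the test."""
    if rule.operator not in ("is", "is not"):
        raise ValueError("unknown operator %r" % rule.operator)
    present = rule.attribute in device
    hit = present and fnmatch.fnmatchcase(normalize(device[rule.attribute]), normalize(rule.value))
    return hit if rule.operator == "is" else not hit


def map_roles(rules: List[Rule], device: Dict[str, Any]) -> List[str]:
    """Ordered list of roles; the first entry is the one whose UI options
    apply (Table 23 note: UI options are not merged across roles)."""
    roles: List[str] = []
    for rule in rules:
        if rule_matches(rule, device):
            for role in rule.roles:
                if role not in roles:
                    roles.append(role)
            if rule.stop:
                break
    return roles


# Constructed rule set. The first two are stop rules so a compromised or
# unenrolled device never also picks up a "Compliant" or platform role.
RULES = [
    Rule("compromised", "iscompromised", "is", "1", ["Compromised"], stop=True),
    Rule("not-enrolled", "isenrolled", "is", "0", ["Unenrolled"], stop=True),
    Rule("compliant", "iscompliant", "is", "1", ["Compliant"]),
    Rule("android", "platform", "is", "Android*", ["Android"]),
    Rule("byod", "ownership", "is not", "Corporate", ["BYOD"]),
]

# Constructed device records, already normalized to the ACS attribute names.
DEVICES = {
    "android-ok": {"isenrolled": True, "iscompliant": True, "iscompromised": False,
                   "platform": "Android", "ownership": "Employee"},
    "ios-compromised": {"isenrolled": True, "iscompliant": False, "iscompromised": True,
                        "platform": "iOS", "ownership": "Employee"},
    "unenrolled": {"isenrolled": False, "iscompromised": False, "platform": "Android"},
}

if __name__ == "__main__":
    for name, record in DEVICES.items():
        print(name, "->", map_roles(RULES, record))
```

Note that without the stop flag on the first two rules, the compromised device would also be classified by platform and ownership and could pick up roles that a later RADIUS return attribute or resource policy treats as trusted; ordering and stop rules are what keep the remediation classification exclusive.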

Figure 51: Realm Configuration Page, Certificate Restrictions

Table 27: Realm Configuration Certificate Restriction Guidelines

Setting | Guidelines
Allow all users | Do not select this option. If you select this option, the system does not request a client certificate during the TLS handshake.
… certificate | … certificate, the certificate attributes are placed in the session context.
Only allow users with a client-side certificate | If you select this option, the system requests a client certificate during the TLS handshake. It does not allow endpoints to authenticate without a valid client certificate. If the realm is configured with a certificate server, as in this example, this option is the only option that can be selected.

Configuring a Sign-In Policy

A sign-in policy associates devices with a realm.

To configure a sign-in policy:

1. Select Authentication > Signing In > Sign-In Policies to navigate to the sign-in policies configuration page.
2. Click New URL to display the configuration page shown in Figure 52 on page 81.
3. Complete the configuration as described in Table 28 on page 82.
4. Save the configuration.

Figure 52: Sign-In Policy Configuration Page

Table 28: Sign-In Policy Configuration Guidelines

Setting | Guidelines
User type | Select Users.
Description | Describe the purpose of the sign-in policy so that other administrators are aware of it.
Authentication Realm: Realm | Select the realm you configured in the earlier step.
Authentication Realm: Authentication Protocol Set | Select the protocol set you configured in the earlier step.
Authentication Realm: Realm suffix | To use this option, the realm name must match the user name realm suffix configured in the MDM Wi-Fi profile. See Figure 33 on page 58. This configuration enables you to dedicate the realm to the MDM traffic. Non-MDM traffic passing through the same switch then belongs to a different realm.
Remove realm suffix | Remove the realm suffix within system processes, such as rule processing and logs.
Configure Sign-in Notifications: Pre-Auth Sign-in Notification | Not used in this scenario.
Configure Sign-in Notifications: Post-Auth Sign-in Notification | Not used in this scenario.

Configuring an 802.1x Network Access Policy

The 802.1x network access policy framework is used for network communication between the wireless access point and the Access Control Service. This section describes the key configuration elements:

1. Configuring a Location Group on page 82
2. Configuring a RADIUS Client on page 83
3. Configuring a RADIUS Return Attributes Policy on page 85

Configuring a Location Group

A location group associates the RADIUS framework with sign-in pages.

To configure a location group:

1. Select UAC > Network Access > Location Group to navigate to the location group configuration pages.
2. Click New Location Group to display the configuration page shown in Figure 53 on page 83.
3. Complete the configuration as described in Table 29 on page 83.
4. Save the configuration.

Figure 53: Location Group Configuration Page

Table 29: Location Group Configuration Guidelines

Setting | Guidelines
Name | Specify a name for the configuration.
Description | Describe the purpose of the location group so that other administrators are aware of it.
Sign-In Policy | Select the sign-in policy you configured in the earlier step.
 | Do not select for this solution.

Configuring a RADIUS Client

The RADIUS client configuration is used for communication with the 802.1x authenticator, in this case the wireless access point.

To configure a RADIUS client:

1. Select UAC > Network Access > RADIUS client to display the RADIUS client configuration pages.
2. Click New RADIUS Client to display the configuration page shown in Figure 54 on page 84.
3. Complete the configuration as described in Table 30 on page 84.
4. Save the configuration.

Figure 54: RADIUS Client Configuration Page

Table 30: RADIUS Client Configuration Guidelines

Setting | Guidelines
RADIUS Client |
Name | Specify a name for the configuration.
Description | Describe the purpose of the configuration so that other administrators are aware of it.

Table 30: RADIUS Client Configuration Guidelines (continued)

Setting | Guidelines
IP Address Range | Specify the number of IP addresses for the RADIUS authenticator.
 | … authenticator configuration.
Make/Model | Select the make/model of the RADIUS authenticator.
Location Group | Select the location group you configured in the earlier step.
Dynamic Authorization Support | Send disconnect messages to supplicants if access is no longer authorized.

Configuring a RADIUS Return Attributes Policy

The RADIUS return attributes policy is a framework for role-based assignment of traffic to VLANs. The policy specifies the return list attributes to send to an 802.1X network access device, such as which VLAN endpoints must use to access the network. If no policy applies, Open Port is the default action.

To configure a RADIUS return attributes policy:

1. Select UAC > Network Access > RADIUS Attributes > Return Attributes to display the RADIUS return attributes policy configuration pages.
2. Click New Policy to display the configuration page shown in Figure 55 on page 86.
3. Complete the configuration as described in Table 31 on page 87.
4. Save the configuration.

Figure 55: RADIUS Return Attributes Policy Configuration Page

Table 31: RADIUS Return Attributes Policy Configuration Guidelines

Setting | Guidelines
Name | Specify a name for the configuration.
Description | Describe the purpose of the configuration so that other administrators are aware of it.
Location Group | Select the location groups to which this policy applies. In this example scenario, select the location group you configured in the earlier step.
RADIUS Attributes: Open port | Return authorization to open the port. This option does not restrict access to a particular VLAN.
RADIUS Attributes: VLAN | Return a VLAN ID for the VLAN in which to place the traffic. This is the option used in this example.
RADIUS Attributes: Return Attribute | Select and configure other RADIUS attributes to send in the return message. None are configured for this example.
RADIUS Attributes: Add Termination-Action attribute | Add the Termination-Action attribute with a value of 1 to attempt reauthentication after session termination.
Interface | Select the interface that endpoints on this VLAN use to connect to the system.
Roles | Select the roles to which the policy applies.

Configuring a Resource Access Policy

A resource policy enforces role-based access to resources protected by an Infranet Enforcer firewall. You can use the device access management framework to assign roles to devices, and use the resource policy to deny access to resources that should not be downloaded onto a specific device platform, in this example Android devices.

This solution example assumes you have deployed Infranet Enforcers to protect Web servers in your network. This example does not explain how to deploy an Infranet Enforcer. For information on Infranet Enforcer, refer to its documentation.

In this scenario, the role configuration and role mapping configuration create a classification for Android devices. Figure 56 on page 88 shows the user role configuration.
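Table 31 describes the VLAN return policy in terms of the product UI; the script below, added as an example and not Pulse Secure product code, shows what the policy produces on the wire. A VLAN assignment is carried as the RFC 2868 tunnel attributes Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6) and Tunnel-Private-Group-ID=<vlan>, and the Termination-Action option is RFC 2865 attribute 29 with value 1 (RADIUS-Request). Those attribute numbers are standard RADIUS and are not stated on the page; the role-to-VLAN table and first-match policy order are constructed assumptions.

```python
"""Encode the RADIUS return attributes behind a VLAN assignment policy.

Added example, not Pulse Secure product code. Table 31 says the policy returns
a VLAN ID and may add Termination-Action=1; on the wire a VLAN assignment is
the RFC 2868 tunnel attributes Tunnel-Type=VLAN(13), Tunnel-Medium-Type=
IEEE-802(6) and Tunnel-Private-Group-ID=<vlan>, and Termination-Action is RFC
2865 attribute 29 (value 1 = RADIUS-Request). The attribute numbers are
standard RADIUS, not from the page; the role-to-VLAN table and the first-match
policy order are constructed assumptions.
"""
import struct
from typing import Iterable, List, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TERMINATION_ACTION = 29
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
TERMINATION_ACTION_RADIUS_REQUEST = 1   # "attempt reauthentication after session termination"


def _attribute(code: int, payload: bytes) -> bytes:
    """RADIUS TLV: type, total length (2 + payload), payload; payload <= 253 bytes."""
    if not 0 <= len(payload) <= 253:
        raise ValueError("attribute payload too long")
    return struct.pack("BB", code, len(payload) + 2) + payload


def tagged_integer(code: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return _attribute(code, struct.pack("B", tag) + value.to_bytes(3, "big"))


def tagged_string(code: int, tag: int, value: str) -> bytes:
    """RFC 2868 tagged string: one tag byte followed by the string."""
    return _attribute(code, struct.pack("B", tag) + value.encode("ascii"))


def integer(code: int, value: int) -> bytes:
    """Plain RFC 2865 32-bit integer attribute."""
    return _attribute(code, struct.pack(">I", value))


def vlan_return_attributes(vlan_id: int, termination_action: bool = True, tag: int = 1) -> bytes:
    """Attributes for an Access-Accept that places the port in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    attrs = (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
             + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))
    if termination_action:
        attrs += integer(TERMINATION_ACTION, TERMINATION_ACTION_RADIUS_REQUEST)
    return attrs


def decode_attributes(buf: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV stream back into (type, payload) pairs, rejecting a
    truncated or zero-length attribute instead of looping forever."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        code, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed attribute length")
        out.append((code, buf[i + 2:i + length]))
        i += length
    return out


# Constructed policy table: (roles the policy applies to, VLAN to return).
# Policies are checked in order; if none applies the port is simply opened.
POLICIES = [
    ({"Compromised", "Unenrolled"}, 99),   # remediation VLAN
    ({"Compliant"}, 10),                   # production VLAN
]


def return_attributes_for(roles: Iterable[str]) -> bytes:
    """Empty bytes means Open Port: no VLAN attributes are returned."""
    assigned = set(roles)
    for policy_roles, vlan in POLICIES:
        if policy_roles & assigned:
            return vlan_return_attributes(vlan)
    return b""


if __name__ == "__main__":
    print(vlan_return_attributes(10).hex())
    print(decode_attributes(return_attributes_for(["Compliant", "Android"])))
```

Because the remediation policy is listed first, a device carrying both Compromised and Compliant roles lands in VLAN 99; that ordering, together with the stop rules in role mapping, is what prevents a compromised device from reaching the production VLAN.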

Figure 56: User Role Configuration Page, General Settings

Figure 57 on page 89 shows the role mapping configuration.

Figure 57: Role Mapping Configuration Page

To configure a resource access policy:

1. Select UAC > Infranet Enforcer > Resource Access to display the resource access policy configuration pages.
2. Click New Policy to display the configuration page shown in Figure 58 on page 90.
3. Complete the configuration as described in Table 32 on page 91.
4. Save the configuration.

Figure 58: Resource Access Policy Configuration Page

Table 32: Resource Access Policy Configuration Guidelines

Setting | Guidelines
Name | Specify a name for the configuration.
Description | Describe the purpose of the configuration so that other administrators are aware of it.
Resources | Specify the resources to which this policy applies, one per line.
Infranet Enforcer |
Roles | Select the roles to which the policy applies. In this example, Android is selected.
Action | In this example, we deny access from Android devices.
Enforcer Options |

Related Documentation

- Using Logs to Verify Proper Configuration on page 125
- User and Policy Administration Overview on page 129
- Using Policy Tracing and Debug Logs on page 133
- Understanding the Device Access Management Framework on page 3

Deploying a BYOD Policy for Devices Discovered by Pulse Secure Endpoint Profiler

This example shows how to use Access Control Service policies to enable security based on device identity in a bring your own device (BYOD) environment for an enterprise that uses the Pulse Secure Endpoint Profiler to catalog mobile devices that attempt to access the local network. It includes the following information:

- Solution Overview on page 92
- Requirements on page 93
- Configuring the Endpoint Profiler on page 93
- Configuring the Wireless Access Point on page 97
- Configuring the Device Access Management Framework

- Configuring an 802.1x Network Access Policy on page 114
- Configuring a Resource Access Policy on page 119

Solution Overview

In the past, in order to ensure security and manageability of the corporate network, enterprise information technology (IT) departments restricted network access to company-issued equipment. For mobile phones, the classic example was the company-issued BlackBerry handset. As powerful mobile smart phones and tablets have become widely held personal possessions, the trend in enterprise IT has been to stop issuing mobile equipment and instead allow employees to use their personal smart phones and tablets to conduct business activities. This has lowered equipment costs, but BYOD environments pose capacity planning and security challenges: how can an enterprise track network access by non-company-issued devices? Can an enterprise implement policies that restrict which mobile devices can access the network and protected resources, in the same way that network access control solutions restrict user access?

The Pulse Secure Endpoint Profiler can be used to catalog information about mobile devices that attempt to access the local network. You configure the Endpoint Profiler to collect information about mobile devices that attempt to access the local network and store it in an LDAP database. The MAC address is stored as the session attribute callingstationid. This attribute is the filter that the Access Control Service uses to query the Endpoint Profiler LDAP database. The MAC address is the primary key for profiler records, and the record contains other device-related attributes. For mobile devices, the Endpoint Profiler memberofgroup attribute includes information about mobile device platforms (such as Apple or Android). This attribute is useful for role mapping in the familiar Pulse Secure access management framework.
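The query path just described, from the RADIUS Calling-Station-Id to an LDAP filter on callingstationid and then to a platform decision on memberofgroup, is shown below as an added example that is not Pulse Secure product code. The two attribute names come from the text; the RFC 4515 filter escaping, the group-name patterns used to recognise Apple and Android entries, the sample memberofgroup values and the "Apple only" policy are assumptions drawn from the scenario in this section.

```python
"""Build the Endpoint Profiler LDAP query for a device and classify its platform.

Added example, not Pulse Secure product code. The guide states that the MAC
address is stored as callingstationid and is the filter key, and that
memberofgroup carries the platform (Apple, Android). Those two attribute names
are from the page; the filter escaping follows RFC 4515, and the group-name
patterns, the sample values and the "Apple only" policy are assumptions.
"""
import re
from typing import Iterable, Optional

# The exact memberofgroup strings the Profiler writes are not on the page;
# these patterns are an assumption about how to recognise them.
PLATFORM_GROUPS = {
    "Apple": re.compile(r"\b(apple|ios|iphone|ipad)\b", re.IGNORECASE),
    "Android": re.compile(r"\bandroid\b", re.IGNORECASE),
}


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for an assertion value. Calling-Station-Id is a string
    supplied by the NAS, so it is escaped before being spliced into a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def profiler_filter(calling_station_id: str, group: Optional[str] = None) -> str:
    """(callingstationid=<mac>), AND-ed with a memberofgroup test when given."""
    base = "(callingstationid=%s)" % ldap_escape(calling_station_id)
    if group is None:
        return base
    return "(&%s(memberofgroup=%s))" % (base, ldap_escape(group))


def platform_from_groups(memberofgroup: Iterable[str]) -> Optional[str]:
    """First platform whose pattern matches any memberofgroup value, else None."""
    for name in memberofgroup:
        for platform, pattern in PLATFORM_GROUPS.items():
            if pattern.search(name):
                return platform
    return None


def access_allowed(memberofgroup: Iterable[str], allowed_platforms=("Apple",)) -> bool:
    """The example policy from the text: allow access only to Apple mobile
    devices. A record with no recognised platform group is denied."""
    return platform_from_groups(memberofgroup) in allowed_platforms


# Constructed Profiler records keyed by callingstationid (not real data).
SAMPLE_RECORDS = {
    "00-11-22-AA-BB-CC": ["Mobile Devices", "Apple iOS Devices"],
    "00-11-22-DD-EE-FF": ["Mobile Devices", "Android Devices"],
}

if __name__ == "__main__":
    for mac, groups in SAMPLE_RECORDS.items():
        print(profiler_filter(mac), "->", platform_from_groups(groups), access_allowed(groups))
```

The MAC format stored by the Profiler and the format sent by the access point must agree for the equality filter to match; that is an Endpoint Profiler and NAS configuration matter, not something the filter can repair.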
Figure 59 on page 92 shows a deployment with Access Control Service, a wireless access point, and the Pulse Secure Endpoint Profiler. Figure 59: Solution Topology by Pulse Secure, LLC. All rights reserved

The solution shown in this example leverages the Pulse Secure access management framework to support attribute-based network access control for mobile devices. In the device access management framework, the Endpoint Profiler LDAP server is a device authentication server and the LDAP attributes are the basis for access policy determinations. For example, suppose your enterprise wants to enforce a policy that allows access only to Apple mobile devices. You can use the attributes maintained by the Endpoint Profiler in Access Control Service role-mapping rules to implement the policy. The Pulse Secure solution supports attribute-based Layer 2 network access control through familiar RADIUS return attribute policies, and Layer 3 enforcement through resource access policies. For example, you can implement policies that allow BYOD Apple devices to access the network, but deny access to servers when you want to prevent downloads to employee-owned devices.

Requirements

Table 33 on page 93 lists version information for the solution components shown in this example.

Table 33: Component Version Information

Access Control Service: ACS 4.4 R4-MDM or 5.0r1 or later is required.

Endpoint Profiler: The Beacon Endpoint Profiler is used in this example. Any version that supports queries based on the callingstationid attribute and the memberofgroup attribute is compatible.

Wireless access point: A Juniper Networks WLC2 wireless LAN controller and WLA322 access point are used in this example. Any wireless access point that supports deployment as an 802.1x authenticator is compatible.

Configuring the Endpoint Profiler

The following elements of the Endpoint Profiler configuration are important to this solution:
- Network infrastructure: In this example, we want the Endpoint Profiler to listen for traffic on the wireless access point.
- Endpoint profiles: In this example, we are interested in profiles for mobile devices such as smart phones and tablets.
- LDAP: The Access Control Service uses LDAP to communicate with the Endpoint Profiler.

For information about the Endpoint Profiler, start with the documentation notes. The following procedure illustrates the key configuration steps for this solution.

To configure the Endpoint Profiler:

1. Log into the Beacon Endpoint Profiler Web administrator console at <IP address>/beacon/login.html.
2. Select Configuration > Network Devices > Add Network Infrastructure Device and complete the configuration for the wireless access point. Figure 60 on page 94 shows the configuration for a device similar to the one used in this example.

Figure 60: Network Infrastructure Device Configuration Page

3. Use the Endpoint Profiles management pages to configure profiles for mobile devices. For example:
   a. Select Configuration > Profiles > View/Edit Profiles to display the Endpoint Profiles management page. Figure 61 on page 95 shows the Endpoint Profiles listing filtered for the group Smartphone.

   Figure 61: Endpoint Profiles Smartphone Listing

   b. Select the profile you want and click Modify to display its configuration page. Figure 62 on page 95 shows the Apple iPhone profile configuration page.

   Figure 62: Apple iPhone Profile Configuration Page

   c. Select the Yes option to enable the profile and enable the LDAP setting, as shown in Figure 62 on page 95.
   d. Use Chapter 9 of the Great Bay Software Beacon Endpoint Profiler Configuration Guide to configure rules (if desired).
   e. Click Save Profile.
4. Enable the Beacon system to accept LDAP queries and automatically synchronize the LDAP directory with the Beacon database:
   a. Select Configuration > Integrations to display the Integrations management page. Figure 63 on page 96 shows the settings for LDAP integration.

   Figure 63: Integrations Management Page

   b. In the Internal LDAP Directory group of settings, select the Enable option. Verbose logging is optional. Leave the "Bind to endpoint" option disabled unless you are fully aware of the security implications of this option.
5. Update the Beacon Modules to apply the configuration changes.

Configuring the Wireless Access Point

The following wireless access point settings are important in this solution:
- 802.1x authentication
- RADIUS authenticator communication with the Access Control Service RADIUS server
- VLANs, if you want to be able to assign user roles to VLANs

Refer to your vendor's documentation for information about the wireless access point 802.1x configuration. For information about Juniper Networks wireless access controllers, refer to the Juniper Networks wireless LAN services documentation. Figure 64 on page 98 shows the 802.1x configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 64: WLC 802.1x Authentication Configuration

Figure 65 on page 98 shows the RADIUS configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 65: WLC RADIUS Configuration

Figure 66 on page 99 shows the VLAN configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 66: WLC VLAN Configuration

Configuring the Device Access Management Framework

This section describes the basic steps for configuring the device access management framework:

1. Configuring an Authentication Protocol Set
2. Configuring an Authentication Server
3. Configuring User Roles
4. Configuring a Realm and Role Mapping Rules
5. Configuring a Sign-In Policy on page 112

Configuring an Authentication Protocol Set

The authentication protocol set associated with the sign-in page must include the EAP methods supported by the wireless access point for mobile client access. The predefined authentication protocol set named 802.1x, shown in Figure 67 on page 100, includes the most commonly used EAP methods.

Figure 67: Authentication Protocol Set Configuration Page

If you want to define a custom set for this solution, complete the following procedure.

To configure the authentication protocol set:

1. Select Signing In > Authentication Protocols to display the configuration page.
2. Click New Authentication Protocol, or select the predefined 802.1x set and click Duplicate.
3. Complete the configuration as described in Table 34.
4. Save the configuration.

Table 34: Authentication Protocol Set Configuration Guidelines

Name: Specify a name for the protocol set. Describe the purpose of the set so that other administrators are aware of it.

Authentication Protocol: Use the Add/Remove buttons to select the protocols to be used. Use the up/down arrows to list the selected protocols in the preferred order.

TLS: Use the Add/Remove buttons to select the protocols to be used. Use the up/down arrows to list the selected protocols in the preferred order.

Configuring an Authentication Server

The authentication server configuration is used by the system to communicate with the Endpoint Profiler. In the device access management framework, the Endpoint Profiler LDAP server is used as the device authorization server.

To configure the authentication server:

1. Select Authentication > Auth Servers to navigate to the authentication server configuration pages.
2. Select LDAP Server and click New Server to display the configuration page shown in Figure 68.
3. Complete the configuration as described in Table 35.
4. Save the configuration.

Figure 68: Authentication Server Configuration Page

Table 35: Authentication Server Configuration Guidelines

Name: Specify a name to identify the server within the system.

LDAP Port: Specify the LDAP port for the LDAP server. Default port number: 389 (unencrypted connection) or 636 (SSL connection).

The specified backup LDAP server is used for failover processing. The authentication request is first routed to the primary LDAP server, and then to the specified backup servers if the primary server is unreachable.

Backup LDAP Port1: Specify the parameters for backup LDAP port 1.

Backup LDAP Port2: Specify the parameters for backup LDAP port 2.

Connection: Select one of the following options for the connection to the LDAP server:
- Unencrypted: The device sends the username and password to the LDAP Directory Service in cleartext.
- LDAPS: The device encrypts the data in the LDAP authentication session using the Secure Socket Layer (SSL) protocol before sending it to the LDAP Directory Service.
- Start TLS: The device allows both secure and plain requests against an LDAP server on a single connection.

NOTE: If you select LDAPS or Start TLS, the Validate Certificate option is displayed for the configured LDAP server(s) and its referral servers. Select this option if the SSL connection uses digital certificate security. If you enable validation for the referral servers, make sure your network DNS supports a reverse lookup zone. If you want to verify the server certificates, the root CA and intermediate CAs must be imported as trusted CAs.

Search Timeout (seconds): Specify the time to wait for search results from a connected LDAP server. Default: 15 seconds.

Authentication required?: Specify whether authentication is required for LDAP operations.

Admin DN: Specify the administrator DN for queries to the LDAP directory. For example, cn=root,o=beacon.

Finding user entries

Filter: Specify a unique variable that can be used to do a fine search in the tree. For example, macaddress=<callingstationid>.

NOTE: Specify the URL for the Endpoint Profiler viewer. This URL is used to link records on the Active Users page to the Endpoint Profiler records. The URL for the Endpoint Profiler viewer for this example has the following form:

Remove Domain from Windows user names?

Enable Challenge-Response open protocols?

Determining group membership

Base DN: Not supported in this release.

Filter: Not supported in this release.

Member Attribute: Not supported in this release.

Reverse group search: Not supported in this release.

Query Attribute: Not supported in this release.

Nested Group Level: Not supported in this release.

Nested Group Search: Not supported in this release.

NOTE: The Access Control Service uses the internal interface for traffic with the Endpoint Profiler. You must enable the internal interface and have a route to the Endpoint Profiler.

Configuring User Roles

User roles are classifiers for network access control policies. You create a set of roles to use in your classification scheme: for example, device platform is iOS, Android, or neither.

To configure user roles:

1. Select Users > User Role to navigate to the role configuration page.
2. Click New Role to display the configuration page shown in Figure 69.
3. Complete the configuration for general options as described in Table 36.
4. Save the configuration.
5. Click Session Options to display the configuration page shown in Figure 70.
6. Complete the configuration for session options as described in Table 36.
7. Save the configuration.
8. Click Agentless to display the configuration page shown in Figure 71.
9. Complete the configuration for agentless options as described in Table 36.
10. Save the configuration.
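The Filter setting in Table 35 (macaddress=<callingstationid>) is the point where a value supplied by the RADIUS authenticator is spliced into an LDAP query, so the value should be validated and escaped before the query is sent to the Endpoint Profiler. The following is an added example in Python, not Pulse Secure code and not the product's own query logic: it normalizes the Calling-Station-Id, builds the filter from the template, and runs it against a constructed stand-in for the profiler directory. The record layout, the stored MAC form, the helper names and the sample records are assumptions made for this example.

```python
"""Build and run the profiler lookup that Table 35 describes.

Added example, not Pulse Secure code.  The filter template
macaddress=<callingstationid> and the callingstationid variable come from the
page; the record layout, the canonical MAC form, and the helper names are
assumptions made for this example.
"""
import re

# RFC 4515 escaping for characters that are special inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is spliced into an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def normalize_mac(calling_station_id: str):
    """Return the MAC from a RADIUS Calling-Station-Id in lower-case colon form,
    or None if the value is not a 48-bit MAC.

    Authenticators send several spellings (00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc,
    0011.22aa.bbcc, 001122AABBCC); the form the profiler stores is assumed here.
    """
    digits = re.sub(r"[-:.]", "", calling_station_id.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_filter(template: str, calling_station_id: str) -> str:
    """Substitute <callingstationid> into the Table 35 filter template.

    The value must parse as a MAC, so a Calling-Station-Id that carries filter
    syntax is rejected outright; it is then escaped anyway, so the substitution
    can never change the structure of the filter.
    """
    mac = normalize_mac(calling_station_id)
    if mac is None:
        raise ValueError(f"Calling-Station-Id is not a MAC address: {calling_station_id!r}")
    return "(" + template.replace("<callingstationid>", escape_filter_value(mac)) + ")"


# Constructed stand-in for the Endpoint Profiler directory: one entry per MAC.
PROFILER_RECORDS = [
    {"macaddress": "00:11:22:aa:bb:cc",
     "memberofgroup": ["cn=Apple iPad/iPhone/iPod,ou=Smartphone,o=beacon"]},
    {"macaddress": "00:11:22:dd:ee:ff",
     "memberofgroup": ["cn=Android,ou=Smartphone,o=beacon"]},
]

_EQUALITY = re.compile(r"^\((\w+)=([^()]*)\)$")


def query(records, ldap_filter: str):
    """Evaluate a single equality filter such as (macaddress=00:11:22:aa:bb:cc)
    against the constructed records, the way the LDAP search would."""
    m = _EQUALITY.match(ldap_filter)
    if m is None:
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    attr, value = m.group(1), m.group(2)
    return [r for r in records if r.get(attr) == value]


def device_groups(calling_station_id: str):
    """memberofgroup values for the device behind a Calling-Station-Id, or []."""
    ldap_filter = build_filter("macaddress=<callingstationid>", calling_station_id)
    hits = query(PROFILER_RECORDS, ldap_filter)
    return hits[0]["memberofgroup"] if hits else []


if __name__ == "__main__":
    print(build_filter("macaddress=<callingstationid>", "00-11-22-AA-BB-CC"))
    print(device_groups("0011.22aa.bbcc"))
```

The strict parse is what matters: the memberofgroup values returned here drive role mapping, so a lookup that could be widened by a crafted Calling-Station-Id would let an unprofiled device borrow another record's classification. Escaping is kept as a second layer in case the template is ever changed to carry a free-form variable.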

Figure 69: User Role Configuration Page, General Settings

Figure 70: User Role Configuration Page, Session Options

Figure 71: User Role Configuration Page, Agentless Access

Table 36: User Role Configuration Guidelines

General

Name: Specify a name for the configuration.

Description: Describe the purpose of the role so that other administrators are aware of it.

Session Options

Allow VPN Through Firewall: Enable this option to allow Infranet Enforcer traffic to act as a heartbeat and keep the session alive. This option is especially useful for iOS devices.

Agentless

Enable agentless access: Select this option for roles that you provision to access the network from BYOD devices. The solution that integrates with MDMs depends on the native supplicant, not a Pulse Secure agent.

Configuring a Realm and Role Mapping Rules

The user realm configuration associates the MDM server data with user roles.

To configure the realm and role mapping rules:

1. Select Users > User Realms > New User Realm to display the configuration page shown in Figure 72.
2. Complete the configuration as described in Table 37.
3. Save the configuration. Upon saving the new realm, the system displays the role mapping rules page.
4. Click New Rule to display the configuration page shown in Figure 73.

5. Complete the configuration as described in Table 38.
6. Save the configuration.

Figure 72: Realm Configuration Page

Table 37: Realm Configuration Guidelines

Name: Specify a name for the realm. Describe the purpose of the realm so that other administrators are aware of it.

Servers

Authentication: Select the user authentication server for this realm's users. The local authentication server is shown in this example. You can select the authentication server used for your employees. If you do not want to prompt users for credentials, you can select a certificate server. In this case, complete the following steps:
- Create a certificate authority to use for authenticating your enterprise BYOD devices.
- Add the certificate to the Trusted Client CA configuration.
- Select the certificate server in the realm configuration.

User Directory/Attribute: Do not select.

Accounting: Do not select.

Device Attributes: Select the Profiler LDAP server configured in the earlier step.

Device Check Interval: Specify 0 to disable periodic queries. The minimum is 10 minutes and the maximum is 10080 minutes (7 days). This option enhances security by enabling device posture reevaluation. Consider a use case where an attacker is faking the MAC address. The attacker might gain access based on prior classification, for example as an IP phone. By the next device check interval, the Profiler has already detected it and reclassified the device. When the Device Check Interval option is selected, the Access Control Service system polls the user and device information again and reevaluates the role mapping to interrupt such an attack. Here, the device can be assigned a role that places it in a remediation VLAN.

Dynamic Policy Evaluation: Not recommended.

Refresh interval: Not recommended.

Refresh resource policies: Not recommended.

Session Migration

Session Migration: Do not select this option. Session migration is useful for endpoints running Pulse Secure client software, which is not the case for the endpoints in this example.

Figure 73: Role Mapping Configuration Page

Table 38: Role Mapping Configuration Guidelines

Rule based on: Select Device Attribute and click Update to update the configuration page so that it displays settings for role mapping using device attributes.

Name: Specify a name for the configuration.

Rule: Select memberofgroup, a logical operator (is or is not), and type a matching value or value pattern. The pattern used in this example matches Apple devices: cn=*apple ipad/iphone/ipod*

Role assignment: Select the roles to apply if the data matches the rule.

TIP: You are likely to create multiple roles and role-mapping rules to assign roles for different policy purposes. Your realm can have a set of rules based on user attribute, group membership, and device attribute. Be mindful that the user and device can map to multiple roles. Use stop rules and order your rules carefully to implement the policy you intend.

Configuring a Sign-In Policy

A sign-in policy associates devices with a realm.

To configure a sign-in policy:

1. Select Authentication > Signing In > Sign-In Policies to navigate to the sign-in policies configuration page.
2. Click New URL to display the configuration page shown in Figure 74.
3. Complete the configuration as described in Table 39.
4. Save the configuration.

Figure 74: Sign-In Policy Configuration Page

Table 39: Sign-In Policy Configuration Guidelines

User type: Select Users.

Description: Describe the purpose of the sign-in policy so that other administrators are aware of it.

Authentication Realm

Realm: Select the realm you configured in the earlier step.

Authentication Protocol Set: Select the protocol set you configured in the earlier step.

Realm suffix: Not applicable in this scenario.

Remove realm suffix: Not applicable in this scenario.

Configure Sign-in Notifications

Pre-Auth Sign-in Notification: Not applicable in this scenario.

Post-Auth Sign-in Notification: Not applicable in this scenario.

Configuring an 802.1x Network Access Policy

The 802.1x network access policy framework is used for network communication between the wireless access point and the Access Control Service. This section describes the key configuration elements:

1. Configuring a Location Group
2. Configuring a RADIUS Client
3. Configuring a RADIUS Return Attributes Policy on page 117

Configuring a Location Group

A location group associates the RADIUS framework with sign-in pages.

To configure a location group:

1. Select UAC > Network Access > Location Group to navigate to the location group configuration pages.
2. Click New Location Group to display the configuration page shown in Figure 75.
3. Complete the configuration as described in Table 40.
4. Save the configuration.

Figure 75: Location Group Configuration Page

Table 40: Location Group Configuration Guidelines

Name: Specify a name for the configuration.

Description: Describe the purpose of the location group so that other administrators are aware of it.

Sign-In Policy: Select the sign-in policy you configured in the earlier step.

Other options: Do not select for this solution.

Configuring a RADIUS Client

The RADIUS client configuration is used for communication with the 802.1x authenticator, in this case the wireless access point.

To configure a RADIUS client:

1. Select UAC > Network Access > RADIUS Client to display the RADIUS client configuration pages.
2. Click New RADIUS Client to display the configuration page shown in Figure 76.
3. Complete the configuration as described in Table 41.
4. Save the configuration.

Figure 76: RADIUS Client Configuration Page

Table 41: RADIUS Client Configuration Guidelines

RADIUS Client

Name: Specify a name for the configuration.

Description: Describe the purpose of the configuration so that other administrators are aware of it.

IP Address Range: Specify the number of IP addresses for the RADIUS authenticator.

Make/Model: Select the Make/Model of the RADIUS authenticator.

Location Group: Select the location group you configured in the earlier step.

Dynamic Authorization Support: Send disconnect messages to supplicants if access is no longer authorized.

Configuring a RADIUS Return Attributes Policy

The RADIUS return attributes policy is a framework for role-based assignment of traffic to VLANs. The policy specifies the return list attributes to send to an 802.1X network access device, such as which VLAN endpoints must use to access the network. If no policy applies, Open Port is the default action.

To configure a RADIUS return attributes policy:

1. Select UAC > Network Access > RADIUS Attributes > Return Attributes to display the RADIUS return attributes policy configuration pages.
2. Click New Policy to display the configuration page shown in Figure 77.
3. Complete the configuration as described in Table 42.
4. Save the configuration.

Figure 77: RADIUS Return Attributes Policy Configuration Page

Table 42: RADIUS Return Attributes Policy Configuration Guidelines

Name: Specify a name for the configuration. Describe the purpose of the configuration so that other administrators are aware of it.

Location Group: Select the location groups for which this policy applies. In this example scenario, select the location group you configured in the earlier step.

RADIUS Attributes

Open port: Return authorization to open the port. This option does not restrict access to a particular VLAN.

VLAN: Return a VLAN ID for the VLAN in which to place the traffic. This is the option used in this example, in order to place Apple devices in the normal employee VLAN.

Return Attribute: Select and configure other RADIUS attributes to send in the return message. None are configured for this example.

Add Termination-Action attribute: Add the Termination-Action attribute with a value of 1 to attempt reauthentication after session termination.

Interface

Interface: Select the interface that endpoints on this VLAN use to connect to the system.

Roles

Roles: Select the roles to which the policy applies.

Configuring a Resource Access Policy

A resource policy enforces role-based access to resources protected by an Infranet Enforcer firewall. You use the device access management framework to assign roles to devices, and use the resource policy to deny access to resources that should not be downloaded onto employee-owned devices.

This solution example assumes you have deployed Infranet Enforcers to protect Web servers in your network. This example does not explain how to deploy an Infranet Enforcer. For information on the Infranet Enforcer, refer to its documentation.

To configure a resource access policy:

1. Select UAC > Infranet Enforcer > Resource Access to display the resource access policy configuration pages.
2. Click New Policy to display the configuration page shown in Figure 78.
3. Complete the configuration as described in Table 43.
4. Save the configuration.

Figure 78: Resource Access Policy Configuration Page

Table 43: Resource Access Policy Configuration Guidelines

Name: Specify a name for the configuration. Describe the purpose of the configuration so that other administrators are aware of it.

Resources: Specify the resources for which this policy applies, one per line.

Infranet Enforcer

Roles

Action

Enforcer Options

Related Documentation
- Understanding the Device Access Management Framework on page 3
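Tables 38, 42 and 43, together with the TIP on rule ordering and the Device Check Interval guideline in Table 37, describe one decision chain: device attributes map to roles, roles select a RADIUS return attributes policy (a VLAN, or Open Port when no policy applies), and roles select an Infranet Enforcer resource access action. The following added Python example, which is not Pulse Secure code and does not reproduce the product's own matching engine, walks that chain for constructed devices and shows what a reevaluation at the next device check interval does once the Profiler has reclassified a device. The case-insensitive wildcard semantics, the RFC 2868 attribute encoding, the outcome when no resource policy matches, and all names and sample values are assumptions.

```python
"""Role mapping -> RADIUS return attributes -> resource access for a profiled
device.  Added example, not Pulse Secure code.  The pattern, stop-rule ordering,
Open Port default and Termination-Action=1 follow the page; wildcard semantics,
attribute encodings, names and sample values are assumptions."""
import fnmatch
from dataclasses import dataclass
from typing import Optional


@dataclass
class RoleMappingRule:
    name: str
    attribute: str        # device attribute tested, e.g. memberofgroup
    operator: str         # "is" or "is not"
    pattern: str          # literal value or * wildcard pattern
    roles: list
    stop: bool = False    # stop evaluating later rules after a match


def rule_matches(rule, device_attrs):
    """Any value of the attribute matches the pattern (case-insensitive, assumed)."""
    values = device_attrs.get(rule.attribute, [])
    values = [values] if isinstance(values, str) else values
    hit = any(fnmatch.fnmatchcase(v.lower(), rule.pattern.lower()) for v in values)
    return hit if rule.operator == "is" else not hit


def map_roles(rules, device_attrs):
    """Walk the realm's rules in order, collecting roles until a stop rule fires."""
    roles = []
    for rule in rules:
        if rule_matches(rule, device_attrs):
            roles.extend(r for r in rule.roles if r not in roles)
            if rule.stop:
                break
    return roles


@dataclass
class ReturnAttributePolicy:
    name: str
    location_groups: list
    roles: list
    vlan_id: Optional[int] = None   # None selects the Open port option
    termination_action: bool = False


def return_attributes(policies, location_group, roles):
    """First policy matching the location group and any role wins; no match
    means Open Port, as the page states."""
    for p in policies:
        if location_group in p.location_groups and set(p.roles) & set(roles):
            if p.vlan_id is None:
                return {"action": "open-port"}
            # VLAN assignment triple from RFC 2868: Tunnel-Type VLAN (13),
            # Tunnel-Medium-Type IEEE-802 (6), Tunnel-Private-Group-ID = VLAN ID.
            attrs = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                     "Tunnel-Private-Group-ID": str(p.vlan_id)}
            if p.termination_action:
                attrs["Termination-Action"] = 1   # 1 = RADIUS-Request (reauthenticate)
            return {"action": "vlan", "attributes": attrs}
    return {"action": "open-port"}


@dataclass
class ResourceAccessPolicy:
    name: str
    resources: list       # one resource pattern per line in the UI
    roles: list
    action: str           # "allow" or "deny"


def resource_decision(policies, roles, resource):
    """Action of the first policy covering both a role and the resource, or None
    when no policy applies (the Enforcer's own default rule then decides)."""
    for p in policies:
        if set(p.roles) & set(roles) and any(
                fnmatch.fnmatchcase(resource, pat) for pat in p.resources):
            return p.action
    return None


# Constructed configuration in the spirit of Tables 38, 42 and 43.  Restrictive
# rules come first and carry the stop flag, as the TIP recommends.
RULES = [
    RoleMappingRule("android", "memberofgroup", "is", "cn=*android*", ["Android"], stop=True),
    RoleMappingRule("apple", "memberofgroup", "is", "cn=*apple ipad/iphone/ipod*",
                    ["Apple", "Employee"], stop=True),
    RoleMappingRule("unclassified", "memberofgroup", "is not",
                    "cn=*apple ipad/iphone/ipod*", ["Remediation"]),
]
RETURN_POLICIES = [
    ReturnAttributePolicy("employee-vlan", ["wlc-byod"], ["Employee"], 100, True),
    ReturnAttributePolicy("remediation-vlan", ["wlc-byod"], ["Remediation", "Android"], 999),
]
RESOURCE_POLICIES = [
    ResourceAccessPolicy("no-android-downloads", ["fileserver.example.internal"],
                         ["Android"], "deny"),
]


def evaluate(device_attrs, location_group, resource):
    """One access attempt end to end.  Re-run this at every Device Check Interval:
    a device the Profiler has since reclassified lands in different roles."""
    roles = map_roles(RULES, device_attrs)
    return {"roles": roles,
            "radius": return_attributes(RETURN_POLICIES, location_group, roles),
            "resource": resource_decision(RESOURCE_POLICIES, roles, resource)}


if __name__ == "__main__":
    for groups in (["cn=Apple iPad/iPhone/iPod,ou=Smartphone,o=beacon"],
                   ["cn=Android,ou=Smartphone,o=beacon"], []):
        print(evaluate({"memberofgroup": groups}, "wlc-byod", "fileserver.example.internal"))
```

The third rule is the safety net: a device whose memberofgroup the Profiler has not yet populated, or has just changed, falls through the stop rules and lands in the remediation VLAN instead of inheriting a permissive role, which is the reevaluation the Device Check Interval guideline describes.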

PART 3: Administration
- Verifying Proper Configuration on page 125
- Tuning the Configuration

CHAPTER 3: Verifying Proper Configuration
- Using Logs to Verify Proper Configuration on page 125

Using Logs to Verify Proper Configuration

During initial configuration, enable event logs for MDM API calls. You can use these logs to verify proper configuration. After you have verified proper configuration, you can disable logging for these events and enable it again only for troubleshooting.

To enable logging for MDM API calls:

1. Select System > Log/Monitoring.
2. Click the Events tab.
3. Click the Settings tab to display the configuration page shown in Figure 79.
4. Enable logging for MDM API events and save the configuration.

Figure 79: Events Log Settings

After you have completed the MDM server configuration, you can view system event logs to verify that the polling is occurring.

To display the Events log:

1. Select System > Log/Monitoring.
2. Click the Events tab.
3. Click the Log tab.

Figure 80 on page 127 shows the Events log.

Figure 80: Events Log

Next, to verify user access, you can attempt to connect to a wireless access point with your smart phone, and then view the user access logs.

To display the User Access log:

1. Select System > Log/Monitoring.
2. Click the User Access tab.
3. Click the Log tab.

Figure 81 on page 128 shows the User Access log.

Figure 81: User Access Log

Related Documentation
- Deploying a BYOD Policy for AirWatch Managed Devices on page 9
- Deploying a BYOD Policy for MobileIron Managed Devices

CHAPTER 4: Tuning the Configuration
- User and Policy Administration Overview on page 129

User and Policy Administration Overview

After you have verified proper configuration, you are not likely to need to tune the authentication server configuration, the 802.1x framework, or the enforcement points. However, based on user experience, MDM capabilities, or new security threats, there are a few configuration elements you might want to tune from time to time. Table 44 on page 129 describes these configuration elements.

Table 44: Tuning the Configuration

Remediation: In a network access control solution, non-compliant endpoints are typically placed in a remediation VLAN that serves a Web page explaining the steps users can take to make their endpoints compliant so that they can access the network. Your reasons for denying access might change from time to time. For example, your initial policy might be based on compliance with an MDM policy, and you can give steps on how to bring a device into compliance. You might want to set an expectation on how long it takes for the MDM to reassess compliance. You might want to factor in the Access Control Service device check interval to estimate how long until the device can access the network. When there are new threats that exploit vulnerabilities in specific mobile platforms, you might create rules on the fly that deny access from specific platforms. If events like this occur, you might want to update your remediation message so that users can understand why access is denied.

Device check interval: You might want to tune this setting as you learn how frequently the MDM updates device records, or if the standard practice of the MDM changes. If the MDM records are updated every four hours, it does not make sense to poll every 10 minutes. If the MDM records are updated in real time, it might make sense to poll every 10 minutes.

Roles and role mapping rules: As you learn about mobile security threats and vulnerabilities, you might make changes to roles and role mapping rules or create new classifications. In general, you list restrictive rules first and set the stop flag. For example, if a device is non-compliant and maps to a non-compliant role, you would list it near the top of the rules for the realm and set the stop flag. Classification based on device type or platform can be more complicated. When you initially roll out your BYOD solution, you might want to use roles merely to classify the devices, and so the rule classifying a device would not need to be near the top of the list and would not need to have a stop flag. In response to a threat, however, you might want to use the role and role mapping configuration to deny access from a specific device platform. If events like this occur, you can edit your rules to map the vulnerable platform to an appropriate role and set the stop flag so that permissive roles are not assigned.

RADIUS return attributes policy: Likewise, in response to threats and vulnerabilities, you can edit your rules to place formerly trusted device types into a remediation or guest VLAN instead of an employee VLAN, and then allow access again when you are no longer concerned with the threat.

Infranet Enforcer resource access policy: Likewise, in response to threats and vulnerabilities, you can edit your rules to deny access from formerly trusted device types, and then allow access again when you are no longer concerned with the threat.

Related Documentation
- Deploying a BYOD Policy for AirWatch Managed Devices on page 9
- Deploying a BYOD Policy for MobileIron Managed Devices

145 PART 4 Troubleshooting Tools on page by Pulse Secure, LLC. All rights reserved 131

146 Device Access Management Framework Feature Guide by Pulse Secure, LLC. All rights reserved

147 CHAPTER 5 Tools Using Policy Tracing and Debug Logs Using Policy Tracing and Debug Logs on page 133 This topic describes the troubleshooting tools available to diagnose issues. It includes the following information: Using Policy Tracing to Troubleshoot Access Issues on page 133 Using the Debug Log on page 134 Using Policy Tracing to Troubleshoot Access Issues It is common to encounter a situation where the system denies a user access to the network or to resources, and the user logs a trouble ticket. You can use the policy tracing utility and log to determine whether the system is working as expected and properly restricting access, or whether the user configuration or policy configuration needs to be updated to enable access in the user s case. To create a policy trace log: 1. Select Troubleshooting > User Sessions > Policy Tracing to display the configuration page. 2. Select the events to trace, typically all but Host Enforcer and IF-MAP, unless you have enabled those features. 3. Click Start Recording. 4. Initiate the action you want to trace, such as a user sign in. 5. Click View Log to display the policy trace results log. 6. Click Stop Recording when you have enough information. Figure 82 on page 134 shows policy trace results by Pulse Secure, LLC. All rights reserved 133

Figure 82: Policy Tracing Results

Using the Debug Log

The Pulse Secure Global Support Center (PSGSC) might direct you to create a debug log to assist them in helping you debug an issue with the system. The debug log is used only by PSGSC.

To use debug logging:
1. Select Troubleshooting > Monitoring > Debug Log to display the configuration page shown in Figure 83.
2. Complete the configuration as described in Table 45.
3. Click Save Changes. When you save changes with Debug Logging On selected, the system begins generating debug log entries.
4. Initiate the action you want to debug, such as a user sign in. If it takes you too long to initiate the action, you can reset the debug log file to restart debug logging.
5. Click Save Debug Log to save the debug log to a file that you can send to PSGSC. You can clear the log after you have saved it to a file.
6. Unselect Debug Logging On and click Save Changes to turn off debug logging. Leave debug logging on only as long as needed to capture the issue.

Figure 83: Debug Logging Configuration Page

Table 45: Debug Log Configuration Guidelines

Current Log Size: Displays the size of the current log file. If it is large, use the controls to save, reset, or clear the log file.
Debug Logging On: Select this option to turn debug logging on. The system begins generating debug log entries when you save changes with this option selected; unselect it and save changes again to turn debug logging off.
Debug Log Size: Specify a maximum debug log file size. The default is 2 MB. The maximum is 250 MB.
Debug Log Detail Level: Specify the debug log detail level. Obtain this from PSGSC.
Include logs: Select this option to include system logs in the debug log file. Recommended.
Event Codes: Specify the event codes. Obtain these from PSGSC. For MDM integration issues, PSGSC typically collects debugging information for the codes MDM, Auth, agentman, and Realm. The text is not case sensitive.

Related Documentation
Using Logs to Verify Proper Configuration on page 125
Deploying a BYOD Policy for AirWatch Managed Devices on page 9
Deploying a BYOD Policy for MobileIron Managed Devices


More information

GlobalProtect Configuration for IPsec Client on Apple ios Devices

GlobalProtect Configuration for IPsec Client on Apple ios Devices GlobalProtect Configuration for IPsec Client on Apple ios Devices Tech Note PAN-OS 4.1 Revision D 2013, Palo Alto Networks, Inc. www.paloaltonetworks.com CONTENTS OVERVIEW... 3 PREREQUISITES... 3 GLOBALPROTECT

More information

Junos OS. Installation and Upgrade Guide. Release 14.1. Modified: 2016-06-17. Copyright 2016, Juniper Networks, Inc.

Junos OS. Installation and Upgrade Guide. Release 14.1. Modified: 2016-06-17. Copyright 2016, Juniper Networks, Inc. Junos OS Installation and Upgrade Guide Release 14.1 Modified: 2016-06-17 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks, Junos,

More information

Cloud Services MDM. ios User Guide

Cloud Services MDM. ios User Guide Cloud Services MDM ios User Guide 10/24/2014 CONTENTS Overview... 3 Supported Devices... 3 System Capabilities... 3 Enrollment and Activation... 4 Download the Agent... 4 Enroll Your Device Using the Agent...

More information

Integration Guide. SafeNet Authentication Service. SAS Using RADIUS Protocol with Microsoft DirectAccess

Integration Guide. SafeNet Authentication Service. SAS Using RADIUS Protocol with Microsoft DirectAccess SafeNet Authentication Service Integration Guide SAS Using RADIUS Protocol with Microsoft DirectAccess Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet,

More information

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0 Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features

More information

Introduction to Google Apps for Business Integration

Introduction to Google Apps for Business Integration Introduction to Google Apps for Business Integration Overview Providing employees with mobile email access can introduce a number of security concerns not addressed by most standard email security infrastructures.

More information

Junos Space. Network Monitoring. Release 13.3. Published: 2014-10-19. Copyright 2014, Juniper Networks, Inc.

Junos Space. Network Monitoring. Release 13.3. Published: 2014-10-19. Copyright 2014, Juniper Networks, Inc. Junos Space Network Monitoring Release 13.3 Published: 2014-10-19 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

Junos Pulse Mobile Security Dashboard

Junos Pulse Mobile Security Dashboard Junos Pulse Mobile Security Dashboard User Guide Release 4.0 June 2012 R1 Copyright 2012, Juniper Networks, Inc. . Junos Pulse Mobile Security Dashboard Juniper Networks, Inc. 1194 North Mathilda Avenue

More information

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0 Administration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2015-01-16 SWD-20150116150104141 Contents Introduction... 9 About this guide...10 What is BES12?...11 Key features of BES12...

More information

Web Authentication Proxy on a Wireless LAN Controller Configuration Example

Web Authentication Proxy on a Wireless LAN Controller Configuration Example Web Authentication Proxy on a Wireless LAN Controller Configuration Example Document ID: 113151 Contents Introduction Prerequisites Requirements Components Used Conventions Web Authentication Proxy on

More information

GPC JagTalk Secure Wireless Network. Connection Instructions

GPC JagTalk Secure Wireless Network. Connection Instructions GPC JagTalk Secure Wireless Network Connection Instructions Contents Windows 10... 2 Windows 7... 4 Windows 8 / Surface... 6 Android... 7 BlackBerry... 9 Mac OS X... 10 Apple ios Devices... 12 1 Connecting

More information

WebApp Secure 5.5. Published: 2014-06-27. Copyright 2014, Juniper Networks, Inc.

WebApp Secure 5.5. Published: 2014-06-27. Copyright 2014, Juniper Networks, Inc. WebApp Secure 5.5 Published: 2014-06-27 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper Networks, Junos, Steel-Belted

More information

http://docs.trendmicro.com/en-us/home.aspx

http://docs.trendmicro.com/en-us/home.aspx Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Sophos Mobile Control Startup guide. Product version: 3.5

Sophos Mobile Control Startup guide. Product version: 3.5 Sophos Mobile Control Startup guide Product version: 3.5 Document date: July 2013 Contents 1 About this guide...3 2 What are the key steps?...5 3 Log in as a super administrator...6 4 Activate Sophos Mobile

More information