Pulse Policy Secure. Device Access Management Framework Feature Guide. Product Release 5.1. Published: 2015-02-10. Document Revision 1.




Pulse Policy Secure
Device Access Management Framework Feature Guide
Product Release 5.1
Document Revision 1.0
Published: 2015-02-10
2015 by Pulse Secure, LLC. All rights reserved

Pulse Secure, LLC
2700 Zanker Road, Suite 200
San Jose, CA 95134
http://www.pulsesecure.net

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Pulse Policy Secure Device Access Management Framework Feature Guide
The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT
The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About the Documentation ... xi
    Documentation and Release Notes ... xi
    Supported Platforms ... xi
    Documentation Conventions ... xi
    Documentation Feedback ... xiii
    Requesting Technical Support ... xiii
        Self-Help Online Tools and Resources ... xiv
        Opening a Case with PSGSC ... xiv

Part 1 Overview
Chapter 1 Feature Overview ... 3
    Understanding the Device Access Management Framework ... 3

Part 2 Configuration
Chapter 2 Examples ... 9
    Deploying a BYOD Policy for AirWatch Managed Devices ... 9
        Solution Overview ... 9
        Requirements ... 11
        Configuring the AirWatch MDM Service ... 11
        Configuring the Wireless Access Point ... 18
        Configuring the Device Access Management Framework ... 20
            Configuring an Authentication Protocol Set ... 20
            Configuring the MDM Authentication Server ... 22
            Configuring the Certificate Server ... 25
            Adding the MDM Certificate to the Trusted Client CA Configuration ... 27
            Configuring User Roles ... 29
            Configuring a Realm and Role Mapping Rules ... 34
            Configuring a Sign-In Policy ... 40
        Configuring an 802.1x Network Access Policy ... 42
            Configuring a Location Group ... 42
            Configuring a RADIUS Client ... 43
            Configuring a RADIUS Return Attributes Policy ... 45
        Configuring a Resource Access Policy ... 47
    Deploying a BYOD Policy for MobileIron Managed Devices ... 51
        Solution Overview ... 52
        Requirements ... 53
        Configuring the MobileIron MDM ... 54
        Configuring the Wireless Access Point ... 59
        Configuring the Device Access Management Framework ... 60
            Configuring an Authentication Protocol Set ... 61
            Configuring the MDM Authentication Server ... 62
            Configuring the Certificate Server ... 65
            Adding the MDM Certificate to the Trusted Client CA Configuration ... 67
            Configuring User Roles ... 69
            Configuring a Realm and Role Mapping Rules ... 74
            Configuring a Sign-In Policy ... 80
        Configuring an 802.1x Network Access Policy ... 82
            Configuring a Location Group ... 82
            Configuring a RADIUS Client ... 83
            Configuring a RADIUS Return Attributes Policy ... 85
        Configuring a Resource Access Policy ... 87
    Deploying a BYOD Policy for Devices Discovered by Pulse Secure Endpoint Profiler ... 91
        Solution Overview ... 92
        Requirements ... 93
        Configuring the Endpoint Profiler ... 93
        Configuring the Wireless Access Point ... 97
        Configuring the Device Access Management Framework ... 99
            Configuring an Authentication Protocol Set ... 99
            Configuring an Authentication Server ... 101
            Configuring User Roles ... 105
            Configuring a Realm and Role Mapping Rules ... 108
            Configuring a Sign-In Policy ... 112
        Configuring an 802.1x Network Access Policy ... 114
            Configuring a Location Group ... 114
            Configuring a RADIUS Client ... 115
            Configuring a RADIUS Return Attributes Policy ... 117
        Configuring a Resource Access Policy ... 119

Part 3 Administration
Chapter 3 Verifying Proper Configuration ... 125
    Using Logs to Verify Proper Configuration ... 125
Chapter 4 Tuning the Configuration ... 129
    User and Policy Administration Overview ... 129

Part 4 Troubleshooting
Chapter 5 Tools ... 133
    Using Policy Tracing and Debug Logs ... 133
        Using Policy Tracing to Troubleshoot Access Issues ... 133
        Using the Debug Log ... 134

List of Figures

Part 1 Overview
Chapter 1 Feature Overview ... 3
    Figure 1: User Access Management Framework and Device Access Management Framework ... 4

Part 2 Configuration
Chapter 2 Examples ... 9
    Figure 2: Solution Topology ... 10
    Figure 3: AirWatch Certificate Template Configuration ... 14
    Figure 4: AirWatch Credential Configuration ... 15
    Figure 5: AirWatch Wi-Fi Configuration ... 16
    Figure 6: Deploying a Profile to Your Organization's Managed Devices ... 17
    Figure 7: AirWatch API Tenant Code Configuration ... 18
    Figure 8: WLC 802.1x Authentication Configuration ... 19
    Figure 9: WLC RADIUS Configuration ... 19
    Figure 10: WLC VLAN Configuration ... 20
    Figure 11: Authentication Protocol Set Configuration Page ... 21
    Figure 12: Authentication Server Configuration Page ... 23
    Figure 13: Certificate Server Configuration Page ... 26
    Figure 14: Trusted Client CA Management Page ... 27
    Figure 15: Import Trusted Client CA Page ... 27
    Figure 16: Trusted Client CA Configuration for AirWatch ... 28
    Figure 17: User Role Configuration Page General Settings ... 30
    Figure 18: User Role Configuration Page UI Options ... 31
    Figure 19: User Role Configuration Page Session Options ... 32
    Figure 20: User Role Configuration Page Agentless Access ... 33
    Figure 21: Realm Configuration Page ... 35
    Figure 22: Role Mapping Configuration Page ... 37
    Figure 23: Realm Configuration Page Certificate Restrictions ... 40
    Figure 24: Sign-In Policy Configuration Page ... 41
    Figure 25: Location Group Configuration Page ... 43
    Figure 26: RADIUS Client Configuration Page ... 44
    Figure 27: RADIUS Return Attributes Policy Configuration Page ... 46
    Figure 28: User Role Configuration Page General Settings ... 48
    Figure 29: Role Mapping Configuration Page ... 49
    Figure 30: Resource Access Policy Configuration Page ... 50
    Figure 31: Solution Topology ... 52
    Figure 32: MobileIron SCEP Configuration ... 57
    Figure 33: MobileIron Wi-Fi Configuration ... 58
    Figure 34: Applying the Wi-Fi Configuration to a Label ... 58
    Figure 35: Applying a Device Record to a Label ... 59
    Figure 36: WLC 802.1x Authentication Configuration ... 59
    Figure 37: WLC RADIUS Configuration ... 60
    Figure 38: WLC VLAN Configuration ... 60
    Figure 39: Authentication Protocol Set Configuration Page ... 61
    Figure 40: Authentication Server Configuration Page ... 63
    Figure 41: Certificate Server Configuration Page ... 66
    Figure 42: Trusted Client CA Management Page ... 67
    Figure 43: Import Trusted Client CA Page ... 67
    Figure 44: Trusted Client CA Configuration for MobileIron ... 68
    Figure 45: User Role Configuration Page General Settings ... 70
    Figure 46: User Role Configuration Page UI Options ... 71
    Figure 47: User Role Configuration Page Session Options ... 72
    Figure 48: User Role Configuration Page Agentless Access ... 73
    Figure 49: Realm Configuration Page ... 75
    Figure 50: Role Mapping Configuration Page ... 77
    Figure 51: Realm Configuration Page Certificate Restrictions ... 80
    Figure 52: Sign-In Policy Configuration Page ... 81
    Figure 53: Location Group Configuration Page ... 83
    Figure 54: RADIUS Client Configuration Page ... 84
    Figure 55: RADIUS Return Attributes Policy Configuration Page ... 86
    Figure 56: User Role Configuration Page General Settings ... 88
    Figure 57: Role Mapping Configuration Page ... 89
    Figure 58: Resource Access Policy Configuration Page ... 90
    Figure 59: Solution Topology ... 92
    Figure 60: Network Infrastructure Device Configuration Page ... 94
    Figure 61: Endpoint Profiles Smartphone Listing ... 95
    Figure 62: Apple iPhone Profile Configuration Page ... 95
    Figure 63: Integrations Management Page ... 96
    Figure 64: WLC 802.1x Authentication Configuration ... 98
    Figure 65: WLC RADIUS Configuration ... 98
    Figure 66: WLC VLAN Configuration ... 99
    Figure 67: Authentication Protocol Set Configuration Page ... 100
    Figure 68: Authentication Server Configuration Page ... 102
    Figure 69: User Role Configuration Page General Settings ... 106
    Figure 70: User Role Configuration Page Session Options ... 107
    Figure 71: User Role Configuration Page Agentless Access ... 108
    Figure 72: Realm Configuration Page ... 109
    Figure 73: Role Mapping Configuration Page ... 111
    Figure 74: Sign-In Policy Configuration Page ... 113
    Figure 75: Location Group Configuration Page ... 115
    Figure 76: RADIUS Client Configuration Page ... 116
    Figure 77: RADIUS Return Attributes Policy Configuration Page ... 118
    Figure 78: Resource Access Policy Configuration Page ... 120

Part 3 Administration
Chapter 3 Verifying Proper Configuration ... 125
    Figure 79: Events Log Settings ... 126
    Figure 80: Events Log ... 127
    Figure 81: User Access Log ... 128

Part 4 Troubleshooting
Chapter 5 Tools ... 133
    Figure 82: Policy Tracing Results ... 134
    Figure 83: Debug Logging Configuration Page ... 135


List of Tables

About the Documentation ... xi
    Table 1: Notice Icons ... xii
    Table 2: Text and Syntax Conventions ... xii

Part 2 Configuration
Chapter 2 Examples ... 9
    Table 3: Component Version Information ... 11
    Table 4: AirWatch Device Attributes ... 12
    Table 5: Authentication Protocol Set Configuration Guidelines ... 21
    Table 6: Authentication Server Configuration Guidelines ... 24
    Table 7: Certificate Server Settings ... 26
    Table 8: User Role Configuration Guidelines ... 33
    Table 9: Realm Configuration Guidelines ... 35
    Table 10: Role Mapping Configuration Guidelines ... 37
    Table 11: AirWatch Device Attributes ... 38
    Table 12: Realm Configuration Certificate Restriction Guidelines ... 40
    Table 13: Sign-In Policy Configuration Guidelines ... 42
    Table 14: Location Group Configuration Guidelines ... 43
    Table 15: RADIUS Client Configuration Guidelines ... 44
    Table 16: RADIUS Return Attributes Policy Configuration Guidelines ... 47
    Table 17: Resource Access Policy Configuration Guidelines ... 51
    Table 18: Component Version Information ... 53
    Table 19: MobileIron Device Attributes ... 54
    Table 20: Authentication Protocol Set Configuration Guidelines ... 62
    Table 21: Authentication Server Configuration Guidelines ... 64
    Table 22: Certificate Server Settings ... 66
    Table 23: User Role Configuration Guidelines ... 73
    Table 24: Realm Configuration Guidelines ... 75
    Table 25: Role Mapping Configuration Guidelines ... 77
    Table 26: MobileIron Record Attributes ... 78
    Table 27: Realm Configuration Certificate Restriction Guidelines ... 80
    Table 28: Sign-In Policy Configuration Guidelines ... 82
    Table 29: Location Group Configuration Guidelines ... 83
    Table 30: RADIUS Client Configuration Guidelines ... 84
    Table 31: RADIUS Return Attributes Policy Configuration Guidelines ... 87
    Table 32: Resource Access Policy Configuration Guidelines ... 91
    Table 33: Component Version Information ... 93
    Table 34: Authentication Protocol Set Configuration Guidelines ... 100
    Table 35: Authentication Server Configuration Guidelines ... 103
    Table 36: User Role Configuration Guidelines ... 108
    Table 37: Realm Configuration Guidelines ... 109
    Table 38: Role Mapping Configuration Guidelines ... 111
    Table 39: Sign-In Policy Configuration Guidelines ... 113
    Table 40: Location Group Configuration Guidelines ... 115
    Table 41: RADIUS Client Configuration Guidelines ... 116
    Table 42: RADIUS Return Attributes Policy Configuration Guidelines ... 119
    Table 43: Resource Access Policy Configuration Guidelines ... 121

Part 3 Administration
Chapter 4 Tuning the Configuration ... 129
    Table 44: Tuning the Configuration ... 129

Part 4 Troubleshooting
Chapter 5 Tools ... 133
    Table 45: Debug Log Configuration Guidelines ... 135

About the Documentation

    Documentation and Release Notes on page xi
    Supported Platforms on page xi
    Documentation Conventions on page xi
    Documentation Feedback on page xiii
    Requesting Technical Support on page xiii

Documentation and Release Notes

To obtain the most current version of all Pulse Secure technical documentation, see the product documentation page at http://www.juniper.net/techpubs/. If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Supported Platforms

For the features described in this document, the following platforms are supported:
    IC4500
    IC6500 FIPS
    IC6500
    MAG Series

Documentation Conventions

Table 1 on page xii defines notice icons used in this guide.

Table 1: Notice Icons

    Icon                  Meaning
    Informational note    Indicates important features or instructions.
    Caution
    Warning               Alerts you to the risk of personal injury or death.
                          Alerts you to the risk of personal injury from a laser.

Table 2 on page xii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description: Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
Examples: A policy term is a named structure that defines match conditions and actions.
    Junos OS CLI User Guide
    RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Enclose optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Example: broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Enclose a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identify a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Example (indention, braces, and semicolons):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples: In the Logical Interfaces box, select All Interfaces.
    To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@pulsesecure.net.

Requesting Technical Support

Technical product support is available through the Pulse Secure Global Support Center (PSGSC). If you have a support contract, then file a ticket with PSGSC.

Product warranties: For product warranty information, visit http://www.pulsesecure.net.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Pulse Secure, LLC has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
    Find CSC offerings: http://www.pulsesecure.net/support
    Search for known bugs: http://www.pulsesecure.net/support
    Find product documentation: http://www.juniper.net/techpubs/
    Find solutions and answer questions using our Knowledge Base: http://www.pulsesecure.net/support
    Download the latest versions of software and review release notes: http://www.pulsesecure.net/support
    Search technical bulletins for relevant hardware and software notifications: http://www.pulsesecure.net/support
    Open a case online in the CSC Case Management tool: http://www.pulsesecure.net/support
    To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: http://www.pulsesecure.net/support

Opening a Case with PSGSC

You can open a case with PSGSC on the Web or by telephone.
    Use the Case Management tool in the PSGSC at http://www.pulsesecure.net/support.
    Call 1-888-314-5822 (toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.pulsesecure.net/support.

PART 1 Overview

    Feature Overview on page 3

CHAPTER 1 Feature Overview

    Understanding the Device Access Management Framework on page 3

Understanding the Device Access Management Framework

The device access management framework enables you to leverage mobile device management (MDM) services so that you can use familiar Access Control Service 802.1x network access control and Infranet Enforcer policies to enforce your security objectives in bring your own device (BYOD) environments. In this simple framework, the MDM is a device authentication server and MDM record attributes are the basis for access policy determinations.

For example, suppose your enterprise wants to enforce a policy that allows access only to mobile devices that have enrolled with the MDM or are compliant with the MDM posture assessment policies. You can use the attributes and status maintained by the MDM in Access Control Service role-mapping rules to implement the policy.

The framework simply extends the user access management framework to include use of device attributes as a factor in role mapping rules. Figure 1 on page 4 illustrates the similarities.

Figure 1: User Access Management Framework and Device Access Management Framework

The Juniper solution supports attribute-based Layer 2 network access control through familiar RADIUS return attribute policies, and Layer 3 enforcement through resource access policies. For example, you can implement policies that allow devices that have a clean MDM posture assessment and are compliant with MDM policies to access the network, but deny access to servers when you want to prevent downloads to employee-owned devices or to a particular platform that might be vulnerable.

The Access Control Service queries the MDM database for updates at an interval you specify. This feature enables you to leverage the MDM posture assessment checks and enforce compliance. For example, the MDM might detect that a device is out of compliance with its security policies, such as a password policy. At the next device check interval, the Access Control Service queries the MDM for updated attribute data. In this example, it learns that a formerly compliant device is now noncompliant. It assigns the device the non-compliant role and sends the 802.1x authenticator the corresponding RADIUS attribute to place it in a remediation VLAN.

This release supports integration with the following MDM solutions as device attribute servers:
    AirWatch MDM
    MobileIron MDM

In addition, you can integrate with Juniper Networks Endpoint Profiler as a device attribute server. The Endpoint Profiler catalogues mobile device platform information.

Related Documentation
    Deploying a BYOD Policy for AirWatch Managed Devices on page 9
    Deploying a BYOD Policy for MobileIron Managed Devices on page 51
    Deploying a BYOD Policy for Devices Discovered by Juniper Endpoint Profiler on page 91


PART 2 Configuration

    Examples on page 9

CHAPTER 2 Examples

    Deploying a BYOD Policy for AirWatch Managed Devices on page 9
    Deploying a BYOD Policy for MobileIron Managed Devices on page 51
    Deploying a BYOD Policy for Devices Discovered by Juniper Endpoint Profiler on page 91

Deploying a BYOD Policy for AirWatch Managed Devices

This example shows how to use Access Control Service policies to enable security based on device identity, device posture, or user identity in a bring your own device (BYOD) environment for an enterprise that uses AirWatch for mobile device management (MDM). It includes the following information:
    Solution Overview on page 9
    Requirements on page 11
    Configuring the AirWatch MDM Service on page 11
    Configuring the Wireless Access Point on page 18
    Configuring the Device Access Management Framework on page 20
    Configuring an 802.1x Network Access Policy on page 42
    Configuring a Resource Access Policy on page 47

Solution Overview

In the past, in order to ensure security and manageability of the corporate network, enterprise information technology (IT) departments had restricted network access to company-issued equipment. For mobile phones, the classic example was the company-issued BlackBerry handset. As powerful mobile smart phones and tablets have become commonly held personal possessions, the trend in enterprise IT has been to stop issuing mobile equipment and instead allow employees to use their personal smart phones and tablets to conduct business activities. This has lowered equipment costs, but BYOD environments pose capacity planning and security challenges: how can an enterprise track network access by non-company-issued devices? Can an enterprise implement policies that can restrict the mobile devices that can access the network and protected resources in the same way network access control solutions restrict user access?

Device Access Management Framework Feature Guide MDM vendors have emerged to address the first issue. MDMs such as AirWatch provide enrollment and posture assessment services that prompt employees to enter data about their mobile devices. The MDM data records include device attributes and posture assessment status that can be used in the Access Control Service access management framework to enforce security policies. Figure 2 on page 10 shows a deployment with Access Control Service, a wireless access point, and the AirWatch MDM cloud service. Figure 2: Solution Topology The solution shown in this example leverages the Pulse access management framework to support attribute-based network access control for mobile devices. In the device access management framework, the MDM is a device authentication server and MDM record attributes are the basis for access policy determinations. For example, suppose your enterprise wants to enforce a policy that allows access only to mobile devices that have enrolled with the MDM or are compliant with the MDM posture assessment policies. You can use the attributes and status maintained by the MDM in Access Control Service role-mapping rules to implement the policy. It is possible to use MAC address as the device identifier, and, indeed, this is supported as a fallback plan. We recommend, however, that you implement the solution as shown here, using client certificates. This example shows how to enable security with the familiar 802.1x framework. In this framework, a native supplicant is used to authenticate the user of the device. The device itself is identified using a client certificate that contains device identity. Client certificates provide a more secure way to identity a device than MAC address, which is vulnerable to spoofing. The 802.1x EAP methods that provide a TLS tunnel (PEAP, TLS and TTLS) can use a client certificate. 
The following behavior is illustrative:

TTLS/MSCHAPv2: The client certificate presented during the TLS handshake is used to identify the device against the MDM records, and MSCHAPv2 is used to authenticate the user against an authentication server.

PEAP/MSCHAPv2: Although PEAP does not allow user authentication with a client certificate, the client certificate can still be presented during the TLS handshake and used to identify the device against the MDM records. MSCHAPv2 is used to authenticate the user against an authentication server.

TLS: The client certificate can be used both to identify the device against the MDM records and to authenticate the user against a certificate server.

The Juniper solution supports attribute-based Layer 2 network access control through familiar RADIUS return attribute policies, and Layer 3 enforcement through resource access policies. For example, you can implement policies that allow devices that have a clean MDM posture assessment and are compliant with MDM policies to access the network, but deny access to servers when you want to prevent downloads to employee-owned devices or to a particular platform that might be vulnerable.

Requirements

Table 3 on page 11 lists version information for the solution components shown in this example.

Table 3: Component Version Information

Component | Version
ACS | 4.4 R4-MDM or 5.0r1 or later is required.
AirWatch MDM | Release 6.4.1.2 is used in this example. Any version that supports the device ID and device attributes you plan to query is compatible.
Wireless access point | Juniper Networks WLC2 wireless LAN controller and WLA322 access point are used in this example. Any wireless access point that supports deployment as an 802.1x authenticator is compatible.

Configuring the AirWatch MDM Service

This solution assumes you know how to configure and use the features of your MDM, and that you can enroll employees and their devices. For more information about the AirWatch MDM, refer to its documentation and support resources. This section focuses on the following elements of the MDM configuration that are important to this solution:

Device identifier: The primary key for device records.
Your MDM configuration determines whether a Universal Unique Identifier (UUID), Unique Device Identifier (UDID), or serial number is used as the device identifier. For AirWatch, UDID is supported and recommended.

Device attributes: A standard set of data maintained for each device. For AirWatch, see Table 4 on page 12.

When the user installs the MDM application on the device and completes enrollment, the MDM pushes the device certificate to the device. After enrollment, the MDM maintains a database record that includes enrollee attributes related to device identity, user identity, and posture assessment against MDM policies. Table 4 on page 12 describes these attributes. In this solution, these attributes are used in the Access Control Service role mapping that is the basis for network access and resource access policies. When you configure role-mapping rules, you specify the normalized ACS attribute name.

Table 4: AirWatch Device Attributes

AirWatch attribute | ACS attribute | Description | Type
assetnumber, id | deviceid | Device identifier. | String
blocklevelencryption | blocklevelencryption | True if block-level encryption is enabled; false otherwise. | Boolean
compliancestatus | iscompliant | Values: Compliant. | String
compromisedstatustimestamp | compromisedstatustimestamp | The refresh date and timestamp of the last status reported. | Timestamp
compromisedstatus | iscompromised | True if the device is compromised; false otherwise. | Boolean
dataprotectionenabled | dataprotectionenabled | True if data protection is enabled; false otherwise. | Boolean
devicefriendlyname | devicefriendlyname | Name used to identify the device/user combination. | String
enrollmentstatus | isenrolled | Values: Enrolled. | String
filelevelencryption | filelevelencryption | True if file-level encryption is enabled; false otherwise. | Boolean
imei | IMEI | IMEI number of the device. | String
[...] | [...] | True if the passcode is compliant with the MDM policy; false otherwise. | Boolean
ispasscodepresent | ispasscodepresent | True if a passcode has been configured on the device; false otherwise. | Boolean
locationgroupname | locationgroupname | MDM location group configuration value. | String
macaddress | macadress | MAC address of the device. | [...]
model, modelid | model | Model is automatically reported by the device during registration. | String
operatingsystem | osversion | Operating system version. | String
ownership | ownership | Values: Employee, Corporate, or Shared. | String
phonenumber | phonenumber | Phone number entered during registration. | String
platform, platformid | platform | Platform specified during registration. | String
serialnumber | serialnumber | Serial number. | String
udid | UDID | UDID. | String
useremailaddress | useremail | Email address of device user. | String
username | username | Name of device user. | String

To configure the MDM:

1. Enroll devices in the MDM using the methods supported by the MDM.

2. Create a profile. The profile determines many MDM management options. The following are key to this solution:

   a. Certificate template. Create a configuration that specifies the field and type of identifier for client device certificates. See Figure 3 on page 14. The MDM configuration templates provide flexibility in how the device identifier is placed in the device certificate's subject or subject alternative name. We recommend that you also include the user ID in the certificate, so that the certificate identifies both the user and the device. For example: CN=<DEVICE_UDID>, uid=<user_id>, o=company

   b. Credential profile. Create a configuration that specifies the certificate authority and the certificate template configuration. See Figure 4 on page 15.

   c. Wi-Fi profile. Create a configuration that specifies the SSID, security options, and the credential configuration. See Figure 5 on page 16.

3. Save and deploy the profile to devices registered with your organization. See Figure 6 on page 17.

4. Enable API access and generate the AirWatch API key (tenant code). The tenant code is part of the REST API configuration and must be included in the Access Control Service MDM server configuration; it is sent with each API call. See Figure 7 on page 18.

Figure 3: AirWatch Certificate Template Configuration

Figure 4: AirWatch Credential Configuration

Figure 5: AirWatch Wi-Fi Configuration

Figure 6: Deploying a Profile to Your Organization's Managed Devices

Figure 7: AirWatch API Tenant Code Configuration

Configuring the Wireless Access Point

The following wireless access point settings are important in this solution:

802.1x authentication
RADIUS authenticator communication with the Access Control Service RADIUS server
VLANs, if you want to be able to assign user roles to VLANs

Refer to your vendor's documentation for information about the wireless access point 802.1x configuration. For information about Juniper Networks wireless access controllers, refer to the Juniper Networks wireless LAN services documentation. Figure 8 on page 19 shows the 802.1x configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 8: WLC 802.1x Authentication Configuration

Figure 9 on page 19 shows the RADIUS configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 9: WLC RADIUS Configuration

Figure 10 on page 20 shows the VLAN configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 10: WLC VLAN Configuration

Configuring the Device Access Management Framework

This section describes the basic steps for configuring the device access management framework:

1. Configuring an Authentication Protocol Set on page 20
2. Configuring the MDM Authentication Server on page 22
3. Configuring the Certificate Server on page 25
4. Adding the MDM Certificate to the Trusted Client CA Configuration on page 27
5. Configuring User Roles on page 29
6. Configuring a Realm and Role Mapping Rules on page 34
7. Configuring a Sign-In Policy on page 40

Configuring an Authentication Protocol Set

The authentication protocol set associated with the sign-in page must include the EAP method selected in the MDM Wi-Fi profile. The predefined authentication protocol set named 802.1x, shown in Figure 11 on page 21, can be used as-is, since it includes all the EAP methods currently configurable on MDMs.

Figure 11: Authentication Protocol Set Configuration Page

If you want to define a custom set for this solution, complete the following procedure.

To configure the authentication protocol set:

1. Select Signing In > Authentication Protocols to display the configuration page.
2. Click New Authentication Protocol, or select the predefined 802.1x set and click Duplicate.
3. Complete the configuration as described in Table 5 on page 21.
4. Save the configuration.

Table 5: Authentication Protocol Set Configuration Guidelines

Settings | Guidelines
Name | Specify a name for the protocol set.
Description | Describe the purpose of the set so that other administrators are aware of it.
Authentication Protocol | Use the Add/Remove buttons to select the protocols to be used. Use the up/down arrows to list the selected protocols in the preferred order.
TLS | Use the Add/Remove buttons to select the protocols to be used. Use the up/down arrows to list the selected protocols in the preferred order.

Configuring the MDM Authentication Server

The MDM authentication server configuration is used by the system to communicate with the MDM. In the device access management framework, the MDM server is used as the device authorization server.

To configure the authentication server:

1. Select Authentication > Auth Servers to navigate to the authentication server configuration pages.
2. Select MDM Server and click New Server to display the configuration page shown in Figure 12 on page 23.
3. Complete the configuration as described in Table 6 on page 24.
4. Save the configuration.

Figure 12: Authentication Server Configuration Page

Table 6: Authentication Server Configuration Guidelines

Settings | Guidelines
Name | Specify a name for the configuration.
Server | Specify the URL for your AirWatch server. This is the URL AirWatch has instructed you to use, over port 443.
Viewer Url | Specify the URL for the AirWatch report viewer. This URL is used to link records on the Active Users page to the AirWatch records. The URL for the AirWatch MDM viewer for this example has the following form: https://apidev.awmdm.com/airwatch/devices/devicedetails/<deviceattr.deviceid>
[...] | [...] seconds.
Administrator Password | Specify the corresponding password.
Tenant Code | Copy and paste the AirWatch API tenant code. See Figure 7 on page 18.
Device Identifier |
Require Certificate | Require that the device certificate pushed to client devices during enrollment is used for [...]. If this option is not selected and the client does not have a certificate, the system uses the [...]
ID Template | Template for constructing the device identifier from certificate attributes. The template can contain literal text as well as variables for substitution. The variables are the same as those used in role mapping custom expressions and policy conditions. Enclose variables in angle brackets, like this: <variable>. For example, suppose the certificate DN is CN=<DEVICE_UDID>, uid=<user_id>, o=company. With this configuration, the certificate can identify both the user and the device. In this example, the device ID template is <certdn.cn>.
ID Type | UDID: The device Unique Device Identifier. This is supported by the AirWatch MDM.

Configuring the Certificate Server

The certificate server configuration enables device users to authenticate using the certificate pushed to the device by the MDM. The certificates are used for user authentication, so users do not have to enter credentials.

To configure authentication with the certificate server:

1. Select Authentication > Auth. Servers.
2. Select Certificate Server and click New Server to display the configuration page shown in Figure 13 on page 26.
3. Complete the configuration as described in Table 7 on page 26.
4. Save the configuration.

Figure 13: Certificate Server Configuration Page

Table 7: Certificate Server Settings

Settings | Guidelines
Name | Specify a name to identify the server within the system.
User Name Template | [...] any combination of certificate variables contained in angle brackets and plain text. The user name template you configure must be consistent with the MDM certificate template configuration. Your goal is to identify the values specified in the MDM certificate that are to be used as the user name in the Access Control Service system. This value populates the <USER> and <USERNAME> session variables for use throughout the rest of the system configuration. With this configuration, the certificate can identify both the user and the device. In this example, the user name template is <certdn.uid>.
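The substitution that the ID Template setting in Table 6 and the User Name Template setting in Table 7 perform, together with the MAC-address fallback the overview mentions for clients that present no certificate, as an added example in Python. This is not Pulse Secure code. It assumes the documented <scope.attr> variable form, a subject DN supplied as an RFC 4514 string, that certdn.<attr> variables resolve against the certificate subject and deviceattr.<attr> variables (as in the Viewer Url) against the MDM record, and that a missing template variable is an error rather than an empty string. The DN, MAC address and MDM record are constructed sample data.

```python
"""Added example (not Pulse Secure code): certificate-to-identity templates.

Assumptions (also stated in the lead-in): "<scope.attr>" variable syntax;
subject DN as an RFC 4514 string; certdn.* resolves against the subject,
deviceattr.* against the MDM record; a missing variable raises instead of
producing an empty identifier.
"""
import re
from typing import Dict, Optional

TEMPLATE_VAR = re.compile(r"<([A-Za-z0-9_.]+)>")


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN=x, uid=y, o=z' into a lowercase-keyed attribute map.

    Splits only on commas that are not backslash-escaped (RFC 4514), so a
    value such as 'Smith\\, John' does not break the DN in the wrong place.
    """
    attrs: Dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, _, value = rdn.partition("=")
        attrs[key.strip().lower()] = value.strip().replace("\\,", ",")
    return attrs


def expand_template(template: str, context: Dict[str, Dict[str, str]]) -> str:
    """Replace each <scope.attr> with its value; unknown variables raise.

    Raising mirrors the failure a practitioner wants: a certificate that
    lacks the attribute named in the template must not silently yield an
    empty device ID or user name.
    """
    def repl(match):
        scope, _, attr = match.group(1).partition(".")
        value = context.get(scope.lower(), {}).get(attr.lower())
        if value is None:
            raise KeyError(f"template variable <{match.group(1)}> not available")
        return value
    return TEMPLATE_VAR.sub(repl, template)


def identify(cert_dn: Optional[str], mac: str, require_cert: bool,
             id_template: str = "<certdn.cn>",
             user_template: str = "<certdn.uid>") -> Dict[str, str]:
    """Derive the device ID and user name as the Table 6 / Table 7 settings do.

    With no certificate presented: if Require Certificate is set the device
    is rejected; otherwise the MAC address becomes the device ID (the
    fallback the overview describes) and no user name can be derived.
    """
    if cert_dn is None:
        if require_cert:
            raise PermissionError("no client certificate; Require Certificate is set")
        return {"device_id": mac.lower(), "username": "", "id_source": "mac"}
    ctx = {"certdn": parse_dn(cert_dn)}
    return {
        "device_id": expand_template(id_template, ctx),
        "username": expand_template(user_template, ctx),
        "id_source": "certificate",
    }


def viewer_url(template: str, device_record: Dict[str, str]) -> str:
    """Expand the Viewer Url template against the normalized MDM record."""
    return expand_template(template, {"deviceattr": device_record})


if __name__ == "__main__":
    # Constructed sample data: a subject DN in the recommended layout and the
    # normalized MDM record the realm would receive for that device.
    dn = "CN=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0, uid=jsmith, o=company"
    record = {"deviceid": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0", "username": "jsmith"}
    print(identify(dn, mac="00:11:22:33:44:55", require_cert=True))
    print(identify(None, mac="00:11:22:33:44:55", require_cert=False))
    print(viewer_url("https://apidev.awmdm.com/airwatch/devices/devicedetails/"
                     "<deviceattr.deviceid>", record))
```

The check worth keeping from this is the strict behaviour of expand_template: if the MDM certificate template ever stops emitting the uid attribute, a permissive implementation would map every device to an empty user name, and role-mapping rules keyed on the user would then match nothing or everything.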

Adding the MDM Certificate to the Trusted Client CA Configuration

The system uses the uploaded CA certificate to verify that the certificate submitted by the client is valid. You must upload the MDM CA certificate that signed the client certificates pushed to the mobile devices. Typically, you obtain this certificate from the MDM vendor when your company establishes its account.

To import a trusted client CA certificate:

1. Select System > Configuration > Certificates > Trusted Client CAs to display the page shown in Figure 14 on page 27.

Figure 14: Trusted Client CA Management Page

2. Click Import CA Certificate to display the page shown in Figure 15 on page 27.

Figure 15: Import Trusted Client CA Page

3. Browse to the certificate file, select it, and click Import Certificate to complete the import operation.

4. Click the link for the Trusted Client CA to display its details. Figure 16 on page 28 shows the configuration for this example.

Figure 16: Trusted Client CA Configuration for AirWatch

Configuring User Roles

User roles are classifiers for network access control policies. You create a set of roles to use in your classification scheme: device status is MDM enrollment complete or incomplete; device status is MDM-policy compliant or non-compliant; device is employee owned or company owned; device platform is iOS, Android, or neither; and so forth. The user role configuration also includes options to customize user interface features appropriate for a particular role. For MDM deployments, you can use the Personalized Greeting UI option to send a notification message to the device when the role has been applied.

To configure user roles:

1. Select Users > User Role to navigate to the role configuration page.
2. Click New Role to display the configuration page shown in Figure 17 on page 30.
3. Complete the configuration for general options as described in Table 8 on page 33.
4. Save the configuration.
5. Click UI Options to display the configuration page shown in Figure 18 on page 31.
6. Complete the configuration for UI options as described in Table 8 on page 33.
7. Save the configuration.
8. Click Session Options to display the configuration page shown in Figure 19 on page 32.
9. Complete the configuration for session options as described in Table 8 on page 33.
10. Save the configuration.
11. Click Agentless to display the configuration page shown in Figure 20 on page 33.
12. Complete the configuration for agentless options as described in Table 8 on page 33.
13. Save the configuration.

Figure 17: User Role Configuration Page (General Settings)

Figure 18: User Role Configuration Page (UI Options)

Figure 19: User Role Configuration Page (Session Options)

Figure 20: User Role Configuration Page (Agentless Access)

Table 8: User Role Configuration Guidelines

Settings | Guidelines
Overview tab |
Name | Specify a name for the configuration.
Description | Describe the purpose of the role so that other administrators are aware of it.
Options | [...] role is applied.
UI Options tab |
Personalized greeting | [...] (via the MDM API) after sign-in and this role has been applied, or after role reevaluation if it results in a role change to this role. In this example, we are using the system to enforce MDM enrollment and to flag compromised devices. The message, therefore, is: [...] The message is forwarded to the device using the MDM server Push Notification feature. NOTE: If multiple roles are assigned, UI options are not merged. The UI options for the first role that matches are applied.
Session Options tab |
[...] | [...] alive. This option is useful for iOS devices.
Agentless tab |
Agentless | Select this option for roles that you provision to access the network from BYOD devices. The solution that integrates with MDMs depends on the native supplicant, not on a Pulse Secure agent.

Configuring a Realm and Role Mapping Rules

The user realm configuration associates the authentication server data and MDM server data with user roles.

To configure the realm and role mapping rules:

1. Select Users > User Realms > New User Realm to display the configuration page shown in Figure 21 on page 35.
2. Complete the configuration as described in Table 9 on page 35.
3. Save the configuration. Upon saving the new realm, the system displays the role mapping rules page.
4. Click New Rule to display the configuration page shown in Figure 22 on page 37.
5. Complete the configuration as described in Table 10 on page 37.
6. Save the configuration.
7. Click the Authentication Policy tab and then click the Certificate sub-tab to display the certificate restriction configuration page shown in Figure 23 on page 40.
8. Complete the configuration as described in Table 12 on page 40.
9. Save the configuration.

Figure 21: Realm Configuration Page

Table 9: Realm Configuration Guidelines

Settings | Guidelines
Name | Specify a name for the realm. If you enable sign-in using a realm suffix in the sign-in policy configuration, the realm name must match the user name realm suffix configured in the MDM Wi-Fi profile. See Figure 5 on page 16.
Description | Describe the purpose of the realm so that other administrators are aware of it.
Servers |
Authentication | Select the user authentication server for this realm's users. This example uses the certificate server.
User Directory/Attribute | Do not select.
Accounting | Do not select.
Device Attributes | Select the MDM server configured in the earlier step.
Device Check Interval | [...] remediation VLAN. Specify the interval at which to query the MDM for updated attribute data. Specify 0 to disable periodic queries. The minimum is 10 minutes and the maximum is 10080 minutes (7 days). Specify an interval that is appropriate for the MDM. Some MDMs, for example, update records every 4 hours, so a 10 minute interval would not be productive.
Dynamic Policy Evaluation | [...] the queries return changed attribute values.
Refresh interval | Do not select.
Refresh roles | Do not select.
Refresh resource policies | Do not select.
Session Migration |
Session Migration | Do not select this option. Session migration is useful for endpoints running Pulse Secure client software, which is not the case for the endpoints in this MDM example.

Figure 22: Role Mapping Configuration Page

Table 10: Role Mapping Configuration Guidelines

Settings | Guidelines
Rule based on | Select Device Attribute and click Update to update the configuration page so that it displays settings for role mapping using device attributes.
Name | Specify a name for the configuration.
Rule | Select a device attribute (see Table 11 on page 38), a logical operator (is or is not), and type a matching value or value pattern. In this example, we select iscompromised, the logical operator is, and the value 1 (true). Devices with a compromised status therefore match the rule.
Role assignment | Select the roles to apply if the data matches the rule.

TIP: You are likely to create multiple roles and role-mapping rules to assign roles for different policy purposes. Your realm can have a set of rules based on user attribute, group membership, and device attribute. Be mindful that the user and device can map to multiple roles. Use stop rules and order your rules carefully to implement the policy you intend.

Table 11 on page 38 describes the AirWatch record attributes that can be used in role mapping rules.

Table 11: AirWatch Device Attributes

ACS attribute | AirWatch attribute | Description | Type
blocklevelencryption | blocklevelencryption | True if block-level encryption is enabled; false otherwise. | Boolean
compromisedstatustimestamp | compromisedstatustimestamp | The refresh date and timestamp of the last status reported. | Timestamp
dataprotectionenabled | dataprotectionenabled | True if data protection is enabled; false otherwise. | Boolean
deviceid | assetnumber, id | Device identifier. | String
devicefriendlyname | devicefriendlyname | Name used to identify the device/user combination. | String
filelevelencryption | filelevelencryption | True if file-level encryption is enabled; false otherwise. | Boolean
IMEI | imei | IMEI number of the device. | String
iscompliant | compliancestatus | Values: Compliant. | String
iscompromised | compromisedstatus | True if the device is compromised; false otherwise. | Boolean
isenrolled | enrollmentstatus | True if the MDM value is Enrolled; false otherwise. | Boolean
[...] | [...] | True if the passcode is compliant with the MDM policy; false otherwise. | Boolean
ispasscodepresent | ispasscodepresent | True if a passcode has been configured; false otherwise. | Boolean
locationgroupname | locationgroupname | MDM location group configuration value. | String
macadress | macaddress | MAC address of the device. | [...]
model | model, modelid | Model is automatically reported by the device during registration. | String
osversion | operatingsystem | Operating system version. | String
ownership | ownership | Values: Employee, Corporate, or Shared. | String
phonenumber | phonenumber | Phone number entered during registration. | String
platform | platform, platformid | Platform specified during registration. | String
serialnumber | serialnumber | Serial number. | String
UDID | udid | UDID. | String
useremail | useremailaddress | Email address of device user. | String
username | username | Name of device user. | String

NOTE: By design, you should be able to specify true or false, or 1 or 0, for Boolean data types in your role mapping rules. Due to an issue in this release, you must use 1 for true and 0 for false.
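How a set of device-attribute role mapping rules of the kind described in Table 10 behaves when several rules match, including the stop rules and ordering the TIP warns about and the 1/0 Boolean form the NOTE requires, as an added example in Python. This is not Pulse Secure code and does not reproduce the product's rule engine; it assumes a rule is (attribute, operator, value, roles, stop), that "is" compares case-insensitively and accepts * wildcards, and that "is not" is its negation. The rule set and the MDM records (using the normalized names from Table 11) are constructed for the example.

```python
"""Added example (not Pulse Secure code): evaluating device-attribute
role mapping rules with stop rules and ordering.

Assumptions (also in the lead-in): rule = (attribute, operator, value,
roles, stop); "is" is a case-insensitive wildcard match, "is not" its
negation; rules are walked in list order and a matching stop rule ends
evaluation.
"""
import fnmatch
from typing import Dict, List, NamedTuple, Tuple


class Rule(NamedTuple):
    attribute: str          # normalized ACS attribute name, e.g. "iscompromised"
    operator: str           # "is" or "is not"
    value: str              # value or pattern as typed in the rule
    roles: Tuple[str, ...]  # roles assigned when the rule matches
    stop: bool = False      # stop processing further rules after a match


def normalize(value) -> str:
    """Canonical string form so that True, 1 and "true" compare equal.

    The NOTE above says rules must be written with 1 and 0; normalizing
    both sides lets the evaluator accept that form while the MDM record
    may carry a real Boolean.
    """
    if isinstance(value, bool):
        return "1" if value else "0"
    text = str(value).strip().lower()
    if text in ("true", "yes"):
        return "1"
    if text in ("false", "no"):
        return "0"
    return text


def rule_matches(rule: Rule, device: Dict[str, object]) -> bool:
    actual = normalize(device.get(rule.attribute, ""))
    hit = fnmatch.fnmatchcase(actual, normalize(rule.value))
    if rule.operator == "is":
        return hit
    if rule.operator == "is not":
        return not hit
    raise ValueError(f"unknown operator {rule.operator!r}")


def map_roles(rules: List[Rule], device: Dict[str, object]) -> List[str]:
    """Walk the rules in order, union the roles of every matching rule,
    and stop at the first matching stop rule. Roles keep assignment order."""
    assigned: List[str] = []
    for rule in rules:
        if not rule_matches(rule, device):
            continue
        for role in rule.roles:
            if role not in assigned:
                assigned.append(role)
        if rule.stop:
            break
    return assigned


# Constructed policy: quarantine compromised or unenrolled devices first, as
# stop rules, so that no later rule can also grant them a productive role;
# then classify the remaining devices by compliance, platform and ownership.
RULES = [
    Rule("iscompromised", "is", "1", ("Quarantine",), stop=True),
    Rule("isenrolled", "is not", "1", ("Quarantine",), stop=True),
    Rule("iscompliant", "is", "Compliant", ("Employee",)),
    Rule("platform", "is", "Android*", ("Android",)),
    Rule("ownership", "is", "Corporate", ("Corporate",)),
]

# Constructed sample MDM records keyed by the normalized names in Table 11.
DEVICES = {
    "ios-ok": {"iscompromised": False, "isenrolled": True, "iscompliant": "Compliant",
               "platform": "Apple", "ownership": "Employee"},
    "android-corp": {"iscompromised": 0, "isenrolled": 1, "iscompliant": "Compliant",
                     "platform": "Android", "ownership": "Corporate"},
    "jailbroken": {"iscompromised": True, "isenrolled": True, "iscompliant": "Compliant",
                   "platform": "Apple", "ownership": "Employee"},
    "not-enrolled": {"isenrolled": False, "platform": "Android"},
}


def classify_all(rules: List[Rule] = RULES) -> Dict[str, List[str]]:
    return {name: map_roles(rules, record) for name, record in DEVICES.items()}


if __name__ == "__main__":
    for name, roles in classify_all().items():
        print(f"{name:13s} -> {roles}")
```

Swap the order of the first two rules with the last three and the jailbroken device also collects Employee and Android: that is the ordering mistake the TIP describes, and the reason the deny-style rules carry the stop flag.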

Figure 23: Realm Configuration Page (Certificate Restrictions)

Table 12: Realm Configuration Certificate Restriction Guidelines

Settings | Guidelines
Allow all users | Do not select this option. If you select this option, the system does not request a client certificate during the TLS handshake.
[...] certificate | [...] certificate, the certificate attributes are placed in the session context.
Only allow users with a client-side certificate | If you select this option, the system requests a client certificate during the TLS handshake. It does not allow endpoints to authenticate without a valid client certificate. If the realm is configured with a certificate server, as in this example, this is the only option that can be selected.

Configuring a Sign-In Policy

A sign-in policy associates devices with a realm.

To configure a sign-in policy:

1. Select Authentication > Signing In > Sign-In Policies to navigate to the sign-in policies configuration page.
2. Click New URL to display the configuration page shown in Figure 24 on page 41.
3. Complete the configuration as described in Table 13 on page 42.
4. Save the configuration.

Figure 24: Sign-In Policy Configuration Page

Table 13: Sign-In Policy Configuration Guidelines

Settings | Guidelines
User type | Select Users.
Description | Describe the purpose of the sign-in policy so that other administrators are aware of it.
Authentication Realm |
Realm | Select the realm you configured in the earlier step.
Authentication Protocol Set | Select the protocol set you configured in the earlier step.
[...] suffix | To use this option, the realm name must match the user name realm suffix configured in the MDM Wi-Fi profile. See Figure 5 on page 16. This configuration enables you to dedicate the realm to the MDM traffic. Non-MDM traffic passing through the same switch then belongs to a different realm.
Remove realm suffix | Remove the realm suffix within system processes, such as rule processing and logs.
Configure Sign-in Notifications |
Pre-Auth Sign-in Notification | Not used in this scenario.
Post-Auth Sign-in Notification | Not used in this scenario.

Configuring an 802.1x Network Access Policy

The 802.1x network access policy framework is used for network communication between the wireless access point and the Access Control Service. This section describes the key configuration elements:

1. Configuring a Location Group on page 42
2. Configuring a RADIUS Client on page 43
3. Configuring a RADIUS Return Attributes Policy on page 45

Configuring a Location Group

A location group associates the RADIUS framework with sign-in pages.

To configure a location group:

1. Select UAC > Network Access > Location Group to navigate to the location group configuration pages.
2. Click New Location Group to display the configuration page shown in Figure 25 on page 43.
3. Complete the configuration as described in Table 14 on page 43.
4. Save the configuration.

Figure 25: Location Group Configuration Page

Table 14: Location Group Configuration Guidelines

Settings | Guidelines
Name | Specify a name for the configuration.
Description | Describe the purpose of the location group so that other administrators are aware of it.
Sign-In Policy | Select the sign-in policy you configured in the earlier step.
[...] | Do not select for this solution.

Configuring a RADIUS Client

The RADIUS client configuration is used for communication with the 802.1x authenticator, in this case the wireless access point.

To configure a RADIUS client:

1. Select UAC > Network Access > RADIUS Client to display the RADIUS client configuration pages.
2. Click New RADIUS Client to display the configuration page shown in Figure 26 on page 44.
3. Complete the configuration as described in Table 15 on page 44.
4. Save the configuration.

Figure 26: RADIUS Client Configuration Page

Table 15: RADIUS Client Configuration Guidelines

Settings | Guidelines
Name | Specify a name for the configuration.
Description | Describe the purpose of the configuration so that other administrators are aware of it.
IP Address Range | Specify the number of IP addresses for the RADIUS authenticator.
[...] | [...] authenticator configuration.
Make/Model | Select the make/model of the RADIUS authenticator.
Location Group | Select the location group you configured in the earlier step.
Dynamic Authorization Support | Send RADIUS disconnect messages (RFC 5176) to the authenticator so that it terminates sessions that are no longer authorized.

Configuring a RADIUS Return Attributes Policy

The RADIUS return attributes policy is a framework for role-based assignment of traffic to VLANs. The policy specifies the return list attributes to send to an 802.1X network access device, such as the VLAN that endpoints must use to access the network. If no policy applies, Open Port is the default action.

To configure a RADIUS return attributes policy:

1. Select UAC > Network Access > RADIUS Attributes > Return Attributes to display the RADIUS return attributes policy configuration pages.
2. Click New Policy to display the configuration page shown in Figure 27 on page 46.
3. Complete the configuration as described in Table 16 on page 47.
4. Save the configuration.

Figure 27: RADIUS Return Attributes Policy Configuration Page

Table 16: RADIUS Return Attributes Policy Configuration Guidelines

Settings | Guidelines
Name | Specify a name for the configuration.
Description | Describe the purpose of the configuration so that other administrators are aware of it.
Location Group | Select the location groups to which this policy applies. In this example scenario, select the location group you configured in the earlier step.
RADIUS Attributes |
Open port | Return authorization to open the port. This option does not restrict access to a particular VLAN.
VLAN | Return a VLAN ID for the VLAN in which to place the traffic. This is the option used in this example.
Return Attribute | Select and configure other RADIUS attributes to send in the return message. None are configured for this example.
Add Termination-Action attribute | Add the Termination-Action attribute with a value of 1 to request reauthentication after session termination.
Interface |
Interface | Select the interface that endpoints on this VLAN use to connect to the system.
Roles |
Roles | Select the roles to which the policy applies.

Configuring a Resource Access Policy

A resource access policy enforces role-based access to resources protected by an Infranet Enforcer firewall. You can use the device access management framework to assign roles to devices, and use the resource access policy to deny access to resources that should not be downloaded onto a specific device platform, in this example Android devices.

This solution example assumes you have deployed Infranet Enforcers to protect Web servers in your network. This example does not explain how to deploy an Infranet Enforcer. For information on Infranet Enforcer, refer to its documentation.

In this scenario, the role configuration and role mapping configuration create a classification for Android devices. Figure 28 on page 48 shows the user role configuration.
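How a return attributes policy of the kind described in Table 16 is resolved for a session, from the roles the realm mapped and the authenticator's location group to the attribute list placed in the Access-Accept, as an added example in Python. This is not Pulse Secure code and does not reproduce the product's policy engine; it assumes policies are tried in the order listed and the first applicable one wins, that a VLAN is returned with the standard tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID = the VLAN, per RFC 2868 and RFC 3580), and that Termination-Action 1 is RADIUS-Request (RFC 2865). The policies, location group names and VLAN numbers are constructed for the example.

```python
"""Added example (not Pulse Secure code): resolving a RADIUS return
attributes policy into the attributes returned in an Access-Accept.

Assumptions (also in the lead-in): first applicable policy in list order
wins; a VLAN is carried in the RFC 2868 tunnel attributes; no applicable
policy means Open port, i.e. no VLAN attributes at all.
"""
from typing import List, NamedTuple, Optional, Tuple

# RADIUS attribute numbers and values (RFC 2865 / RFC 2868 / RFC 3580).
TERMINATION_ACTION = 29
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6
TERMINATION_ACTION_RADIUS_REQUEST = 1


class ReturnPolicy(NamedTuple):
    name: str
    location_groups: Tuple[str, ...]
    roles: Tuple[str, ...]
    vlan: Optional[int] = None          # None means "Open port"
    termination_action: bool = False    # "Add Termination-Action attribute"


def applies(policy: ReturnPolicy, location_group: str, roles: List[str]) -> bool:
    """A policy applies when the authenticator's location group is selected
    in it and the session holds at least one of the policy's roles."""
    return (location_group in policy.location_groups
            and any(role in policy.roles for role in roles))


def build_return_attributes(policy: Optional[ReturnPolicy]) -> List[Tuple[int, object]]:
    """Attributes for the Access-Accept: nothing for Open port, the tunnel
    triple for a VLAN, plus Termination-Action when the policy asks for it."""
    attrs: List[Tuple[int, object]] = []
    if policy is None or policy.vlan is None:
        return attrs
    attrs += [(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
              (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802),
              (TUNNEL_PRIVATE_GROUP_ID, str(policy.vlan))]
    if policy.termination_action:
        attrs.append((TERMINATION_ACTION, TERMINATION_ACTION_RADIUS_REQUEST))
    return attrs


def resolve(policies: List[ReturnPolicy], location_group: str,
            roles: List[str]) -> Tuple[str, List[Tuple[int, object]]]:
    """First applicable policy wins; returns (policy name or 'Open port', attrs)."""
    for policy in policies:
        if applies(policy, location_group, roles):
            return policy.name, build_return_attributes(policy)
    return "Open port", build_return_attributes(None)


# Constructed policies. Order matters: quarantined devices go to the
# remediation VLAN before any productive policy can match them, and a
# corporate-owned device that also carries Employee lands in VLAN 10, not 20.
POLICIES = [
    ReturnPolicy("quarantine", ("byod-wlc",), ("Quarantine",), vlan=999, termination_action=True),
    ReturnPolicy("corporate", ("byod-wlc",), ("Corporate",), vlan=10),
    ReturnPolicy("byod", ("byod-wlc",), ("Employee",), vlan=20),
]

if __name__ == "__main__":
    for roles in (["Employee", "Android", "Corporate"], ["Quarantine"], ["Guest"]):
        print(roles, "->", resolve(POLICIES, "byod-wlc", roles))
```

Note the default: a session whose roles match no policy, or whose authenticator is in a location group no policy selects, is opened onto the port with no VLAN at all. If the intent is to contain unknown devices, a catch-all policy for the remediation VLAN must be listed last rather than relying on the default.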

Figure 28: User Role Configuration Page, General Settings

Figure 29 on page 49 shows the role mapping configuration.

Figure 29: Role Mapping Configuration Page

To configure a resource access policy:
1. Select UAC > Infranet Enforcer > Resource Access to display the resource access policy configuration pages.
2. Click New Policy to display the configuration page shown in Figure 30 on page 50.
3. Complete the configuration as described in Table 17 on page 51.
4. Save the configuration.

Figure 30: Resource Access Policy Configuration Page

Table 17: Resource Access Policy Configuration Guidelines
Name: Specify a name for the configuration.
Description: Describe the purpose of the configuration so that other administrators are aware of it.
Resources
  Resources: Specify the resources to which this policy applies, one per line.
Infranet Enforcer
Roles
  Roles: Select the roles to which the policy applies. In this example, Android is selected.
Action
  Action: In this example, we deny access from Android devices.
Enforcer Options

Related Documentation
  Using Logs to Verify Proper Configuration on page 125
  User and Policy Administration Overview on page 129
  Using Policy Tracing and Debug Logs on page 133
  Understanding the Device Access Management Framework on page 3

Deploying a BYOD Policy for MobileIron Managed Devices

This example shows how to use Access Control Service policies to enforce security based on device identity, device posture, or user identity in a bring your own device (BYOD) environment for an enterprise that uses MobileIron for mobile device management (MDM). It includes the following information:
  Solution Overview on page 52
  Requirements on page 53
  Configuring the MobileIron MDM on page 54
  Configuring the Wireless Access Point on page 59

  Configuring the Device Access Management Framework on page 60
  Configuring an 802.1x Network Access Policy on page 82
  Configuring a Resource Access Policy on page 87

Solution Overview

In the past, to ensure the security and manageability of the corporate network, enterprise information technology (IT) departments restricted network access to company-issued equipment. For mobile phones, the classic example was the company-issued BlackBerry handset. As powerful smart phones and tablets have become commonly held personal possessions, the trend in enterprise IT has been to stop issuing mobile equipment and instead allow employees to use their personal smart phones and tablets to conduct business. This has lowered equipment costs, but BYOD environments pose capacity planning and security challenges: how can an enterprise track network access by devices it did not issue? Can an enterprise implement policies that restrict which mobile devices can access the network and protected resources, in the same way that network access control solutions restrict user access?

Mobile device management (MDM) vendors have emerged to address the first issue. MDMs such as MobileIron provide enrollment and posture assessment services that prompt employees to enter data about their mobile devices. The MDM data records include device attributes and posture assessment status that can be used in the Access Control Service access management framework to enforce security policies.

Figure 31 on page 52 shows a deployment with Access Control Service, a wireless access point, and the MobileIron MDM.

Figure 31: Solution Topology

The solution shown in this example leverages the Pulse Secure access management framework to support attribute-based network access control for mobile devices.
In the device access management framework, the MDM is a device authorization server, and MDM record attributes are the basis for access policy decisions. For example, suppose your enterprise wants to enforce a policy that allows access only to mobile devices that have enrolled with the MDM or are compliant with the MDM posture assessment policies. You can use the attributes and status maintained by the MDM in Access Control Service role-mapping rules to implement the policy.

It is possible to use the MAC address as the device identifier, and this is supported as a fallback. We recommend, however, that you implement the solution as shown here, using client certificates.

This example shows how to enable security with the familiar 802.1x framework. In this framework, a native supplicant is used to authenticate the user of the device. The device itself is identified using a client certificate that contains the device identity. Client certificates provide a more secure way to identify a device than a MAC address, which is vulnerable to spoofing. The 802.1x EAP methods that provide a TLS tunnel (PEAP, TLS and TTLS) can use a client certificate. The following behavior is illustrative:

TTLS/MSCHAPv2: The client certificate presented during the TLS handshake is used to identify the device against the MDM records, and MSCHAPv2 is used to authenticate the user against an authentication server.
PEAP/MSCHAPv2: Although PEAP does not allow for user authentication with a client certificate, the client certificate can still be presented during the TLS handshake and used to identify the device against the MDM records. MSCHAPv2 is used to authenticate the user against an authentication server.
TLS: The client certificate is used both to identify the device against the MDM records and to authenticate the user against a certificate server.

The Pulse Secure solution supports attribute-based Layer 2 network access control through familiar RADIUS return attribute policies, and Layer 3 enforcement through resource access policies. For example, you can implement policies that allow devices that have a clean MDM posture assessment and are compliant with MDM policies to access the network, but deny access to servers when you want to prevent downloads to employee-owned devices or to a particular platform that might be vulnerable.

Requirements

Table 18 on page 53 lists version information for the solution components shown in this example.

Table 18: Component Version Information
ACS: 4.4 R4-MDM or 5.0r1 or later is required.
MobileIron MDM: Release 5.6 is used in this example. Any version that supports the device ID and device attributes you plan to query is compatible.
Wireless access point: Juniper Networks WLC2 wireless LAN controller and WLA322 access point are used in this example. Any wireless access point that supports deployment as an 802.1x authenticator is compatible.

Configuring the MobileIron MDM

This solution assumes you know how to configure and use the features of your MDM, and that you can enroll employees and their devices. For more information about the MobileIron MDM, refer to its documentation and support resources.

This section focuses on the following elements of the MDM configuration that are important to this solution:
  Device identifier: The primary key for device records. Your MDM configuration determines whether a Universal Unique Identifier (UUID), Unique Device Identifier (UDID), or serial number is used as the device identifier. For MobileIron, UUID is supported and recommended.
  Device attributes: A standard set of data maintained for each device. For MobileIron, see Table 19 on page 54.

When the user installs the MDM application on the device and completes enrollment, the MDM pushes the device certificate to the device. After enrollment, the MDM maintains a database record that includes information about the enrollee: attributes related to device identity, user identity, and posture assessment against MDM policies. Table 19 on page 54 describes these attributes. In this solution, these attributes are used in the Access Control Service role mapping that is the basis for network access and resource access policies. When you configure role-mapping rules, you specify the normalized ACS attribute name.

Table 19: MobileIron Device Attributes
(MobileIron attribute -> ACS attribute: Description. Type)
@id -> deviceid: Device identifier. String
compliance -> iscompliant: True if the device is in compliance with its MDM security policies; false otherwise. Boolean
compliance -> iscompromised: True if the device is compromised; false otherwise. Boolean
countryname -> countryname: Country name corresponding with the country code of the device. String
currentphonenumber -> phonenumber: Phone number entered during registration. String
emailaddress -> useremail: Email address of the device user. String
employeeowned -> ownership: Values: Employee, Corporate, or Shared. String
homeoperator -> homeoperator: The service operator for the device when it is not roaming. String
iphone IMEI, ImeiOrMeid -> IMEI: IMEI number of the device. String

Table 19: MobileIron Device Attributes (continued)
iphone UDID -> UDID: UDID. String
isblocked -> isblocked: True if the device is blocked from accessing the ActiveSync server; false otherwise. Boolean
isquarantined -> isquarantined: True if the device is quarantined by the MDM; false otherwise. Boolean
lastconnectat -> lastseen: Date and time the device last made successful contact with the MDM. Timestamp
manufacturer -> manufacturer: Manufacturer is automatically reported by the device during registration. String
mdmmanaged -> mdmmanaged: Indicates that the MDM profile is enabled on the device. This field applies only to iOS devices. For other devices, the value is always false. Boolean
ModelName, model, device_model -> model: Model is automatically reported by the device during registration. String
name -> devicename: The concatenated name used to identify the device/user combination. String
operator -> operator: The operator associated with the device. String
OSVersion, os_version -> osversion: OS version. String
platform, platform_name -> platform: Platform specified during registration. String
principal, useruuid -> userid: User ID. String
SerialNumber -> serialnumber: Serial number. String
status, statuscode -> isenrolled: True if the device has completed enrollment or registration; false otherwise. Boolean
uuid -> UUID: UUID. String
userdisplayname, userfirstname, userlastname -> username: Name of the device user. String
macaddress -> macaddress: MAC address. String

To configure the MDM:
1. Enroll devices in the MDM using the methods supported by the MDM.
2. Create a Simple Certificate Enrollment Protocol (SCEP) configuration that specifies the field and type of identifier for client device certificates. See Figure 32 on page 57. The MDM configuration templates provide flexibility in how the device identifier is placed in the device certificate's subject or subject alternative name. We recommend that you also include the user ID in the certificate, so that the certificate identifies both the user and the device. For example:
   CN=<DEVICE_UUID>, uid=<user_id>, o=company
   Because the user name is later taken from this certificate with no other credential (see Configuring the Certificate Server on page 65), the MDM's certificate issuance is what binds the uid to the enrolled user. Protect the SCEP configuration and the issuing CA accordingly: any certificate they issue is accepted as that user.
3. Create a Wi-Fi configuration that specifies the SSID and security options. See Figure 33 on page 58. During the enrollment process, this profile is provisioned to the device. Select the SCEP configuration completed in Step 2.
4. Select the Wi-Fi Profile configuration and apply it to a group label you have provisioned to manage this group of devices. See Figure 34 on page 58.
5. Apply the group label to which the Wi-Fi Profile belongs to the devices. See Figure 35 on page 59.

Figure 32: MobileIron SCEP Configuration

Figure 33: MobileIron Wi-Fi Configuration

Figure 34: Applying the Wi-Fi Configuration to a Label

Figure 35: Applying a Device Record to a Label

Configuring the Wireless Access Point

The following wireless access point settings are important in this solution:
  802.1x authentication
  RADIUS authenticator communication with the Access Control Service RADIUS server
  VLANs, if you want to be able to assign user roles to VLANs

Refer to your vendor's documentation for information about the wireless access point 802.1x configuration. For information about Juniper Networks wireless access controllers, refer to the Juniper Networks wireless LAN services documentation.

Figure 36 on page 59 shows the 802.1x configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 36: WLC 802.1x Authentication Configuration

Figure 37 on page 60 shows the RADIUS configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 37: WLC RADIUS Configuration

Figure 38 on page 60 shows the VLAN configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 38: WLC VLAN Configuration

Configuring the Device Access Management Framework

This section describes the basic steps for configuring the device access management framework:
1. Configuring an Authentication Protocol Set on page 61
2. Configuring the MDM Authentication Server on page 62
3. Configuring the Certificate Server on page 65
4. Adding the MDM Certificate to the Trusted Client CA Configuration on page 67

5. Configuring User Roles on page 69
6. Configuring a Realm and Role Mapping Rules on page 74
7. Configuring a Sign-In Policy on page 80

Configuring an Authentication Protocol Set

The authentication protocol set associated with the sign-in page must include the EAP method selected in the MDM Wi-Fi Profile. The predefined authentication protocol set named 802.1x, shown in Figure 39 on page 61, can be used as-is, since it includes all the EAP methods currently configurable on MDMs.

Figure 39: Authentication Protocol Set Configuration Page

If you want to define a custom set for this solution, complete the following procedure. Keep in mind that device identification in this solution depends on the client certificate presented during the TLS handshake, so a custom set must still contain the TLS-tunnelled EAP method (PEAP, TLS or TTLS) that the MDM Wi-Fi profile uses.

To configure the authentication protocol set:
1. Select Signing In > Authentication Protocols to display the configuration page.
2. Click New Authentication Protocol, or select the predefined 802.1x set and click Duplicate.

3. Complete the configuration as described in Table 20 on page 62.
4. Save the configuration.

Table 20: Authentication Protocol Set Configuration Guidelines
Name: Specify a name for the protocol set.
Description: Describe the purpose of the set so that other administrators are aware of it.
Authentication Protocol: Use the Add/Remove buttons to select the protocols to be used. Use the up/down arrows to list the selected protocols in the preferred order.
TLS: Use the Add/Remove buttons to select the protocols to be used. Use the up/down arrows to list the selected protocols in the preferred order.

Configuring the MDM Authentication Server

The MDM authentication server configuration is used by the system to communicate with the MDM. In the device access management framework, the MDM server is used as the device authorization server.

To configure the authentication server:
1. Select Authentication > Auth Servers to navigate to the authentication server configuration pages.
2. Select MDM Server and click New Server to display the configuration page shown in Figure 40 on page 63.
3. Complete the configuration as described in Table 21 on page 64.
4. Save the configuration.

Figure 40: Authentication Server Configuration Page

Table 21: Authentication Server Configuration Guidelines
Name: Specify a name for the configuration.
Server: Specify the URL for your MobileIron server. This is the URL MobileIron has instructed you to use to access its RESTful web API (also called a RESTful web service). The MobileIron server used in this example is reached over port 443.
Viewer Url: Specify the URL for the MobileIron report viewer. This URL is used to link records on the Active Users page to the MobileIron records. The URL for the MobileIron viewer in this example has the following form: https://m.mobileiron.net/junipertest/admin/admin.html#smartphones:all
Administrator: Specify the username for an account that has privileges to access the MobileIron RESTful web API.
Password: Specify the corresponding password.
Device Identifier
  Require Certificate: Require that the device certificate pushed to client devices during enrollment is used for device identification. If this option is selected and the client device does not have a certificate, authentication fails. Use this option when certificate security is important to you. If this option is not selected and the client does not have a certificate, the system uses the device MAC address as the device identifier. The Access Control Service obtains the MAC address from the Calling-Station-Id attribute in the RADIUS messages. Because a MAC address can be spoofed (see Solution Overview on page 52), leave this option selected unless you have deliberately decided to accept MAC-based identification.
  Device ID Template: Template for constructing the device identifier from certificate attributes. The template can contain literal text as well as variables for substitution. The variables are the same as those used in role mapping custom expressions and policy conditions. Enclose variables in angle brackets, like this: <variable>. All of the certificate variables are available. With this configuration, the certificate can identify both the user and the device. In this example, the device ID template is <certdn.cn>.

Table 21: Authentication Server Configuration Guidelines (continued)
  ID Type: Select the device identifier type that matches the selection in the MDM SCEP certificate configuration:
    UUID: The device Universal Unique Identifier. This is the key device identifier supported by the MobileIron MDM.
    Serial Number: The device serial number.
    UDID: The device Unique Device Identifier. Not supported by the MobileIron MDM.

Configuring the Certificate Server

The certificate server configuration enables device users to authenticate using the certificate pushed to the device by the MDM. The certificates are used for user authentication, and the users do not have to enter user credentials.

To configure authentication with the certificate server:
1. Select Authentication > Auth. Servers.
2. Select Certificate Server and click New Server to display the configuration page shown in Figure 41 on page 66.
3. Complete the configuration as described in Table 22 on page 66.
4. Save the configuration.

Figure 41: Certificate Server Configuration Page

Table 22: Certificate Server Settings
Name: Specify a name to identify the server within the system.
User Name Template: Specify any combination of certificate variables contained in angle brackets and plain text. The user name template you configure must be consistent with the MDM certificate template configuration. Your goal is to identify the values specified in the MDM certificate that are to be used as the user name in the Access Control Service system. This value populates the <USER> and <USERNAME> session variables for use throughout the rest of the system configuration. With this configuration, the certificate can identify both the user and the device. In this example, the user name template is <certdn.uid>.
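The two templates, <certdn.cn> for the device ID (Table 21) and <certdn.uid> for the user name (Table 22), are applied to a certificate subject of the form CN=<DEVICE_UUID>, uid=<user_id>, o=company from the MDM SCEP step. The Python below is an added example written for this page, not Pulse Secure code: it parses such a subject DN, expands both templates, and applies the Require Certificate decision of Table 21, falling back to the MAC address from the RADIUS Calling-Station-Id only when that option is off. The sample subject DN, the Calling-Station-Id string and all function names are this example's own assumptions; only the template syntax and the variable names certdn.cn and certdn.uid come from the text.

```python
import re
from typing import Dict, Optional

# Templates as configured in Table 21 (device ID) and Table 22 (user name).
DEVICE_ID_TEMPLATE = "<certdn.cn>"
USER_NAME_TEMPLATE = "<certdn.uid>"

# Constructed sample inputs (assumptions, not data from the page): a subject in
# the layout the MobileIron SCEP template produces, and a Calling-Station-Id in
# the dash-separated form access points commonly send.
SAMPLE_SUBJECT_DN = "CN=7d9c2b61-3f0a-4e8e-9a77-0b1c2d3e4f50, uid=jdoe, o=company"
SAMPLE_CALLING_STATION_ID = "00-1A-2B-3C-4D-5E"


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514-style DN into {attribute: value}.

    Attribute types are lower-cased so CN, cn and uid all look up the same way;
    a backslash-escaped comma inside a value does not split the RDN.
    """
    pairs: Dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs[key.strip().lower()] = value.strip().replace("\\,", ",")
    return pairs


def expand_template(template: str, subject: Dict[str, str]) -> str:
    """Substitute every <certdn.X> variable with subject attribute X.

    A template naming an attribute the certificate lacks is an error rather than
    an empty string: an empty device ID would match nothing, or the wrong MDM record.
    """
    def substitute(match: "re.Match[str]") -> str:
        attr = match.group(1).lower()
        if attr not in subject:
            raise ValueError(f"certificate subject has no attribute {attr!r}")
        return subject[attr]
    return re.sub(r"<certdn\.([A-Za-z0-9_-]+)>", substitute, template)


def normalize_mac(calling_station_id: str) -> str:
    """Canonicalise 00-1A-2B-3C-4D-5E, 001a.2b3c.4d5e or 00:1a:... to aa:bb:cc:dd:ee:ff."""
    hex_digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(hex_digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return ":".join(hex_digits[i:i + 2] for i in range(0, 12, 2))


def device_identifier(subject_dn: Optional[str], calling_station_id: Optional[str],
                      require_certificate: bool, template: str = DEVICE_ID_TEMPLATE) -> str:
    """Mirror the Device Identifier logic of Table 21.

    With a client certificate the device ID comes from the template. Without one,
    Require Certificate fails the authentication; otherwise the MAC address from
    Calling-Station-Id is used, with the spoofing caveat the text gives.
    """
    if subject_dn is not None:
        return expand_template(template, parse_dn(subject_dn))
    if require_certificate:
        raise PermissionError("no client certificate presented and Require Certificate is set")
    if calling_station_id is None:
        raise PermissionError("no client certificate and no Calling-Station-Id to fall back on")
    return normalize_mac(calling_station_id)


def user_name(subject_dn: str, template: str = USER_NAME_TEMPLATE) -> str:
    """Mirror the certificate server user name template of Table 22 (<USER>/<USERNAME>)."""
    return expand_template(template, parse_dn(subject_dn))


if __name__ == "__main__":
    print("device id  :", device_identifier(SAMPLE_SUBJECT_DN, SAMPLE_CALLING_STATION_ID, True))
    print("user name  :", user_name(SAMPLE_SUBJECT_DN))
    print("MAC fallback:", device_identifier(None, SAMPLE_CALLING_STATION_ID, False))
```

Run with no arguments to see the three outcomes: the UUID from CN, the user from uid, and the normalized MAC that only a non-certificate endpoint with Require Certificate cleared would get.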

Adding the MDM Certificate to the Trusted Client CA Configuration

The system uses the uploaded CA certificate to verify that the certificate submitted by the endpoint is valid. You must upload the MDM certificate that signed the client certificates pushed to the mobile devices. Typically, you obtain this certificate from the MDM when your company establishes its account with them. Upload only that CA: any client certificate chaining to a CA in this list satisfies the realm's certificate restriction, and its subject is what the user name template turns into a user.

To import a trusted client CA certificate:
1. Select System > Configuration > Certificates > Trusted Client CAs to display the page shown in Figure 42 on page 67.

Figure 42: Trusted Client CA Management Page

2. Click Import CA Certificate to display the page shown in Figure 43 on page 67.

Figure 43: Import Trusted Client CA Page

3. Browse to the certificate file, select it, and click Import Certificate to complete the import operation.
4. Click the link for the Trusted Client CA to display its details. Figure 44 on page 68 shows the configuration for this example.

Figure 44: Trusted Client CA Configuration for MobileIron

Configuring User Roles

User roles are classifiers for network access control policies. You create a set of roles to use in your classification scheme: device status is MDM enrollment complete or incomplete; device status is MDM-policy compliant or non-compliant; device is employee owned or company owned; device platform is iOS, Android, or neither; and so forth.

The user role configuration also includes options to customize user interface features that are appropriate for a particular role. For MDM deployments, you can use the Personalized Greeting UI option to send a notification message to the device when the role has been applied.

To configure user roles:
1. Select Users > User Role to navigate to the role configuration page.
2. Click New Role to display the configuration page shown in Figure 45 on page 70.
3. Complete the configuration for general options as described in Table 23 on page 73.
4. Save the configuration.
5. Click UI options to display the configuration page shown in Figure 46 on page 71.
6. Complete the configuration for UI options as described in Table 23 on page 73.
7. Save the configuration.
8. Click Session Options to display the configuration page shown in Figure 47 on page 72.
9. Complete the configuration for session options as described in Table 23 on page 73.
10. Save the configuration.
11. Click Agentless to display the configuration page shown in Figure 48 on page 73.
12. Complete the configuration for agentless options as described in Table 23 on page 73.
13. Save the configuration.

Figure 45: User Role Configuration Page, General Settings

Figure 46: User Role Configuration Page, UI Options

Figure 47: User Role Configuration Page, Session Options

Figure 48: User Role Configuration Page, Agentless Access

Table 23: User Role Configuration Guidelines
Overview tab
  Name: Specify a name for the configuration.
  Description: Describe the purpose of the role so that other administrators are aware of it.
  Options: ...role is applied.
UI Options tab
  Personalized greeting: ...(via the MDM API) after sign-in once this role has been applied, or after role reevaluation if it results in a role change to this role. In this example, we are using the system to enforce MDM enrollment and to flag compromised devices. The message, therefore, is: The message is forwarded to the device using the MDM server Push Notification feature.
  NOTE: If multiple roles are assigned, UI options are not merged. The UI options for the first role that matches are applied.
Session Options tab

Table 23: User Role Configuration Guidelines (continued)
  Session Options: ...alive. This option is useful for iOS devices.
Agentless tab
  Agentless: Select this option for roles that you provision to access the network from BYOD devices. The solution that integrates with MDMs depends on the native supplicant, not a Pulse Secure agent.

Configuring a Realm and Role Mapping Rules

The user realm configuration associates the authentication server data and MDM server data with user roles.

To configure the realm and role mapping rules:
1. Select Users > User Realms > New User Realm to display the configuration page shown in Figure 49 on page 75.
2. Complete the configuration as described in Table 24 on page 75.
3. Save the configuration. Upon saving the new realm, the system displays the role mapping rules page.
4. Click New Rule to display the configuration page shown in Figure 50 on page 77.
5. Complete the configuration as described in Table 25 on page 77.
6. Save the configuration.
7. Click the Authentication Policy tab and then click the Certificate sub tab to display the certificate restriction configuration page shown in Figure 51 on page 80.
8. Complete the configuration as described in Table 27 on page 80.
9. Save the configuration.

Figure 49: Realm Configuration Page

Table 24: Realm Configuration Guidelines
Name: Specify a name for the realm. If you enable sign-in using a realm suffix in the sign-in policy configuration, the realm name must match the user name realm suffix configured in the MDM Wi-Fi profile. See Figure 33 on page 58.
Description: Describe the purpose of the realm so that other administrators are aware of it.
Servers

Table 24: Realm Configuration Guidelines (continued)
  Authentication: Select the user authentication server for this realm's users. This example uses the certificate server.
  User Directory/Attribute: Do not select.
  Accounting: Do not select.
  Device Attributes: Select the MDM server configured in the earlier step. ...remediation VLAN.
  Device Check Interval: Specify the interval at which to query the MDM for updated attribute data. Specify 0 to disable periodic queries. The minimum is 10 minutes and the maximum is 10080 minutes (7 days). Specify an interval that is appropriate for the MDM. Some MDMs, for example, update records every 4 hours, so a 10 minute interval would not be productive. MobileIron suggests polling every 60 minutes. Note that this interval also bounds how long a device that becomes compromised or falls out of compliance keeps the roles it was assigned at sign-in.
Dynamic Policy Evaluation
  Dynamic Policy Evaluation: ...the queries return changed attribute values.
  Refresh interval: Do not select.
  Refresh roles: Do not select.
  Refresh resource policies: Do not select.
Session Migration
  Session Migration: Do not select this option. Session migration is useful for endpoints running Pulse Secure client software, which is not the case for the endpoints in this MDM example.

Figure 50: Role Mapping Configuration Page

Table 25: Role Mapping Configuration Guidelines
Rule based on: Select Device Attribute and click Update to update the configuration page so that it displays settings for role mapping using device attributes.
Name: Specify a name for the configuration.
Rule: Select a device attribute (see Table 26 on page 78), a logical operator (is or is not), and type a matching value or value pattern. In this example, we select iscompromised, the logical operator is, and enter the value 1 (true). This means that devices the MDM reports as compromised match the rule.
Role assignment: Select the roles to apply if the data matches the rule.

TIP: You are likely to create multiple roles and role-mapping rules to assign roles for different policy purposes. Your realm can have a set of rules based on user attribute, group membership, and device attribute. Be mindful that the user and device can map to multiple roles. Use stop rules and order your rules carefully to implement the policy you intend.

Table 26 on page 78 describes the MobileIron record attributes that can be used in role mapping rules.

Table 26: MobileIron Record Attributes
(ACS attribute <- MobileIron attribute: Description. Type)
countryname <- countryname: Country name corresponding with the country code of the device. String
deviceid <- @id: Device identifier. String
devicename <- name: The concatenated name used to identify the device/user combination. String
homeoperator <- homeoperator: The service operator for the device when it is not roaming. String
isblocked <- isblocked: True if the device is blocked from accessing the ActiveSync server; false otherwise. Boolean
iscompliant <- compliance: True if the device is in compliance with its MDM security policies; false otherwise. Boolean
iscompromised <- compliance: True if the device is compromised; false otherwise. Boolean
isquarantined <- isquarantined: True if the device is quarantined by the MDM; false otherwise. Boolean
isenrolled <- status, statuscode: True if the device has completed enrollment or registration; false otherwise. Boolean
IMEI <- ImeiOrMeid: IMEI number of the device. String
lastseen <- lastconnectat: Date and time the device last made successful contact with the MDM. Timestamp
macaddress <- macaddress: MAC address. String
manufacturer <- manufacturer: Manufacturer is automatically reported by the device during registration. String

Table 26: MobileIron Record Attributes (continued)
mdmmanaged <- mdmmanaged: Indicates that the MDM profile is enabled on the device. This field applies only to iOS devices. For other devices, the value is always false. Boolean
model <- ModelName, model, device_model: Model is automatically reported by the device during registration. String
operator <- operator: The operator associated with the device. String
osversion <- OSVersion, os_version: OS version. String
ownership <- employeeowned: Values: Employee, Corporate, or Shared. String
phonenumber <- currentphonenumber: Phone number entered during registration. String
platform <- platform, platform_name: Platform specified during registration. String
serialnumber <- SerialNumber: Serial number. String
UDID <- iphone UDID: UDID. String
UUID <- uuid: UUID. String
userid <- principal, useruuid: User ID. String
useremail <- emailaddress: Email address of the device user. String
username <- userdisplayname, userfirstname, userlastname: Name of the device user. String

NOTE: By design, you should be able to specify true or false, or 1 or 0, for Boolean data types in your role mapping rules. Due to an issue in this release, you must use 1 for true and 0 for false.
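The following Python shows how the device-attribute rules of Table 25, the stop-rule and ordering advice in the TIP, and the Boolean spellings in the NOTE interact when several rules apply to one MDM record. It is an added example written for this page, not Pulse Secure code, and it generalizes the single iscompromised rule in the text to a small ordered rule set. The role names, the rule set, the MDM records and the treatment of an attribute the MDM did not report under "is not" are this example's own assumptions; record keys are the normalized ACS attribute names of Table 26.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    """One role mapping rule of the Device Attribute kind (Table 25)."""
    attribute: str          # normalized ACS attribute name from Table 26
    operator: str           # "is" or "is not"
    value: str              # literal value, or a pattern with * and ? wildcards
    roles: Tuple[str, ...]  # roles assigned when the rule matches
    stop: bool = False      # stop rule: no further rules are evaluated after a match


def normalize(value: Any) -> str:
    """Canonicalise Boolean spellings so 1/true and 0/false compare equal.

    The NOTE above says this release needs 1 and 0 in the rule value; accepting
    true and false as well is the stated design intent, not a claim about 5.1.
    """
    if isinstance(value, bool):
        return "1" if value else "0"
    text = str(value).strip()
    if text.lower() in ("1", "true"):
        return "1"
    if text.lower() in ("0", "false"):
        return "0"
    return text


def rule_matches(rule: Rule, record: Dict[str, Any]) -> bool:
    """Apply one rule to an MDM record keyed by normalized attribute name."""
    if rule.operator not in ("is", "is not"):
        raise ValueError(f"unsupported operator {rule.operator!r}")
    actual = record.get(rule.attribute)
    # An attribute the MDM did not report never satisfies "is"; letting it
    # satisfy "is not" is this example's assumption, the page does not say.
    hit = actual is not None and fnmatchcase(normalize(actual), normalize(rule.value))
    return hit if rule.operator == "is" else not hit


def map_roles(record: Dict[str, Any], rules: Sequence[Rule]) -> List[str]:
    """Evaluate rules in configured order, collecting roles until a stop rule fires."""
    roles: List[str] = []
    for rule in rules:
        if not rule_matches(rule, record):
            continue
        for role in rule.roles:
            if role not in roles:
                roles.append(role)
        if rule.stop:
            break
    return roles


# Rule set for the scenario in the text: catch compromised and unenrolled
# devices first (with stop rules), then classify the rest. Role names are assumptions.
RULES = (
    Rule("iscompromised", "is", "1", ("Quarantine",), stop=True),
    Rule("isenrolled", "is", "0", ("Unenrolled",), stop=True),
    Rule("platform", "is", "Android", ("Android",)),
    Rule("iscompliant", "is", "1", ("Compliant",)),
    Rule("ownership", "is", "Employee", ("BYOD",)),
)

# Constructed MDM records (not real data), mixing the Boolean spellings an MDM
# query and an administrator might each produce.
COMPROMISED_ANDROID = {
    "deviceid": "7d9c2b61-3f0a-4e8e-9a77-0b1c2d3e4f50", "platform": "Android",
    "isenrolled": True, "iscompromised": True, "iscompliant": "false", "ownership": "Employee",
}
COMPLIANT_ANDROID = {
    "deviceid": "c1a0e4d2-5b6f-4a1e-8c3d-2e9f0a1b2c3d", "platform": "Android",
    "isenrolled": "1", "iscompromised": 0, "iscompliant": "true", "ownership": "Employee",
}
UNENROLLED_IOS = {
    "deviceid": "0f1e2d3c-4b5a-4968-8776-655443322110", "platform": "iOS",
    "isenrolled": "false", "iscompromised": "0", "ownership": "Corporate",
}

if __name__ == "__main__":
    for label, record in (("compromised", COMPROMISED_ANDROID),
                          ("compliant", COMPLIANT_ANDROID),
                          ("unenrolled", UNENROLLED_IOS)):
        print(f"{label:>11}: {map_roles(record, RULES)}")
```

Without the stop flag on the first rule, the compromised Android device would also pick up the Android and BYOD roles and, with them, whatever VLAN and resource policies those roles grant; that is the failure the TIP warns about.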

Figure 51: Realm Configuration Page, Certificate Restrictions

Table 27: Realm Configuration Certificate Restriction Guidelines
Allow all users: Do not select this option. If you select it, the system does not request a client certificate during the TLS handshake.
Allow all users and remember certificate information while user is signed in: If the endpoint presents a client certificate, the certificate attributes are placed in the session context.
Only allow users with a client-side certificate: If you select this option, the system requests a client certificate during the TLS handshake. It does not allow endpoints to authenticate without a valid client certificate. If the realm is configured with a certificate server, as in this example, this is the only option that can be selected.

Configuring a Sign-In Policy

A sign-in policy associates devices with a realm.

To configure a sign-in policy:
1. Select Authentication > Signing In > Sign-In Policies to navigate to the sign-in policies configuration page.
2. Click New URL to display the configuration page shown in Figure 52 on page 81.
3. Complete the configuration as described in Table 28 on page 82.
4. Save the configuration.

Figure 52: Sign-In Policy Configuration Page

Table 28: Sign-In Policy Configuration Guidelines
User type: Select Users.
Description: Describe the purpose of the sign-in policy so that other administrators are aware of it.
Authentication Realm
  Realm: Select the realm you configured in the earlier step.
  Authentication Protocol Set: Select the protocol set you configured in the earlier step.
  Enable sign-in using realm suffix: To use this option, the realm name must match the user name realm suffix configured in the MDM Wi-Fi profile. See Figure 33 on page 58. This configuration enables you to dedicate the realm to the MDM traffic. Non-MDM traffic passing through the same switch then belongs to a different realm.
  Remove realm suffix: Remove the realm suffix within system processes, such as rule processing and logs.
Configure Sign-in Notifications
  Pre-Auth Sign-in Notification: Not used in this scenario.
  Post-Auth Sign-in Notification: Not used in this scenario.

Configuring an 802.1x Network Access Policy

The 802.1x network access policy framework is used for network communication between the wireless access point and the Access Control Service. This section describes the key configuration elements:
1. Configuring a Location Group on page 82
2. Configuring a RADIUS Client on page 83
3. Configuring a RADIUS Return Attributes Policy on page 85

Configuring a Location Group

A location group associates the RADIUS framework with sign-in pages.

To configure a location group:

1. Select UAC > Network Access > Location Group to navigate to the location group configuration pages.
2. Click New Location Group to display the configuration page shown in Figure 53 on page 83.
3. Complete the configuration as described in Table 29 on page 83.
4. Save the configuration.

Figure 53: Location Group Configuration Page

Table 29: Location Group Configuration Guidelines

Name: Specify a name for the configuration.
Description: Describe the purpose of the location group so that other administrators are aware of it.
Sign-In Policy: Select the sign-in policy you configured in the earlier step.
Do not select for this solution.

Configuring a RADIUS Client

The RADIUS client configuration is used for communication with the 802.1x authenticator, in this case the wireless access point.

To configure a RADIUS client:

1. Select UAC > Network Access > RADIUS Client to display the RADIUS client configuration pages.
2. Click New RADIUS Client to display the configuration page shown in Figure 54 on page 84.
3. Complete the configuration as described in Table 30 on page 84.
4. Save the configuration.

Figure 54: RADIUS Client Configuration Page

Table 30: RADIUS Client Configuration Guidelines

RADIUS Client
Name: Specify a name for the configuration.
Description: Describe the purpose of the configuration so that other administrators are aware of it.

Table 30: RADIUS Client Configuration Guidelines (continued)

IP Address Range: Specify the number of IP addresses for the RADIUS authenticator. authenticator configuration.
Make/Model: Select the make and model of the RADIUS authenticator.
Location Group: Select the location group you configured in the earlier step.
Dynamic Authorization Support: Send disconnect messages to supplicants if access is no longer authorized.

Configuring a RADIUS Return Attributes Policy

The RADIUS return attributes policy is a framework for role-based assignment of traffic to VLANs. The policy specifies the return list attributes to send to an 802.1X network access device, such as which VLAN endpoints must use to access the network. If no policy applies, Open Port is the default action.

To configure a RADIUS return attributes policy:

1. Select UAC > Network Access > RADIUS Attributes > Return Attributes to display the RADIUS return attributes policy configuration pages.
2. Click New Policy to display the configuration page shown in Figure 55 on page 86.
3. Complete the configuration as described in Table 31 on page 87.
4. Save the configuration.

Figure 55: RADIUS Return Attributes Policy Configuration Page

Table 31: RADIUS Return Attributes Policy Configuration Guidelines

Name: Specify a name for the configuration.
Description: Describe the purpose of the configuration so that other administrators are aware of it.
Location Group: Select the location groups for which this policy applies. In this example scenario, select the location group you configured in the earlier step.

RADIUS Attributes
Open port: Return authorization to open the port. This option does not restrict access to a particular VLAN.
Return a VLAN ID for the VLAN in which to place the traffic. This is the option used in this
Return Attribute: Select and configure other RADIUS attributes to send in the return message. None are configured for this example.
Add Termination-Action attribute: Add the Termination-Action attribute with a value of 1 to attempt reauthentication after session termination.

Interface
Interface: Select the interface that endpoints on this VLAN use to connect to the system.

Roles
Roles: Select the roles to which the policy applies.

Configuring a Resource Access Policy

A resource policy enforces role-based access to resources protected by an Infranet Enforcer firewall. You can use the device access management framework to assign roles to devices, and use the resource policy to deny access to resources that should not be downloaded onto a specific device platform, in this example Android devices.

This solution example assumes you have deployed Infranet Enforcers to protect Web servers in your network. This example does not explain how to deploy an Infranet Enforcer. For information on the Infranet Enforcer, refer to its documentation.

In this scenario, the role configuration and role mapping configuration create a classification for Android devices. Figure 56 on page 88 shows the user role configuration.

Figure 56: User Role Configuration Page General Settings

Figure 57 on page 89 shows the role mapping configuration.

Figure 57: Role Mapping Configuration Page

To configure a resource access policy:

1. Select UAC > Infranet Enforcer > Resource Access to display the resource access policy configuration pages.
2. Click New Policy to display the configuration page shown in Figure 58 on page 90.
3. Complete the configuration as described in Table 32 on page 91.
4. Save the configuration.

Figure 58: Resource Access Policy Configuration Page

Table 32: Resource Access Policy Configuration Guidelines

Name: Specify a name for the configuration.
Description: Describe the purpose of the configuration so that other administrators are aware of it.

Resources
Resources: Specify the resources for which this policy applies, one per line.

Infranet Enforcer
Infranet Enforcer:

Roles
Roles: Select the roles to which the policy applies. In this example, Android is selected.

Action
Action: In this example, we deny access from Android devices.

Enforcer Options
Enforcer Options:

Related Documentation
Using Logs to Verify Proper Configuration on page 125
User and Policy Administration Overview on page 129
Using Policy Tracing and Debug Logs on page 133
Understanding the Device Access Management Framework on page 3

Deploying a BYOD Policy for Devices Discovered by Pulse Secure Endpoint Profiler

This example shows how to use Access Control Service policies to enable security based on device identity in a bring your own device (BYOD) environment for an enterprise that uses the Pulse Secure Endpoint Profiler to catalog mobile devices that attempt to access the local network. It includes the following information:

Solution Overview on page 92
Requirements on page 93
Configuring the Endpoint Profiler on page 93
Configuring the Wireless Access Point on page 97
Configuring the Device Access Management Framework on page 99

Configuring an 802.1x Network Access Policy on page 114
Configuring a Resource Access Policy on page 119

Solution Overview

In the past, in order to ensure security and manageability of the corporate network, enterprise information technology (IT) departments restricted network access to company-issued equipment. For mobile phones, the classic example was the company-issued BlackBerry handset. As powerful mobile smart phones and tablets have become widely held personal possessions, the trend in enterprise IT has been to stop issuing mobile equipment and instead allow employees to use their personal smart phones and tablets to conduct business activities. This has lowered equipment costs, but BYOD environments pose capacity planning and security challenges: how can an enterprise track network access by non-company-issued devices? Can an enterprise implement policies that restrict which mobile devices can access the network and protected resources, in the same way that network access control solutions restrict user access?

The Pulse Secure Endpoint Profiler can be used to catalog information about mobile devices that attempt to access the local network. You configure the Endpoint Profiler to collect information about mobile devices that attempt to access the local network and store it in an LDAP database. The MAC address is stored as the session attribute callingstationid. This attribute is the filter that the Access Control Service uses to query the Endpoint Profiler LDAP database. The MAC address is the primary key for profiler records, and the record contains other device-related attributes. For mobile devices, the Endpoint Profiler memberofgroup attribute includes information about mobile device platforms (such as Apple or Android). This attribute is useful for role mapping in the familiar Pulse Secure access management framework.
Figure 59 on page 92 shows a deployment with Access Control Service, a wireless access point, and the Pulse Secure Endpoint Profiler.

Figure 59: Solution Topology

The solution shown in this example leverages the Pulse Secure access management framework to support attribute-based network access control for mobile devices. In the device access management framework, the Endpoint Profiler LDAP server is a device authentication server and the LDAP attributes are the basis for access policy determinations. For example, suppose your enterprise wants to enforce a policy that allows access only to Apple mobile devices. You can use the attributes maintained by the Endpoint Profiler in Access Control Service role-mapping rules to implement the policy.

The Pulse Secure solution supports attribute-based Layer 2 network access control through familiar RADIUS return attribute policies, and Layer 3 enforcement through resource access policies. For example, you can implement policies that allow BYOD Apple devices to access the network, but deny access to servers when you want to prevent downloads to employee-owned devices.

Requirements

Table 33 on page 93 lists version information for the solution components shown in this example.

Table 33: Component Version Information

ACS: 4.4 R4-MDM or 5.0r1 or later is required.
Endpoint Profiler: Beacon Endpoint Profiler Release 4.1.0-20 is used in this example. Any version that supports queries based on the callingstationid attribute and memberofgroup attribute is compatible.
Wireless access point: A Juniper Networks WLC2 wireless LAN controller and WLA322 access point are used in this example. Any wireless access point that supports deployment as an 802.1x authenticator is compatible.

Configuring the Endpoint Profiler

The following elements of the Endpoint Profiler configuration are important to this solution:

Network infrastructure: In this example, we want the Endpoint Profiler to listen for traffic on the wireless access point.
Endpoint profiles: In this example, we are interested in profiles for mobile devices such as smart phones and tablets.
LDAP: The Access Control Service uses LDAP to communicate with the Endpoint Profiler.

For information about the Endpoint Profiler, start with the documentation notes. The following procedure illustrates the key configuration steps for this solution.

To configure the Endpoint Profiler:

1. Log in to the Beacon Endpoint Profiler Web administrator console at https://<eth0 IP address>/beacon/login.html.
2. Select Configuration > Network Devices > Add Network Infrastructure Device and complete the configuration for the wireless access point. Figure 60 on page 94 shows the configuration for a device similar to the one used in this example.

Figure 60: Network Infrastructure Device Configuration Page

3. Use the Endpoint Profiles management pages to configure profiles for mobile devices. For example:
   a. Select Configuration > Profiles > View/Edit Profiles to display the Endpoint Profiles management page. Figure 61 on page 95 shows the Endpoint Profiles listing filtered for the group Smartphone.

Figure 61: Endpoint Profiles Smartphone Listing

   b. Select the profile you want and click Modify to display its configuration page. Figure 62 on page 95 shows the Apple iPhone profile configuration page.

Figure 62: Apple iPhone Profile Configuration Page

   c. Select the Yes option to enable the profile and enable the LDAP setting, as shown in Figure 62 on page 95.
   d. Use Chapter 9 of the Great Bay Software Beacon Endpoint Profiler Configuration Guide to configure rules (if desired).
   e. Click Save Profile.
4. Enable the Beacon system to accept LDAP queries and automatically synchronize the LDAP directory with the Beacon database:
   a. Select Configuration > Integrations to display the Integrations management page. Figure 63 on page 96 shows the settings for LDAP integration.

Figure 63: Integrations Management Page

   b. In the Internal LDAP Directory group of settings, select the Enable option. Verbose logging is optional. Leave the "Bind to endpoint" option disabled unless you are fully aware of the security implications of this option.
5. Update the Beacon Modules to apply the configuration changes.

Configuring the Wireless Access Point

The following wireless access point settings are important in this solution:

802.1x authentication
RADIUS authenticator communication with the Access Control Service RADIUS server
VLANs, if you want to be able to assign user roles to VLANs

Refer to your vendor's documentation for information about the wireless access point 802.1x configuration. For information about Juniper Networks wireless access controllers, refer to the Juniper Networks wireless LAN services documentation.

Figure 64 on page 98 shows the 802.1x configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 64: WLC 802.1x Authentication Configuration

Figure 65 on page 98 shows the RADIUS configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 65: WLC RADIUS Configuration

Figure 66 on page 99 shows the VLAN configuration for a Juniper Networks WLC deployment similar to the one used in this example.

Figure 66: WLC VLAN Configuration

Configuring the Device Access Management Framework

This section describes the basic steps for configuring the device access management framework:

1. Configuring an Authentication Protocol Set on page 99
2. Configuring an Authentication Server on page 101
3. Configuring User Roles on page 105
4. Configuring a Realm and Role Mapping Rules on page 108
5. Configuring a Sign-In Policy on page 112

Configuring an Authentication Protocol Set

The authentication protocol set associated with the sign-in page must include the EAP methods supported by the wireless access point for mobile client access. The predefined authentication protocol set named 802.1x, shown in Figure 67 on page 100, includes the most commonly used EAP methods.

Figure 67: Authentication Protocol Set Configuration Page

If you want to define a custom set for this solution, complete the following procedure.

To configure the authentication protocol set:

1. Select Signing In > Authentication Protocols to display the configuration page.
2. Click New Authentication Protocol, or select the predefined 802.1x set and click Duplicate.
3. Complete the configuration as described in Table 34 on page 100.
4. Save the configuration.

Table 34: Authentication Protocol Set Configuration Guidelines

Name: Specify a name for the protocol set.
Description: Describe the purpose of the set so that other administrators are aware of it.

Table 34: Authentication Protocol Set Configuration Guidelines (continued)

Authentication Protocol: Use the Add/Remove buttons to select the protocols to be used. Use the up/down arrows to list the selected protocols in the preferred order.
TLS: Use the Add/Remove buttons to select the protocols to be used. Use the up/down arrows to list the selected protocols in the preferred order.

Configuring an Authentication Server

The authentication server configuration is used by the system to communicate with the Endpoint Profiler. In the device access management framework, the Endpoint Profiler LDAP server is used as the device authorization server.

To configure the authentication server:

1. Select Authentication > Auth Servers to navigate to the authentication server configuration pages.
2. Select LDAP Server and click New Server to display the configuration page shown in Figure 68 on page 102.
3. Complete the configuration as described in Table 35 on page 103.
4. Save the configuration.

Figure 68: Authentication Server Configuration Page

Table 35: Authentication Server Configuration Guidelines

Name: Specify a name to identify the server within the system.
LDAP Port: Specify the LDAP port for the LDAP server. Default port number: 389 (unencrypted connection); 636 (SSL connection).
The specified backup LDAP server is used for failover processing. The authentication request is first routed to the primary LDAP server, and then to the specified backup servers if the primary server is unreachable.
Backup LDAP Port1: Specify the parameters for backup LDAP port1.
Backup LDAP Port2: Specify the parameters for backup LDAP port2.
Connection: Select one of the following options for the connection to the LDAP server:
   Unencrypted: The device sends the username and password to the LDAP Directory Service in cleartext.
   LDAPS: The device encrypts the data in the LDAP authentication session using the Secure Sockets Layer (SSL) protocol before sending it to the LDAP Directory Service.
   Start TLS: The device allows both secure and plain requests against an LDAP server on a single connection.
NOTE: If you select LDAPS or Start TLS, the Validate Certificate option is displayed for the configured LDAP server(s) and their referral servers. Select this option if the SSL connection uses digital certificate security. If you enable validation for the referral servers, make sure your network DNS supports a reverse lookup zone. If you want to verify the server certificates, the root CA and intermediate CAs must be imported as trusted CAs.
Default: 15 seconds
Search Timeout (seconds): Specify the time to wait for search results from a connected LDAP server.

Table 35: Authentication Server Configuration Guidelines (continued)

LDAP Server Configuration page.
Authentication required?: Authentication required to operations.
Admin DN: Specify the administrator DN for queries to the LDAP directory. For example, cn=root,o=beacon.

Finding user entries
Filter: Specify a unique variable that can be used to do a fine search in the tree. For example, macaddress=<callingstationid>.
NOTE: Specify the URL for the Endpoint Profiler viewer. This URL is used to link records on the Active Users page to the Endpoint Profiler records. The URL for the Endpoint Profiler viewer for this example has the following form:
Remove Domain from Windows users names?:
Enable Challenge-Response open protocols?: open protocols

Determining group membership
Base DN: Not supported in this release.
Filter: Not supported in this release.
Member Attribute: Not supported in this release.
Reverse group search: Not supported in this release.
Query Attribute: Not supported in this release.

Table 35: Authentication Server Configuration Guidelines (continued)

Nested Group Level: Not supported in this release.
Nested Group Search: Not supported in this release.

NOTE: The Access Control Service uses the internal interface for traffic with the Endpoint Profiler. You must enable the internal interface and have a route to the Endpoint Profiler.

Configuring User Roles

User roles are classifiers for network access control policies. You create a set of roles to use in your classification scheme: for example, device platform is iOS, Android, or neither.

To configure user roles:

1. Select Users > User Role to navigate to the role configuration page.
2. Click New Role to display the configuration page shown in Figure 69 on page 106.
3. Complete the configuration for general options as described in Table 36 on page 108.
4. Save the configuration.
5. Click Session Options to display the configuration page shown in Figure 70 on page 107.
6. Complete the configuration for session options as described in Table 36 on page 108.
7. Save the configuration.
8. Click Agentless to display the configuration page shown in Figure 71 on page 108.
9. Complete the configuration for agentless options as described in Table 36 on page 108.
10. Save the configuration.

Figure 69: User Role Configuration Page General Settings

Figure 70: User Role Configuration Page Session Options

Figure 71: User Role Configuration Page Agentless Access

Table 36: User Role Configuration Guidelines

General
Name: Specify a name for the configuration.
Description: Describe the purpose of the role so that other administrators are aware of it.

Session Options
Allow VPN Through Firewall: Enable this option to allow Infranet Enforcer traffic to act as a heartbeat and keep the session alive. This option is especially useful for iOS devices.

Agentless
Enable agentless access: Select this option for roles that you provision to access the network from BYOD devices. The solution that integrates with MDMs depends on the native supplicant, not a Pulse Secure agent.

Configuring a Realm and Role Mapping Rules

The user realm configuration associates the MDM server data with user roles.

To configure the realm and role mapping rules:

1. Select Users > User Realms > New User Realm to display the configuration page shown in Figure 72 on page 109.
2. Complete the configuration as described in Table 37 on page 109.
3. Save the configuration. Upon saving the new realm, the system displays the role mapping rules page.
4. Click New Rule to display the configuration page shown in Figure 73 on page 111.

5. Complete the configuration as described in Table 38 on page 111.
6. Save the configuration.

Figure 72: Realm Configuration Page

Table 37: Realm Configuration Guidelines

Name: Specify a name for the realm.
Description: Describe the purpose of the realm so that other administrators are aware of it.

Table 37: Realm Configuration Guidelines (continued)

Servers
Authentication: Select the user authentication server for this realm's users. The local authentication server is shown in this example. You can select the authentication server used for your employees. If you do not want to prompt users for credentials, you can select a certificate server. In this case, complete the following steps:
   1. Create a certificate authority to use for authenticating your enterprise BYOD devices.
   2. Add the certificate to the Trusted Client CA configuration.
   3. Select the certificate server in the realm configuration.
User Directory/Attribute: Do not select.
Accounting: Do not select.
Device Attributes: Select the Profiler LDAP server configured in the earlier step.
Device Check Interval: data. Specify 0 to disable periodic queries. The minimum is 10 minutes and the maximum is 10080 minutes (7 days).
This option enhances security by enabling device posture reevaluation. Consider a use case where an attacker is faking the MAC address. The attacker might gain access based on prior classification, for example as an IP phone. By the next device check interval, the Profiler has already detected it and reclassified the device. When the Device Check Interval option is selected, the Access Control Service system polls the user and device information again and reevaluates the role mapping to interrupt such an attack. Here, the device can be assigned a role that places it in a remediation VLAN.

Dynamic Policy Evaluation: Not recommended.
Refresh interval: Not recommended.
Not recommended.
Refresh resource policies: Not recommended.

Session Migration
Session Migration: Do not select this option. Session migration is useful for endpoints running Pulse Secure client software, which is not the case for the endpoints in this example.

Figure 73: Role Mapping Configuration Page

Table 38: Role Mapping Configuration Guidelines

Rule based on: Select Device Attribute and click Update to update the configuration page so that it displays settings for role mapping using device attributes.
Name: Specify a name for the configuration.
Rule: Select memberofgroup, a logical operator (is or is not), and type a matching value or value pattern. The pattern used in this example matches Apple devices: cn=*apple ipad/iphone/ipod*
Role assignment: Select the roles to apply if the data matches the rule.
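The lookup-and-classify flow that Table 35 (the macaddress=<callingstationid> filter), the Device Check Interval setting in Table 37, and the rule in Table 38 describe, as an added example. This is illustrative code written for this guide, not Pulse Secure or Endpoint Profiler code. It assumes an in-memory stand-in for the profiler LDAP directory, colon-separated lowercase MAC addresses as the stored macaddress form, case-insensitive glob matching for the rule pattern, and first-match-with-stop rule semantics; the rules, record contents and role names are constructed. The Calling-Station-Id comes from the authenticator, so the example validates it as a MAC address and escapes it (RFC 4515) before it is substituted into the filter, and it re-runs the mapping the way the Device Check Interval does so that a reclassified record changes the assigned role.

```python
import fnmatch
import re
from dataclasses import dataclass, replace
from typing import Dict, List

# Constructed stand-in for the Endpoint Profiler LDAP directory, keyed by MAC
# address. Attribute names (macaddress, memberofgroup) follow the guide; the
# record contents and the colon-separated lowercase MAC form are assumptions.
PROFILER_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "00:11:22:aa:bb:cc": {"memberofgroup": ["cn=Apple iPad/iPhone/iPod,ou=Smartphone"]},
    "00:11:22:dd:ee:ff": {"memberofgroup": ["cn=Android Phone,ou=Smartphone"]},
}


def canonical_mac(calling_station_id: str) -> str:
    """Normalise a RADIUS Calling-Station-Id (00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc
    or 0011.22aa.bbcc) to colon-separated lowercase. Anything that is not a MAC
    address is rejected, so a malformed or hostile value never reaches the filter."""
    digits = re.sub(r"[:.\-]", "", calling_station_id.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % calling_station_id)
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def profiler_filter(calling_station_id: str) -> str:
    """Build the Table 35 filter, macaddress=<callingstationid>, from a session value.
    Validation already guarantees a plain MAC; the escaping is defence in depth."""
    return "(macaddress=%s)" % escape_filter_value(canonical_mac(calling_station_id))


@dataclass
class Rule:
    """One device-attribute role mapping rule in the shape of Table 38."""
    name: str
    attribute: str        # device attribute, e.g. memberofgroup
    operator: str         # "is" or "is not"
    pattern: str          # value pattern, e.g. cn=*apple ipad/iphone/ipod*
    roles: List[str]
    stop: bool = False    # stop rule: ignore later rules once this one matches


def rule_matches(rule: Rule, record: Dict[str, List[str]]) -> bool:
    values = record.get(rule.attribute, [])
    # Case-insensitive glob matching is an assumption of this example.
    hit = any(fnmatch.fnmatchcase(v.lower(), rule.pattern.lower()) for v in values)
    return hit if rule.operator == "is" else not hit


def map_roles(rules: List[Rule], record: Dict[str, List[str]]) -> List[str]:
    """Evaluate the rules in order; a device may collect roles from several rules."""
    roles: List[str] = []
    for rule in rules:
        if rule_matches(rule, record):
            for role in rule.roles:
                if role not in roles:
                    roles.append(role)
            if rule.stop:
                break
    return roles


def evaluate_session(rules, calling_station_id, directory=PROFILER_DIRECTORY):
    """Look the device up by MAC address and return (filter used, mapped roles)."""
    filt = profiler_filter(calling_station_id)
    record = directory.get(canonical_mac(calling_station_id), {})
    return filt, map_roles(rules, record)


def device_check(rules, session, directory):
    """Re-run the lookup and mapping as the Device Check Interval does. Returns True
    when the roles changed, e.g. after the profiler reclassified a record whose MAC
    address an attacker was spoofing."""
    old = session["roles"]
    _, session["roles"] = evaluate_session(rules, session["mac"], directory)
    return session["roles"] != old


# Constructed rules: the platform rules stop, and the catch-all sends anything
# else (unknown or reclassified devices) to a remediation role.
RULES = [
    Rule("apple", "memberofgroup", "is", "cn=*apple ipad/iphone/ipod*", ["Apple"], stop=True),
    Rule("android", "memberofgroup", "is", "cn=*android*", ["Android"], stop=True),
    Rule("other", "memberofgroup", "is not", "cn=*apple ipad/iphone/ipod*", ["Remediation"]),
]


def rules_without_stop(rules: List[Rule]) -> List[Rule]:
    """The same rules with the stop flag cleared, to show why it matters."""
    return [replace(r, stop=False) for r in rules]


if __name__ == "__main__":
    print(evaluate_session(RULES, "00-11-22-AA-BB-CC"))
    session = {"mac": "00-11-22-AA-BB-CC", "roles": evaluate_session(RULES, "00-11-22-AA-BB-CC")[1]}
    reclassified = dict(PROFILER_DIRECTORY)
    reclassified["00:11:22:aa:bb:cc"] = {"memberofgroup": ["cn=Unknown Device,ou=Unclassified"]}
    print(device_check(RULES, session, reclassified), session["roles"])
```

Running the rules with the stop flag cleared shows why ordering and stop rules matter: the Android record then matches both the android rule and the "is not Apple" catch-all, and the device ends up with the Android and Remediation roles at once.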

TIP: You are likely to create multiple roles and role-mapping rules to assign roles for different policy purposes. Your realm can have a set of rules based on user attribute, group membership, and device attribute. Be mindful that the user and device can map to multiple roles. Use stop rules and order your rules carefully to implement the policy you intend.

Configuring a Sign-In Policy

A sign-in policy associates devices with a realm.

To configure a sign-in policy:

1. Select Authentication > Signing In > Sign-In Policies to navigate to the sign-in policies configuration page.
2. Click New URL to display the configuration page shown in Figure 74 on page 113.
3. Complete the configuration as described in Table 39 on page 113.
4. Save the configuration.

Figure 74: Sign-In Policy Configuration Page

Table 39: Sign-In Policy Configuration Guidelines

User type: Select Users.

Table 39: Sign-In Policy Configuration Guidelines (continued)

Description: Describe the purpose of the sign-in policy so that other administrators are aware of it.

Authentication Realm
Realm: Select the realm you configured in the earlier step.
Authentication Protocol Set: Select the protocol set you configured in the earlier step.
suffix: Not applicable in this scenario.
Remove realm suffix: Not applicable in this scenario.

Configure Sign-in Notifications
Pre-Auth Sign-in Notification: Not applicable in this scenario.
Post-Auth Sign-in Notification: Not applicable in this scenario.

Configuring an 802.1x Network Access Policy

The 802.1x network access policy framework is used for network communication between the wireless access point and the Access Control Service. This section describes the key configuration elements:

1. Configuring a Location Group on page 114
2. Configuring a RADIUS Client on page 115
3. Configuring a RADIUS Return Attributes Policy on page 117

Configuring a Location Group

A location group associates the RADIUS framework with sign-in pages.

To configure a location group:

1. Select UAC > Network Access > Location Group to navigate to the location group configuration pages.
2. Click New Location Group to display the configuration page shown in Figure 75 on page 115.
3. Complete the configuration as described in Table 40 on page 115.
4. Save the configuration.

Figure 75: Location Group Configuration Page

Table 40: Location Group Configuration Guidelines

Name: Specify a name for the configuration.
Description: Describe the purpose of the location group so that other administrators are aware of it.
Sign-In Policy: Select the sign-in policy you configured in the earlier step.
Do not select for this solution.

Configuring a RADIUS Client

The RADIUS client configuration is used for communication with the 802.1x authenticator, in this case the wireless access point.

To configure a RADIUS client:

1. Select UAC > Network Access > RADIUS Client to display the RADIUS client configuration pages.
2. Click New RADIUS Client to display the configuration page shown in Figure 76 on page 116.
3. Complete the configuration as described in Table 41 on page 116.
4. Save the configuration.

Figure 76: RADIUS Client Configuration Page

Table 41: RADIUS Client Configuration Guidelines

RADIUS Client
Name: Specify a name for the configuration.
Description: Describe the purpose of the configuration so that other administrators are aware of it.
IP Address Range: Specify the number of IP addresses for the RADIUS authenticator. authenticator configuration.
Make/Model: Select the make and model of the RADIUS authenticator.
Location Group: Select the location group you configured in the earlier step.

Table 41: RADIUS Client Configuration Guidelines (continued)

Dynamic Authorization Support: Send disconnect messages to supplicants if access is no longer authorized.

Configuring a RADIUS Return Attributes Policy

The RADIUS return attributes policy is a framework for role-based assignment of traffic to VLANs. The policy specifies the return list attributes to send to an 802.1X network access device, such as which VLAN endpoints must use to access the network. If no policy applies, Open Port is the default action.

To configure a RADIUS return attributes policy:

1. Select UAC > Network Access > RADIUS Attributes > Return Attributes to display the RADIUS return attributes policy configuration pages.
2. Click New Policy to display the configuration page shown in Figure 77 on page 118.
3. Complete the configuration as described in Table 42 on page 119.
4. Save the configuration.
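The return list that this policy produces for the authenticator (a VLAN ID for the matching roles, the optional Termination-Action attribute with value 1, and Open Port when no policy applies), as an added example. This is illustrative code written for this guide, not Pulse Secure code. The wire encoding follows RFC 2865 and RFC 2868, which define the attribute numbers used (Termination-Action 29, Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81, with VLAN = 13 and IEEE-802 = 6); the tag value 0 on the tunnel attributes and first-match policy selection are assumptions, and the policy, role, location group and VLAN values are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Standard RADIUS attribute numbers (RFC 2865 and RFC 2868).
TERMINATION_ACTION = 29       # value 1 = RADIUS-Request: re-authenticate on termination
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # the VLAN ID, carried as a string


@dataclass
class ReturnAttributesPolicy:
    """One RADIUS return attributes policy in the shape of Table 42 (constructed fields)."""
    name: str
    location_groups: Set[str]
    roles: Set[str]
    vlan_id: Optional[int] = None    # None means Open Port: no VLAN restriction
    termination_action: bool = False


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (including the 2 header octets), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_integer(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet big-endian integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_string(tag: int, value: str) -> bytes:
    """RFC 2868 tagged string: one tag octet followed by the text."""
    return bytes([tag]) + value.encode("ascii")


def vlan_return_list(vlan_id: int, tag: int = 0) -> List[bytes]:
    """The three attributes an 802.1X authenticator needs to place a port in a VLAN."""
    return [
        avp(TUNNEL_TYPE, tagged_integer(tag, 13)),
        avp(TUNNEL_MEDIUM_TYPE, tagged_integer(tag, 6)),
        avp(TUNNEL_PRIVATE_GROUP_ID, tagged_string(tag, str(vlan_id))),
    ]


def select_policy(policies, location_group, session_roles):
    """First policy whose location group and roles both match the session, else None."""
    for policy in policies:
        if location_group in policy.location_groups and policy.roles & set(session_roles):
            return policy
    return None


def build_return_list(policies, location_group, session_roles) -> Tuple[str, bytes]:
    """Return (action label, encoded attributes) for the Access-Accept.
    No matching policy means Open Port: the port is authorized with no return attributes."""
    policy = select_policy(policies, location_group, session_roles)
    if policy is None or policy.vlan_id is None:
        attrs: List[bytes] = []
        label = "Open Port"
    else:
        attrs = vlan_return_list(policy.vlan_id)
        label = "VLAN %d" % policy.vlan_id
    if policy is not None and policy.termination_action:
        attrs.append(avp(TERMINATION_ACTION, (1).to_bytes(4, "big")))
    return label, b"".join(attrs)


def parse_return_list(data: bytes) -> List[Tuple[int, bytes]]:
    """Decode a run of attributes back into (type, value) pairs, as the authenticator would."""
    out, pos = [], 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return out


# Constructed policy: Apple devices on the wireless location group go to VLAN 100
# and are asked to re-authenticate when the session ends.
POLICIES = [
    ReturnAttributesPolicy("apple-employee-vlan", {"wireless"}, {"Apple"},
                           vlan_id=100, termination_action=True),
]

if __name__ == "__main__":
    for roles in (["Apple"], ["Android"]):
        label, encoded = build_return_list(POLICIES, "wireless", roles)
        print(roles, label, parse_return_list(encoded))
```

The Open Port default is worth noticing from a policy-review standpoint: a session whose roles match no return attributes policy is still authorized, just without a VLAN assignment, so a role that should be confined to a VLAN needs an explicit policy rather than relying on the absence of one.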

Figure 77: RADIUS Return Attributes Policy Configuration Page

Table 42: RADIUS Return Attributes Policy Configuration Guidelines

Name: Specify a name for the configuration.
Description: Describe the purpose of the configuration so that other administrators are aware of it.
Location Group: Select the location groups for which this policy applies. In this example scenario, select the location group you configured in the earlier step.

RADIUS Attributes
Open port: Return authorization to open the port. This option does not restrict access to a particular VLAN.
Return a VLAN ID for the VLAN in which to place the traffic. This is the option used in this example, in order to place Apple devices in the normal employee VLAN.
Return Attribute: Select and configure other RADIUS attributes to send in the return message. None are configured for this example.
Add Termination-Action attribute: Add the Termination-Action attribute with a value of 1 to attempt reauthentication after session termination.

Interface
Interface: Select the interface that endpoints on this VLAN use to connect to the system.

Roles
Roles: Select the roles to which the policy applies.

Configuring a Resource Access Policy

A resource policy enforces role-based access to resources protected by an Infranet Enforcer firewall. You use the device access management framework to assign roles to devices, and use the resource policy to deny access to resources that should not be downloaded onto employee-owned devices.

This solution example assumes you have deployed Infranet Enforcers to protect Web servers in your network. This example does not explain how to deploy an Infranet Enforcer. For information on the Infranet Enforcer, refer to its documentation.

To configure a resource access policy:

1. Select UAC > Infranet Enforcer > Resource Access to display the resource access policy configuration pages.
2. Click New Policy to display the configuration page shown in Figure 78 on page 120.

3. Complete the configuration as described in Table 43 on page 121.
4. Save the configuration.

Figure 78: Resource Access Policy Configuration Page

Table 43: Resource Access Policy Configuration Guidelines

Name: Specify a name for the configuration. Describe the purpose of the configuration so that other administrators are aware of it.

Resources: Specify the resources to which this policy applies, one per line.

Infranet Enforcer

Roles

Action

Enforcer Options

Related Documentation
Understanding the Device Access Management Framework on page 3
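The RADIUS return attributes policy of Table 42 is, on the wire, an Access-Accept carrying a handful of attributes that the switch or access point acts on. The following Python is an added example, not code from this guide or from Pulse Policy Secure: it builds that Access-Accept for both the Open port and the VLAN options, adds the Termination-Action attribute with value 1, and performs the Response Authenticator check that an 802.1X authenticator makes before it honours any returned attribute. Attribute numbers and enumerations are taken from RFC 2865 and RFC 2868. The guide does not state how the product encodes the VLAN option; the Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID triple used here is the standard encoding that 802.1X switches expect and is an assumption of this example. The shared secret, the Request Authenticator, the identifier and VLAN 100 are constructed values.

```python
"""RADIUS Access-Accept for the 'Open port' and 'VLAN' return attribute options (added example)."""
import hashlib
import hmac
import struct

# Packet code and attribute numbers from RFC 2865; tunnel attributes from RFC 2868.
CODE_ACCESS_ACCEPT = 2
ATTR_TERMINATION_ACTION = 29
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
TERMINATION_ACTION_RADIUS_REQUEST = 1   # the "value equal 1" of Table 42


def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type, Length (counting these two header bytes), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_return_attributes(vlan_id: int, reauthenticate: bool = True) -> bytes:
    """The VLAN option: the tunnel triple an 802.1X switch reads as 'put this port in VLAN n'.
    (Assumed encoding; the guide does not show the product's exact attribute set.)"""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    attrs = (avp(ATTR_TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN))
             + avp(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_IEEE_802))
             + avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + str(vlan_id).encode()))
    if reauthenticate:
        attrs += avp(ATTR_TERMINATION_ACTION, struct.pack("!I", TERMINATION_ACTION_RADIUS_REQUEST))
    return attrs


def open_port_return_attributes(reauthenticate: bool = True) -> bytes:
    """The Open port option: authorize the port but send no VLAN, so the switch keeps its default."""
    if not reauthenticate:
        return b""
    return avp(ATTR_TERMINATION_ACTION, struct.pack("!I", TERMINATION_ACTION_RADIUS_REQUEST))


def build_access_accept(identifier: int, request_authenticator: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response_authenticator(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The check a switch or access point makes before honouring any returned attribute."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(payload: bytes) -> list:
    """Walk the attribute list, rejecting lengths that would loop or overrun the buffer."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 3 or pos + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs


def _untag(value: bytes) -> bytes:
    """RFC 2868: a leading byte of 0x00..0x1F is a tag; anything larger is part of the value."""
    return value[1:] if value and value[0] <= 0x1F else value


def decode_return_attributes(packet: bytes) -> dict:
    """What the switch acts on: VLAN placement (if any) and the reauthentication behaviour."""
    out = {"tunnel_type": None, "tunnel_medium": None, "vlan": None, "termination_action": None}
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type == ATTR_TUNNEL_TYPE:
            out["tunnel_type"] = int.from_bytes(_untag(value), "big")
        elif attr_type == ATTR_TUNNEL_MEDIUM_TYPE:
            out["tunnel_medium"] = int.from_bytes(_untag(value), "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            out["vlan"] = _untag(value).decode()
        elif attr_type == ATTR_TERMINATION_ACTION:
            out["termination_action"] = struct.unpack("!I", value)[0]
    return out


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed value for the demonstration
    request_auth = bytes(range(16))            # constructed stand-in for the Access-Request's authenticator
    accept = build_access_accept(7, request_auth, secret, vlan_return_attributes(100))
    print(verify_response_authenticator(accept, request_auth, secret), decode_return_attributes(accept))
```

Two points worth keeping in mind when reading the output. The Open port option carries no tunnel attributes at all, which is why it cannot move a port between VLANs; only the VLAN option changes where the traffic lands. And the Response Authenticator is the only thing tying the returned VLAN to the shared secret and to the original Access-Request, so a switch that skips this check would accept a forged Access-Accept from anyone who can reach its RADIUS port.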


PART 3
Administration

Verifying Proper Configuration on page 125
Tuning the Configuration on page 129


CHAPTER 3
Verifying Proper Configuration

Using Logs to Verify Proper Configuration on page 125

Using Logs to Verify Proper Configuration

During initial configuration, enable event logging for MDM API calls. You can use these logs to verify proper configuration. After you have verified it, you can disable logging for these events and re-enable it only for troubleshooting.

To enable logging for MDM API calls:
1. Select System Log/Monitoring.
2. Click the Events tab.
3. Click the Settings tab to display the configuration page shown in Figure 79 on page 126.
4. Enable logging for MDM API events and save the configuration.

Figure 79: Events Log Settings

After you have completed the MDM server configuration, you can view the system event logs to verify that polling is occurring.

To display the Events log:
1. Select System Log/Monitoring.
2. Click the Events tab.
3. Click the Log tab.

Figure 80 on page 127 shows the Events log.

Figure 80: Events Log

Next, to verify user access, connect to a wireless access point with your smartphone and then view the User Access log.

To display the User Access log:
1. Select System Log/Monitoring.
2. Click the User Access tab.
3. Click the Log tab.

Figure 81 on page 128 shows the User Access log.

Figure 81: User Access Log

Related Documentation
Deploying a BYOD Policy for AirWatch Managed Devices on page 9
Deploying a BYOD Policy for MobileIron Managed Devices on page 51

CHAPTER 4
Tuning the Configuration

User and Policy Administration Overview on page 129

User and Policy Administration Overview

After you have verified proper configuration, you are unlikely to need to tune the authentication server configuration, the 802.1X framework, or the enforcement points. However, based on user experience, MDM capabilities, or new security threats, there are a few configuration elements you might want to tune from time to time. Table 44 on page 129 describes these configuration elements.

Table 44: Tuning the Configuration

Remediation: In a network access control solution, non-compliant endpoints are typically placed in a remediation VLAN that serves a Web page explaining the steps users can take to make their endpoints compliant so that they can access the network. Your reasons for denying access might change from time to time. For example, your initial policy might be based on compliance with an MDM policy, and you can give steps on how to bring a device into compliance. You might want to set an expectation for how long it takes the MDM to reassess compliance, and factor in the Access Control Service device check interval to estimate how long it will be until the device can access the network. When new threats exploit vulnerabilities in specific mobile platforms, you might create rules on the fly that deny access from specific platforms. When that happens, update your remediation message so that users understand why access is denied.

Interval: You might want to tune this setting as you learn how frequently the MDM updates device records, or if the MDM's standard practice changes. If the MDM records are updated every four hours, it does not make sense to poll every 10 minutes. If the MDM records are updated in real time, polling every 10 minutes might make sense.

Table 44: Tuning the Configuration (continued)

Roles and role mapping rules: As you learn about mobile security threats and vulnerabilities, you might change roles and role mapping rules or create new classifications. In general, list restrictive rules first and set the stop flag. For example, if a device is non-compliant and maps to a non-compliant role, list that rule near the top of the rules for the realm and set the stop flag. Classification based on device type or platform can be more complicated. When you initially roll out your BYOD solution, you might use roles merely to classify devices, so the classifying rule would not need to be near the top of the list and would not need a stop flag. In response to a threat, however, you might want to use the role and role mapping configuration to deny access from a specific device platform. If that occurs, edit your rules to map the vulnerable platform to an appropriate role and set the stop flag so that permissive roles are not assigned.

policy: Likewise, in response to threats and vulnerabilities, you can edit your rules to place formerly trusted device types into a remediation or guest VLAN instead of an employee VLAN, and then allow access again when you are no longer concerned about the threat.

Infranet Enforcer resource access policy: Likewise, in response to threats and vulnerabilities, you can edit your rules to deny access from formerly trusted device types, and then allow access again when you are no longer concerned about the threat.

Related Documentation
Deploying a BYOD Policy for AirWatch Managed Devices on page 9
Deploying a BYOD Policy for MobileIron Managed Devices on page 51
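The advice in Table 44 about rule order and the stop flag is easy to state and easy to get wrong, because a rule set that looks complete still assigns an employee role to a non-compliant device if the restrictive rule sits at the bottom or lacks the stop flag. The following Python is an added example, not code from this guide or from the product: it is a small first-match-with-stop evaluator that mirrors the realm rule semantics the guide describes (rules evaluated top to bottom, roles accumulated, evaluation halted by a matching rule whose stop flag is set), a lint pass that flags the two mistakes the guide warns about, and the emergency "block this platform" change the guide recommends. The rule names, role names, the split into restrictive and permissive role classes, and the device records are all constructed for the demonstration; the product's own rule syntax is not reproduced here.

```python
"""Role mapping rule evaluation with ordering and the stop flag (added example)."""
from dataclasses import dataclass

# Which roles restrict access and which grant it is a site decision; these two sets are
# assumptions for the example, not something the guide prescribes.
RESTRICTIVE_ROLES = {"Non-Compliant", "Quarantine"}
PERMISSIVE_ROLES = {"Employee"}


@dataclass
class RoleMappingRule:
    name: str
    condition: dict       # device attribute -> required value (or a set of acceptable values)
    roles: tuple          # roles assigned when the rule matches
    stop: bool = False    # the stop flag: no later rule is evaluated once this one matches


def matches(rule: RoleMappingRule, device: dict) -> bool:
    """True when every attribute in the rule's condition has the required value."""
    for attr, wanted in rule.condition.items():
        have = device.get(attr)
        if isinstance(wanted, (set, frozenset)):
            if have not in wanted:
                return False
        elif have != wanted:
            return False
    return True


def map_roles(rules, device: dict):
    """Evaluate rules top to bottom, accumulating roles, until a matching rule with the
    stop flag ends evaluation. Returns (assigned_roles, names_of_rules_that_matched)."""
    assigned, trace = [], []
    for rule in rules:
        if not matches(rule, device):
            continue
        trace.append(rule.name)
        for role in rule.roles:
            if role not in assigned:
                assigned.append(role)
        if rule.stop:
            break
    return assigned, trace


def lint_rules(rules):
    """Flag a restrictive rule without the stop flag, and a restrictive rule listed below
    a rule that grants access (a classification-only rule above it is fine)."""
    findings, seen_permissive = [], False
    for rule in rules:
        restrictive = bool(set(rule.roles) & RESTRICTIVE_ROLES)
        if restrictive and not rule.stop:
            findings.append(f"{rule.name}: restrictive rule without stop flag")
        if restrictive and seen_permissive:
            findings.append(f"{rule.name}: restrictive rule listed after a permissive rule")
        if set(rule.roles) & PERMISSIVE_ROLES:
            seen_permissive = True
    return findings


def block_platform(rules, platform: str, role: str = "Quarantine"):
    """Emergency response from Table 44: prepend a stop-flagged rule mapping one platform
    to a restrictive role, so permissive rules further down never apply to it."""
    emergency = RoleMappingRule(f"block-{platform}", {"platform": platform}, (role,), stop=True)
    return [emergency] + list(rules)


# Constructed rule sets and device records for the demonstration.
CLASSIFY_APPLE = RoleMappingRule("classify-apple", {"platform": "iOS"}, ("Apple-Device",))
EMPLOYEE = RoleMappingRule("employee-enrolled", {"mdm_enrolled": True}, ("Employee",))
NON_COMPLIANT_STOP = RoleMappingRule("non-compliant", {"mdm_compliant": False}, ("Non-Compliant",), stop=True)
NON_COMPLIANT_NOSTOP = RoleMappingRule("non-compliant", {"mdm_compliant": False}, ("Non-Compliant",))

GOOD_RULES = [NON_COMPLIANT_STOP, CLASSIFY_APPLE, EMPLOYEE]   # restrictive first, stop flag set
BAD_RULES = [CLASSIFY_APPLE, EMPLOYEE, NON_COMPLIANT_NOSTOP]   # restrictive last, no stop flag

NONCOMPLIANT_IOS = {"platform": "iOS", "mdm_enrolled": True, "mdm_compliant": False}
COMPLIANT_IOS = {"platform": "iOS", "mdm_enrolled": True, "mdm_compliant": True}

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, map_roles(rules, NONCOMPLIANT_IOS), lint_rules(rules))
    print("blocked", map_roles(block_platform(GOOD_RULES, "iOS"), COMPLIANT_IOS))
```

With the good ordering the non-compliant device receives only Non-Compliant and evaluation stops there; with the bad ordering it collects Apple-Device and Employee before the restrictive rule is even reached, and the resulting role set would map to the employee VLAN under the return attributes policy. The lint pass reports nothing for the good set and two findings for the bad one, which is the check to run whenever the realm's rules are edited in a hurry.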

PART 4
Troubleshooting

Tools on page 133


CHAPTER 5
Tools

Using Policy Tracing and Debug Logs on page 133

Using Policy Tracing and Debug Logs

This topic describes the troubleshooting tools available to diagnose issues. It includes the following information:
Using Policy Tracing to Troubleshoot Access Issues on page 133
Using the Debug Log on page 134

Using Policy Tracing to Troubleshoot Access Issues

It is common to encounter a situation where the system denies a user access to the network or to resources, and the user logs a trouble ticket. You can use the policy tracing utility and its log to determine whether the system is working as expected and properly restricting access, or whether the user configuration or policy configuration needs to be updated to enable access in the user's case.

To create a policy trace log:
1. Select Troubleshooting > User Sessions > Policy Tracing to display the configuration page.
2. Select the events to trace, typically all except Host Enforcer and IF-MAP, unless you have enabled those features.
3. Click Start Recording.
4. Initiate the action you want to trace, such as a user sign-in.
5. Click View Log to display the policy trace results log.
6. Click Stop Recording when you have enough information.

Figure 82 on page 134 shows policy trace results.

Figure 82: Policy Tracing Results

Using the Debug Log

The Pulse Secure Global Support Center (PSGSC) might direct you to create a debug log to assist them in debugging an issue with the system. The debug log is used only by PSGSC.

To use debug logging:
1. Select Troubleshooting > Monitoring > Debug Log to display the configuration page shown in Figure 83 on page 135.
2. Complete the configuration as described in Table 45 on page 135.
3. Click Save Changes. When you save changes with Debug Logging On selected, the system begins generating debug log entries.
4. Initiate the action you want to debug, such as a user sign-in. You can reset the debug log file to restart debug logging if it takes too long to initiate the action.
5. Click Save Debug Log to save the debug log to a file that you can send to PSGSC. You can clear the log after you have saved it to a file.
6. Unselect Debug Logging On and click Save Changes to turn off debug logging.

Figure 83: Debug Logging Configuration Page

Table 45: Debug Log Configuration Guidelines

Current Log Size: Displays the size of the current log file. If it is large, use the controls to save, reset, or clear the log file.

Debug Logging On: Specify the source IP address if you know it. If you can provide the source IP address, the policy trace log can include events that occur before the user ID is entered into the system.

Debug Log Size: Specify a maximum debug log file size. The default is 2 MB. The maximum is 250 MB.

Debug Log Detail Level: Specify the debug log detail level. Obtain this from PSGSC.

Include logs: Select this option to include system logs in the debug log file. Recommended.

Event Codes: Specify the event codes. Obtain them from PSGSC. For MDM integration issues, PSGSC typically collects debugging information for the codes MDM, Auth, agentman, and Realm. The text is not case sensitive.

Related Documentation
Using Logs to Verify Proper Configuration on page 125
Deploying a BYOD Policy for AirWatch Managed Devices on page 9
Deploying a BYOD Policy for MobileIron Managed Devices on page 51
