Pulse Policy Secure RADIUS Server Management Guide

Product Release 5.1
Document Revision 1.0
Published: 2015-02-10

© 2015 by Pulse Secure, LLC. All rights reserved.
Pulse Secure, LLC
2700 Zanker Road, Suite 200
San Jose, CA 95134
http://www.pulsesecure.net

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Pulse Policy Secure RADIUS Server Management Guide. The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents

Chapter 1 Features of the RADIUS Appliance ... 5
  RADIUS Appliance Overview ... 5
  RADIUS Features Added with a RADIUS License ... 7
  Supported EAP Types ... 8
  UAC Features Not Available with a RADIUS License ... 8
Chapter 2 Configuring the RADIUS Server ... 11
  RADIUS Server Configuration Overview ... 11
  Configuring the RADIUS Server ... 11
Chapter 3 Upgrading from the RADIUS Server to UAC ... 13
  Upgrading from a RADIUS-Only System ... 13
Chapter 4 RADIUS License FAQ ... 15
  FAQ ... 15
Chapter 5 Feature Comparison ... 17
  Pulse Policy Secure RADIUS Server and Steel-Belted RADIUS Feature Comparison ... 17
Chapter 6 Index ... 21
  Index ... 23
CHAPTER 1
Features of the RADIUS Appliance

RADIUS Appliance Overview on page 5
RADIUS Features Added with a RADIUS License on page 7
Supported EAP Types on page 8
UAC Features Not Available with a RADIUS License on page 8

RADIUS Appliance Overview

A RADIUS license allows you to use the Pulse Policy Secure series device as a RADIUS appliance, with all other unrelated UAC features disabled on the system.

NOTE: The term Pulse Policy Secure series device replaces the term Infranet Controller. Both terms refer to the same device.

To apply your initial license or to upgrade your license, select System > Configuration > Licensing in the left navigation pane. You can upgrade to a fully functional UAC at any time by adding an endpoint user license.

As a RADIUS appliance, the Pulse Policy Secure series device receives the endpoint connection request, authenticates the user, and then returns the configuration parameters required to provision the connection as RADIUS attributes. The Pulse Policy Secure series device can also act as a proxy client to external RADIUS servers to offload authentication requests.

RADIUS is an industry-standard protocol for providing authentication, authorization, and accounting services. Authentication is the process of verifying a user's identity and associating additional information (attributes) with the user's login session. Authorization is the process of determining whether the user is allowed on the network and of controlling network access values based on a defined security policy. Accounting is the process of generating log files that record session statistics to be used for billing, system diagnosis, and usage planning.

A RADIUS-based remote access environment typically involves the following four types of components:
- An access client is a user who initiates a network connection. An access client might be a user dialing in to a service provider network, a router at a small office or home office connecting to an enterprise network to provide network access, or a wireless client connecting to an 802.1X access point. Supported supplicant access clients include Odyssey Access Client, Pulse Secure client, and non-Pulse Secure supplicants.

- A network access device (NAD), also called a RADIUS client, is a device that recognizes and processes connection requests from outside the network edge. A NAD can be a wireless access point, a modem pool, a network firewall, or any other device that authenticates users. When the NAD receives a user's connection request, it might perform an initial access negotiation with the user to obtain identity/password information. The NAD then passes this information to the RADIUS server as part of an authentication and authorization request.

- The RADIUS server (in this case, the Pulse Policy Secure series device) matches data from the authentication and authorization request with information in a trusted database. If a match is found and the user's credentials are correct, the RADIUS server sends an Access-Accept message to the NAD. If a match is not found or if a problem is found with the user's credentials, the server returns an Access-Reject message. The NAD then establishes or terminates the user's connection. The NAD might also forward accounting information to the RADIUS server to document the transaction, and the RADIUS server might store or forward this information as needed to support billing for the services provided.

- In some networks, a back-end authentication server, such as an RSA SecurID server or an LDAP database, stores the information against which the authentication request is compared. In some cases, the back-end server passes information to the RADIUS server, which determines whether a match exists. In other cases, the matching is performed on the back-end server, which then passes the accept or reject result to the RADIUS server.

Figure 1 on page 7 illustrates a simple RADIUS environment.
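The NAD-to-RADIUS-server exchange described above, reduced to a runnable model. This is an added example, not code from the guide or from Pulse Secure: it builds an Access-Request with the RFC 2865 User-Password hiding, has the server look the NAD up by address (a location-group style mapping to a realm, assumed here), authenticate against a constructed local user store, and sign the Access-Accept or Access-Reject with the Response Authenticator, which the NAD then verifies. The shared secret, user store, and NAD address are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample data (assumptions, not from the guide).
SHARED_SECRET = b"example-shared-secret"
LOCAL_USERS = {"alice": "correct horse"}          # local authentication server
LOCATION_GROUPS = {"192.0.2.10": "Users"}        # NAD address -> sign-in realm
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18       # attribute types

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    # Parse TLV attributes, refusing a length that runs past the packet.
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t], i = data[i + 2:i + length], i + length
    return attrs

def password_xor(data, authenticator, secret, hide):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block).
    out, prev = b"", authenticator
    for off in range(0, len(data), 16):
        block = data[off:off + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (res if hide else block)
    return out

def radius_server(packet, nad_ip):
    # Server side: check the client, authenticate the user, sign the reply.
    realm = LOCATION_GROUPS.get(nad_ip)
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if realm is None or code != ACCESS_REQUEST or length != len(packet):
        return None   # unknown client or malformed request: silently discard
    req_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    stored = LOCAL_USERS.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    given = password_xor(attrs.get(USER_PASSWORD, b""), req_auth, SHARED_SECRET, False)
    ok = stored is not None and hmac.compare_digest(given.rstrip(b"\x00"), stored.encode())
    body = encode_attrs([(REPLY_MESSAGE, f"realm={realm}".encode())])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + SHARED_SECRET).digest() + body

def nad_exchange(user, password, nad_ip="192.0.2.10", nad_secret=SHARED_SECRET):
    # NAD side: send an Access-Request and verify the reply's Response Authenticator.
    req_auth, pw = os.urandom(16), password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    body = encode_attrs([(USER_NAME, user.encode()),
                         (USER_PASSWORD, password_xor(pw, req_auth, nad_secret, True))])
    request = struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(body)) + req_auth + body
    reply = radius_server(request, nad_ip)
    if reply is None:
        return None   # no answer: the server discarded the request
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + nad_secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: shared secret differs or reply forged")
    return reply[0]   # ACCESS_ACCEPT or ACCESS_REJECT
```

A NAD configured with a different shared secret produces both an Access-Reject (the server decodes a garbage password) and a Response Authenticator mismatch on the NAD, which is the "invalid shared secret" condition a server's reports should flag.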
Figure 1: Pulse Policy Secure Series Device as a RADIUS Appliance

RADIUS Features Added with a RADIUS License

When you apply your RADIUS appliance license, the applicable Pulse Policy Secure Series Device screens become available. You access most of the RADIUS configuration pages from the Network Access menu item available from the UAC category. Table 1 on page 7 describes the features on the main RADIUS configuration pages:

Table 1: Main RADIUS Configuration Pages

RADIUS Dictionary: The RADIUS server uses dictionary files to store lists of RADIUS attributes, and to parse authentication and accounting requests and generate responses.

RADIUS Vendor: Vendor-specific dictionary files often help complete connections. The RADIUS server supports a large number of NADs that use vendor-specific dictionary files.

Location Group: RADIUS location groups allow you to assign a sign-in policy to a user based on the NAD through which the user is connecting.

RADIUS Client: A RADIUS client is a network device or software application that contacts the RADIUS server in order to authenticate a user or to record accounting information about a network connection.
RADIUS Attributes:
  Return Attributes: RADIUS return attributes specify the return list attributes sent to an 802.1X NAD.
  Request Attributes: RADIUS request attributes enforce the ability to process authentication requests based on information in the RADIUS packet before a connection can be authenticated. You assign RADIUS request attribute policies as a realm restriction.
  Attribute Logging: RADIUS attribute logging allows you to enable or disable authentication reporting for RADIUS authentication events.

Some RADIUS configuration options are available only when the RADIUS license is applied and are not available in the main UAC RADIUS functionality. These configuration options are in addition to the RADIUS features that are included in the main UAC product but are not documented in Pulse Policy Secure. Table 2 on page 8 describes these RADIUS license-only configuration options:

Table 2: RADIUS License Only Features

Host Checker (Custom: Statement of Health policy): When you apply both a RADIUS license and an MS-NAP license, you can configure an Endpoint Security policy by way of the Host Checker policy. If you have only a RADIUS license, the Endpoint Security menu is not available.

RADIUS User Count: This feature allows you to create RADIUS users. To view the number of RADIUS users, select System > Status. The number of RADIUS users does not count against the concurrent user license if you have both a RADIUS license and a user license installed.

Supported EAP Types

RADIUS features that are not described in Table 2 on page 8 are part of the main UAC product and appear in RADIUS Server. The RADIUS appliance supports all EAP types and supplicants supported by the full-feature UAC product except EAP-JUAC. EAP-JUAC is the proprietary protocol used by clients. For a list of supported authentication protocols, see RADIUS Server.
UAC Features Not Available with a RADIUS License

In the Pulse Policy Secure documentation, disregard sections that refer to unavailable UAC features. Instead, see Table 3 on page 9 for the features that are not available if you have only a RADIUS license.
Table 3: UAC Features Not Available with Only a RADIUS License

IF-MAP Federation: The Interface for Metadata Access Point client and the server for sharing session information between connected devices are unavailable.

Infranet Enforcer: The part of UAC that enforces access policies is unavailable.

Host Enforcer: The part of UAC that specifies the types of traffic the Odyssey Access Client allows or denies on endpoints is unavailable.

UAC Agent: The UAC Agent download link is unavailable, along with all corresponding agent functionality.

Sensors: System > Configuration > Sensors is unavailable.

Agent and Agentless User Roles (Users > User Roles > <user role name> > General > Overview): The Agent and Agentless tabs do not appear on the Overview page. Also unavailable are the following check boxes: UI options, Odyssey Settings for IC Access, Odyssey Settings for Preconfigured Installer, and Enable Guest User Account Management Rights.

Browser (Users > User Roles > <user role name> > General > Restrictions): The Browser tab does not appear on the Restrictions page.

Session Options (Users > User Roles > <user role name> > General > Session Options): Heartbeat Interval, Heartbeat Timeout, the Enable Session Extension check box, and the Roaming session section are removed from the Session Options screen.

Session Migration (Users > User Realms > <user realm name> > Users > General): The Session Migration check box does not appear on the General tab.

Browser (Users > User Realms > Users > Authentication Policy): The Browser tab does not appear on the Authentication Policy page.
CHAPTER 2
Configuring the RADIUS Server

RADIUS Server Configuration Overview on page 11
Configuring the RADIUS Server on page 11

RADIUS Server Configuration Overview

This topic describes the features that are enabled when you apply the RADIUS license. It does not provide configuration or setup instructions. Because the RADIUS license enables a subset of the features that are part of the larger UAC product, RADIUS server instructions are documented in RADIUS Server. You can also refer to Task Guidance in the UAC admin console, which directs you through the basic steps of configuring the device.

Table 4 on page 11 outlines the general steps to configure the Infranet Controller as a RADIUS server. Refer to RADIUS Server for full configuration instructions.

Table 4: Summary of Actions for Configuring the RADIUS Server

1. Configure authentication servers (or use the local server)
2. Configure sign-in pages
3. Configure roles and realms
4. Configure sign-in policies, add realms and authentication protocols
5. Configure RADIUS policies

Configuring the RADIUS Server

To configure the RADIUS Server:

1. If you have not already done so, install the Pulse Policy Secure Series Device. For installation instructions, see Deployment Scenario.

2. If you have not already done so, apply a RADIUS license to the Pulse Policy Secure Series Device.
3. Configure user authentication and authorization on the Pulse Policy Secure Series Device by setting up roles, authentication and authorization servers, and authentication realms.

   a. Define user and administrator roles. Roles define user session parameters or agent options. The Pulse Policy Secure Series Device is preconfigured with one user role (Users) and two administrator roles (Administrators and Read-Only).

   b. Define authentication and authorization servers. Authentication and authorization servers authenticate user credentials and determine user privileges within the system. The Pulse Policy Secure Series Device is preconfigured with one local authentication server (System Local) to authenticate users and one local authentication server (Administrators) to authenticate administrators. You must add users either to the local authentication server or to external authentication servers.

   c. Define authentication realms. Authentication realms contain policies specifying the conditions the user or administrator must meet to sign in to the Pulse Policy Secure Series Device. When configuring an authentication realm, you must create rules to map users to roles and specify which server (or servers) the Pulse Policy Secure Series Device must use to authenticate and authorize realm members. The Pulse Policy Secure Series Device is preconfigured with one realm (Users) that maps all users authenticated through the System Local server to the Users role. The Pulse Policy Secure Series Device is also preconfigured with one realm (Admin Users) that maps all users authenticated through the Administrators server to the Administrators role.

   NOTE: The Pulse Policy Secure Series Device modifies user names that contain spaces or characters that are not valid for UAC. For example, user names with spaces appear in auth table entries as one word, and user names with quotation marks appear without the quotes.

4. Configure policies to allow the Pulse Policy Secure Series Device RADIUS server to work with your NAD. If you have not already done so, install and configure the 802.1X NADs on your network. To determine compatible devices, see 4.2R1 Supported Platforms.
CHAPTER 3
Upgrading from the RADIUS Server to UAC

Upgrading from a RADIUS-Only System on page 13

Upgrading from a RADIUS-Only System

Upgrading from a RADIUS-only appliance to a full-featured UAC system requires only that you add a valid UAC user license to the system. After you add the license, all UAC features become available.

After you upgrade to UAC, be sure to review your system configuration. For example, for realms and roles, you now have many more features available. Default settings are automatically assigned to those features after the upgrade, and you must ensure that those defaults are appropriate for your system.

Also, authentication protocol sets can support EAP-JUAC after you add the UAC license. Therefore, consider updating your configured authentication protocol sets to include EAP-JUAC for concurrent user sessions.
CHAPTER 4
RADIUS License FAQ

FAQ on page 15

FAQ

Q: Can OAC EE, OAC FE and OAC UE licenses all work with the RADIUS license?
A: Yes, with only standards-based protocols (no JUAC).

Q: Do any of the clients named in the previous question require OAC-ADD-UAC licenses?
A: No, OAC-ADD-UAC licenses only add features needed by UAC.

Q: Does the RADIUS license support all EAP types including JUAC?
A: It supports all protocols except JUAC.

Q: Since JUAC is not supported, does the RADIUS license require a protocol change if there is an existing OAC running EAP-JUAC over TTLS?
A: Yes, but only if JUAC is the only configured inner protocol. The server will NAK any attempt to do JUAC.
CHAPTER 5
Feature Comparison

Pulse Policy Secure RADIUS Server and Steel-Belted RADIUS Feature Comparison on page 17

Pulse Policy Secure RADIUS Server and Steel-Belted RADIUS Feature Comparison

Each row lists the feature, then its availability in four products, in this column order:
  (1) Fully Licensed Infranet Controller UAC 4.1
  (2) RADIUS Server Licensed Infranet Controller UAC 4.1
  (3) Steel-Belted Radius/EE Version 6.1
  (4) Steel-Belted Radius/GEE Version 6.1

Authentication Methods
  RSA Authentication Manager: Yes | Yes | Yes | Yes
  Windows Active Directory or Domains: Yes | Yes | Yes | Yes
  Windows Machine Authentication, AD generated credentials: Yes | Yes | Yes | Yes
  Windows Machine Authentication, certificate based: Yes | Yes | Yes | Yes
  User certificates: Yes | Yes | Yes | Yes
  UNIX users: Solaris and Linux: Yes | Yes | Yes | Yes
  SQL: No | No | Yes | Yes
  LDAP: Yes | Yes | Yes | Yes
  LDAP Java Scripting: No | No | No | Optional add-on
  Proxy RADIUS Authentication: Yes | Yes | Yes | Yes
  Novell eDirectory: Yes | Yes | Yes | Yes
  RADIUS authentication*: Yes | Yes | No | No
  Native MAC Authentication: Yes | Yes | No | No

Authentication Protocols
  PAP: Yes | Yes | Yes | Yes
  CHAP, MS-CHAP, MS-CHAP-V2: Yes | Yes | Yes | Yes
  EAP-TTLS: Yes (EAP-JUAC, PAP, CHAP, MS-CHAP, MS-CHAP-V2 as inner methods) | Yes (PAP, CHAP, MS-CHAP, MS-CHAP-V2 as inner methods) | Yes (PAP, CHAP, MS-CHAP, MS-CHAP-V2 as inner methods) | Yes (PAP, CHAP, MS-CHAP, MS-CHAP-V2 as inner methods)
  EAP-PEAP: Yes (EAP-JUAC, GTC, MS-CHAPV2 as inner methods) | Yes (MD5, GTC, MS-CHAPV2 as inner methods) | Yes (MD5, GTC, MS-CHAPV2 as inner methods) | Yes (MD5, GTC, MS-CHAPV2 as inner methods)
  EAP-POTP (32): No | No | Yes | Yes
  EAP-FAST: No | No | Yes | Yes
  EAP-MD5: Yes | Yes | Yes | Yes
  EAP-LEAP: No | No | Yes | Yes
  EAP-TLS: Yes | Yes | Yes | Yes

Host Checking
  Layer 2: Yes | Optional via SOH Feature License | No | No
  Layer 3: Yes | No | No | No

Session Management
  RADIUS Disconnect Message support: Yes | Yes | No | No
  (row label not recoverable from the source): Yes | No | No | No
  Session Extension Mechanism: Yes | No | No | No

Administration Tools
  Administration Client: Yes | Yes | Yes | Yes
  Centralized Configuration Management: Yes (NSM based) | Yes (NSM based) | Yes | Yes
  LDAP Configuration Interface (LCI): No | No | Optional add-on | Yes
  SNMP-based management: Yes | Yes | No | Yes
  Dynamic Delivery of OAC/Pulse: Yes, requires user license | No | No | No

Server Statistics
  Server Statistics via the Administration GUI: Yes | Yes | Yes | Yes
  Server Statistics via LCI: No | No | Yes, if LCI is purchased | Yes

Reporting
  Reports: Yes, including user and administrator access logs; L2 user logs include configurable Reject, Accept and Accounting log messages | Yes, including user and administrator access logs; user logs include configurable Reject, Accept and Accounting log messages | Yes, including Current Sessions, Successful/Failed Authentication Requests, Unknown Client Requests, Invalid Shared Secret Requests | Yes, including Current Sessions, Successful/Failed Authentication Requests, Unknown Client Requests, Invalid Shared Secret Requests, Locked Accounts
  Syslog reporting: Yes | Yes | No | No

Attribute Support
  Multi-vendor RADIUS client support: Yes | Yes | Yes | Yes
  Authentication Realm Selection using RADIUS Request Attributes: Yes | Yes | No | Yes

Address Management
  IP address pools: No | No | Yes | Yes
  IPX address pools: No | No | Yes | Yes
  DHCP: No | No | No | Yes

Logging
  Configurable local accounting: Yes | Yes | Yes | Yes
  Configurable debug logging, to a local text file: Yes | Yes | Yes | Yes
  SQL accounting: No | No | Yes | Yes
  Report logs: Yes | Yes | Yes | Yes
  RADIUS accounting: Yes | Yes | Yes, using Proxy RADIUS | Yes, using Proxy RADIUS

Reliability
  Round robin authentication and accounting across SQL and LDAP databases, and directed realms, for redundancy and load balancing: No | No | No | Yes
  Failover to backup RADIUS/NAC server with session continuity: Yes | Yes | No | No

* The Pulse Policy Secure will generate a RADIUS request using PAP as the authentication protocol, using RADIUS as another authentication method. This is different from forwarding a RADIUS request to another RADIUS server, which is known as RADIUS proxy.
CHAPTER 6
Index

Index on page 23
Index

E
  EAP types, supported ... 8
F
  FAQ ... 15
  Features
    added by the RADIUS license ... 7
    removed by the RADIUS license ... 8
R
  RADIUS appliance
    configuration requirements ... 11
  RADIUS Server
    summary of steps for configuring ... 11
U
  upgrading ... 13