Scenario 1: Corporate Laptop on Wired/Wireless Network and Personal Device on Wireless Network (Corporate Access)

In our first scenario, an employee, Joe, wants to access the office network resources using his corporate laptop by connecting to either the corporate wired or wireless network. Joe may also want to access the Internet on his personal mobile phone using the office wireless network while he is away from the laptop.

When Joe's corporate laptop is connected to the office wired/wireless network, it is connected to a Switch/WLC that is 802.1X enabled. User authentication is done by exchanging the credentials in an encrypted TLS tunnel (EAP-TTLS). Host Checker information is collected by the Pulse client and then sent to IPS inside a proprietary EAP-JUAC protocol.

IPS first performs a host check to ensure that Joe's laptop is healthy and complies with the corporate security policies. If Joe's device is deemed healthy and compliant, it proceeds to authentication; if not, Joe's device may be quarantined and could be subject to automatic or manual remediation, depending on the situation or issue. Once Joe's device passes the host check, IPS communicates with the AD server for authentication and authorization. Based on the User Role assigned to Joe in AD, the IPS sends the RADIUS attributes back to the Switch. The attributes could be a VLAN ID, a filter ID (ACL), or other attributes. The Switch port is opened, and Joe has access to network resources.

After getting access to the network, the Pulse client installed on Joe's laptop creates a connection directly with IPS, periodically monitors the device health, and provides this information to the IPS. If Joe's laptop becomes non-compliant at any point, the Pulse client shares this information with the IPS, and the server either disconnects the device by sending a RADIUS Disconnect or quarantines it by sending a RADIUS CoA, depending on the corporate policy.

In the personal mobile phone scenario, the process works a little differently. As the device is owned by Joe, the entire 802.1X authentication process is done using the mobile phone's native 802.1X supplicant. In this scenario, the WLC acts as the authenticator and the IPS server functions as the RADIUS server. The IPS receives the authentication and authorization information from the backend AD server and pushes the appropriate policy rules to the WLAN controller. The compliance check can be done using integration with an MDM/EMM such as Pulse Workspace (PWS), AirWatch, MobileIron, or Microsoft Intune.

How does Pulse Client add value when compared with a native/third-party 802.1X supplicant?

Host Check Prior to Authentication (Pre-admission Control)

In the first scenario, the Pulse client delivered a full host check before Joe could enter his credentials.
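The flow described above (host check before credentials, role-based RADIUS attributes back to the switch, and a RADIUS Disconnect or CoA when the endpoint later turns non-compliant) can be modelled end to end. The following is an added example written for this page, not Pulse Secure code and not the EAP-JUAC protocol: it models a small policy engine for the IPS side. The posture rules, the AD role-to-VLAN/ACL mapping, the quarantine VLAN 999, the ACL names and the choice to admit a non-compliant endpoint into the quarantine VLAN are all constructed assumptions; the RADIUS packet codes, attribute numbers and the Request Authenticator computation follow RFC 2865, RFC 2866, RFC 2868 and RFC 5176.

```python
"""Added model of the NAC flow: host check -> authentication -> RADIUS attributes,
then post-admission CoA / Disconnect. Constructed example, not Pulse Secure code."""
import hashlib
import struct

# RADIUS packet codes (RFC 2865 and RFC 5176)
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
DISCONNECT_REQUEST, COA_REQUEST = 40, 43

# RADIUS attribute types (RFC 2865 / RFC 2866 / RFC 2868) and the enum values used below
FILTER_ID, ACCT_SESSION_ID = 11, 44
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Hypothetical corporate posture policy: every rule must hold for the endpoint to be compliant.
HOST_CHECK_RULES = {"antivirus_running": True, "disk_encrypted": True, "min_patch_level": 10}
# Hypothetical mapping of AD user role -> (VLAN ID, Filter-Id) returned to the switch/WLC.
ROLE_POLICY = {"Employees": (100, "employee-acl"), "Contractors": (200, "contractor-acl")}
QUARANTINE_VLAN = 999  # constructed value


def host_check(posture: dict) -> list:
    """Return the names of failed rules; an empty list means healthy and compliant."""
    failed = []
    for rule, required in HOST_CHECK_RULES.items():
        if rule == "min_patch_level":
            if posture.get("patch_level", 0) < required:
                failed.append(rule)
        elif posture.get(rule) is not required:
            failed.append(rule)
    return failed


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def access_attributes(vlan: int, filter_id: str = None, tag: int = 1) -> bytes:
    """VLAN assignment via the Tunnel-* attributes (RFC 2868, one tag octet leads each value),
    plus an optional Filter-Id naming the ACL the switch should apply."""
    attrs = (_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
             + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))
    if filter_id:
        attrs += _attr(FILTER_ID, filter_id.encode())
    return attrs


def admission(posture: dict, authenticate, username: str) -> dict:
    """Pre-admission control: the host check runs first; the credential/AD step is only
    reached if the endpoint is compliant. `authenticate` stands in for the AD lookup and
    returns the user's role (or None on failure)."""
    failed = host_check(posture)
    if failed:
        # Assumed policy: admit a non-compliant endpoint into the quarantine VLAN for remediation.
        return {"code": ACCESS_ACCEPT, "vlan": QUARANTINE_VLAN, "quarantined": True,
                "failed_rules": failed, "attrs": access_attributes(QUARANTINE_VLAN, "quarantine-acl")}
    role = authenticate(username)
    if role is None or role not in ROLE_POLICY:
        return {"code": ACCESS_REJECT, "attrs": b""}
    vlan, acl = ROLE_POLICY[role]
    return {"code": ACCESS_ACCEPT, "vlan": vlan, "quarantined": False,
            "attrs": access_attributes(vlan, acl)}


def build_dynamic_auth_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a CoA-Request or Disconnect-Request (RFC 5176 section 3):
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_dynamic_auth_request(packet: bytes, secret: bytes) -> bool:
    """What the switch/WLC does on receipt: recompute the authenticator with the shared secret,
    so a request from a sender without the secret is dropped."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == authenticator


def on_health_update(posture: dict, session_id: bytes, policy: str, secret: bytes) -> bytes:
    """Post-admission: a periodic health report that shows the endpoint is non-compliant
    results in a Disconnect-Request (policy 'disconnect') or a CoA-Request moving the
    session to the quarantine VLAN (any other policy value). Returns the packet to send,
    or b'' when the endpoint is still compliant."""
    if not host_check(posture):
        return b""
    session_attr = _attr(ACCT_SESSION_ID, session_id)  # identifies the session to act on
    if policy == "disconnect":
        return build_dynamic_auth_request(DISCONNECT_REQUEST, 1, session_attr, secret)
    coa_attrs = session_attr + access_attributes(QUARANTINE_VLAN, "quarantine-acl")
    return build_dynamic_auth_request(COA_REQUEST, 1, coa_attrs, secret)
```

The ordering in `admission` is the pre-admission point the section makes: a failed host check never reaches the AD lookup, so the credential exchange is not even attempted for a non-compliant laptop. `verify_dynamic_auth_request` is the check the authenticator performs on every CoA or Disconnect, which is why the shared secret between IPS and the switch/WLC must be kept as carefully as the RADIUS secret itself.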