KB21321 - How to configure Pulse Connect Secure (PCS) for IKEv2 and MSCHAPv2 authentication in Windows 7


Information

 
Last Modified Date: 10/24/2016 4:35 PM
Synopsis
This article provides information on how to configure the Pulse Connect Secure (PCS) for IKEv2 and MSCHAPv2 Authentication in Windows 7.
Problem or Goal
User fails to authenticate via PCS IKEv2 and MSCHAPv2 in Windows 7. Typical errors are:
  • Policy Mismatch
  • IKE authentication credentials are unacceptable
Note: This is supported only in Pulse Connect Secure software 7.1Rx or later.
Cause
Solution
For IKEv2 limitations and initial setup, refer to the latest admin guides for Pulse Connect Secure devices. In addition to the Admin Guide information, adhere to the following requirements for MSCHAPv2 authentication to work properly.


Pulse Connect Secure Configuration:

  1. Make sure that the PCS Device Certificate has EKU (Enhanced Key Usage) support for:
    • Web Server Authentication
    • Web Client Authentication

  2. Create a new PCS Local Auth Server and select the Password stored as clear text check box.

  3. Create a User Realm that uses the Local Auth Server created in Step 2 for authentication, and create a Role Mapping rule for username *.

  4. To configure IKEv2, go to Configuration > IKEv2, assign the proper port to the User Realm, and set the User Realm to use EAP-MSCHAP-V2.

  5. Under the User Role, make sure that the VPN tunneling check box is selected.


Windows 7 Configuration:

  1. Install the Root CA certificate from the certificate server/CA that issued the device certificate for the SA under the Trusted Root Certification Authorities > Certificates folder on the Local Computer (Computer Account). Use MMC.exe to import it to the proper folder. Ignore this step if the root CA certificate is already present.

    [Image: MMC console for the Local Computer (Computer Account) certificate store]

  2. Create a new VPN connection and configure it for IKEv2 (select the option to create but not connect immediately). After the VPN is on the system, modify the security policies as below:

    [Image: Windows 7 IKEv2 configuration]
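
The two certificate prerequisites above (the required EKUs on the PCS device certificate, and its root CA in the Local Computer Trusted Root store) can be checked from the Windows client with the following PowerShell. This is an added example, not part of the original article or vendor tooling; the file name `pcs-device.cer` is hypothetical, and the script assumes the two EKUs named in the PCS configuration correspond to the standard Server Authentication and Client Authentication OIDs.

```powershell
# Added example (not vendor code); runs on Windows PowerShell 2.0 and later.
# $CertPath is a hypothetical file: the PCS device certificate exported as .cer
param([string]$CertPath = '.\pcs-device.cer')

# Assumption: the two EKUs named in step 1 are the standard serverAuth/clientAuth OIDs.
$requiredEku = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}
$ns   = 'System.Security.Cryptography.X509Certificates'
$path = (Resolve-Path $CertPath).Path
$cert = New-Object "$ns.X509Certificate2" -ArgumentList $path
$ok   = $true

# Collect every OID listed in the Enhanced Key Usage extension, if one exists.
$present = @()
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        foreach ($oid in $ext.EnhancedKeyUsages) { $present += $oid.Value }
    }
}
foreach ($oid in $requiredEku.Keys) {
    if ($present -contains $oid) {
        Write-Output "OK      EKU $($requiredEku[$oid])"
    } else {
        Write-Output "MISSING EKU $($requiredEku[$oid]) ($oid)"
        $ok = $false
    }
}

# Build the chain without revocation checks and take its top-most certificate.
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($cert)
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# The client needs that root in Local Computer > Trusted Root Certification Authorities.
$store = New-Object "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadOnly')
$hits = $store.Certificates.Find('FindByThumbprint', $top.Thumbprint, $false)
$store.Close()
if (($top.Subject -eq $top.Issuer) -and ($hits.Count -gt 0)) {
    Write-Output "OK      root '$($top.Subject)' is in LocalMachine\Root"
} else {
    Write-Output "MISSING root for '$($top.Issuer)' in LocalMachine\Root"
    $ok = $false
}
if (-not $ok) { exit 1 }
```

A `MISSING root` line means the issuing root is not in the machine store, even if it is present in the current user's store.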

Created By: Data Deployment
