Configuration Examples for Machine and User Authentication
These examples show how to configure machine and user authentication using the trac.defaults
file on the client.
Configuring machine and user authentication:
Establish a user and machine tunnel after a user logs in to the endpoint computer:
-
Create a site and choose the user authentication method.
-
Set
enable_machine_auth
totrue
.
Configuring machine authentication before users log in to the endpoint computer, and user and machine authentication after users log in to the endpoint computer:
This procedure explains how to configure:
-
Machine authentication before a user logs in to the endpoint computer.
-
User and machine authentication after a user logs in to the endpoint computer.
A VPN tunnel is established automatically when the machine starts, and a machine certificate is used for authentication. After a user logs in to the endpoint computer, the VPN tunnel is disconnected. If always connect is enabled, a new VPN tunnel is established automatically using the user authentication method and machine certificate. This tunnel is established to the last site to which the user connected from the endpoint computer. When a user logs off from the endpoint computer, the VPN tunnel is disconnected, and a new VPN tunnel authenticated with a machine certificate is established.
-
Set
enable_machine_auth
totrue
. -
Set
machine_tunnel_before_logon
totrue
. -
Set
machine_tunnel_after_logon
tofalse
. -
Create the default site for the tunnel. (If this site is already defined, skip this step.)
-
Set the authentication method for the user (will be used after users log in to the endpoint computer).
-
Set
machine_tunnel_site
to the display name of the default site.
Configuring Machine tunnel authentication ('Terminal' mode):
A VPN tunnel is established automatically before the user logs in to the endpoint computer. The tunnel is maintained after the user logs in to the endpoint computer and after the user logs out of the endpoint computer.
-
Define a site and choose the user authentication method.
-
Set
enable_machine_auth
to true. -
Set
machine_tunnel_before_logon
to true. -
Set
machine_tunnel_after_logon
to true. -
Create the default site for the tunnel. (If this site is already defined, skip this step.)
It is not necessary to configure the authentication method. The default setting can be used. -
Set
machine_tunnel_site
to the display name of the default site
Notes for machine tunnel authentication:
-
It is important to create the machine site before you configure the default site in the configuration file.
-
In the Security Gateway object, in the VPN Clients > Authentication page, configure the authentication method as Defined on user record (Legacy authentication).
-
The only way to disconnect the Machine only tunnel is to run the command
trac disconnect
from the CMD window. To prevent users from disrupting the Machine tunnel, some actions from the GUI are not permitted, for example: create site and connection buttons. -
Best Practice - Enable Always Connect when working with a Machine only tunnel.
To enable Always Connect:
-
Open the VPN Client.
-
Go to VPN Options > Sites
-
Select a default site for machine only connection.
-
Click Properties > Settings.
-
Select Enable Always Connect.
-