Pulse Secure formerly SSL VPN
Showing results for 
Search instead for 
Do you mean 
Reply
Contributor
Posts: 110
Registered: ‎06-27-2008

Re: Apple iPAD and iPhone Support


haas wrote:

Anyone know if the pulse client has added a new user-agent string with the release of 3.0 here in late October? I am having problems with this version connecting and I am using browser restrictions. I have been successfully using the two listed below and have had no problems till now with an ipod touch and 3.0 of the pulse client.

 

*JunosPulseiPad*

*JunosPulseIphone*

 

Thanks


Here is the other one I was missing.

*JunosPulseiPod*

Jason J. Wald
Juniper Networks Certified
Internet Associate - FWV
Trusted Contributor
Posts: 1,048
Registered: ‎09-26-2011
0

Re: Apple iPAD and iPhone Support

Anyone faced junos pulse with intermittent disconnection?
Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Contributor
Posts: 40
Registered: ‎01-18-2012
0

Re: Apple iPAD and iPhone Support

Hi

 

i have a problem with the IPAD. when the users press "back" button on iPad's Safari the CSS styles get lost. What this happens???

 

Thanks

Contributor
Posts: 11
Registered: ‎02-02-2010
0

Re: Apple iPAD and iPhone Support

Hi all, i'm trying to make certificate authentication ( by that i mean the client must have the cert to log-in )  works on ipad/iphone with pulse. It seem that each time i configure the connection in the pulse client on the ipad, the only cert available to me for certificate authentication is one that not correpond to the one i put in the SSL box. I used the iphone configuration utility ( ipcu ) to put the profile on the ipad, and it look like the ipcu "sign" the cert that i used. Now eve if i dont used the ipcu utilty and send the certificate by email, install it, and look into the profile, it's not the same has in the junos pulse client.

 

i did try with a new device that did not have junos pulse install before, and use the cert send by email. In that case, there is no cert available in junos pulse to use in the connection configuration. 

 

I know the config on the ssl box is good, with android, ( even if it's not exactly the same procedure ) the certificate check is working. 

 

Is there a trcik i'm missing here or do i need like an apple cert to import in the ssl box ? 

 

hope i'm clear here. 

 

thanks.

 

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0

Re: Apple iPAD and iPhone Support

You need to use the iPCU to install the user certificate and set it as the credential to use for the Pulse application. Installing via email does not work to allow Pulse access to use it.

Contributor
Posts: 11
Registered: ‎02-02-2010
0

Re: Apple iPAD and iPhone Support

i did use the ipcu. In fact i did try both way's. via email on a fresh device, the cert does not appears in junos pulse.

 

So do i need the apple cert that is available to developper or somenthing like that. I know for a fact that you need it for exemple on mcafee EMM wich is the mobilty manager.

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0

Re: Apple iPAD and iPhone Support

No, you should not need that.

 

You need to create a VPN profile that has BOTH the VPN client config for certificate authentication and the certificate installed. I have done this several times without an issue. You cannot install one or the other; you have to install both at the same time with the VPN on Demand flag configured

Contributor
Posts: 11
Registered: ‎02-02-2010
0

Re: Apple iPAD and iPhone Support

[ Edited ]

Still no luck, with this error msg ( see attached ) 

 

Let try to get it the basic check up again if you dont mind: 

Here is what i've done :

 

1) sign-in page : made a /ipad that point to a ipad realm.

2) auth server :  made a test.ipad auth server that is a certificate server that looks for certDN.CN

3) Realm ipad : configure with the auth server test.ipad and with a authentication policy that has a certificate restriction allowing only the trusted client CA to sign in.  ( role mapping is also made etc etc.. ) 

4) Truted CA config : In the trusted CA config , i uploded the home made CA from our compagny certificate server. During test i also put in one that i made with openssl. They both work on the android platform.

 

On the ipad / iphone device running version 5 of iOS, i download and install junos pulse client. 

 

Here two things:

 

1) i try emailing myself the certificate and openning it and installing it on the ipad. The certificate did not show up in junos pulse config to bu used. 

 

2) i used the apple iphone configuration utility

a) in this utility, i created a configuration profile that has credential configure with the same cert uploaded on the SSL box.

b) Installed the config on the iphone / ipad, installed the certificate. In junos pulse the is a cert available tha show a string of number instead of name, and in profile i got two thing. IPCU profile, and the certificate that i want. 

 

Now when i look in the log on the ssl box, it says that the the status of the cert xxxx ( wich is the string of number in the junos pulse cert ) cannot be verified because the cert yyyy is not trusted. That yyy cert, i dont know where is coming from.... i wold like very much to install it like a intermediate cert....

 

I dont know if i made a lot of sense. Sorry for my english also.

 

I will appreciated a little help. I did open a couple of ticket with support, but nothing went very far. 

 

Distinguished Expert
Posts: 2,400
Registered: ‎01-29-2008

Re: Apple iPAD and iPhone Support

I am not very good with certificates and I struggled with this for ages in my test lab. Finally got it working and created a document. Not sure if it will help but send me your email in a private message and I will send to you to try.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Trusted Contributor
Posts: 196
Registered: ‎11-16-2007
0

Re: Apple iPAD and iPhone Support

You say " in this utility, i created a configuration profile that has credential configure with the same cert uploaded on the SSL box". Do you mean you used exactly the same certificate? For the iPhone you need a certificate issued by the Certificate Authority not the CAs certificate itself. The CA certificate won't appear in the list of available certificates on the iPhone because it is not a valid device authenitcation certificate.

The certificate you see with numbers and letters name is an internal certifcate on the device and should be ignored.

Recognized Expert
Posts: 420
Registered: ‎03-24-2008

Re: Apple iPAD and iPhone Support

Could I suggest that people stop adding onto this thread and start new ones for what are clearly different questions?  There is a lot of good information in this thread which is a little lost because the subject of the thread is so broad.  For example, if the last few posts had been under a subject heading of "Using Certificates for iOS Device Authentication", I bet more people would have seen the conversation and added to it (or learned from it).

 

Ken

Contributor
Posts: 11
Registered: ‎02-02-2010
0

Re: Apple iPAD and iPhone Support

Yes you are right. I will start a new thread for this particular topic. I had a very good debugging session with support  and found new info in the apple documentation. I think it may help others. Stay tuned.... 

 

thanks 

Trusted Contributor
Posts: 1,048
Registered: ‎09-26-2011
0

Re: Apple iPAD and iPhone Support

Can we have some links to the threads so that we can follow-up on?
Smiley Very Happy
Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Contributor
Posts: 110
Registered: ‎06-27-2008
0

Re: Apple iPAD and iPhone Support

Anyone know if the pulse client has added a new user-agent string with the release of 3.2.0.20175? Clients break immediatly when moving to this client. If I remove the browser restriction they get right in. Gotta be a new string. Now if I could just figure out what it is?!?!

Jason J. Wald
Juniper Networks Certified
Internet Associate - FWV
Recognized Expert
Posts: 420
Registered: ‎03-24-2008
0

Re: Apple iPAD and iPhone Support

Can't you get it by running a policy trace for pre-authentication and authentication?

 

Ken

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0

Re: Apple iPAD and iPhone Support

[ Edited ]

haas wrote:

Anyone know if the pulse client has added a new user-agent string with the release of 3.2.0.20175? Clients break immediatly when moving to this client. If I remove the browser restriction they get right in. Gotta be a new string. Now if I could just figure out what it is?!?!



yes, it has. it is now JunosPulse(version...); i will post the kb i am working on this here once it is published

Contributor
Posts: 110
Registered: ‎06-27-2008
0

Re: Apple iPAD and iPhone Support

I changed it to the following and it seemed to resolve the issue.

 

*iPad*

*Iphone*

*iPod*

Also added android 4.X acces *Android*

 

Life is good again.

Jason J. Wald
Juniper Networks Certified
Internet Associate - FWV
Trusted Contributor
Posts: 108
Registered: ‎07-27-2010
0

Re: Apple iPAD and iPhone Support

Has there been any update?  I have a user who is not able to stay connected from an iPhone.  The client connects and then immediatly disconnects.  I've had the user remove the profile and re add it.  I've checked realm and role restrictions and I'm not enforcing browser strings.  I've checked the role and Junos Pulse is not enabled.

 

My gateway is an SA4500 running 7.2.1r1

 

Client is:

iOS 5.1

Junos pulse 3.2

 

Log shows a successful login followed by a log out.

InfoAUT226732012-05-16 17:00:05 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[Users-NC-Client] - Logout from 166.147.115.243 (session:357e104c)
InfoAUT226702012-05-16 17:00:04 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[Users-NC-Client] - Login succeeded for anjohnso/Pulse_Mobile (session:357e104c) from 166.147.115.243.
InfoAUT243262012-05-16 17:00:04 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[] - Primary authentication successful for anjohnso/rsa-srv6 from 166.147.115.243
InfoAUT232782012-05-16 17:00:02 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[] - User Limit realm restrictions successfully passed for anjohnso/Pulse_Mobile

 

policy trace shows the login and role map are all successfull.

 

InfoPTR102122012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Mapped to roles Users-NC-Client by rule 'user = '*''
InfoPTR102132012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Role mapping stopped by Stop rule
InfoPTR102052012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Realm Pulse_Mobile mapped user anjohnso to roles Users-NC-Client
InfoPTR233532012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Role restrictions successfully passed for roles: Users-NC-Client
InfoPTR233622012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Sign-in successful, creating session
InfoPTR233632012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Session created, redirecting user to start page. Sign-in done.
InfoPTR245592012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Automatically redirected from page "login" to the next start page "/dana/home/starter0.cgi?check=yes" before starting the session.
Highlighted
Recognized Expert
Posts: 420
Registered: ‎03-24-2008
0

Re: Apple iPAD and iPhone Support

What I find curious is that there is no message concerning the start of Network Connect and the assignment of an IP address.  I wonder if the session is logging out because no Network Connect session is started.  You might look at your role and the associate NC connection profile.

 

Ken

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0

Re: Apple iPAD and iPhone Support


mattspierce wrote:

Has there been any update?  I have a user who is not able to stay connected from an iPhone.  The client connects and then immediatly disconnects.  I've had the user remove the profile and re add it.  I've checked realm and role restrictions and I'm not enforcing browser strings.  I've checked the role and Junos Pulse is not enabled.

 

My gateway is an SA4500 running 7.2.1r1

 

Client is:

iOS 5.1

Junos pulse 3.2

 

Log shows a successful login followed by a log out.

Info AUT22673 2012-05-16 17:00:05 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[Users-NC-Client] - Logout from 166.147.115.243 (session:357e104c)
Info AUT22670 2012-05-16 17:00:04 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[Users-NC-Client] - Login succeeded for anjohnso/Pulse_Mobile (session:357e104c) from 166.147.115.243.
Info AUT24326 2012-05-16 17:00:04 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[] - Primary authentication successful for anjohnso/rsa-srv6 from 166.147.115.243
Info AUT23278 2012-05-16 17:00:02 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[] - User Limit realm restrictions successfully passed for anjohnso/Pulse_Mobile

 

policy trace shows the login and role map are all successfull.

 

Info PTR10212 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Mapped to roles Users-NC-Client by rule 'user = '*''
Info PTR10213 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Role mapping stopped by Stop rule
Info PTR10205 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Realm Pulse_Mobile mapped user anjohnso to roles Users-NC-Client
Info PTR23353 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Role restrictions successfully passed for roles: Users-NC-Client
Info PTR23362 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Sign-in successful, creating session
Info PTR23363 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Session created, redirecting user to start page. Sign-in done.
Info PTR24559 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Automatically redirected from page "login" to the next start page "/dana/home/starter0.cgi?check=yes" before starting the session.

do you have the web option enabled? if yes, can you disable it and test again? does the user connect successfully on different roles?