Pulse Secure formerly SSL VPN
Visitor
Posts: 4
Registered: ‎02-03-2009
0 Kudos
Accepted Solution

Info. needed on Certificate-only Authentication

Hi All, 

 I'm new to the IVE and forum so excuse the ignorance. I presently have 2 factor auth. (cert and AD) and SSO to Outlook2007/OWA working great on 6.3R2. I have created a different realm for users that I want to use certificate-only authentication. I cannot get it to work, I still get the login page. Apparently I'm missing something. Can I do SSO with cert-only auth?

Some direction would be appreciated and remember I'm new to the IVE so don't worry about insulting me. All info. is appreciated.

Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008

Re: Info. needed on Certificate-only Authentication

Hey Powerman - welcome to the forum - SSO w/certs - three steps:

 

#1 - Create a client side cert from your internal cert server and import it into the SA box. This will be the cert that resides on client PCs and that the SA unit will match against. Import is done under the Config/Certs/Trusted Client CA's tab.

#2 - Define an auth server for the certificate login process.

#3 - Define a user realm that uses that auth server for the auth process.

 

Very simple, straightforward - if you run into any issues post away.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Visitor
Posts: 4
Registered: ‎02-03-2009
0 Kudos

Re: Info. needed on Certificate-only Authentication

Thanks for the info. and that confirms I was on the right track. Still having the same trouble so I'm missing something. Should the user cert be a browser cert or machine cert? I created a Certificate server for auth w/default settings on the IVE. Should I use authorization or authentication? Any suggestion?
Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008

Re: Info. needed on Certificate-only Authentication

[ Edited ]

1- User cert should be a browser cert

2- Use the auth-server you defined for authentication to the realm. Then use whatever else for authorization / role mapping IE - LDAP....

3- When you downloaded the CA certificate for installing into the IVE did you use an encoding method of "Base 64"?

4- Does it read "trusted for client authentication"?

 

If you are still stuck I can send you the documentation (screen shots) that I did for my customers. We are resellers on this product so I put together a high level "how to" for my end user customers.

 

I am out of the office today but could pull it off my documentation server tomorrow and send it if it would help.

Message Edited by muttbarker on 02-03-2009 02:49 PM
Kevin Barker
Visitor
Posts: 4
Registered: ‎02-03-2009
0 Kudos

Re: Info. needed on Certificate-only Authentication

I'm embarrassed to say it but "I'm not smarter than a fifth grader". When I read the email you sent I realized that I was forgetting to change my sign-in page so it would not show the login page. If I had entered the realm only it would have worked. Thanks for the assistance and I'll get back to you about the file you sent.

You deserve KUDOS for this and as soon as I find how to do it, I will. Thanks Again

drf
Contributor
Posts: 46
Registered: ‎09-23-2008
0 Kudos

Re: Info. needed on Certificate-only Authentication

Powerman,

 

You said that "I still get the login page." Are you saying that you cannot login to the IVE with your certificate realm or that the SSO is not working and you get the OWA login page?

 

Make sure that your browser contains the correct Certificate Authorities and the "Trusted Client CA" in the IVE is set to allow Client Authentication
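
The certificate checks raised in this thread (Base 64 encoding of the CA file, and a browser cert that chains to the CA imported as a Trusted Client CA) can be run with openssl before anything is imported into the IVE. This is an added example, not part of any post above; the lab CA, subjects and file names are constructed, and it assumes the openssl command-line tool is installed.

```bash
#!/usr/bin/env bash
# Added example: pre-import checks for a Trusted Client CA and a user certificate.
# Every name, subject and file below is constructed for a throwaway lab.

# 0 if the file is a Base 64 (PEM) X.509 certificate, non-zero if DER or anything else.
is_base64_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1
}

# 0 only if user cert $2 chains to CA $1 AND is usable for TLS client authentication.
chains_for_client_auth() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Issue a leaf from the lab CA: $1 = output name, $2 = extension section (client|server).
issue_leaf() {
  openssl req -new -config "$LAB/lab.cnf" -newkey rsa:2048 -nodes -subj "/CN=constructed-$1" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" -CAcreateserial \
    -days 2 -extfile "$LAB/lab.cnf" -extensions "$2" -out "$LAB/$1.pem" 2>/dev/null
}

# Build the lab: a CA in both encodings, one client-auth cert, one server-only cert.
LAB=$(mktemp -d)
cat > "$LAB/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[client]
extendedKeyUsage = clientAuth
[server]
extendedKeyUsage = serverAuth
EOF
openssl req -x509 -config "$LAB/lab.cnf" -extensions ca -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Constructed Lab CA" -keyout "$LAB/ca.key" -out "$LAB/ca.pem" 2>/dev/null
openssl x509 -in "$LAB/ca.pem" -outform DER -out "$LAB/ca.der"
issue_leaf user client
issue_leaf web server

for f in ca.pem ca.der; do
  is_base64_cert "$LAB/$f" && echo "$f: Base 64" || echo "$f: not Base 64"
done
for c in user web; do
  chains_for_client_auth "$LAB/ca.pem" "$LAB/$c.pem" && echo "$c.pem: client auth OK" \
    || echo "$c.pem: rejected for client auth"
done
```

Against real files, call the two check functions with the CA file downloaded from the internal cert server and the user certificate exported from the browser (public part only).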

Visitor
Posts: 6
Registered: ‎01-26-2010
0 Kudos

Re: Info. needed on Certificate-only Authentication

Kevin,

 

Wondering if you'd be able to shoot me a copy of your how-to/screenshot document for setting up Certificate authentication on the SSL platform. I've not done it before and it sounds like your doc would be a great help.

 

Thanks in advance.

 

Colin McGuire

Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008
0 Kudos

Re: Info. needed on Certificate-only Authentication

Sure - send me your email via private message and I will shoot you a copy.

Kevin Barker
MRK
Visitor
Posts: 3
Registered: ‎11-09-2009
0 Kudos

Re: Info. needed on Certificate-only Authentication

 

Hi, I have the same problem, can you forward me the documentation to kkd_mrk@yahoo.com ?

 

Thanks in advance.

Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008
0 Kudos

Re: Info. needed on Certificate-only Authentication

Check your inbox!

Kevin Barker
Contributor
Posts: 11
Registered: ‎08-03-2009
0 Kudos

Re: Info. needed on Certificate-only Authentication

I'm having some issues with the certificate process as well. Can you send me your document too? Thanks in advance. co.n8ive@gmail.com

 

Mike

Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008
0 Kudos

Re: Info. needed on Certificate-only Authentication

Hey Mike - I have been absent from the Forums for the last few weeks - stuck deep in a data center doing a big install. I am emailing you the document today in case it will still be helpful.

 

Kevin Barker
Regular Visitor
Posts: 5
Registered: ‎04-24-2008
0 Kudos

Re: Info. needed on Certificate-only Authentication

Hi Kevin.

Could you send me a copy as well?  I'd really appreciate it.

Distinguished Expert
Posts: 2,405
Registered: ‎01-29-2008
0 Kudos

Re: Info. needed on Certificate-only Authentication

Sure - send me your email address via the private message feature and I will shoot it out to you tomorrow.

Kevin Barker