SSL VPN
Recognized Expert
kenlars
Posts: 420
Registered: ‎03-24-2008

Re: Apple iPAD and iPhone Support

Could I suggest that people stop adding onto this thread and start new ones for what are clearly different questions?  There is a lot of good information in this thread which is a little lost because the subject of the thread is so broad.  For example, if the last few posts had been under a subject heading of "Using Certificates for iOS Device Authentication", I bet more people would have seen the conversation and added to it (or learned from it).

 

Ken

Contributor
msimard@converge-net.com
Posts: 11
Registered: ‎02-02-2010
0

Re: Apple iPAD and iPhone Support

Yes you are right. I will start a new thread for this particular topic. I had a very good debugging session with support and found new info in the Apple documentation. I think it may help others. Stay tuned....

 

thanks 

Trusted Contributor
michael.saw
Posts: 1,048
Registered: ‎09-26-2011
0

Re: Apple iPAD and iPhone Support

Can we have some links to the threads so that we can follow up on them?
Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Contributor
haas
Posts: 110
Registered: ‎06-27-2008
0

Re: Apple iPAD and iPhone Support

Anyone know if the Pulse client has added a new user-agent string with the release of 3.2.0.20175? Clients break immediately when moving to this client. If I remove the browser restriction they get right in. Gotta be a new string. Now if I could just figure out what it is?!?!

Jason J. Wald
Juniper Networks Certified
Internet Associate - FWV
Recognized Expert
kenlars
Posts: 420
Registered: ‎03-24-2008
0

Re: Apple iPAD and iPhone Support

Can't you get it by running a policy trace for pre-authentication and authentication?

 

Ken

Moderator
zanyterp
Posts: 2,332
Registered: ‎11-19-2007
0

Re: Apple iPAD and iPhone Support


haas wrote:

Anyone know if the Pulse client has added a new user-agent string with the release of 3.2.0.20175? Clients break immediately when moving to this client. If I remove the browser restriction they get right in. Gotta be a new string. Now if I could just figure out what it is?!?!



yes, it has. it is now JunosPulse(version...); i will post the kb i am working on for this here once it is published

Contributor
haas
Posts: 110
Registered: ‎06-27-2008
0

Re: Apple iPAD and iPhone Support

I changed it to the following and it seemed to resolve the issue.

 

*iPad*

*Iphone*

*iPod*

Also added Android 4.X access: *Android*

 

Life is good again.

Jason J. Wald
Juniper Networks Certified
Internet Associate - FWV
Trusted Contributor
mattspierce
Posts: 107
Registered: ‎07-27-2010
0

Re: Apple iPAD and iPhone Support

Has there been any update? I have a user who is not able to stay connected from an iPhone. The client connects and then immediately disconnects. I've had the user remove the profile and re-add it. I've checked realm and role restrictions and I'm not enforcing browser strings. I've checked the role and Junos Pulse is not enabled.

 

My gateway is an SA4500 running 7.2.1r1

 

Client is:

iOS 5.1

Junos pulse 3.2

 

Log shows a successful login followed by a log out.

Info AUT22673 2012-05-16 17:00:05 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[Users-NC-Client] - Logout from 166.147.115.243 (session:357e104c)
Info AUT22670 2012-05-16 17:00:04 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[Users-NC-Client] - Login succeeded for anjohnso/Pulse_Mobile (session:357e104c) from 166.147.115.243.
Info AUT24326 2012-05-16 17:00:04 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[] - Primary authentication successful for anjohnso/rsa-srv6 from 166.147.115.243
Info AUT23278 2012-05-16 17:00:02 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[] - User Limit realm restrictions successfully passed for anjohnso/Pulse_Mobile

 

Policy trace shows the login and role map are all successful.

 

Info PTR10212 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Mapped to roles Users-NC-Client by rule 'user = '*''
Info PTR10213 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Role mapping stopped by Stop rule
Info PTR10205 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Realm Pulse_Mobile mapped user anjohnso to roles Users-NC-Client
Info PTR23353 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Role restrictions successfully passed for roles: Users-NC-Client
Info PTR23362 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Sign-in successful, creating session
Info PTR23363 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Session created, redirecting user to start page. Sign-in done.
Info PTR24559 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Automatically redirected from page "login" to the next start page "/dana/home/starter0.cgi?check=yes" before starting the session.
Recognized Expert
kenlars
Posts: 420
Registered: ‎03-24-2008
0

Re: Apple iPAD and iPhone Support

What I find curious is that there is no message concerning the start of Network Connect and the assignment of an IP address. I wonder if the session is logging out because no Network Connect session is started. You might look at your role and the associated NC connection profile.

 

Ken
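
Added example (not part of any post in this thread, and not Juniper code): a Python script that pairs the "Login succeeded" and "Logout" events by session ID in user access logs of the format quoted above and flags sessions that end within a few seconds of starting, the pattern being discussed here. The 5-second threshold and the second session in the sample are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the first two lines follow the login/logout pair quoted
# in the thread; the 'aaaa0001' session is invented as a normal-length contrast.
SAMPLE_LOG = """\
Info AUT22673 2012-05-16 17:00:05 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[Users-NC-Client] - Logout from 166.147.115.243 (session:357e104c)
Info AUT22670 2012-05-16 17:00:04 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[Users-NC-Client] - Login succeeded for anjohnso/Pulse_Mobile (session:357e104c) from 166.147.115.243.
Info AUT22673 2012-05-16 18:30:00 - gw - [192.0.2.10] - alice(Pulse_Mobile)[Users-NC-Client] - Logout from 192.0.2.10 (session:aaaa0001)
Info AUT22670 2012-05-16 17:10:00 - gw - [192.0.2.10] - alice(Pulse_Mobile)[Users-NC-Client] - Login succeeded for alice/Pulse_Mobile (session:aaaa0001) from 192.0.2.10.
"""

# Severity, message code, timestamp, then the event text and the session ID.
LINE_RE = re.compile(
    r"^\w+\s+(?P<code>[A-Z]{3}\d+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - .*?"
    r"(?P<event>Login succeeded|Logout)\b.*\(session:(?P<sid>[0-9a-f]+)\)"
)

def short_lived_sessions(log_text, max_seconds=5):
    """Return sorted [(session_id, lifetime_seconds)] for sessions that
    logged out within max_seconds of logging in. Line order is irrelevant,
    so newest-first exports work as-is."""
    logins, logouts = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a login/logout line, or no session ID on it
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        bucket = logins if m["event"] == "Login succeeded" else logouts
        bucket[m["sid"]] = ts
    flagged = []
    for sid, start in logins.items():
        end = logouts.get(sid)
        if end is None:
            continue  # session still open (or logout not in this export)
        lifetime = (end - start).total_seconds()
        if 0 <= lifetime <= max_seconds:
            flagged.append((sid, lifetime))
    return sorted(flagged)

if __name__ == "__main__":
    for sid, secs in short_lived_sessions(SAMPLE_LOG):
        print(f"session {sid} lasted {secs:.0f}s: check role and connection profile")
```
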

Moderator
zanyterp
Posts: 2,332
Registered: ‎11-19-2007
0

Re: Apple iPAD and iPhone Support


mattspierce wrote:

Has there been any update? I have a user who is not able to stay connected from an iPhone. The client connects and then immediately disconnects. I've had the user remove the profile and re-add it. I've checked realm and role restrictions and I'm not enforcing browser strings. I've checked the role and Junos Pulse is not enabled.

 

My gateway is an SA4500 running 7.2.1r1

 

Client is:

iOS 5.1

Junos pulse 3.2

 

Log shows a successful login followed by a log out.

Info AUT22673 2012-05-16 17:00:05 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[Users-NC-Client] - Logout from 166.147.115.243 (session:357e104c)
Info AUT22670 2012-05-16 17:00:04 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[Users-NC-Client] - Login succeeded for anjohnso/Pulse_Mobile (session:357e104c) from 166.147.115.243.
Info AUT24326 2012-05-16 17:00:04 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[] - Primary authentication successful for anjohnso/rsa-srv6 from 166.147.115.243
Info AUT23278 2012-05-16 17:00:02 - j4500-b1cr - [166.147.115.243anjohnso(Pulse_Mobile)[] - User Limit realm restrictions successfully passed for anjohnso/Pulse_Mobile

 

Policy trace shows the login and role map are all successful.

 

Info PTR10212 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Mapped to roles Users-NC-Client by rule 'user = '*''
Info PTR10213 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Role mapping stopped by Stop rule
Info PTR10205 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Realm Pulse_Mobile mapped user anjohnso to roles Users-NC-Client
Info PTR23353 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[] - Role restrictions successfully passed for roles: Users-NC-Client
Info PTR23362 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Sign-in successful, creating session
Info PTR23363 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Session created, redirecting user to start page. Sign-in done.
Info PTR24559 2012/05/16 17:00:04 - j4500-b1cr - [166.147.115.243] - anjohnso(Pulse_Mobile)[Users-NC-Client] - Automatically redirected from page "login" to the next start page "/dana/home/starter0.cgi?check=yes" before starting the session.

do you have the web option enabled? if yes, can you disable it and test again? does the user connect successfully on different roles?
