SSL VPN
Visitor
Suroot
Posts: 4
Registered: ‎02-19-2012

Junos pulse using certificate authentication issue

Hi, I'm having some issues deploying a remote access solution using a Juniper 2500 SA series (7.1r6) and the Junos Pulse client on various platforms (iOS, Windows, etc.) using certificate authentication.

I have created a W2K8 R2 certificate authority and a client certificate using SHA-1 for the root and client certs. I have issued and exported these certificates, imported them by email to an iPhone and iPad (running 5.0.1), and installed them so they appear as trusted. I downloaded the latest Junos Pulse client (3.0) for iOS, but when I start Junos Pulse and click on the certificates option there are no certs in the list to select. Why isn't the client cert there if it is installed and trusted? Is it because I have created the client cert incorrectly? Or is there an incompatibility issue? So currently when I try to log in I get 'missing certificate'. Any ideas?

Thanks Alex
Moderator
VVJ
Posts: 75
Registered: ‎07-07-2011

Re: Junos pulse using certificate authentication issue

Are you seeing the same issue on Windows platforms as well? Do you see any errors in the User Access Logs on the SA?

I hope you have already imported the cert into the Trusted Client CA list on the SA as well.

Visitor
Suroot
Posts: 4
Registered: ‎02-19-2012

Re: Junos pulse using certificate authentication issue

Yes, same issue with the Windows XP Junos Pulse client, although I can't even see the option for certificates in the client. In the user access logs there is a 'no cert' error message every time, which is right because I can't choose the client certificate in the Pulse client.

Yes, the root certificate has been imported into the Trusted Client CA list. I'm going to try generating different client certificates using different ciphers on the CA to see if that's the reason they don't appear in the cert list.
Recognized Expert
Kita
Posts: 485
Registered: ‎12-23-2010

Re: Junos pulse using certificate authentication issue

The easiest way to test is to install the certificate in Firefox or Internet Explorer and try to authenticate to the SA using the browser. If the certificate does not appear in the browser, then the certificate was issued incorrectly. In most cases, you'll want to make sure the key usage of 'client authentication' is enabled on the end user certificate.

Visitor
Suroot
Posts: 4
Registered: ‎02-19-2012

Re: Junos pulse using certificate authentication issue

Thanks all for your input, I have resolved the issue! The problem was that I exported the root certificate in DER format to upload to the Juniper SA series appliance, so I also exported the created client certificates in DER format, which didn't include the private key. Resolution: I exported the client certificate in PFX format with a password, which worked fine.

I found the best way to install the certificates on the iPad/iPhone for Junos Pulse was via the IPCU, so I created a configuration profile with the root and client cert included and emailed it.

Notes: I removed and re-installed Junos Pulse when adding or removing a profile (testing) so it found the new client cert. Another issue I found with the IPCU was that if I created a VPN profile with Juniper SSL and certificate authentication and chose the client cert from the payload, it would say 'invalid profile' when I opened it in the email; after removing the VPN profile it worked fine. When installing the IPCU config profile on the iPad/iPhone it will say 'not verified', but this still works fine.
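
A way to check both points raised in this thread before distributing a client certificate, as an added example that is not part of the original posts: whether the exported file actually contains a private key (DER certificate versus PFX), and whether the certificate carries the client-authentication usage, which OpenSSL prints as the extended key usage "TLS Web Client Authentication". It assumes the `openssl` CLI (1.1.1 or later); the function names, file names, subject and password are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI (1.1.1 or later
# for -addext). All names, subjects and passwords below are constructed.

# Print what a client-certificate export actually contains:
#   pkcs12+key  PKCS#12/PFX bundle that includes a private key (usable for client auth)
#   cert-only   DER X.509 certificate, public part only (client has nothing to sign with)
#   unknown     anything else, including a PFX opened with the wrong password
classify_export() {
    file=$1; pass=${2:-}
    if openssl pkcs12 -in "$file" -passin "pass:$pass" -nocerts -nodes 2>/dev/null |
            grep -q 'PRIVATE KEY'; then
        echo "pkcs12+key"
    elif openssl x509 -inform DER -in "$file" -noout >/dev/null 2>&1 </dev/null; then
        echo "cert-only"
    else
        echo "unknown"
    fi
}

# Succeed only if the DER certificate carries the client-authentication EKU.
has_client_auth() {
    openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}

# Build constructed samples in directory $1: the same certificate exported
# both ways (client.cer = DER, client.pfx = PKCS#12 with key).
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-user" -addext "extendedKeyUsage=clientAuth" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl x509 -in "$1/cert.pem" -outform DER -out "$1/client.cer" &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout pass:constructed-pass -out "$1/client.pfx"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "client.cer: $(classify_export "$demo_dir/client.cer")"
echo "client.pfx: $(classify_export "$demo_dir/client.pfx" constructed-pass)"
has_client_auth "$demo_dir/client.cer" && echo "client.cer: clientAuth EKU present"
rm -rf "$demo_dir"
```

A file that reports `cert-only` is fine for the appliance's Trusted Client CA list but cannot be used by a client to authenticate, which matches the 'missing certificate' symptom described above.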
Recognized Expert
Kita
Posts: 485
Registered: ‎12-23-2010

Re: Junos pulse using certificate authentication issue

Good to hear, Suroot. I'm glad the issue is resolved.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.