SSL VPN
Contributor
doug_fir
Posts: 24
Registered: ‎01-07-2009

Mac OS X Pulse Client Certificates

Great to see a Junos Pulse Mac OS X client now. We would love to use it, but it doesn't seem to allow for client certificate auth + user/pass. Does it check the user's keychain for a client cert, or is this not an available feature yet? Does everyone just do user/pass auth for their SAs? We want to keep our cert + user/pass config.

 

Thanks!

Contributor
Lilja
Posts: 88
Registered: ‎12-02-2009

Re: Mac OS X Pulse Client Certificates

Are you talking about machine cert or user cert?

I have no problems with user cert + LDAP as a secondary auth.

2 A/P clustered 6500, 7.4R9.1
2 A/P clustered 2500, 8.0R3.1 LAB
Moderator
zanyterp
Posts: 2,270
Registered: ‎11-19-2007

Re: Mac OS X Pulse Client Certificates

It does use keychain. Does the login through safari work?
Contributor
doug_fir
Posts: 24
Registered: ‎01-07-2009

Re: Mac OS X Pulse Client Certificates

Thanks so much for the replies, sorry it has taken a bit for me to reply.

 

Yes, Safari works fine with a client cert installed in the keychain, and Network Connect has no problem with it.  If I purposefully remove the cert+key I get rejected from the SA, so I know it's referencing it in Safari.  The response I get in Junos Pulse (v3.0) is "Missing or invalid client certificate".  This is in Mac OS X 10.7.4, connecting to an SA2500.  Is there a way to see more detailed debug logs for the client app?

 

Thanks for the help.

Contributor
doug_fir
Posts: 24
Registered: ‎01-07-2009

Re: Mac OS X Pulse Client Certificates


Just to add, I can see in /var/log/system.log:

 

dsAccessService[93]: COdCertLib::OpenCertStore: opening CA/Root store 'Current User/Library/Keychains/login.keychain'

 

So it looks like Junos Pulse is attempting to look in the keychain, just not seeing my client certificate.  Again, this certificate works fine for Safari.

 

Disabling the cert requirement makes Junos Pulse connect successfully.  I have duplicated the issue on 10.6.8 on a separate system.

Moderator
zanyterp
Posts: 2,270
Registered: ‎11-19-2007

Re: Mac OS X Pulse Client Certificates

If you do only cert auth, does it succeed?
Please open a case with JTAC to work further on this to confirm failure point (probably) or design implementation change needed
Contributor
doug_fir
Posts: 24
Registered: ‎01-07-2009

Re: Mac OS X Pulse Client Certificates


Cert-only auth does not succeed.  However, it does succeed with Network Connect.

 

The support contract on this unit has expired so I can't open a case, but I think I have encountered a bug with the Junos Pulse client for Mac OS X. I am getting an issuer cert mismatch, possibly due to the fact that the O= organization component of the RDN has a comma in the name, which seems to trigger a set of double quotes around the value when compared. I'm not certain that's all that is wrong, but Junos Pulse is calling it an RDN mismatch and Network Connect and SSL browsers have no problem with it.

 

Below is the cert search output from the debug log on the client:

 

00225,09 2012/07/21 15:01:29.975 3 test_user PulseTray Pulse p1654 t40B jamCert.cpp:346 - 'JamCertLib' 1) Processing Certificate [Subject: test_user, Issuer: ca.example.com, Thumbprint: 723454574BAA2847E1201F2FC345AC929314A0AE] ...
00172,09 2012/07/21 15:01:29.975 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:125 - 'JamCertLib' Found Keychain (path: /Users/test_user/Library/Keychains/login.keychain)
00155,09 2012/07/21 15:01:29.975 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:125 - 'JamCertLib' Found Keychain (path: /Library/Keychains/System.keychain)
00244,09 2012/07/21 15:01:29.975 3 test_user PulseTray Pulse p1654 t40B osxCert.cpp:1259 - 'JamCertLib' Private key  found for certificate: Certificate [Subject: test_user, Issuer: ca.example.com, Thumbprint: 723454574BAA2847E1201F2FC345AC929314A0AE]
00194,09 2012/07/21 15:01:29.976 3 test_user PulseTray Pulse p1654 t40B osxCert.cpp:1074 - 'JamCertLib' SecTrustEvaluate() succeeded with SecTrustResultType (1: kSecTrustResultProceed (Always Trust))
00390,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:678 - 'JamCertLib' Comparing cert-rdn (emailAddress=ca@example.com,CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US) with rdn (C=US,ST=State,L=Anytown,O=\"Example Company\, Inc.\",OU=Information Systems,CN=ca.example.com,emailAddress=ca@example.com)...
00390,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:678 - 'JamCertLib' Comparing cert-rdn (emailAddress=ca@example.com,CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US) with rdn (emailAddress=ca@example.com,CN=ca.example.com,OU=Information Systems,O=\"Example Company\, Inc.\",L=Anytown,ST=State,C=US)...
00313,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:743 - 'JamCertLib' Cert doesn't have matching issuer-RDN: 1.2.840.113549.1.9.1=ca@example.com; 2.5.4.3=ca.example.com; 2.5.4.11=Information Systems; 2.5.4.10="Example Company, Inc."; 2.5.4.7=Anytown; 2.5.4.8=State; 2.5.4.6=US
00284,09 2012/07/21 15:01:29.977 3 test_user PulseTray Pulse p1654 t40B jamCert.cpp:407 - 'JamCertLib' Filtering out Certificate [Subject: test_user, Issuer: ca.example.com, Thumbprint: 723454574BAA2847E1201F2FC345AC929314A0AE] based on its issuer name not matching in server specified list
00532,09 2012/07/21 15:01:29.977 5 test_user PulseTray Pulse p1654 t40B pluginListener.cpp:804 - 'JamUI' UiPlugin-PostJob xid = 32, kPromptAllowSave = 1, kPromptLoginName = '', kPromptServerName = 'EXAMPLE', kPromptSSID = '', kPromptServerURL = 'connect.example.com', kPromptServerType = 'ive', kPromptConnectionId = 'd61c590912e74ebf990fafa3ff57603a', kPromptProxyURL = '', kPromptCertificateErrorStatus = 0, kPromptRetryAuth = 0, kPromptSecondAuth = 0, kPromptProxyAuth = 0, kPromptSecurId = 0, kRequestedUserName = '', kPromptChallenge = ''
00135,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B MacStddefine.mm:45 - 'JamUI' postmessage received  from main thread 
00168,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B MacStddefine.mm:26 - 'JamUI' PostMessageToUI post message received for window 65535 , commandtype 50 
00166,09 2012/07/21 15:01:29.978 4 test_user PulseTray Pulse p1654 t40B MacStddefine.mm:29 - 'JamUI' PostMessageToUI posted successfully for window 65535 , commandtype 50 
00180,09 2012/07/21 15:01:29.978 4 test_user PulseTray Pulse p1654 t40B PulseTrayController.mm:387 - 'JamUI' postmessageReceiver post message received for window 65535 , commandtype 50 
00173,09 2012/07/21 15:01:29.978 4 test_user PulseTray Pulse p1654 t40B PulseTrayController.mm:402 - 'JamUI' OnJamCommand post message received for window 65535 , commandtype 50 
00220,09 2012/07/21 15:01:29.978 3 test_user PulseTray Pulse p1654 t40B DialogManager.cpp:266 - 'JamUI' Prompt request kPromptTypeGetClientCertificate, Connection='EXAMPLE', Index=(ive:d61c590912e74ebf990fafa3ff57603a), xid = 32
00206,09 2012/07/21 15:01:29.978 3 test_user PulseTray Pulse p1654 t40B DialogManager.cpp:1017 - 'JamUI' Prompt reply kUIStatusCompleted, Connection='EXAMPLE', Index=(ive:d61c590912e74ebf990fafa3ff57603a), xid = 32
00141,09 2012/07/21 15:01:29.978 1 root dsAccessService eapService p1691 t8DFF JNPRClient.cpp:3291 - 'eapService' No valid client certificate found.
00146,09 2012/07/21 15:01:29.978 4 root dsAccessService eapService p1691 t8DFF EapService.cpp:28 - 'eapService' processUserCertRequest - no cert selected

 

These being the pertinent lines:

 

00390,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:678 - 'JamCertLib' Comparing cert-rdn (emailAddress=ca@example.com,CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US) with rdn (C=US,ST=State,L=Anytown,O=\"Example Company\, Inc.\",OU=Information Systems,CN=ca.example.com,emailAddress=ca@example.com)...
00390,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:678 - 'JamCertLib' Comparing cert-rdn (emailAddress=ca@example.com,CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US) with rdn (emailAddress=ca@example.com,CN=ca.example.com,OU=Information Systems,O=\"Example Company\, Inc.\",L=Anytown,ST=State,C=US)...

 

 

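What the "Comparing cert-rdn ... with rdn ..." lines above show is a string comparison between two renderings of the same issuer DN: the certificate side escapes the comma in "Example Company, Inc." with a backslash (RFC 4514 style), while the server-supplied value wraps the whole attribute value in double quotes (the older RFC 1779 style), and one of the two attempts also lists the attributes in the opposite order. A comparison that decodes both strings into attribute/value pairs before comparing does not have this problem. The Python below is an added example written for this page, not Junos Pulse or Juniper code; the sample DNs are copied from the log lines above, and it assumes the `\"` in the log is the logger escaping a literal quote character in the server's value. It also accepts the OID-keyed form from the "doesn't have matching issuer-RDN" line and `\2C`-style hex escapes, which the log does not show.

```python
"""
Compare X.500 distinguished names structurally rather than as raw strings.

Constructed example; not Junos Pulse code.  The sample DNs below are the
renderings of one issuer seen in the debug log: RFC 4514 backslash-escaped
comma on the certificate side, a legacy double-quoted O= value on the server
side (in both X.500 and LDAP attribute order), and an OID-keyed dump.
"""

# Short attribute names -> dotted OIDs (RFC 4514 section 3; emailAddress is PKCS#9).
ATTR_OIDS = {
    "cn": "2.5.4.3",
    "c": "2.5.4.6",
    "l": "2.5.4.7",
    "st": "2.5.4.8",
    "o": "2.5.4.10",
    "ou": "2.5.4.11",
    "emailaddress": "1.2.840.113549.1.9.1",
}

# Issuer as read from the certificate (escaped comma) ...
CERT_ISSUER = r"emailAddress=ca@example.com,CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US"
# ... as supplied by the server, quoted, in X.500 order and in LDAP order
# (assumption: the \" in the log is the logger escaping a literal quote) ...
POLICY_X500_ORDER = r'C=US,ST=State,L=Anytown,O="Example Company\, Inc.",OU=Information Systems,CN=ca.example.com,emailAddress=ca@example.com'
POLICY_LDAP_ORDER = r'emailAddress=ca@example.com,CN=ca.example.com,OU=Information Systems,O="Example Company\, Inc.",L=Anytown,ST=State,C=US'
# ... and as the OID-keyed dump with ';' separators.
OID_DUMP = '1.2.840.113549.1.9.1=ca@example.com; 2.5.4.3=ca.example.com; 2.5.4.11=Information Systems; 2.5.4.10="Example Company, Inc."; 2.5.4.7=Anytown; 2.5.4.8=State; 2.5.4.6=US'


def split_dn(dn):
    """Split a DN string on unescaped, unquoted ',' or ';'.
    Escape pairs and double-quoted runs are kept verbatim; unescape_value() decodes them."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])          # keep the escape pair intact
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in ",;" and not in_quotes:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def unescape_value(raw):
    """Decode one attribute value: drop a legacy quoted wrapper, then resolve
    RFC 4514 escapes (\\XX is one UTF-8 byte, \\<char> is that character)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += raw[i + 1].encode("utf-8")
                i += 2
            continue
        out += raw[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def parse_dn(dn):
    """Return the DN as a tuple of (oid, value) pairs so 'O=' and '2.5.4.10='
    compare equal.  Multi-valued RDNs ('+') and LDAP matching rules such as
    caseIgnoreMatch are out of scope for this example."""
    avas = []
    for ava in split_dn(dn):
        name, _, value = ava.partition("=")
        name = name.strip().lower()
        avas.append((ATTR_OIDS.get(name, name), unescape_value(value)))
    return tuple(avas)


def dn_match(a, b):
    """True when a and b denote the same DN, tolerating either escaping style and
    the two conventional string orders (LDAP leaf-first vs X.500 root-first)."""
    pa, pb = parse_dn(a), parse_dn(b)
    return pa == pb or pa == tuple(reversed(pb))


if __name__ == "__main__":
    # Naive string equality rejects every pairing; structural comparison accepts them.
    print("string equality:", CERT_ISSUER == POLICY_LDAP_ORDER)
    for policy in (POLICY_X500_ORDER, POLICY_LDAP_ORDER, OID_DUMP):
        print("structural match:", dn_match(CERT_ISSUER, policy))
```

The same caveat applies to any software that filters certificates by issuer: compare the decoded DER Name (or at least decoded attribute values), never the printable string form, because there are several legal string forms for one Name and a CA that happens to contain a comma, plus sign or quote in a value will break a string compare while still being perfectly valid for TLS.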
Contributor
doug_fir
Posts: 24
Registered: ‎01-07-2009

Re: Mac OS X Pulse Client Certificates

Just to update this in case anyone encounters it in the future, I recreated a test private certificate authority which did not include a comma in the O= section.  Certificates signed by this authority work fine with the Junos Pulse Mac OS X client now.  I'm not certain there was not some other misconfiguration in my previous cert authority besides the comma, but this solved the problem.

 

Strangely, this error did not occur using the Junos Pulse iOS client with certs signed by the previous cert authority.

 

Regards.

Moderator
zanyterp
Posts: 2,270
Registered: ‎11-19-2007

Re: Mac OS X Pulse Client Certificates

Hi doug_fir, Thank you for the update; I will try to do the same testing in-house to see if I can get the same results (comma in OU == cert auth failure) so further investigation can be done if needed (as it sounds).
Visitor
gilmaro
Posts: 3
Registered: ‎02-23-2011

Re: Mac OS X Pulse Client Certificates

Hi, I had a similar problem with Mac OS 10.8.2 with Junos Pulse 4.0 and authentication: cert+AD.

We have machine certificates on the client (stored in System.keychain on Mac OS), while it seems that Pulse only checks login.keychain, and since it finds nothing in it, it says "missing or invalid certificate".

Moving the certificate from System.keychain to login.keychain, everything is OK.

The problem is that it's a machine certificate, not a user certificate, so for us it is not possible to go that way. With the Network Connect client everything is OK.

 

Any ideas?

 

Thanks

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.