Hi all.
I've tested the SSL VPN connection with the iPhone-based Junos Pulse and an SA2000.
The authentication method is client certificate authentication, in order to use "On demand VPN".
But it didn't work.
There was an "Authentication Fail" error message on my iPhone when I tried to connect.
I couldn't find any log regarding this error in the SA2000.
It seemed this error occurred within the SSL negotiation.
I'm sure all conditions for client certificate authentication were satisfied:
- The SA2000's certificate is a self-signed certificate.
- The SA2000's certificate was installed on the iPhone as a "Trusted root authority".
- The client certificate was issued by my local CA server.
- The client certificate was installed on the iPhone.
- My local CA's certificate was installed in the SA2000 under "Trusted Client CAs".
This SA2000 has been used for Network Connect users via the "*/" URL in the "sign-in policies".
I added a specific URL in the "sign-in policies" for this test.
I also added a virtual port in order to isolate the SA2000's certificates (one is for NC, another is for Junos Pulse).
The strange symptom is that it worked fine when I connected to another SA2500, my local test device.
The IVE version (6.5R6) and the entire configuration were almost the same except for the sign-in policies.
The SA2000 had the specific URL for Junos Pulse, whereas the SA2500 has only the "*/" URL.
What can the problem be, and which part do I have to check?
It is very difficult for me to investigate the logs of Junos Pulse from the iPhone.
The following information is Junos Pulse's log from the iPhone and the TCP dump from the SA2000.
## Junos Pulse's log ##
20101015210828.462056 Pulse Mobile[p659.t775] info Connection status changed to Connecting (SSLVPNControllerImpl.m:549)
20101015210828.515695 Pulse Mobile[p659.t775] error Calling VPNConfigurationConnectionStart (SSLVPNControllerImpl.m:400)
20101015210828.545631 Pulse Mobile[p659.t775] error Done calling VPNConfigurationConnectionStart (SSLVPNControllerImpl.m:417)
20101015210829.98831 Pulse Mobile[p659.t775] info Connection status changed to Disconnecting (SSLVPNControllerImpl.m:549)
20101015210829.244517 Pulse Mobile[p659.t775] error VPNConfigurationSendMessage failed: Error Domain=com.apple.SystemConfiguration Code=0 "The operation couldna?t be completed. (com.apple.SystemConfiguration error 0 - Success!)" UserInfo=0x1741e0 {NSDescription=Success!} (ConfigurationController.m:730)
20101015210829.266019 Pulse Mobile[p659.t775] info Connection status changed to Disconnected (SSLVPNControllerImpl.m:549)
20101015211239.281546 Pulse Mobile[p659.t775] info Connection status changed to Connecting (SSLVPNControllerImpl.m:549)
20101015211239.333389 Pulse Mobile[p659.t775] error Calling VPNConfigurationConnectionStart (SSLVPNControllerImpl.m:400)
20101015211239.360438 Pulse Mobile[p659.t775] error Done calling VPNConfigurationConnectionStart (SSLVPNControllerImpl.m:417)
20101015211239.900365 Pulse Mobile[p659.t775] info Connection status changed to Disconnecting (SSLVPNControllerImpl.m:549)
20101015211240.74977 Pulse Mobile[p659.t775] error VPNConfigurationSendMessage failed: Error Domain=com.apple.SystemConfiguration Code=0 "The operation couldna?t be completed. (com.apple.SystemConfiguration error 0 - Success!)" UserInfo=0x80127c0 {NSDescription=Success!} (ConfigurationController.m:730)
20101015211240.95669 Pulse Mobile[p659.t775] info Connection status changed to Disconnected (SSLVPNControllerImpl.m:549)
20101015212533.877219 Pulse Mobile[p723.t775] info Control App started at 2010-10-15 12:25:33 GMT (SSLVPNControllerImpl.m:47)
20101015212533.877709 Pulse Mobile[p723.t775] info Reloading configurations (ConfigurationController.m:382)
20101015212533.922086 Pulse Mobile[p723.t775] info Got configuration named cert_vpn2 (ConfigurationController.m:399)
20101015212533.948905 Pulse Mobile[p723.t775] info Got configuration named cert_vpn1 (ConfigurationController.m:399)
20101015212533.977691 Pulse Mobile[p723.t775] info Got configuration named ttt (ConfigurationController.m:399)
20101015212533.999779 Pulse Mobile[p723.t775] info Configuration ttt is enabled (ConfigurationController.m:404)
20101015212533.999954 Pulse Mobile[p723.t775] info Loaded 3 configurations (ConfigurationController.m:415)
20101015212534.4578 Pulse Mobile[p723.t775] info Connection status changed to Disconnected (SSLVPNControllerImpl.m:549)
20101015212534.4810 Pulse Mobile[p723.t775] info Registering for updates from config ttt (ConfigurationController.m:551)
20101015212534.7425 Pulse Mobile[p723.t775] info Config state changed from 1 to 2 (ConfigurationController.m:778)
20101015212534.43747 Pulse Mobile[p723.t775] info Application did finish launching (ControlAppMobileDelegate.m:60)
20101015212534.55361 Pulse Mobile[p723.t775] info Adding splash screen (ControlAppMobileDelegate.m:90)
20101015212534.350418 Pulse Mobile[p723.t775] info Removing splash screen (ControlAppMobileDelegate.m:460)
20101015212534.654194 Pulse Mobile[p723.t775] info Got 0 cookies from the plugin (ConfigurationController.m:670)
20101015212534.654447 Pulse Mobile[p723.t775] info Config state changed from 2 to 0 (ConfigurationController.m:778)
20101015213959.240783 Pulse Mobile[p780.t775] info Control App started at 2010-10-15 12:39:59 GMT (SSLVPNControllerImpl.m:47)
20101015213959.241516 Pulse Mobile[p780.t775] info Reloading configurations (ConfigurationController.m:382)
20101015213959.287410 Pulse Mobile[p780.t775] info Got configuration named cert_vpn2 (ConfigurationController.m:399)
20101015213959.314067 Pulse Mobile[p780.t775] info Got configuration named cert_vpn1 (ConfigurationController.m:399)
20101015213959.340601 Pulse Mobile[p780.t775] info Got configuration named ttt (ConfigurationController.m:399)
20101015213959.369557 Pulse Mobile[p780.t775] info Got configuration named Test_VPN (ConfigurationController.m:399)
20101015213959.391917 Pulse Mobile[p780.t775] info Configuration Test_VPN is enabled (ConfigurationController.m:404)
20101015213959.392083 Pulse Mobile[p780.t775] info Loaded 4 configurations (ConfigurationController.m:415)
20101015213959.396687 Pulse Mobile[p780.t775] info Connection status changed to Disconnected (SSLVPNControllerImpl.m:549)
20101015213959.396859 Pulse Mobile[p780.t775] info Registering for updates from config Test_VPN (ConfigurationController.m:551)
20101015213959.399466 Pulse Mobile[p780.t775] info Config state changed from 1 to 2 (ConfigurationController.m:778)
20101015213959.432753 Pulse Mobile[p780.t775] info Application did finish launching (ControlAppMobileDelegate.m:60)
20101015213959.446169 Pulse Mobile[p780.t775] info Adding splash screen (ControlAppMobileDelegate.m:90)
20101015213959.770075 Pulse Mobile[p780.t775] info Removing splash screen (ControlAppMobileDelegate.m:460)
20101015213959.969240 Pulse Mobile[p780.t775] info Got 0 cookies from the plugin (ConfigurationController.m:670)
20101015213959.969394 Pulse Mobile[p780.t775] info Config state changed from 2 to 0 (ConfigurationController.m:778)
20101015214002.119299 Pulse Mobile[p780.t775] info Connection status changed to Connecting (SSLVPNControllerImpl.m:549)
20101015214002.174946 Pulse Mobile[p780.t775] error Calling VPNConfigurationConnectionStart (SSLVPNControllerImpl.m:400)
20101015214002.202351 Pulse Mobile[p780.t775] error Done calling VPNConfigurationConnectionStart (SSLVPNControllerImpl.m:417)
20101015214002.882411 Pulse Mobile[p780.t775] info Connection status changed to Disconnecting (SSLVPNControllerImpl.m:549)
20101015214003.63918 Pulse Mobile[p780.t775] error VPNConfigurationSendMessage failed: Error Domain=com.apple.SystemConfiguration Code=0 "The operation couldna?t be completed. (com.apple.SystemConfiguration error 0 - Success!)" UserInfo=0x1af510 {NSDescription=Success!} (ConfigurationController.m:730)
20101015214003.82285 Pulse Mobile[p780.t775] info Connection status changed to Disconnected (SSLVPNControllerImpl.m:549)
## TCP dump (SSL negotiation part) ##
Attached.
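Since the Pulse Mobile log is awkward to read by hand, here is an added example (not from the poster or from Juniper) that parses lines in the format shown above and measures how long each Connecting to Disconnecting transition took per process. It assumes the fractional part of the timestamp is a microsecond count printed without leading zeros, which is inferred from the ordering of adjacent lines in the log.

```python
import re
from datetime import datetime, timedelta

# Sample input: four lines copied from the Pulse Mobile log posted above
# (the first connection attempt), kept inline so the script runs offline.
SAMPLE_LOG = """\
20101015210828.462056 Pulse Mobile[p659.t775] info Connection status changed to Connecting (SSLVPNControllerImpl.m:549)
20101015210828.515695 Pulse Mobile[p659.t775] error Calling VPNConfigurationConnectionStart (SSLVPNControllerImpl.m:400)
20101015210829.98831 Pulse Mobile[p659.t775] info Connection status changed to Disconnecting (SSLVPNControllerImpl.m:549)
20101015210829.266019 Pulse Mobile[p659.t775] info Connection status changed to Disconnected (SSLVPNControllerImpl.m:549)
"""

# <YYYYMMDDHHMMSS>.<usec> Pulse Mobile[p<pid>.t<tid>] <level> <message> (<source>:<line>)
LINE_RE = re.compile(
    r"^(?P<ts>\d{14})\.(?P<us>\d+) Pulse Mobile\[p(?P<pid>\d+)\.t(?P<tid>\d+)\] "
    r"(?P<level>\w+) (?P<msg>.*) \((?P<src>[^()]+):(?P<srcline>\d+)\)$"
)


def parse_timestamp(ts, us):
    # Assumption: the fraction is microseconds with leading zeros dropped
    # (".98831" directly after ".545631" can only be 0.098831 s), so it is
    # added as an integer count rather than read as a decimal fraction.
    return datetime.strptime(ts, "%Y%m%d%H%M%S") + timedelta(microseconds=int(us))


def parse_line(line):
    """Return a dict of the line's fields, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = parse_timestamp(rec.pop("ts"), rec.pop("us"))
    return rec


def connection_attempts(text):
    """Pair each 'Connecting' with the next 'Disconnecting' of the same process."""
    starts, attempts = {}, []
    for rec in filter(None, map(parse_line, text.splitlines())):
        msg, pid = rec["msg"], rec["pid"]
        if msg.endswith("changed to Connecting"):
            starts[pid] = rec["time"]
        elif msg.endswith("changed to Disconnecting") and pid in starts:
            started = starts.pop(pid)
            attempts.append({"pid": pid, "started": started.isoformat(),
                             "seconds": round((rec["time"] - started).total_seconds(), 6)})
    return attempts


if __name__ == "__main__":
    for a in connection_attempts(SAMPLE_LOG):
        # A sub-second attempt with no authentication-related line in between
        # fits a rejection before the SA's authentication stage, which is also
        # why the SA's own logs show no authentication failure.
        print(f"pid {a['pid']}: attempt at {a['started']} ended after {a['seconds']} s")
```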
Hi Billy,
Is your iPhone sign-in URL defined in the SA as something like
"my-juniper-sa.mycompany.com/iPhone" (with specific hostname)
or
"*/iPhone" (with wildcard hostname).
The first method does not work with iPhone pulse due to a bug.
The Pulse app resolves the hostname and uses the resulting IP address to connect to the SA.
Because of this, the SA will reject the connection before client certificate authentication takes place.
No client authentication = no authentication failure log within the SA.
The bug is known to Juniper and they promise to fix it.
Until then you must use the wildcard for the hostname in the sign-in URL.
Hope this matches your problem.
- Steffen
I have come across this as well.
If one uses the default "Users" URL, as I suspect most do, and defines multiple realms under that particular URL, Junos Pulse fails. If you create another URL and add multiple realms to the URL definition, then the Pulse client prompts the user for the realm to log into. Even if you define the realm, as you can with Windows Mobile devices, pointing it at the default URL for users causes the same issue: the client fails to connect.
Synopsis: the default URL "*/" is not recognized by the Pulse client, whereas "*/Mobile/" will be recognized.
I have posted this before; as it was fairly early in the release code, I have not followed up with Juniper.
MH
Just to confirm: you installed the certificate and VPN-on-demand option with the Apple Config Utility, right?
Are you seeing the failure with any cert auth or just the on-demand attempt (e.g. from Mobile Safari or in the Pulse UI itself)?
We are running into the same issue.
When we use the Pulse app directly, VPN works wonderfully with cert auth.
But when we define an on-demand VPN policy, it's not working and gives us the same error.
Is this (VPN on demand) supposed to be working on iOS with Pulse?
Yes, it is expected to be working successfully.
Hello,
we experience a similar behaviour:
On-demand connections do not work: if I try to access one of the on-demand domains (connect always), Pulse accesses the SA and logs in successfully, but it does not make a network connection.
The "show active users" list shows the connection but no IP address assigned.
The Pulse client status says disconnected.
Due to the fact that manual connections with the very same VPN profile work well and the on-demand connection gets stuck in the middle, I guess there is a bug.
Or did anybody get on-demand to work? If so, what did you configure?
Thanks in advance,
Steffen
I have been able to set this up and connect successfully without any issue.
What errors do you see on your user access log? In the iOS logs?
Hi,
I've got exactly the same issue, did anyone manage to resolve what caused it?
Thanks
Please open a case with JTAC and provide the iPhone configuration profile for review as well.
Testing here has not had any issues with connections.
What version of iPhone are you using: AT&T or Verizon?