Certificate authentication with Junos Pulse on SA

Occasional Contributor

Certificate authentication with Junos Pulse on SA

Hello,

 

I have an SA with Network Connect configured to authenticate users only by certificate. It works perfectly with a certificate from an old certificate authority, but when I want to change the authentication to our new CA (with an intermediate CA), we always get: "Invalid or expired certificate". If, in Trusted Client CAs, I remove the use of the CRL, we can connect.

We don't want to skip the CRL check! If I update the CRL by clicking Update in CRL Settings, there is no error and I get the message 'Last result: Success, same CRL' with the last-update date refreshed.

Seen in the log:

SYS30734 2013-03-28 17:58:11 - SSL-XXX2 - [127.0.0.1] System()[] - Downloaded Identical CRL (920 bytes) from 'http://pki.xxxxx-yyyy.fr/AC_Personnel/crl/crl-1.crl'

 

When the auth fails I get this log:

AUT24604 2013-03-28 18:29:30 - SSL-XXX2 - [10.1.25.39] System()[] - SSL negotiation failed while client at source IP '5.X.Y.39' was trying to connect to '194.xxx.yyy.50'. Reason: ''

I removed all certificate restrictions, without success. Our CRL is reachable, and the SA doesn't have any dropped packets on the firewall.

Does anybody have an idea why I get this problem?

 

SA is a 4500 with 7.3R3 (build 23377)

Valued Contributor

Re: Certificate authentication with Junos Pulse on SA

If there are no issues with downloading the CRL on the SA device, and it works without it but fails with the CRL installed on the SA, most likely the certificate you are using is revoked. Can you check the CRL to see if the serial number of the certificate you are using is listed as revoked?

Regular Contributor

Re: Certificate authentication with Junos Pulse on SA

Under CRL Checking Options, which CRL Distribution Point (CDP) is selected?

CDP specified in Trusted Client CA

                                 or

CDP specified in client certificate

If the certificate is issued from an interim CA, it will have a different CDP than the one in the interim CA's own certificate.

Try setting this to "CDP specified in client certificate", or you can configure the CDP manually by looking at the client certificate.

 

Regards,

SVK
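The two checks suggested above, whether the client's serial appears in a CRL (first reply) and whether the CRL the gateway holds was actually issued by the CA that signed an intermediate-issued client certificate (this reply), reproduced with openssl as an added example that is not part of the original thread. It builds a throwaway root CA, issuing CA and client certificate with invented names and CDP URLs under pki.example.test, publishes one CRL per CA, and shows what a full-chain verifier reports when it only holds the root's CRL, when it holds both, and after the client certificate is revoked. Requires OpenSSL 1.1.1 or later; nothing is fetched from the network.

```shell
#!/bin/sh
# Added example (not from the thread): root CA -> issuing CA -> client cert, one CRL per
# CA, then the checks a gateway or its admin makes: which CDP the leaf carries, whether a
# given CRL was issued by the leaf's issuer, and whether the leaf's serial is on it.
# Names and CDP URLs under pki.example.test are invented; nothing is downloaded.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Minimal 'openssl ca' config for CA $1: gencrl/revoke need a database, cert+key, CRL number.
write_ca_cnf() {
cat > "$1.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
database = $1.idx
new_certs_dir = .
certificate = $1.crt
private_key = $1.key
crlnumber = $1.crlnum
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
touch "$1.idx"; echo 1000 > "$1.crlnum"
}
sign() {   # sign CSR $1.csr with CA $2; remaining args are extension lines
  n=$1; ca=$2; shift 2
  printf '%s\n' "$@" > "$n.ext"
  openssl x509 -req -in "$n.csr" -CA "$ca.crt" -CAkey "$ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$n.ext" -out "$n.crt" 2>/dev/null
}
build_pki() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config req.cnf \
    -extensions v3_ca -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=Example Issuing CA" \
    -keyout sub.key -out sub.csr 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=alice" \
    -keyout client.key -out client.csr 2>/dev/null
  # The intermediate's CDP points at the ROOT's CRL (only the root can revoke it) ...
  sign sub root "basicConstraints=critical,CA:TRUE" "keyUsage=critical,keyCertSign,cRLSign" \
    "crlDistributionPoints=URI:http://pki.example.test/root.crl"
  # ... while the client cert's CDP is the ISSUING CA's CRL: another URL, another issuer.
  sign client sub "basicConstraints=CA:FALSE" "keyUsage=digitalSignature" \
    "extendedKeyUsage=clientAuth" "crlDistributionPoints=URI:http://pki.example.test/sub.crl"
  write_ca_cnf root; write_ca_cnf sub
  openssl ca -config root.cnf -gencrl -out root.crl 2>/dev/null
  openssl ca -config sub.cnf  -gencrl -out sub.crl  2>/dev/null
  cat root.crl sub.crl > all.crl      # both CRLs: what a full-chain check needs
}
cdp_of() {                # CDP URI(s) carried by certificate $1
  openssl x509 -in "$1" -noout -ext crlDistributionPoints | grep -o 'URI:[^ ]*' | sed 's/^URI://'
}
crl_matches_issuer() {    # $1 CRL, $2 cert -> yes|no: was the CRL issued by the cert's issuer?
  if [ "$(openssl crl -in "$1" -noout -issuer)" = "$(openssl x509 -in "$2" -noout -issuer)" ]
  then echo yes; else echo no; fi
}
serial_in_crl() {         # $1 CRL, $2 cert -> yes|no: is the cert's serial listed as revoked?
  s=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
  if openssl crl -in "$1" -noout -text | grep -qi "Serial Number: *$s\$"
  then echo yes; else echo no; fi
}
verify_status() {         # $1 CRL file or "", $2 "" | -crl_check | -crl_check_all
  if [ -n "$1" ]; then crlopt="-CRLfile $1"; else crlopt=""; fi
  out=$(openssl verify $2 $crlopt -CAfile root.crt -untrusted sub.crt client.crt 2>&1 || true)
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *": OK"*)                          echo OK ;;
    *)                                 echo other ;;
  esac
}
build_pki
echo "client CDP:                 $(cdp_of client.crt)"                     # http://pki.example.test/sub.crl
echo "no CRL check:               $(verify_status "" "")"                   # OK
echo "root CRL only, leaf check:  $(verify_status root.crl -crl_check)"     # no-crl
echo "root CRL covers client?     $(crl_matches_issuer root.crl client.crt)" # no
echo "sub CRL covers client?      $(crl_matches_issuer sub.crl client.crt)"  # yes
BEFORE_REVOKE=$(verify_status all.crl -crl_check_all)
echo "both CRLs, full chain:      $BEFORE_REVOKE"                           # OK
# Revoke the client cert at the issuing CA and republish its CRL.
openssl ca -config sub.cnf -revoke client.crt >/dev/null 2>&1
openssl ca -config sub.cnf -gencrl -out sub.crl 2>/dev/null
cat root.crl sub.crl > all.crl
echo "serial on sub CRL?          $(serial_in_crl sub.crl client.crt)"      # yes
echo "both CRLs, after revoke:    $(verify_status all.crl -crl_check_all)"  # revoked
echo "no CRL check, after revoke: $(verify_status "" "")"                   # OK (still!)
```

The "no-crl" line is the shape of failure to expect when the gateway's CDP setting points at the trusted root's CRL while the client certificate was issued by the intermediate: the CRL it holds is valid and downloads fine, it is simply issued by the wrong CA for that leaf, so the leaf cannot be checked. The last line is why disabling the check is not a fix: a revoked certificate passes.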

 

Occasional Contributor

Re: Certificate authentication with Junos Pulse on SA

The certificate that I use is valid and not revoked; I use it to authenticate to another system.

I tried changing the CDP: manually, in the client certificate and in the trusted CA, without any success.

Does the certificate need a special "key usage"?

 

I analysed the SSL stream with Wireshark and decoded it with the private key of the SA, and I see that the communication switches to EAP; after that I recognize a TTLS authentication, and I can see the list of known and allowed CAs being offered. My Pulse client offers the right certificate and gives the entire certificate chain (CA, sub-CA and end-entity certificate); after that I can't decode it and don't know what happens.

Valued Contributor

Re: Certificate authentication with Junos Pulse on SA

The certificate does not need any specific key usage.

 

To be 100% of the issue, JTAC will need to increase debug logging on the SA with certificate event codes to help determine why the SA is failing.  Do you have a current case open for this issue?  If so, please provide the case number.

Occasional Contributor

Re: Certificate authentication with Junos Pulse on SA

I had a ticket with JTAC, but they closed it because I was on holiday...

I have a question: does the SA 4500 with firmware release 7.3R3 support certificates with Signature Algorithm: sha256WithRSAEncryption?

 

Here is an extract of the root CA. The only difference between the client and CA certificates is the key size: 4096 bits for the CA and 2048 for the client.

 

$ openssl x509 -in VilledeMarseilleAutoriteRacine.crt -inform DER -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            60:5c:5f:da:07:44:27:52
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, ST=PACA, L=Marseille, O=Ville de Marseille, OU=0002 21130055300016, CN=Ville de Marseille - Autorite Racine
        Validity
            Not Before: Mar  5 09:57:05 2013 GMT
            Not After : Mar  6 09:57:05 2033 GMT
        Subject: C=FR, ST=PACA, L=Marseille, O=Ville de Marseille, OU=0002 21130055300016, CN=Ville de Marseille - Autorite Racine
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a9:57:99:bd:45:d5:93:c6:69:b2:69:1a:60:a3:
                    f2:a1:44:ed:e8:ab:a8:ea:2b:28:a4:b2:ea:75:70:
                    57:63:ff:82:93:15:33:4a:52:16:77:68:c6:50:e5:
                    2e:b4:04:8e:4b:33:83:fd:87:5c:fa:49:34:dd:3c:
                    2d:e2:e3:c0:e1:67:fb:e9:ea:ac:56:cd:d2:4a:37:
                    28:19:8f:8d:38:fa:31:25:4a:59:bd:84:2b:72:70:
                    1b:70:37:9d:f2:01:a0:af:69:67:e7:17:68:5f:52:
                    04:4b:90:1f:b2:c7:ee:a4:8e:fa:8b:bb:08:9c:69:
                    8b:59:1c:d6:c7:83:de:6b:86:cc:9b:69:cb:14:c0:
                    82:49:81:35:56:19:c2:7f:f5:e4:c8:72:c2:e7:fb:
                    9f:4b:cc:9e:9e:88:1f:ae:0c:68:c0:78:2e:68:82:
                    f7:00:b8:90:89:aa:c1:5a:23:97:1c:1c:59:78:0f:
                    2d:0a:2b:95:e8:92:53:85:5b:83:a9:db:80:c0:44:
                    70:99:f1:a1:1d:14:d6:75:44:d7:9d:19:e7:66:8d:
                    c7:8d:61:29:2e:7b:dc:e6:26:3f:35:ac:5d:89:b0:
                    ac:be:45:3f:0c:4a:ce:14:2b:bc:7f:7e:98:1e:87:
                    4b:1c:3f:a4:a4:11:d1:c9:9c:84:30:78:74:73:98:
                    18:9c:3a:ba:43:55:f5:df:21:bc:f0:9a:a7:8b:b2:
                    cb:05:9a:e9:db:1f:00:62:dc:fe:78:1c:e7:cd:2c:
                    37:75:24:1e:f7:02:70:0d:75:8b:88:c2:b0:e1:b2:
                    f4:96:a5:6f:57:16:d5:96:8f:8c:76:a8:1b:70:2d:
                    88:fd:07:2f:ae:f7:e1:f7:cb:f8:fa:9a:b9:e1:7c:
                    94:ff:fb:5c:d3:93:97:ea:22:b0:4f:c2:08:05:f1:
                    ab:2d:b1:0a:62:19:cb:39:0c:1d:78:b0:1a:15:61:
                    b2:62:58:32:b4:c6:95:3d:b8:7c:48:32:b7:8c:06:
                    5d:ba:b2:c9:8e:af:d5:ef:b1:22:c8:fc:90:0c:ff:
                    30:7a:1a:ed:c8:49:45:fb:be:ec:36:1c:f7:17:35:
                    a6:19:c0:69:3d:16:20:0a:5f:c7:98:5a:18:be:08:
                    66:ed:e8:ff:94:20:31:db:92:5d:b0:69:64:5f:b6:
                    ea:a0:ee:65:52:9d:72:eb:fe:2a:f5:ed:f9:d3:d3:
                    22:1d:bf:df:31:0f:93:51:d1:08:53:7a:9f:fd:53:
                    08:b7:c8:7d:48:30:25:71:1d:5d:ca:78:84:fd:47:
                    2a:11:5a:6d:96:76:43:b1:f9:42:c3:71:1a:84:3b:
                    2d:fb:e4:f2:39:23:d3:96:b4:c0:cc:6d:5e:66:0d:
                    49:3a:05
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                BA:A7:59:C8:7B:A6:48:D8:80:12:8D:31:F3:FA:1E:37:AF:21:D6:9F
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:BA:A7:59:C8:7B:A6:48:D8:80:12:8D:31:F3:FA:1E:37:AF:21:D6:9F

            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: http://pki.mairie-marseille.fr/PC/

            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         76:32:b6:01:36:ea:83:da:b4:d7:6c:26:cc:d1:cb:84:70:33:
         4a:2e:a1:ae:8d:81:cd:b2:f1:4b:bf:a4:3f:e5:ba:ff:78:1d:
         25:5d:26:7c:cd:86:d2:38:79:90:4c:ae:21:dc:b7:4a:3b:88:
         b8:12:ec:7e:10:3d:fe:23:d4:12:0a:90:12:80:c9:6e:d9:aa:
         37:64:18:55:48:d8:ba:29:ba:82:05:df:73:6e:40:71:41:d5:
         22:9d:03:32:00:83:1c:29:29:72:55:86:5a:cd:10:96:41:4b:
         6c:bd:9f:f4:be:9e:b2:e7:22:90:89:af:ed:5a:8e:dc:9f:53:
         54:e3:93:c9:9b:da:ff:79:b7:e9:41:d5:d6:ba:62:48:91:01:
         e2:0c:98:64:5f:34:65:1a:ce:50:c3:00:64:44:14:2b:63:b7:
         c5:4c:4b:d4:87:3d:79:c5:82:49:51:c0:2b:4c:db:68:21:25:
         b2:b7:92:3d:47:ff:e0:72:65:19:ff:ac:13:53:58:ba:cb:a8:
         bd:16:71:51:e6:8a:79:c0:74:3d:4b:8c:fb:98:46:c6:b8:40:
         b7:91:69:9c:fd:62:ad:25:62:73:02:82:2d:9d:e9:5c:fb:26:
         c7:b1:af:dc:a5:73:0b:37:fe:b9:e5:df:c4:3a:2b:d8:79:b5:
         34:a9:27:7a:41:9a:9f:d3:b1:0c:af:62:7a:c6:b2:93:fc:2d:
         a3:a7:08:e1:46:75:0e:19:d6:0f:dc:c8:73:42:d7:f8:dd:9d:
         7e:ad:d8:63:ee:d0:2e:97:d5:64:ea:75:4a:70:19:41:58:54:
         71:6d:a0:4a:f5:57:aa:34:63:53:a5:78:6f:77:79:88:9c:df:
         e5:29:c4:a5:45:d8:89:99:61:3e:20:b0:04:7f:be:f5:7b:17:
         98:fb:08:77:ce:00:4e:e1:ac:6c:14:5a:32:85:de:63:96:7e:
         0a:9d:1d:34:85:c9:f3:2a:8e:d3:7b:b9:d8:6a:0c:fd:89:1b:
         df:72:79:95:e0:ab:f8:5c:7e:d8:5f:4c:44:a5:87:47:6c:0e:
         7e:70:a3:76:01:a3:31:5c:6c:53:73:d3:eb:86:1e:c7:a0:e5:
         72:43:4c:3a:53:88:00:67:8c:e2:8f:59:69:92:10:23:dd:1a:
         ca:df:23:cd:33:ac:0c:60:2b:2e:49:f0:6c:db:9b:77:9e:e9:
         19:64:4c:88:51:fe:e6:aa:b5:61:98:14:dd:3d:52:dc:f3:e6:
         ca:01:2c:1e:98:4a:a0:b6:59:40:56:02:12:d2:bf:03:30:56:
         a8:5f:e8:f5:c2:7c:d8:fc:1f:e7:d6:0b:ad:b5:83:ad:53:58:
         3a:d4:65:20:15:f3:b0:79

Valued Contributor

Re: Certificate authentication with Junos Pulse on SA

SHA256 is supported in 7.3 and should be okay. If you want, you can try upgrading to the latest release of 7.4, as the OpenSSL version would be upgraded. This may or may not fix your issue, but may be worth a try.

 

To root cause the issue, JTAC will need the debug log enabled with the proper certificate event codes.  Can you please open a new case or request to re-open the existing case so we can gather the proper logs?

Occasional Contributor

Re: Certificate authentication with Junos Pulse on SA

Ticket 2013-0523-0074 opened.

Valued Contributor

Re: Certificate authentication with Junos Pulse on SA

I can see the JTAC rep has already updated you on the data we need. The most important log will be the debug log: enable debug logging, replicate the issue, and take a system snapshot that includes the debug log. Once you've attached the logs, I can review this and provide you feedback. If you have any questions, please feel free to contact JTAC support.

Respected Contributor

Re: Certificate authentication with Junos Pulse on SA

Can you test a newer version of the IVE OS? There is an issue with certificates in early 7.3 releases that is fixed in 7.3R5.