JunOS Pulse and Certificate Authentication?

Toivo_
Contributor

Does JunOS Pulse support certificate authentication? I have a role into which users log based on their certificate alone, and which then auto-launches NC. When I try to auto-launch Pulse, it launches but fails to establish a connection with "Error 1302: Authentication not completed." I can't find any documentation explaining the error. (This is on a Windows 7 platform, with 7.0R4).

11 REPLIES
morpheuss_
Contributor

Re: JunOS Pulse and Certificate Authentication?

I have the same issue too. I know my cert is good because when I switch the VPN client to Network Connect on the same role, it connects just fine; switch it back to the Pulse client and it's the same error.

zanyterp_
Respected Contributor

Re: JunOS Pulse and Certificate Authentication?

What does your user access log show as the failure reason?

Do you have the role-based option enabled for Pulse or Network Connect?

arsch_
Occasional Contributor

Re: JunOS Pulse and Certificate Authentication?

Hi there!

Experiencing the same error message with 7.1R3 and Junos Pulse 2.0R3.

The Pulse client displays the described error message + Auth. Logging on SA shows anonymous - initialisation failed.

Any known issues when using certificates on smartcards with Pulse 2.0? With Pulse 1.0 we were able to choose the certificate, but it also failed (without error code on client). In this situation the SA log displayed a TLS handshake failed error. Maybe because CA certificates from smartcards are not supported on Pulse 1.0.

We checked the imported certificates; they have the BasicConstraint: CA included.

Kind regards

Andreas

SVK_
Regular Contributor

Re: JunOS Pulse and Certificate Authentication?

How is the Device certificate assigned in the SA internal port & External port?

arsch_
Occasional Contributor

Re: JunOS Pulse and Certificate Authentication?

Hello Viji,

In my understanding (you may correct me), this does not depend on the device certificate, because the certificates (Root CA and Sub CA) for Client Authentication are imported into Trusted Client CAs. There is no error like "not trusted server" when browsing to the SA appliance. The authentication using Network Connect with certificates works! So, I think it's a bug related to Pulse 2.0?

Kind regards

SVK_
Regular Contributor

Re: JunOS Pulse and Certificate Authentication?

Your analysis is correct in most cases: from a browser/NC client, importing the certificate under Trusted Client CAs should be enough for cert-based authentication. I need more information on which certificates the internal port/external port are mapped to. Are they both mapped to the same certificate, or how is it configured?

Kita_
Valued Contributor

Re: JunOS Pulse and Certificate Authentication?

Toivo,

Junos Pulse does support certificate authentication. Do you know if certificate authentication is working with a browser connecting to the SA device? If it does not, this is a good indication that there is something wrong with the certificate or how the certificate was installed. You'll want to make sure the proper CA chain and certificate are installed on the user account.

Morpheuss,

If it works in NC, but not Junos Pulse, I would still check to ensure the CA chains for both the user certificate and the device certificate on the IVE are trusted. If I remember correctly, for Junos Pulse, if either is not trusted, the certificate will not appear for client authentication. I can run a few tests and update you.

Kita_
Valued Contributor

Re: JunOS Pulse and Certificate Authentication?

Morpheuss,

I ran a quick test to confirm the difference between Network Connect and Junos Pulse. I had a certificate installed for client authentication and confirmed it worked in both scenarios. The second part was to delete the CA from the end user machine. Now, the end user certificate is no longer trusted by the local machine.

When I connected to the SA with Network Connect, it still prompted with the certificate and allowed the connection.

When I connected to the SA with Junos Pulse, it automatically failed as it could not find any certificates that matched the CA and were trusted.

Most likely, this means that the proper CA chain is not installed on the local machine or the CA chain is not trusted by the local machine.
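
The local trust condition described in the post above can be checked on the client with a short script. This is an added example, not part of the original posts and not Juniper tooling; it assumes the user certificate lives in the current user's Personal store and it turns revocation checking off so the result reflects chain trust only.

```powershell
# Added diagnostic example (not from the thread): list certificates usable for
# client authentication in Cert:\CurrentUser\My and report whether each one
# builds a chain to a root the local machine trusts.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

$results = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    # Collect EKU OIDs; a certificate without an EKU extension is not restricted.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    if ($ekuOids.Count -gt 0 -and $ekuOids -notcontains $clientAuthOid) { continue }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: trust is what we want to test, so skip CRL/OCSP lookups.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    # Empty when the chain is fine; otherwise e.g. UntrustedRoot or PartialChain.
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    # Last element is the highest certificate the chain engine could locate.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        ChainTrusted  = $trusted
        ChainStatus   = $status
        ChainTop      = $top.Subject
    }
}

$results |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter, ChainTrusted, ChainStatus, ChainTop |
    Format-List
```

A certificate reported with `ChainTrusted : False` and a status of `UntrustedRoot` or `PartialChain` matches the missing or untrusted CA chain case from the test above.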

arsch_
Occasional Contributor

Re: JunOS Pulse and Certificate Authentication?

Hello Kita,

Your described behaviour is correct. That's what I also could find out when using both scenarios. When the client site certificate was missing, I was also getting an error which told me that something was wrong with the chain.

But this does not relate to my connection issue.

I talked with Juniper Support, and the statement which Viji gave seems to be one of the main reasons.

When using Junos Pulse, the device certificate has to be bound to the internal interface! I have to check this in the customer configuration because this is a two-armed setup.