Junos Pulse 2-form factor auth on iPhone

morpheuss_
Contributor

Junos Pulse 2-form factor auth on iPhone

I'm using client certificates as primary auth and RSA SecurID as secondary auth on an iPhone Realm. All this works just fine from a PC with IE or FFox: I get my prompt to input my SecurID passcode and can log in all the way just fine. On the Pulse client on the iPhone, the input field to input my secondary auth credentials seems to fail to display for some reason. Has anyone seen this or figured out a workaround? Is this even supported on Pulse?

I basically extract the <certAttr.altName.UPNuid> value from the client cert at login and feed that to my RSA server as the username (which matches, of course).

3 REPLIES
ruc_
Regular Contributor

Re: Junos Pulse 2-form factor auth on iPhone

Dual auth schemes involving client certificate authentication may not work on Junos Pulse on iOS-based Apple devices. This is a known limitation. I believe this limitation is slated to be fixed in one of the upcoming releases (I don't have specifics).

chamank_
New Contributor

Re: Junos Pulse 2-form factor auth on iPhone

Right now, this feature is limited to iPhone on a Windows machine...

morpheuss_
Contributor

Re: Junos Pulse 2-form factor auth on iPhone

Just an FYI: if you need to use client SSL auth with the Junos Pulse client and Pulse on the IVE, you need to bind an SSL cert on the external and internal interfaces of the IVE. This does not apply to the Junos client and Network Connect on the IVE side. Here is an explanation from JTAC below:

"Regarding the reason why both interfaces require a cert, the cert is required on the internal interface due to a restriction in the TTLS plug-in. The TTLS plug-in only creates one instance of the SSL context and the cert for this context is defaulted to the internal interface. This connection will only be used during authentication and not after the connection has been created. The cert is required on the external interface because the secure connection is established on the external interface. There is no connection from the client to the internal interface on an SA."