I'm using client certificates as primary auth and RSA SecurID as secondary auth on an iPhone Realm. All this works just fine from a PC with IE or FFox: I get my prompt to input my SecurID passcode and can log in all the way just fine. On the Pulse client on the iPhone, the input field to input my secondary auth credentials seems to fail to display for some reason. Has anyone seen this or figured out a workaround? Is this even supported on Pulse?
I basically extract the <certAttr.altName.UPNuid> value from the client cert at login and feed that to my RSA server as the username (which matches, of course).
Dual auth schemes involving client certificate authentication may not work on Junos Pulse on iOS-based Apple devices. This is a known limitation. I believe this limitation is slated to be fixed in one of the upcoming releases (don't have specifics).
Just an FYI: if you need to use client SSL auth with the Junos Pulse client and Pulse on the IVE, you need to bind an SSL cert on the external and internal interfaces of the IVE. This does not apply to the Junos client and Network Connect on the IVE side. Here is an explanation from JTAC below:
"Regarding the reason why both interfaces require a cert, the cert is required on the internal interface due to a restriction in the TTLS plug-in. The TTLS plug-in only creates one instance of the SSL context and the cert for this context is defaulted to the internal interface. This connection will only be used during authentication and not after the connection has been created. The cert is required on the external interface because the secure connection is established on the external interface. There is no connection from the client to the internal interface on an SA."