I want to run an idea by you guys. Please let me know if it will work and how to set it up.
I have read that I can add a certificate to Trusted Client CA. Now my thought was since we use MaaS 360 for our iphone / ipad / tablet to push apps, that I could setup a cert in our juniper SA2500 running 7.1R5 and then give it to MaaS 360 to push to the clients and then have Junos Pulse look for this cert and if they have it allow them in to the realm.
My problem is, in order to add a cert to Junpier I have to create a cert request, so I an give it to another admin so he can create a valid cert I can install. I don't see this option in Junpier. How do we go about this idea if I can't request a cert?
Thoughts or am I going down the wrong road?
What we are tryign to avoid is, a user installing Junos Pulse and by passing our MaaS 360 to log in to our VPN. Once a user sees how it works on a device that is in MaaS 260, they can then jus tload junos pulse on another device and by pass one of our requirements.
How does everybody else do it?
You can generate a certificate request from any source (openSSL, windows MMC, etc). I usually generate my csr files from an advanced certificate request using the windows certificate MMC.
You can use this link as a guide -
my impression was that I had to do a cert request from the device that the cert was going to live on? We have a Enterprise wildcard cert, couldn't I just use the same one then?
Also, we send our cert to a respectable cert authority, we don't really want to use an internal cert.
no, typically a cert does not need to be generated on the device it is being installed on.
Maybe I am confused on what you are trying to accomplish. Are you wanting to use host checker to see if a certificate is installed on the client prior to letting it connect to your vpn?
well, yes, but using junos pulse on ipads and iphones and such. I am not really worried about desktops at this time. host checker runs on ipads or through junos pulse. I didn't think it did.
Unfortunately from my testing the amount of checks you can do on ipad/iphone devices is very limited. Since I've upgraded to 7.2 I see they now have support for something called Mobile Security Suite ( http://www.juniper.net/us/en/products-services/software/junos-platform/junos-pulse/mobile-security/#... I have not researched it much yet but figured I would provide the link. Hopefully someone with more experience with mobile devices and Juniper could contribute to the thread also.
Thanks Dan, that sounds like what we are already using in the MaaS 360 service. I'll see if anybody else has anythiing on what we are after.
I'll give you a short hint on how you should integrate client CA's and so on ; ).
Then there are different way's how you can enforce access through certificates
Handling Certificate Authentication / Authorization:
You can take every attribute from the client certificate for limiting access to realms / roles, a few examples:
Have a look to the Juniper SA Admin Guide how you can use / extract the Attributes
Not every device does handle intermediate CA's properly
Hope this does help you.
I have the cert all setup and it is added to the Realm. This all works fine as the Junos login shows no able to login because missing the cert, expected. Now when we push the cert to the client, VPN doesn't seem to see it. I can't figure out where the cert lives or how to get it into the Junos Pulse browser if thats where VPN looks for it at. does anybody have any idea hwere the cert wil ive on a ipad/iphone ?
I don't want to push it after they login, that defeates the purpose. I want to push it to the device before they login this way I can check to see if they have it or not if it allows them to login.