Hi,
We are using certificate authentication on our SSL VPN, and on the client side we are using iPad/iPhone devices with Junos Pulse (we made the iPhone configuration with IPCU).
If we launch the VPN from Safari, it works well (it launched Junos Pulse in the background), but when we launch the VPN from Junos Pulse, it is not working (Error: wrong certificate).
It seems like when you are using Junos Pulse, it cannot identify a username.
If I look at the MAG user events, when we are using Safari we get the following logs:
Info AUT22670
2014-02-28 10:58:43 - CZASSL02 - [79.156.50.158] EXT92250(mobility)[mobility] - Login succeeded for EXT92250/mobility (session:00000000) from 79.156.50.158.
Info AUT24326
2014-02-28 10:58:43 - CZASSL02 - [79.156.50.158] EXT92250(mobility)[] - Primary authentication successful for EXT92250/Enagas_CA from 79.156.50.158
Info AUT30970
2014-02-28 10:58:43 - CZASSL02 - [79.156.50.158] System(mobility)[] - The X.509 certificate for 'CN=******-emisora-1, DC=******, DC=ES' issued by CN=******-policy-ca, DC=Enagas S.A., DC=ES, successfully passed CRL checking
Info AUT30972
2014-02-28 10:58:43 - CZASSL02 - [79.156.50.158] System(mobility)[] - CRL checking started for certificate 'CN=E******-emisora-1, DC=******, DC=ES' issued by CN=******-policy-ca, DC=****** S.A., DC=ES
Info AUT30970
2014-02-28 10:58:43 - CZASSL02 - [79.156.50.158] System(mobility)[] - The X.509 certificate for 'CN=EXT92250, O=****** SA, L=MADRID, ST=ESPA\C3\91A, C=ES' issued by CN=******-emisora-1, DC=******, DC=ES, successfully passed CRL checking
Info AUT30972
2014-02-28 10:58:43 - CZASSL02 - [79.156.50.158] System(mobility)[] - CRL checking started for certificate 'CN=EXT92250, O=****** SA, L=MADRID, ST=ESPA\C3\91A, C=ES' issued by CN=******-emisora-1, DC=******, DC=ES
Info CRT30663
2014-02-28 10:58:43 - CZASSL02 - [79.156.50.158] System()[] - client certificate received: -----BEGIN CERTIFICATE-----MIIDFDCCAn2gAwIBAgIKW5NS0AACAAAFmz
If I look at the MAG user events, when we are using Junos Pulse, we get the following logs:
Info AUT23457
2014-02-28 10:54:36 - CZASSL02 - [79.156.50.158] System(mobility)[] - Login failed using auth server Enagas_CA (Certificate Server). Reason: Wrong Certificate
Info AUT24327
2014-02-28 10:54:36 - CZASSL02 - [79.156.50.158] System(mobility)[] - Primary authentication failed for /******_CA from 79.156.50.158
Info AUT30970
2014-02-28 10:54:36 - CZASSL02 - [79.156.50.158] System(mobility)[] - The X.509 certificate for 'CN=******-emisora-1, DC=******, DC=ES' issued by CN=******-policy-ca, DC=******S.A., DC=ES, successfully passed CRL checking
Info AUT30972
2014-02-28 10:54:36 - CZASSL02 - [79.156.50.158] System(mobility)[] - CRL checking started for certificate 'CN=******-emisora-1, DC=******, DC=ES' issued by CN=******-policy-ca, DC=****** S.A., DC=ES
Info AUT30970
2014-02-28 10:54:36 - CZASSL02 - [79.156.50.158] System(mobility)[] - The X.509 certificate for 'CN=******, O=****** SA, L=MADRID, ST=ESPA\C3\91A, C=ES' issued by CN=******-emisora-1, DC=******, DC=ES, successfully passed CRL checking
Info AUT30972
2014-02-28 10:54:36 - CZASSL02 - [79.156.50.158] System(mobility)[] - CRL checking started for certificate 'CN=******, O=****** SA, L=MADRID, ST=ESPA\C3\91A, C=ES' issued by CN=******-emisora-1, DC=******, DC=ES
Info CRT30663
2014-02-28 10:54:36 - CZASSL02 - [79.156.50.158] System()[] - client certificate received: -----BEGIN CERTIFICATE-----MIIDFDCCAn2gAwIBAgIKW5NS0AACAAAFmz
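The two event dumps above differ in exactly one place: the working session derives the username EXT92250 from the client certificate, while the failing one reports "Primary authentication failed for /..." with no username at all, even though the same two certificates pass CRL checking in both. As an added example (not part of the original thread and not a Juniper tool), the Python script below pairs each "Info <event code>" header with the message line under it, groups events into sessions by timestamp and client IP, and reports per session the login outcome, the derived username and the leaf certificate CN that passed CRL checking. The embedded sample is constructed from the redacted lines quoted above, and the meaning attached to each event code (AUT22670/AUT23457 login result, AUT24326/AUT24327 primary authentication, AUT30970 CRL pass) is taken from those lines only.

```python
"""Triage MAG/SA user-event lines for a certificate-server login.

Pairs each 'Info <EVENTID>' header with the message line under it, groups
the events into sessions by (timestamp, client IP) and reports per session
the login outcome, the username the gateway derived from the client
certificate and the leaf CN that passed CRL checking.
"""
import re
from collections import OrderedDict

# Constructed sample: the Safari-launched success and the Pulse-launched
# failure quoted in the post, with the post's redactions kept as written.
SAMPLE_EVENTS = r"""
Info AUT22670
2014-02-28 10:58:43 - CZASSL02 - [79.156.50.158] EXT92250(mobility)[mobility] - Login succeeded for EXT92250/mobility (session:00000000) from 79.156.50.158.
Info AUT24326
2014-02-28 10:58:43 - CZASSL02 - [79.156.50.158] EXT92250(mobility)[] - Primary authentication successful for EXT92250/Enagas_CA from 79.156.50.158
Info AUT30970
2014-02-28 10:58:43 - CZASSL02 - [79.156.50.158] System(mobility)[] - The X.509 certificate for 'CN=******-emisora-1, DC=******, DC=ES' issued by CN=******-policy-ca, DC=Enagas S.A., DC=ES, successfully passed CRL checking
Info AUT30970
2014-02-28 10:58:43 - CZASSL02 - [79.156.50.158] System(mobility)[] - The X.509 certificate for 'CN=EXT92250, O=****** SA, L=MADRID, ST=ESPA\C3\91A, C=ES' issued by CN=******-emisora-1, DC=******, DC=ES, successfully passed CRL checking
Info AUT23457
2014-02-28 10:54:36 - CZASSL02 - [79.156.50.158] System(mobility)[] - Login failed using auth server Enagas_CA (Certificate Server). Reason: Wrong Certificate
Info AUT24327
2014-02-28 10:54:36 - CZASSL02 - [79.156.50.158] System(mobility)[] - Primary authentication failed for /******_CA from 79.156.50.158
Info AUT30970
2014-02-28 10:54:36 - CZASSL02 - [79.156.50.158] System(mobility)[] - The X.509 certificate for 'CN=******-emisora-1, DC=******, DC=ES' issued by CN=******-policy-ca, DC=****** S.A., DC=ES, successfully passed CRL checking
Info AUT30970
2014-02-28 10:54:36 - CZASSL02 - [79.156.50.158] System(mobility)[] - The X.509 certificate for 'CN=******, O=****** SA, L=MADRID, ST=ESPA\C3\91A, C=ES' issued by CN=******-emisora-1, DC=******, DC=ES, successfully passed CRL checking
"""

HEADER_RE = re.compile(r"^Info\s+(?P<code>[A-Z]{3}\d+)\s*$")
# "<ts> - <node> - [<ip>] <user>(<realm>)[<role>] - <message>"
MSG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<node>\S+) - "
    r"\[(?P<ip>[^\]]+)\] (?P<user>[^(]*)\((?P<realm>[^)]*)\)\[(?P<role>[^\]]*)\] - (?P<msg>.*)$"
)
PRIMARY_RE = re.compile(r"Primary authentication (?P<outcome>successful|failed) for (?P<user>[^/\s]*)/(?P<server>\S+)")
CRL_RE = re.compile(r"The X\.509 certificate for 'CN=(?P<subject>[^,']+)[^']*' issued by CN=(?P<issuer>[^,]+)")
LOGIN_RE = re.compile(r"Login (?P<outcome>succeeded|failed)(?: using auth server (?P<server>\S+).*Reason: (?P<reason>.*))?")


def parse_events(text):
    """Yield (event_code, fields) for each header/message pair; stray lines are skipped."""
    code = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            code = header.group("code")
            continue
        match = MSG_RE.match(line)
        if match and code:
            yield code, match.groupdict()
        code = None


def triage(text):
    """Group events by (timestamp, ip) and derive the facts that matter for cert auth."""
    sessions = OrderedDict()
    for code, f in parse_events(text):
        s = sessions.setdefault((f["ts"], f["ip"]), {
            "time": f["ts"], "ip": f["ip"], "login": None, "reason": None, "auth_server": None,
            "auth_username": None, "crl_subjects": [], "crl_issuers": []})
        msg = f["msg"]
        if code == "AUT30970":                       # a certificate passed CRL checking
            m = CRL_RE.search(msg)
            if m:
                s["crl_subjects"].append(m.group("subject"))
                s["crl_issuers"].append(m.group("issuer"))
        elif code in ("AUT24326", "AUT24327"):       # primary authentication result
            m = PRIMARY_RE.search(msg)
            if m:
                s["auth_username"], s["auth_server"] = m.group("user"), m.group("server")
        elif code in ("AUT22670", "AUT23457"):       # login result
            m = LOGIN_RE.search(msg)
            if m:
                s["login"], s["reason"] = m.group("outcome"), m.group("reason")
    for s in sessions.values():
        # The leaf is the CRL-checked subject that never appears as an issuer.
        leaf = [cn for cn in s["crl_subjects"] if cn not in s["crl_issuers"]]
        s["leaf_cn"] = leaf[0] if len(leaf) == 1 else None
        s["chain_depth"] = len(s["crl_subjects"])
        s["username_missing"] = s["auth_username"] == ""
    return list(sessions.values())


def summarize(s):
    """One-line verdict so a working and a failing session can be compared side by side."""
    if s["login"] == "succeeded":
        return (f"{s['time']} {s['ip']}: OK as {s['auth_username']} "
                f"(leaf CN {s['leaf_cn']}, {s['chain_depth']} certs passed CRL)")
    if s["username_missing"]:
        hint = ("no username derived from the certificate; chain passed CRL, so look at the "
                "username/attribute mapping or chain evaluation, not revocation")
    else:
        hint = "username derived but rejected; check the certificate server's matching rules"
    return f"{s['time']} {s['ip']}: FAILED ({s['reason']}) - {hint}"


if __name__ == "__main__":
    for session in triage(SAMPLE_EVENTS):
        print(summarize(session))
```

Run against a real export, feed the event-log text to `triage()` and diff the `summarize()` lines of a known-good and a known-bad session; the `username_missing` flag separates "the gateway never mapped the certificate to a user" from "the user was mapped but rejected", which are different places to look in the realm and certificate-server configuration.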
Do you have the complete chain installed under "Trusted Client CAs"? If the same client certificate is being provided in both scenarios, the only other potential issue is how the SA/MAG is evaluating the certificate chain, which could be causing the failure.
Do you have a case open for this issue? Ideally, JTAC will need to review a system snapshot with certificate event codes to confirm this theory.