The IVE cluster is configured to utilize RSA adaptive auth solution. As part of the noteworthy changes to make this work, the original defender.thtml, defender mobile and defender-ipad files have been replaced with a customized version which would redirect the user to an external server to answer for additional assessment or to answer any enrollment questions prior to being able to complete the log-in process. This works just fine in just about all my use cases, including the ability to connect from the mobile devices. The one exception I've found so far is being able to log in from the Windows or Mac Pulse client. I configure the connection and provide the log-in credentials. When I attempt to sign in, instead of redirecting me, the client presents a Juniper challenge response window with an alphanumeric string to which it expects a response.
Based on my understanding of what it took to get the solution running, I suspect the custom defender.thtml file is being completely ignored, and the standard challenge is being presented. However, with the custom template having been uploaded, and this working from the browser, and most notably from the Pulse client on the mobile devices, I cannot figure out how/why this is happening. I am curious if anyone else has encountered this. So far I have experienced this issue with 7.1R10 up to 7.3R3. Not sure if this is something I am overlooking or if this is a limitation of the Pulse client.
We essentially re-used the defender.thtml file that RSA had provided. Saved it as defender-mobile and defender-ipad, then overwrote the ones in the custom sign-in template, uploaded it, and that did the trick for the mobile devices. The only outstanding issue we have today is the desktop version of Pulse still exhibits the behavior I described earlier. I am being told that a fix has been identified and should be included with the next release of Pulse. With well over a year into this, I will believe it when I finally see it work, but at least someone is looking at it.
@-red- wrote: No solution yet. May be getting closer though.
Looking at this with our SE, he pointed out something interesting during our testing. When using the desktop version of Pulse (be it Windows or Mac) with adaptive auth configured in the realm, the user access log shows the "agent" field was blank ... "agent = ". However, once you remove the adaptive auth component from the realm and just go with AD, the agent field is populated.
This would suggest that with adaptive auth configured, IVE is unable to determine user agent. Therefore, it doesn't know which defender file to invoke, essentially instead of using the customized defender files uploaded as part of the template, it is presenting a generic passcode prompt. At least that's what it looks like.
So far, I have observed this on all versions of IVE code ranging from 7.1Rx all the way up to 7.4R3.
Again, the part which completely throws me off here is that mobile versions of Pulse work just fine.
The mobile versions of Pulse are similar to Network Connect: they are, essentially, site-specific browsers. This is why they are able to get the non-generic information. If you were utilizing it, the Odyssey client should show you the same behavior as you see in Pulse.
Unfortunately, there is no way to get this to work with the Pulse client on a Mac or Windows system, without having to launch a webpage to authenticate first.
Network Connect and the Pulse client for iOS and Android work fine when the defender-mobile-webkit.thtml file is edited.
The latest I heard out of Juniper on delivering this feature is that Juniper is seeing minimal market traction for AA, based on discussions with other customers and partners. The feature continues to be a roadmap feature with no commitment as other feature development takes priority.
Limitation of the Pulse client. What versions of Pulse are you using?
The last version I've tried this on is 3.1.3.31097. I am curious if Juniper has an ETA on getting this addressed.
We would like to use the Pulse client with our RSA Adaptive Auth infrastructure as well!
It works well on the mobile devices, but breaks on the Windows and Mac versions of Pulse, even the very latest version that is distributed with IVE OS 7.4R1.
The fallback is to use Network Connect.
When we contacted our RSA reps on this topic, they mentioned that "Juniper was unresponsive when they asked for info to hook AA into Pulse", but it might just be the case of two large organizations talking to each other.
I recently had our Juniper rep enter an Enhancement Request for us for getting AA to work with Pulse Mac and Windows, so let's see when they agree to fix the same.
Did Juniper or RSA provide any updates to this problem?
This is a growing need to provide this type of authentication service. Thanks.