Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Role mapping using client certificate attribute fails

jeronimo
Contributor
‎11-30-2017 09:38:AM
‎11-30-2017 09:38:AM

Role mapping using client certificate attribute fails

Hi,

I'm having trouble authenticating a client certificate. Everything works up to the role mapping of the realm. I am trying to use an attribute called SERIALNUMBER in the Subject field of the client certificate.

If I configure role mapping to map a certificate attribute to a certain role it fails. (certificate attribute "SERIALNUMBER" is  "..." --> assign these roles "Users")

 

If instead I use the username generated by the username template from the authentication server (certificate server) then it works.

 

Why can't I use the certificate attribute directly?

The second problem is I tried using policy tracing for "Role Mapping", but it does not log anything specific related to role mapping.

Info     PTR10103     2017/11/30 01:44:16 - PULSE2 - [192.168.1.102] - admin(Admin Users)[.Administrators] - :xRealm - Policy Tracing turned on
Info     PTR23331     2017/11/30 01:44:39 - PULSE2 - [192.168.1.102] - System(xRealm)[] - Sign-in browser = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
Info     PTR23331     2017/11/30 01:44:39 - PULSE2 - [192.168.1.102] - System(xRealm)[] - Sign-in Perferred Language = "en"
Info     PTR23331     2017/11/30 01:44:39 - PULSE2 - [192.168.1.102] - System(xRealm)[] - Sign-in URL = "*/"
Info     PTR23331     2017/11/30 01:44:39 - PULSE2 - [192.168.1.102] - System(xRealm)[] - Sign-in host name = "192.168.1.102"
Info     PTR23331     2017/11/30 01:44:39 - PULSE2 - [192.168.1.102] - System(xRealm)[] - Sign-in host address = "192.168.1.102"
Info     PTR23331     2017/11/30 01:44:39 - PULSE2 - [192.168.1.102] - System(xRealm)[] - Sign-in network interface = "internal"
Info     PTR23338     2017/11/30 01:44:39 - PULSE2 - [192.168.1.102] - System(xRealm)[] - Requesting client certificate as required
Info     PTR23329     2017/11/30 01:44:47 - PULSE2 - [192.168.1.102] - System(xRealm)[] - Resuming sign-in process
Info     PTR23386     2017/11/30 01:44:47 - PULSE2 - [192.168.1.102] - System(xRealm)[] - Created user name "LT12345" from template "LT<certDN.serialNumber>"
Info     PTR10104     2017/11/30 01:45:19 - PULSE2 - [192.168.1.102] - admin(Admin Users)[.Administrators] - :xRealm - Policy Tracing turned off



Any idea?

Thanks.

 

ps.jpg

 ps2.jpg

 

 

 

0 Kudos
5 REPLIES 5
jeronimo
Contributor
‎12-04-2017 10:48:AM
‎12-04-2017 10:48:AM

Re: Role mapping using client certificate attribute fails

Answer to question #2

In order for complete authentication trace to work as expected you have to:
    * Provide the realm to trace
    * Provide the IP address in order to see PRE-LOGIN/USERNAME stuff happening (ONLY THAT!)
    * Provide the username in order to see what happens later

If you don't provide a username and ONLY an IP address you will see nothing past login and vice-versa (no IP = no pre-login data, obviously).

Answer to question #1

Policy trace shows:

No match on rule 'certAttr.certDn.serialNumber = '1030xxxxxxx84''

This should be "certDn.serialNumber" and not "certAttr.certDn.serialNumber".

So it appears you can only check attributes within certAttr and not within the subject.

Feature or bug?

0 Kudos
jeronimo
Contributor
‎12-26-2017 09:01:AM
‎12-26-2017 09:01:AM

Re: Role mapping using client certificate attribute fails

Tried contacting support about this. I have the feeling they just can't understand what you are telling them, much like every other first-level helpdesk. They provided workarounds like "use the username template" or "use a custom expression". That's not wrong, however I'd really love to know why things are as they are (certificate attribute matching does not work for subject attributes, what's so hard to understand about that?). I gave up. Too bad. (Well, Fortinet is worse.)

 

BTW I don't think it's very professional to ask for the private key of my certificate in order to test in the lab... (ROFL on that one)

0 Kudos
zanyterp
Moderator
Moderator
‎12-26-2017 09:37:AM
‎12-26-2017 09:37:AM

Re: Role mapping using client certificate attribute fails

I'm sorry to hear that they asked for that (rather than a sample for a test user that you can immediately expire).
I believe that certAttr.* is always used for certificate checks.
Is the serial number a standard attribute that I should be able to enable on my CA for testing this?
0 Kudos
Sad Urchin
New Contributor
‎03-01-2018 03:07:AM
‎03-01-2018 03:07:AM

Re: Role mapping using client certificate attribute fails

I used the following in custom expressions, and it worked:

 

certAttr.serialNumber = "02"

 

Request you to please try this and check

0 Kudos
jeronimo
Contributor
‎03-01-2018 04:22:AM
‎03-01-2018 04:22:AM

Re: Role mapping using client certificate attribute fails

@Sad Urchinwrote:

I used the following in custom expressions, and it worked:

 certAttr.serialNumber = "02"

 Request you to please try this and check

 

Yep, no news there

Smiley Happy

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.