Using x509 certs and issuing them to users.
If we install Pulse from the SA / MAG no problems. The process would be:
If we install Pulse using a push install we have issues. The process would be:
Now to get it to work, we have the user do this:
After doing that just once, it works from Pulse every time after that. Any clues why it behaves this way?
I have not heard of any issues. I would be interested to see the debuglog.log from the Pulse client. It should output data on how it is evaluating the client certificates. This would help pinpoint if it is even evaluating the certificate or not during the issue.
Is the Junos Pulse Client connection option 'Dynamic certificate trust' enabled?
Not sure why this would affect the certificate authentication but it could be there is a difference between the configuration profile you are using for the manual install and the current configuration on the MAG. Logging in via a browser will update the user's local configuration which could explain why everything starts working.
To check try exporting the configuration again and compare it to the file you are using for the install.
Verified the connection set is the same. Even tried installing again with re-exported set, same results. Also verified the Dynamic certificate trust is set.
I completely agree that hitting the URL via the browser is updating something, but just to clarify, we never log in fully, we just select the cert and then close the browser. Not fully aware of when the connection profile is downloaded, but this seems too early in the process for that to be occurring.
Does the failure occur if the user's machine has only one client certificate? It sounds like a bug. I recommend reporting to TAC.