iOS and Pulse using Client Cert for Authentication

bberg_
Occasional Contributor

Is it possible to configure Pulse on an iOS device to only use Client Cert authentication or do you need AD or RSA secondary authentication?

The goal is an 'always-on VPN' without users having to enter a username from mobile devices.

 

I have done the following:

- Created a Certificate Authentication server on the IVE 7.3R1

- Configured Realm/Role Mapping

- Imported certs on the IVE: Device, Trusted Client, Trusted Server CAs

- Imported certs on the iPad via email and with the iPhone Configuration Utility for Root CA, Intermediate CA & Client CA

- Installed Pulse on iPad iOS 6.0.1, Pulse 4.1.0 w/ cert

 

Seeing the following errors:

Event Log (points to a Windows error in the KBAs)

SSL negotiation failed while client at source IP 'x.x.x.x' was trying to connect to 'x.x.x.x'. Reason: 'decryption failed or bad record mac'

 

Policy Trace (key usage on cert is Digital Signature, Non-Repudiation)

Client certificate validation failed: FAILED: 26 unsupported certificate purpose

 

zanyterp_
Respected Contributor

Re: iOS and Pulse using Client Cert for Authentication

Yes, it is supported to do that.
What type of certificate are you using for the user authentication: is it a user or a machine certificate?
Does the same occur when using the certificate on the desktop?
bberg_
Occasional Contributor

Re: iOS and Pulse using Client Cert for Authentication

Hi,

From a Mac OSX, I don't see the error: Reason: 'decryption failed or bad record mac' but I get Reason: No Certificate.

 

Is there any documented information I can forward to our PKI team regarding specs for the certs, i.e., are there any restrictions on naming conventions, signature algorithm or key size?

 

Thank you!

 

bberg_
Occasional Contributor

Re: iOS and Pulse using Client Cert for Authentication

Are they looking for TLS Web client authentication in the Extended Key Usage? See below (from RFC 5280, section 4.2.1.12):

    id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
    -- TLS WWW client authentication
    -- Key usage bits that may be consistent: digitalSignature
    -- and/or keyAgreement

Extended Key Usage and the key usage bits that go with each:

- TLS Web server authentication: digitalSignature, keyEncipherment or keyAgreement

- TLS Web client authentication: digitalSignature and/or keyAgreement
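The "FAILED: 26 unsupported certificate purpose" line in the policy trace above is OpenSSL's verify error X509_V_ERR_INVALID_PURPOSE (code 26): it fires when a certificate's keyUsage/extendedKeyUsage do not permit the purpose the verifier was asked to check, here "TLS client". The script below is an added example, not code from the thread or from Pulse/Juniper; it builds a throwaway CA in a temp directory (all names are constructed for the demo), issues one client cert with the original post's key usage but an EKU that lacks clientAuth, and one with EKU clientAuth, then runs the same purpose check with `openssl verify -purpose sslclient`. It is something a PKI team can run against a freshly issued cert before handing it over:

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the IVE policy-trace error
# "FAILED: 26 unsupported certificate purpose" with OpenSSL alone. 26 is
# X509_V_ERR_INVALID_PURPOSE, raised when keyUsage/extendedKeyUsage do not
# allow the requested purpose (TLS client: EKU id-kp-clientAuth plus KU
# digitalSignature or keyAgreement). All keys/certs below are throwaway
# material generated in a temp dir; subject names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway issuing CA. Extensions are given explicitly via -extfile so the
# result does not depend on whatever the local openssl.cnf adds by default.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

# "bad": the key usage from the original post (digitalSignature, nonRepudiation)
# but an EKU that does not include clientAuth, e.g. an S/MIME-only profile.
cat > "$WORK/bad.ext" <<'EOF'
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = emailProtection
EOF
# "good": the profile the PKI team was asked for.
cat > "$WORK/good.ext" <<'EOF'
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# issue_client_cert NAME -> $WORK/NAME.pem, signed by the demo CA with $WORK/NAME.ext
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1 user" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# client_purpose_result NAME -> prints "ok" when the cert passes the purpose
# check a TLS server applies to client certs (-purpose sslclient), otherwise
# OpenSSL's "error N at D depth lookup: <reason>" line. Never exits non-zero.
client_purpose_result() {
  if out="$(openssl verify -purpose sslclient -CAfile "$WORK/ca.pem" "$WORK/$1.pem" 2>&1)"; then
    echo ok
  else
    printf '%s\n' "$out" | grep -m1 'depth lookup' || printf '%s\n' "$out" | head -n1
  fi
}

issue_client_cert bad
issue_client_cert good

# What to ask the PKI team to check on the issued cert before shipping it:
# "SSL client : Yes" under -purpose, and a clean verify for that purpose.
for n in bad good; do
  echo "== $n.pem"
  openssl x509 -in "$WORK/$n.pem" -noout -purpose | grep '^SSL client :'
  echo "verify -purpose sslclient: $(client_purpose_result "$n")"
done
```

The "bad" cert is accepted for S/MIME but rejected for TLS client use with the same error 26 the IVE logged; note that a cert with no EKU at all would pass this check, since OpenSSL only rejects when an EKU is present and does not list clientAuth. The remaining iOS-only "decryption failed or bad record mac" failure is a TLS record-layer problem and is not something this purpose check can explain.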

bberg_
Occasional Contributor

Re: iOS and Pulse using Client Cert for Authentication

So, I got the PKI group to issue a new cert with the correct Extended Key Usage, and it works from Mac OS X running Junos Pulse 3.0.6.28297 but does not work from the iPad. The error is Reason: 'decryption failed or bad record mac', so I am wondering if there is a limitation on iOS regarding encryption strength?

bberg_
Occasional Contributor

Re: iOS and Pulse using Client Cert for Authentication

It is working on the iPad if you launch Pulse via Safari, so no need to troubleshoot this. Sent the error message to JTAC in the event they want to investigate further.

zanyterp_
Respected Contributor

Re: iOS and Pulse using Client Cert for Authentication

Thank you for working with JTAC on this.

It is something we have seen in some instances, but we are unsure of the reasons why. Hopefully they can find something for you.