
iOS question, identifying client...

New Contributor

Hello,

I'm new to all of this VPN stuff, so please bear with me.

I would like to let our iPad users connect to our network via Junos Pulse, but we have a policy that states:

1) Only our computers can connect

2) The user needs to authenticate with a password to connect

So, I see how we can use a certificate or a password, but that doesn't help. For Mac/Linux/Windows we use Host Checker to look for various stuff that only our computers have. Is there a way we can do anything to validate the iPad and then have the user submit a U/P to connect?

Thanks,

Allan

10 REPLIES
Respected Contributor

Re: iOS question, identifying client...

You are welcome; good luck!

Thank you for letting me know how it goes.

Contributor

Re: iOS question, identifying client...

You're speaking about full authentication of devices by certificates; why aren't you approaching the following idea?

You can use a device certificate for identification of corporate devices. (For lost devices there should be a CRL in place.)

This way you would have to have the exact certificate on the corporate device + username and password.

Regards

Respected Contributor

Re: iOS question, identifying client...

Not at this time, no.

There is no Host Checking allowed for the iOS devices and the Junos Pulse application does only one type of auth (cert or username+password).

Have you forwarded the query/information to your SE for them to work with you on an enhancement request for this type of functionality on the iOS family?

New Contributor

Re: iOS question, identifying client...

No, haven't sent the question to Juniper yet. I was hoping for an easy answer?

Respected Contributor

Re: iOS question, identifying client...

Checking the posture of the iOS device (Host Checking) is not supported by Apple.

Contributor

Re: iOS question, identifying client...

I'm trying to accomplish the same thing. I'm wondering if a client certificate can be used as a secondary authentication and then used in role restrictions to allow/deny certain access? I'd like to be able to use one URL for Corporate and non-Corporate iPad users. The secondary auth will not be a requirement to log in but will be used later for role restrictions. Does anyone have any experience with this?

Thanks,

Derek

Respected Contributor

Re: iOS question, identifying client...

You should be able to do that without worrying about a secondary auth server, if desired (I don't have access to a system I can test this right now but I should be able to next week).


What you would do is enable the certificate restriction on the realm and use the option to check the certificate but not require it (it is the middle radio button on Users>User Realms>realmName>Restrictions>Certificate). You would then have the certificate details for use in role restrictions and/or role mapping rules.

Contributor

Re: iOS question, identifying client...

So authenticating with the certificate is not required in order to use it later in role restrictions? That would be perfect if that was the case.

Do you know if I could test this with a self-signed cert? I know this is not the correct way to do it but I don't want to have to buy a client cert before I know this will work.

Thanks,

Derek

Respected Contributor

Re: iOS question, identifying client...

Yes and yes.

You can do this with a self-signed cert, for example using your own MS CA, as long as you have the root imported in the trusted client cert location to make sure you can get the details.

I know it works through the web browser and I _believe_ it should work through Junos Pulse Mobile on iOS; however, I am not sure as I have not tested yet (and cannot test today).

What you need to do is enable the certificate restriction on the realm to remember the cert, but it doesn't restrict users from connecting to the realm if they do not have a certificate.
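
A test PKI for the setup discussed in the replies above (your own CA, with its root imported as a trusted client CA on the gateway), as an added example that is not part of the thread or of Juniper's documentation. It assumes the OpenSSL command line in place of an MS CA; every name, file path and the password are constructed for the test.

```shell
#!/bin/sh
# Added example: throwaway test CA plus one client (device) certificate.
set -eu

make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Corp
CN = Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # 1. Self-signed root: this is the file imported as a trusted client CA.
    openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 30 -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # 2. Device key and CSR; the subject is what role rules would match on.
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Corp/OU=Corporate iPad/CN=ipad-test-01" \
        -keyout "$dir/device.key" -out "$dir/device.csr" 2>/dev/null
    # 3. The CA signs the CSR as a client-auth-only leaf certificate.
    openssl x509 -req -in "$dir/device.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -set_serial 1001 -days 30 -sha256 \
        -extfile "$dir/pki.cnf" -extensions client -out "$dir/device.pem" 2>/dev/null
    # 4. PKCS#12 bundle (key + cert + root) for installation on the device.
    openssl pkcs12 -export -inkey "$dir/device.key" -in "$dir/device.pem" \
        -certfile "$dir/ca.pem" -name ipad-test-01 \
        -passout pass:constructed-test-only -out "$dir/device.p12"
}

# Succeeds only if the certificate chains to the given root as a TLS client cert.
check_device_cert() {  # usage: check_device_cert ca.pem device.pem
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

device_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }

if [ $# -gt 0 ]; then make_test_pki "$1"; device_subject "$1/device.pem"; fi
```

A certificate issued by any other root fails `check_device_cert`, which is the property that separates corporate devices from the rest once the test root is the only trusted client CA.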