I'm new to all of this VPN stuff, so please bear with me.
I would like to let our iPad users connect to our network via Junos Pulse, but we have a policy that states:
1) Only our computers can connect
2) the user needs to authenticate with a password to connect
So, I see how we can use a certificate or a password, but that doesn't help. For Mac/Linux/Windows we use host checker to look for various stuff that only our computers have. Is there a way we can do anything to validate the iPad and then have the user submit a U/P to connect?
You're speaking about full authentication of devices by certificates; why aren't you approaching it with the following idea?
You can use a device certificate for identification of corporate devices. (For lost devices there should be a CRL in place.)
This way you would have to have exactly the certificate on the corporate device + username and the password.
Not at this time, no.
There is no Host Checking allowed for the iOS devices, and the Junos Pulse application only does one type of auth (cert or username+password).
Have you forwarded the query/information to your SE for them to work with you on an enhancement request for this type of functionality on the iOS family?
I'm trying to accomplish the same thing. I'm wondering if a client certificate can be used as a secondary authentication and then used in role restrictions to allow/deny certain access? I'd like to be able to use one URL for Corporate and non-Corporate iPad users. The secondary auth will not be a requirement to login but be used later for role restrictions. Does anyone have any experience with this?
You should be able to do that without worrying about a secondary auth server, if desired (I don't have access to a system I can test this right now but I should be able to next week).
What you would do is enable the certificate restriction on the realm and use the option to check the certificate but not require it (it is the middle radio button on Users>User Realms>realmName>Restrictions>Certificate). You would then have the certificate details for use in role restrictions and/or role mapping rules.
So authenticating with the certificate is not required in order to use it later in role restrictions? That would be perfect if that was the case.
Do you know if I could test this with a self-signed cert? I know this is not the correct way to do it but I don't want to have to buy a client cert before I know this will work.
Yes and yes.
You can do this with a self-signed cert, for example using your own MS CA, as long as you have the root imported in the trusted client cert location to make sure you can get the details.
I know it works through the web browser and I _believe_ it should work through Junos Pulse Mobile on iOS; however, I am not sure as I have not tested yet (and cannot test today).
What you need to do is enable the certificate restriction on the realm to remember the cert, but it doesn't restrict users from connecting to the realm if they do not have a certificate.
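The scheme the thread converges on (device certificate checked but not required, username + password always required, certificate details driving role mapping, a CRL for lost devices) worked through as an added Go example. This is not code from the original posts and not Junos Pulse or the gateway's own logic; it models the realm decision so you can see which combinations get which role. A constructed in-memory "corporate CA" stands in for the MS CA mentioned above, the role names (corporate-ipad, byod-ipad), the OU value "Managed iPads", the asset tags, and the choice to deny a revoked device outright rather than downgrade it are all assumptions; it needs Go 1.19 or later for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Role names and the OU value are assumptions for this example (roles live under Users > User Roles).
const (
	RoleCorporate = "corporate-ipad" // corporate device certificate + password
	RoleGuest     = "byod-ipad"      // password only, or a certificate the corporate CA did not issue
	Denied        = ""               // the realm refuses the login
	managedOU     = "Managed iPads"  // OU stamped into corporate device certificates at enrollment
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // lab setup only; real enrollment code must handle these errors
	}
	return v
}

// labCA is a constructed in-memory stand-in for the corporate (e.g. MS) CA whose root you import as a trusted client CA.
type labCA struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

// sign gives tmpl a random serial and a fresh P-256 key, then issues it from parent (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func newLabCA() *labCA {
	cert, key := sign(&x509.Certificate{
		Subject:   pkix.Name{CommonName: "Example Corp Device CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:      true, BasicConstraintsValid: true,
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: the CA signs the CRL too
	}, nil, nil)
	return &labCA{cert, key}
}

// IssueDevice enrolls one managed iPad with a client-auth certificate carrying the corporate OU.
func (ca *labCA) IssueDevice(assetTag string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: assetTag, OrganizationalUnit: []string{managedOU}},
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca.cert, ca.key)
	return cert
}

// CRL publishes the serial of a lost device, signed by the CA.
func (ca *labCA) CRL(lost *x509.Certificate) *x509.RevocationList {
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: lost.SerialNumber, RevocationTime: time.Now()}},
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
	}, ca.cert, ca.key))
	return must(x509.ParseRevocationList(der))
}

// EvaluateRealm models the realm discussed above: password always required, certificate checked but not
// required, and only a certificate that chains to the corporate CA and is absent from the CRL maps to the
// corporate role. Refusing a revoked device outright instead of downgrading it is an assumed policy choice.
func EvaluateRealm(root *x509.Certificate, crl *x509.RevocationList, client *x509.Certificate, passwordOK bool) string {
	if !passwordOK {
		return Denied // username + password is mandatory whatever the certificate says
	}
	if client == nil {
		return RoleGuest // "check but do not require": no certificate still enters the realm
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return RoleGuest // chains to some other CA, or expired: proves nothing about the device
	}
	if crl.CheckSignatureFrom(root) != nil {
		return Denied // a CRL the corporate CA did not sign is untrusted: fail closed
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return Denied // lost device: its serial is on the CRL
		}
	}
	if ou := client.Subject.OrganizationalUnit; len(ou) > 0 && ou[0] == managedOU {
		return RoleCorporate // the role mapping rule keys on a certificate attribute
	}
	return RoleGuest // issued by the corporate CA, but no mapping rule matched
}

func main() {
	ca := newLabCA()
	good, lost := ca.IssueDevice("IPAD-0001"), ca.IssueDevice("IPAD-0002")
	crl := ca.CRL(lost)
	fmt.Println("managed iPad + password:", EvaluateRealm(ca.cert, crl, good, true))
	fmt.Println("personal iPad, no cert: ", EvaluateRealm(ca.cert, crl, nil, true))
	fmt.Println("lost iPad on the CRL:   ", EvaluateRealm(ca.cert, crl, lost, true))
}
```

Two points the thread only implies, made explicit here: a certificate from any CA other than the one imported as trusted is treated exactly like no certificate (so a self-signed cert from your own MS CA works for testing only because its root is the one you trust), and the CRL is trusted only after its signature is checked against that same CA, so a missing or forged CRL fails closed instead of silently letting a lost device back in.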