We have a Juniper SA 6500 series box set up and in use for our iPad/iPhone users. Users log in using Junos Pulse, obtain an IP and everything works perfectly.
I now have been asked to look into using certificate-based authentication on top of AD/third party authentication for our mobile devices. Does anyone know if Junos Pulse on the iPad/iPhone will work with certificate-based authentication?
If yes, can I use a single cert for all devices or do I need a cert for each one? I know where the settings are in Juniper so I am not looking for how to do it, just to know if it will work and if people have it working today.
Certificate-based authentication works just fine with iPhone / iPad - you can use the same cert for multiple devices. The only issue is getting the certificate onto the device. I have found that the most effective way is to use the iPhone Configuration Utility - pull a local user certificate out of the PC store and also pull out the accompanying trusted root certificate. Use the utility to push the cert pair to the phone and it works great.
Without the trusted root cert it will not work.
I have put together some documentation on how to do this for a test environment if you are interested.
As a test I exported a certificate along with the private key to my local workstation. I set a password on the cert at the time of the export and saved it as a pfx file. I then emailed it to myself so I could access it from the iPad.
I then was prompted to import the cert and enter the password that I had previously set on it. The cert was imported, but I could not see it listed within Junos Pulse until I removed and then re-installed Junos Pulse. I saw another post about other people having that same issue.
Will this same process work instead of using the utility? The problem with the utility is that our users will be the ones performing the tasks so if we need them to install software and then connect it, it will not go well.
Emailing the cert seems to be easy, if that works.
I was one of the people that complained about the need to delete Pulse and reinstall it. If I recall, this was an issue if you were running Pulse and you had any certificate in the Pulse definition - regardless of how it got on the i@ device. Definitely some form of a Pulse bug, I would think. I did a post on it but no one from Juniper had any opinion in regards to the issue.
You can export the profiles from the iPhone Configuration utility and e-mail them to the users in the same way you would for a certificate. The user can then install them by tapping on the attachment.
In general the config utility tends to create more complete configurations and gives access to some settings not available directly on the phone. My experience is the iPhone is not so good at managing certificates. I've had issues trying to get the iPhone to use the right certificate and trust the root when setting up Wi-Fi access manually, but with a profile it works.
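The thread's two requirements for an e-mailed profile (a client certificate with its private key, plus the trusted root) can be checked before the file goes out. The sketch below is an added example, not code from any poster or from Apple or Juniper: it builds a minimal `.mobileconfig` with Python's `plistlib` and lints it. The `com.example.vpn` identifier, the display names and the placeholder certificate bytes are assumptions made up for illustration.

```python
import plistlib
import uuid

IDENTITY = "com.apple.security.pkcs12"  # client cert + private key (.pfx/.p12)
ROOT = "com.apple.security.root"        # trusted root CA certificate


def _payload(ptype, name, content, org_id):
    """One profile payload; each payload carries its own UUID and identifier."""
    pid = str(uuid.uuid4()).upper()
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": f"{org_id}.{pid}", "PayloadUUID": pid,
            "PayloadDisplayName": name, "PayloadContent": content}


def build_profile(p12_bytes, root_der, org_id="com.example.vpn"):
    """Return .mobileconfig bytes holding the root CA and the client identity."""
    certs = [_payload(ROOT, "Root CA", root_der, org_id),
             _payload(IDENTITY, "Client identity", p12_bytes, org_id)]
    top = _payload("Configuration", "VPN client certificate", certs, org_id)
    top["PayloadIdentifier"] = org_id
    return plistlib.dumps(top)  # bytes values are written as base64 <data>


def lint_profile(mobileconfig_bytes):
    """List problems in a profile before it is e-mailed to users."""
    payloads = plistlib.loads(mobileconfig_bytes).get("PayloadContent", [])
    types = [p.get("PayloadType") for p in payloads]
    problems = []
    if IDENTITY not in types:
        problems.append("no client identity (PKCS#12) payload")
    if ROOT not in types:
        problems.append("no trusted root payload")
    # With no Password key the user is asked for the export password at
    # install time; an embedded one travels in clear text with the e-mail.
    if any("Password" in p for p in payloads if p.get("PayloadType") == IDENTITY):
        problems.append("PKCS#12 password is embedded in the profile")
    uuids = [p.get("PayloadUUID") for p in payloads]
    if len(set(uuids)) != len(uuids):
        problems.append("duplicate PayloadUUID")
    return problems


if __name__ == "__main__":
    # Constructed placeholder bytes, not real certificate data.
    sample = build_profile(b"constructed-p12-bytes", b"constructed-root-der")
    print(lint_profile(sample) or "profile carries identity and root")
```

The linter only inspects the profile's structure; it does not parse the certificates or confirm that the client certificate chains to the included root.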