MAG6611 running 7.4R9.3
I have a realm configured to use a certificate auth server for authentication. I want to make sure that this realm will only accept user certs from one particular organization.
When I do a policy trace on a user logging into this realm, here is the value I want to try and match:
info - [xxx.xxx.xxx.xxx] - Username(Realm)[] - 2014/05/16 12:58:47 - MAG_hostname - Variable certIssuerDn.OU = "OCIO CA"
So I go into Realm -> Authentication Policy -> Certificate. The bottom radio button (Only allow users with a client-side certificate) is already selected. Below that is the section where you can specify restrictions, i.e. values to match within the cert. For each item you must specify "Certificate field" and "Expected value".
Does anybody know what the specific syntax is for filling in those two boxes? Do you have to put quotes or <> brackets around the values to get them to match? I have tried several variations and I just keep getting "Sign-in rejected. Reason: Wrong Certificate" in the policy trace. If I delete the restriction then the user can connect with no trouble.
What I have right now trying to match the value above is:
Certificate field: certIssuerDn.OU (no quotes or brackets)
Expected value: "OCIO CA" (double-quotes around the whole value)
Seems to me like that should work, but it's not matching up.
Any suggestions?
Thanks,
Chuck
First, the obvious questions. Have you tried without the quotes on the expected value?
Second, are there multiple OUs for the certIssuerDN? If yes, then there is a note in the help that it may not authenticate correctly if an attribute has multiple values.
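Before changing the restriction it helps to see exactly what the issuer DN contains, and whether the expected value you typed would compare equal to it. The script below is an added example, not from this thread and not Juniper's own matching code: it parses an issuer DN in the RFC 2253 form printed by `openssl x509 -in client.pem -noout -issuer -nameopt RFC2253` (strip the leading `issuer=`), collects every OU, and emulates a `certIssuerDn.<attr>` restriction as a plain string comparison. Two things in it are assumptions rather than documented product behaviour: that literal quotes in the expected value become part of the compared string, and that a multi-valued attribute (several OU RDNs, or `OU=a+OU=b`) is treated as ambiguous rather than matched on any one value, which is one reading of the help note about multiple values. The sample DNs are constructed, and `parse_rfc2253_dn`, `attribute_values` and `check_restriction` are hypothetical helper names.

```python
"""Added example (not from the thread or from the MAG product code):
inspect an X.509 issuer DN and emulate a realm certificate restriction
such as  Certificate field = certIssuerDn.OU / Expected value = OCIO CA.

Assumptions, not confirmed by the thread:
  * the gateway compares the attribute value as a plain string, so quotes
    typed into "Expected value" are compared literally;
  * a multi-valued attribute is ambiguous rather than matched on any value
    (the help only says it "may not authenticate correctly").
"""


def parse_rfc2253_dn(dn):
    """Split an RFC 2253/4514 DN string into a list of RDNs, each a list of
    (attribute, value) pairs in the order written.  Handles backslash
    escapes such as '\\,', '+' inside a multi-valued RDN and ',' between
    RDNs.  Hex-pair escapes ('\\2C') are not decoded in this example."""
    rdns, rdn, buf = [], [], []
    attr, in_value, i = None, False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character
            buf.append(dn[i + 1])
            i += 2
            continue
        if not in_value:
            if ch == "=":
                attr, buf, in_value = "".join(buf).strip(), [], True
            else:
                buf.append(ch)
        elif ch in ",+":
            rdn.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
            if ch == ",":                        # end of this RDN
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(ch)
        i += 1
    if in_value:
        rdn.append((attr, "".join(buf).strip()))
    if rdn:
        rdns.append(rdn)
    return rdns


def attribute_values(dn, attr):
    """Every value of one attribute type across all RDNs (e.g. all OUs)."""
    return [v for rdn in parse_rfc2253_dn(dn)
            for a, v in rdn if a.upper() == attr.upper()]


def check_restriction(issuer_dn, field, expected):
    """Emulate a 'Certificate field / Expected value' restriction for
    certIssuerDn.<ATTR>.  Returns (accepted, reason)."""
    prefix = "certIssuerDn."
    if not field.startswith(prefix):
        return False, "this example only models certIssuerDn.* fields"
    values = attribute_values(issuer_dn, field[len(prefix):])
    if not values:
        return False, "attribute absent from issuer DN"
    if len(values) > 1:
        return False, "attribute is multi-valued %r; match is ambiguous" % (values,)
    if values[0] == expected:
        return True, "match"
    return False, "%r != %r" % (values[0], expected)


# Constructed sample issuer DNs (as openssl -nameopt RFC2253 would print them).
ISSUER = "CN=Issuing CA 1,OU=OCIO CA,O=Example Org,C=US"
ISSUER_MULTI_OU = "CN=Issuing CA 1,OU=OCIO CA,OU=PKI,O=Example Org,C=US"
ISSUER_ESCAPED = "CN=Issuing CA 1,OU=OCIO CA,O=Example\\, Inc.,C=US"

if __name__ == "__main__":
    for dn in (ISSUER, ISSUER_MULTI_OU, ISSUER_ESCAPED):
        print("OUs in", dn, "->", attribute_values(dn, "OU"))
    # Quotes typed into the Expected value box are compared literally.
    print(check_restriction(ISSUER, "certIssuerDn.OU", '"OCIO CA"'))
    print(check_restriction(ISSUER, "certIssuerDn.OU", "OCIO CA"))
    print(check_restriction(ISSUER_MULTI_OU, "certIssuerDn.OU", "OCIO CA"))
```

Run it against the real issuer DN of a rejected user's certificate; if `attribute_values` returns more than one OU, the multi-value caveat above applies before any syntax question does.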
Sorry Kita, I don't quite understand your reply. Are you saying that a certificate restriction at the realm level cannot match against the certIssuerDN.* fields in the user's certificate? If so, could this be done at the role level instead? Is there any documentation available as to which certificate contents can be matched at the realm level and at the role level?
I have not been able to find much info in the documentation about what you can do in the certificate restriction screen or what the syntax is. The only doc I've found with extensive details is this one related to custom expressions, but perhaps the capabilities are different there:
Thanks,
Chuck