I have a question about configuring the SA to check client certificate attributes.
Our intention is to provide ActiveSync access for our customers so they can sync their mobile devices (e.g. Apple iOS, Android) with our internal Microsoft Exchange 2007 server. For that we added a virtual port on our external interface and enabled the client certificate requirement for this port. Then we configured a virtual hostname (pass-through proxy) which forwards the traffic to the target URL (Exchange server). This setup works perfectly with certificates from our Trusted Client CA.
Now the question:
Is it possible to filter on a specific attribute of the certificate? More precisely I mean the "Certificate Template Information" extension ("Template=WirelessUsers(126.96.36.199.4.1.3188.8.131.5249325.11114837.14369456.6622982.4790504.72.2880170.14957459)") and/or the "Enhanced Key Usage" extension (e.g. Client Authentication (1.3.6.1.5.5.7.3.2)
or the custom value WirelessUsers (18.104.22.168.4.1.322.214.171.12449325.11114837.14369456.6622982.4790504.72.10766458.11704646)).
I did some tests with role option restrictions for certificates, e.g. "CN = <user>" works perfectly, but I can't find any information about these special attributes.
It would be great if someone could help me :-)
I did some other tests with Client Cert validation:
Configuration > Trusted Client CA > [root-ca] > Advanced Certificate Processing Settings
Enabled "Initial Require Explicit Policy" and set the required value of the affected template:
I tried with our specific value (see below) but it doesn't work.
The standard value 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth) doesn't work either.
Tcpdump on the external port tells me that the client sends the correct certificate:
    Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
        KeyPurposeIDs: 2 items
            KeyPurposeId: 220.127.116.11.4.1.318.104.22.16849325.11114837.14369456.6622982.4790504.72.10766458.11704646 (iso.22.214.171.124.1.3126.96.36.19949325.11114837.14369456.6622982.4790504.72.10766458.11704646)
            KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
    Extension Id: 1.3.6.1.4.1.311.21.10 (id-ms-application-certificate-policies)
        CertificatePoliciesSyntax: 2 items
            policyIdentifier: 18.104.22.168.4.1.322.214.171.12449325.11114837.14369456.6622982.4790504.72.10766458.11704646 (iso.126.96.36.199.1.3188.8.131.5249325.11114837.14369456.6622982.4790504.72.10766458.11704646)
            policyIdentifier: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
I send a request from my client to this port with the right certificate, but authentication fails. There is no log entry with any error description.
Reply from the SA's external port:
    Secure Socket Layer
        TLSv1 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)
            Content Type: Alert (21)
            Version: TLS 1.0 (0x0301)
            Level: Fatal (2)
            Description: Certificate Unknown (46)
Does anyone have any idea or experience with this feature?
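The check the poster is trying to get the SA to perform, written out as an added example (not code from the original post and not Juniper's): it DER-encodes the two extensions visible in the tcpdump above (extKeyUsage and the Microsoft application policies extension), parses them back, and accepts a certificate only when id-kp-clientAuth is present together with the custom "WirelessUsers" OID. The WirelessUsers OID value is an assumed placeholder under the Microsoft template/policy arc 1.3.6.1.4.1.311.21.8, not the poster's real value; the sample extension blobs are constructed here, not taken from a real certificate.

```python
# Added example, not code from the original post or from Juniper. Standard
# library only: OID/DER helpers, the two extensions from the thread, and the
# accept/deny policy the poster asked for. All sample data is constructed.

OID_EXT_KEY_USAGE = "2.5.29.37"                # id-ce-extKeyUsage
OID_MS_APP_POLICIES = "1.3.6.1.4.1.311.21.10"  # id-ms-application-certificate-policies
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"          # id-kp-clientAuth
# ASSUMED placeholder for the site-specific WirelessUsers OID. Microsoft template
# and application policy OIDs live under 1.3.6.1.4.1.311.21.8.*, but the arcs
# below are made up; substitute the value from your own CA.
OID_WIRELESS_USERS = "1.3.6.1.4.1.311.21.8.1000001.2000002.3000003.4000004.5000005.60.7000007.8000008"


def encode_oid(dotted):
    """DER contents of an OBJECT IDENTIFIER: first two arcs packed into one byte,
    every further arc in base-128 with the high bit set on continuation bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body):
    """Inverse of encode_oid (first byte >= 80 means the first arc is 2)."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_tlv(tag, body):
    """Wrap body in a DER tag and length (long-form length when >= 128 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def parse_tlv(buf, pos=0):
    """Return (tag, body, position after this TLV) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(body):
    """Yield (tag, body) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        yield tag, inner


def extension(ext_oid, value_der):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    return der_tlv(0x30, der_tlv(0x06, encode_oid(ext_oid)) + der_tlv(0x04, value_der))


def eku_extension(purposes):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (bare OIDs, as in the tcpdump)."""
    return extension(OID_EXT_KEY_USAGE,
                     der_tlv(0x30, b"".join(der_tlv(0x06, encode_oid(p)) for p in purposes)))


def app_policies_extension(policies):
    """CertificatePoliciesSyntax ::= SEQUENCE OF PolicyInformation, where
    PolicyInformation ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }."""
    return extension(OID_MS_APP_POLICIES,
                     der_tlv(0x30, b"".join(der_tlv(0x30, der_tlv(0x06, encode_oid(p))) for p in policies)))


def parse_extensions(extensions_der):
    """Map extnID -> raw extnValue bytes for a DER Extensions SEQUENCE. A critical
    BOOLEAN, when present, sits between the OID and the OCTET STRING, so take the last part."""
    result = {}
    for _, ext_body in iter_tlvs(parse_tlv(extensions_der)[1]):
        parts = list(iter_tlvs(ext_body))
        result[decode_oid(parts[0][1])] = parts[-1][1]
    return result


def key_purposes(extn_value):
    """OIDs listed in an extKeyUsage value."""
    _, seq, _ = parse_tlv(extn_value)
    return [decode_oid(b) for t, b in iter_tlvs(seq) if t == 0x06]


def policy_identifiers(extn_value):
    """policyIdentifier of each PolicyInformation; qualifiers (which can also
    carry OIDs) are deliberately not matched."""
    _, seq, _ = parse_tlv(extn_value)
    ids = []
    for t, info in iter_tlvs(seq):
        if t == 0x30:
            tag, oid_body, _ = parse_tlv(info)
            if tag == 0x06:
                ids.append(decode_oid(oid_body))
    return ids


def accept_for_activesync(extensions_der):
    """The rule the poster wanted: id-kp-clientAuth must be in extKeyUsage, and the
    WirelessUsers OID must appear in extKeyUsage or in the MS application policies.
    Any other certificate from the trusted CA is refused."""
    exts = parse_extensions(extensions_der)
    eku = key_purposes(exts[OID_EXT_KEY_USAGE]) if OID_EXT_KEY_USAGE in exts else []
    app = policy_identifiers(exts[OID_MS_APP_POLICIES]) if OID_MS_APP_POLICIES in exts else []
    return OID_CLIENT_AUTH in eku and (OID_WIRELESS_USERS in eku or OID_WIRELESS_USERS in app)


# Constructed sample data: a certificate from the WirelessUsers template (both
# extensions, as in the tcpdump) and a plain client-auth certificate from the same CA.
WIRELESS_CERT_EXTS = der_tlv(0x30, eku_extension([OID_WIRELESS_USERS, OID_CLIENT_AUTH])
                             + app_policies_extension([OID_WIRELESS_USERS, OID_CLIENT_AUTH]))
PLAIN_CERT_EXTS = der_tlv(0x30, eku_extension([OID_CLIENT_AUTH]))
```

Against a real certificate the Extensions SEQUENCE would be taken from the TBSCertificate (or the OIDs read off `openssl x509 -text`), and the decision has to be made by something that sees the handshake certificate, which is the point of the last reply in this thread: the pass-through proxy itself offers no place to evaluate it. Note that the gateway's "Certificate Unknown (46)" alert above is a handshake-level rejection, so the check here would only ever run on certificates that already passed chain validation.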
Did you ever get a solution for this?
We're looking to do something similar for our iPad users (Junos Pulse), but at the moment it's set to "any certificate from a trusted CA". We want to allow certificates issued from the CA's custom iPad template but deny everything else.
Even if you could figure out a way to get the custom attribute, where would you put it? You need an auth server to hold them. The pass-through proxy is relying on your LDAP server, not Juniper.