I haven't been able to replicate this in my lab on 7.1R2.
Are you (or @zthiel, or others) doing any extra checking beyond the certificate only (e.g. OCSP, CRL checking, CDP)? If so, what happens if you remove this restriction?
We do not have any other check. CRL etc. is disabled.
Do you have a case number you can send me in private message that I can look at internally to see if I can try to determine what I'm doing differently?
Not sure how to send a private message here, but we do not have a case number anyway.
OK; that will probably be the best way to start working on this toward resolution. I know @zthiel hasn't had much luck yet but generally when it is something as drastic as this, the best bet is a case. Sorry!
Are you doing certificate-based authentication (cert-server) and it is failing? Or are you doing role/realm/access-based restrictions based on certificates retrieved during the login process?
Under "Configuration > Certificates > Trusted Client CAs" we have the self-signed certificate.
"Client certificate status checking" is set to "None". Checks are on "Trusted for Client Authentication" and "Participate..."
As Auth. Server we set up type "Certificate Server". User mapping via the default setting "<certDN.CN>".
Under User Realm, the above Certificate Server is set for Authentication.
Under Authentication Policy/Certificate it is set to:
"Only allow users with a client-side certificate signed by Trusted Client CAs to sign in. To change the certification authority, see the Trusted Client CA page."
That's it. No more settings.
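The setup described above (a self-signed Trusted Client CA, status checking set to "None", sign-in allowed only for certificates signed by a Trusted Client CA, user mapped from the subject CN) can be reproduced offline with openssl to confirm that the client certificate itself chains to the trusted CA and that the CN the appliance would map is what you expect. The following is an added example, not from the thread or from Juniper; it assumes openssl(1) is on the PATH, and the CA and user names it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): an offline stand-in for the appliance's
# client-certificate check. Assumes openssl(1) is installed; all names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A self-signed CA, standing in for the entry under
# Configuration > Certificates > Trusted Client CAs.
make_ca() {
  # $1 = file basename, $2 = CN of the CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# A client certificate issued by a given CA. Its CN is the login name,
# because the Certificate Server maps users via <certDN.CN>.
make_client() {
  # $1 = file basename, $2 = CN (username), $3 = basename of the issuing CA
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/$1.pem" 2>/dev/null
}

# The check itself: chain-validate against the trusted CA only, with no CRL/OCSP
# lookup (mirroring "Client certificate status checking: None"), then pull the
# CN that would become the username. Prints "OK <CN>" on success, else "WrongCert".
check_client_cert() {
  # $1 = trusted CA PEM, $2 = client certificate PEM
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    cn=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 \
         | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    echo "OK $cn"
  else
    echo "WrongCert"
  fi
}

# Constructed scenario: one trusted CA, one unrelated CA, and a client cert from each.
make_ca trusted "Trusted Client CA"
make_ca other   "Some Other CA"
make_client alice   alice   trusted
make_client mallory mallory other

check_client_cert "$WORK/trusted.pem" "$WORK/alice.pem"     # OK alice
check_client_cert "$WORK/trusted.pem" "$WORK/mallory.pem"   # WrongCert
```

Run it against the real files instead of the generated ones (the exported Trusted Client CA and a user's certificate) to see whether the certificate is rejected independently of the appliance; if openssl accepts it, the chain is not the problem and the failure lies in the appliance's handling of it.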
OK; thank you.
Unfortunately, that works without an issue for me in my lab.
What do you role map against?
What does your policy trace show?
>What do you role map against?
Based on usernames. In the last position (when the username is not a "special" one) the user gets a standard role.
>What does your policy trace show?
Nothing. It seems it never gets to that point.
You open the browser. On first access it opens a list of your certificates. You choose one and Juniper then says the certificate is wrong or invalid. In the Juniper log there is only one line, which says "WrongCert".
This is very curious for us, because we have installed some upgrades in the past and there never occurred a problem, nor have we changed our certificate since then.
Our upgrade path was 5.4R6->6.4R4.1->7.0R1->7.0R4
These upgrades did not work for us:
7.1R2.0, 7.1R1.0, 7.0R6.0, 7.0R5.1
So 7.0R5.1 is the first upgrade after our current version. What has changed in 7.0R5.1 regarding certificates?
I PM'ed you a few minutes ago with my case number, thanks!!