
"Failed to authenticate client certificate..." after upgrading to 7.1R2

zanyterp_
Respected Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

I haven't been able to replicate this in my lab on 7.1R2.

Are you (or @zthiel, or others) doing any extra checking beyond the certificate only (e.g. OCSP, CRL checking, CDP)? If yes, if you remove this restriction, what happens?

Asema_
Occasional Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

We do not have any other check. And CRL, etc.. is disabled.

zanyterp_
Respected Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

Do you have a case number you can send me in private message that I can look at internally to see if I can try to determine what I'm doing differently?

Asema_
Occasional Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

Not sure how to send priv-message here, but we do not have a case number anyway.

zanyterp_
Respected Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

OK; that will probably be the best way to start working on this toward resolution. I know @zthiel hasn't had much luck yet but generally when it is something as drastic as this, the best bet is a case. Sorry!

zanyterp_
Respected Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

Are you doing certificate-based authentication (cert-server) and it is failing? Or are you doing role/realm/access-based restrictions based on certificates retrieved during the login process?

Asema_
Occasional Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

Under "Configuration > Certificates > Trusted Client CAs" we have the self-signed certificate.

"Client certificate status checking" is set to "None". Checks are on "Trusted for Client Authentication" and "Participate..."

As an Auth. Server, we put up type "Certificate Server". User mapping via default setting "<certDN.CN>".

Under User Realm, for Authentication the above Certificate Server is set.

Under Authentication Policy/Certificate it is set:

"Only allow users with a client-side certificate signed by Trusted Client CAs to sign in. To change the certification authority, see the Trusted Client CA page."

That's it. No more settings.

zanyterp_
Respected Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

OK; thank you.

Unfortunately, that works without an issue for me in my lab.

What do you role map against?

What does your policy trace show?

Asema_
Occasional Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

>What do you role map against?

Based on usernames. In the last position (when the username is not a "special" one), the user gets a standard role.

>What does your policy trace show?

Nothing. It seems it never gets to that point.

You open the browser. The first time you access it, it opens a list of your certificates. You choose one and Juniper then says the certification is wrong or invalid. In the Juniper log there is only one line, which says "WrongCert".

This is very curious for us, because we have already installed some upgrades in the past and a problem never occurred, nor have we changed our certificate since then.

Our upgrade path was 5.4R6->6.4R4.1->7.0R1->7.0R4

These upgrades did not work for us:

7.1R2.0, 7.1R1.0, 7.0R6.0, 7.0R5.1

So 7.0R5.1 is the first upgrade after our current version. What has changed in 7.0R5.1 regarding certificates?

zthiel_
Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

I PM'ed you a few minutes ago with my case number, thanks!!