We were at 7.1R1.1 (build 17943) without any certificate problems.
We are doing role/realm/access-based restrictions based on certificates retrieved during the login process.
I tested with both and......unfortunately it worked for me in the lab.
This issue was determined to be we did not have Basic Constraints:CA:TRUE in our CA. However after doing that it still was not working.
After a long battle I ended up rolling back to 7.1 R1.1 and then upgrading back to 7.1 R2 with the new CA and NOW everything is working.
The unfortunate part is no where in any documentation on the R2 upgrade does it say this CA requirement for basic constraints was added.
it indeed seems that our certificate is no longer working because we miss "Basic Constraits".
Now the question : Do we really need to re-issue our certificate and thereby have to replace all our client certificates aswell ? This would mean a lot of unneccessary work for us. Or is there an other way ?
based on what zthiel found, it looks like this is something that you will need to re-issue certs against.
I have some similar issues using 7.1R1 on a SA-4500 with Pulse on IOS with version 2.1R1 using client certs:
using a Windows enterprise CA, I have a root cert that includes the basic constraint flield (as mentioned above to be required). But the client certificates do not show this attribute at all. I see the "Wrong Cert" logged in the Log's User Access section.
When I do the same tests using another root CA made using OpenSSL, and a corresponding client Certificate, this client cert shows the basic constraint field (as Subject Type=End Entity, Path Length Constraint=None). Using this client cert it works without any problems (using the Auth Server type Cert, requiring a valid client cert and imported the root ca to the trusted CAs).
May the missing Basic Constraint attribute in the client cert be the cause of the error? Does anybody know how to change the template on a windows CA to include the basic constraint attribute also for a client certs?
At least for us we had to re-issue our self-signed server certificate. This time with Basic Constraints setting.
We then of course had to re-issue all client certificates aswell. We however did not set the Basic Constratints setting with the Client certificates. We did it only with the server side one.
In Juniper-Admin-GUI the server side certificate now shows :
Whereas our "old" server side certifcate showed only :
Our client certificates still show version 1. Maybe this is the reason why it does not work on your side ?
I think if you have version 3 client certificates then you also would need to set "Basic constratints" with the client certificates. (This time with "CA:FALSE", of course).
Asema, I see Version 3 for client and root cert in both CAs, the windows ca (where the client cert does not show the basic constraint attrib), and in the OpenSSL CA, where the client cert has the basic constraint attrib...
I think with your Windows CA Server you need to set :
Subject Type =CA
Because if you set it to subject "End Entity" it can not validate your client certiciates.
Note: The presence of the Basic Constraints subject type is very important. This value distinguishes a CA certificate from an end entity certificate.