I installed version 7.1R1 and I'm still experiencing the same issue...

Ok, 7.1R1 does actually work with client certificates that use a chain.  As long as your certificate restriction is set at the Realm level.  I had mine set at the Role level and that does not work.  

Russ

ensure to bind device cert to internal network interface on the sa device cfg

Hello Dan,

If the proper intermediate CA are installed on the IVE, you should not be getting any chaining errors. The other possiblity is the root CA is missing from the device. If you are using a VeriSign certificate, you may want to double check with them as their hierarchy has changed directly to a four-tier hierarchy (two intermediates) plus it is cross-certified by two root ca (which can be a bit confusing).

The proper root and the 1 intermediate cert exists on the IVE and still no luck. Like I said, Network connect has no issues with the cert so not sure what is happening.

Thawte's website has a troubleshooting tool that says my chain is incomplete also so I guess I have an issue with the intermediate cert I installed.

Pulse client seems to have issues with wildcard certs... oh well. There goes another good Juniper idea poorly executed...

DirectAccess here I come!

ya, kind of regreting going to pulse over network connect, it seems to be a beta product. I have checked everything and the entire chain exists, I guess I will try calling support.

same issue here...

We have a digicert wildcard certificate and the chain is fully correct!

Only thing complaining is Pulse..

Because it's just cosmetic (and I have enough to do) I'm simply afraid to call JTAC (again...)....all they will do is ask you for logs...logs...logs....