Hi everybody,
I'm trying to configure UAC + EX + Junos Pulse for L2 access.
UAC and EX are ready, but I have some problems with Junos Pulse as the 802.1x supplicant.
On the physical interface of a PC with Windows 7 installed I've enabled 802.1x authentication with Juniper Networks: EAP-TTLS.
I have also done the following:
- installed the UAC (IC) certificate on the PC
- installed the root CA certificate that signed the UAC certificate on the PC
- in the settings of Juniper EAP-TTLS I've set the anonymous field to "anonymous"
Could someone explain to me the process of deploying Junos Pulse + UAC + EX for 802.1x?
What am I missing?
Thanks.
Hi,
Now I understand the problem. You should see a dot1x profile named "Local Area Connection" in the Pulse UI for dot1x. This is the dot1x profile pushed from the IC when you download the Pulse client from the IC or install the preconfigured Pulse MSI file downloaded from the IC.
Can you download the Pulse client for dot1x directly from the IC server using agentless access, if possible, to the PC? Otherwise, can you try downloading the preconfigured Pulse MSI file from Junos Pulse connections on the IC?
Installing this preconfigured MSI file from Junos Pulse will solve the issue.
I hope this helps.
Regards,
Kannan
Hi,
1. Are you trying to use certificate-based authentication or username/password-based authentication?
2. Are you trying user authentication or machine authentication?
3. What is the authentication server enabled in the IC?
4. If you have the setup ready, what is the error message in the IC user access log?
5. Do you see the "Local Area Connection" profile loaded in the Pulse UI?
6. Can you download and install the Pulse client from the same IC using agentless access, if possible?
Regards,
Kannan
Hi, thanks for the interest in the case.
1. I was trying to do both.
2. I would like to have user authentication (using personal keys).
3. When I was trying username-based auth it was set to System Local with a realm restriction on the personal certificate. When I was trying cert auth the auth server was set to Certificate Server.
4. There is no log in User Access, Events, or via Troubleshooting (session recorder). A capture of packets on the PC says only that authentication has failed after the creation of the outer SSL/TLS tunnel from the switch.
5/6. Under Pulse connections I've enabled only one connection: 802.1x. This connection has a defined outer user name of "anonymous" and a trusted client-side CA certificate that was used to sign the user certificate. At first I opened the port on the switch to allow download of the Junos Pulse client from the IC to the PC. After that I switched the switch port back to use 802.1x with a RADIUS server (the IC). The connection is listed in the Pulse GUI. When I click Connect it says "Waiting for the network" and then I get a notification from Windows about unsuccessful 802.1x auth.
I think the following documentation with detailed configuration should help here.
Thanks
Dear apaul, thank you for your reply. Before posting this thread I read every little piece of documentation, KB articles, admin guides and examples available on Juniper sites as well as on this forum. Therefore I have read the article you posted.
Unfortunately for me, none of those texts solve my problem or give me any guidance at all. There are plenty of examples of how to implement 802.1x with different types of EAP with OAC, but not even one with Junos Pulse.
That's why I reached out to the community for some real-life configurations and examples of 802.1x with Junos Pulse.
Just for the sake of being complete. Can you post your EX config? Just want to verify that you have 802.1x enabled on the ports.
Also, you can start with at least getting local authentication working before adding certificates. They are a different beast.
Garett
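As an added illustration of the EX-side configuration Garett is asking for (this is not a configuration posted in the thread), here is a minimal Junos EX 802.1X authenticator setup that points the switch at the IC as its RADIUS server. The IP addresses, interface, VLAN name/ID, profile name and shared secret are placeholders I assumed; the IC's RADIUS client entry for the switch must use the same secret.

```junos
# Added example, not from the thread. All addresses, names and the secret are assumed placeholders.

# The Infranet Controller (IC) acting as RADIUS server for the switch.
# The secret must match the RADIUS client entry configured for this switch on the IC.
set access radius-server 10.10.10.5 port 1812
set access radius-server 10.10.10.5 secret "replace-with-shared-secret"
set access radius-server 10.10.10.5 source-address 10.10.10.2

# Access profile used by the dot1x authenticator.
set access profile ic-dot1x authentication-order radius
set access profile ic-dot1x radius authentication-server 10.10.10.5

# VLAN that the IC assigns via RADIUS (Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID).
# It must already exist on the switch for the dynamic VLAN assignment to succeed.
set vlans employees vlan-id 100

# 802.1X on the access port facing the Windows 7 PC.
set protocols dot1x authenticator authentication-profile-name ic-dot1x
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single
set protocols dot1x authenticator interface ge-0/0/1.0 reauthentication 3600
set protocols dot1x authenticator interface ge-0/0/1.0 server-fail deny
```

After committing, `show dot1x interface ge-0/0/1.0 detail` shows the supplicant's state (Authenticated or not) and the VLAN the port ended up in, which is a quicker first check than client-side packet captures when the IC's user access log stays empty. `server-fail deny` is the fail-closed choice; if the IC is unreachable the port stays blocked rather than falling open.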
Hi,
For testing, please test only with the local database (System Local) auth server and user authentication. If you want to use machine authentication you need to use AD as the auth server. Hence let's just test user auth based on the System Local auth server.
Can you also enable the Microsoft PEAP protocol in the Authentication tab of the Windows 7 network properties instead of EAP-TTLS? Also ensure that you have PEAP enabled in the IC as well, in the 802.1x protocol section.
If this works, then we will test certificate authentication next, based on TTLS.
Update the results after the above-mentioned changes and testing.
Regards,
Kannan
Can you also post the detailed Pulse logs? To do this, open Pulse on the client, go to File --> Logs --> Log Level --> Detailed, and save the logs once the issue is replicated. Please provide the timestamp of the connection attempt to correlate the logs. You can also add a tcpdump from the IC, which could help here as well.
I've set up the realm to use the local database (no certificates) and on the PC I've set the 802.1x method to EAP-PEAP. After those changes authorization is successful. After the user is assigned the correct VLAN (as configured on the IC) the Junos Pulse connects correctly to the IC.
But I see a flaw here: the IC shows me that 2 user licenses are being eaten, one for 802.1x and one for L3.
I think it's because of the limitation of Junos Pulse that it cannot handle EAP-PEAP, as noted in the Junos Pulse 5.0 Admin Guide on page 214.
As far as I know, to run an 802.1x UAC deployment with Host Checker one needs to use EAP-JUAC as the inner authentication protocol. And that's only supported with EAP-TTLS as the outer authentication in Junos Pulse.
So we're back to my original question.
Please correct me if I'm wrong.
I don't post the config of my EX because the successful EAP-PEAP auth confirms that the EX <-> RADIUS (IC) is working.
Hi,
Can you now try with EAP-TTLS enabled as the outer protocol and EAP-JUAC as the inner protocol on the IC? On the Pulse client have Juniper TTLS enabled. Restart the Unified Access service from Services on the local machine after making the above changes.
Hope this helps.
Regards,
Kannan