I'm trying to configure UAC+EX+Junos Pulse for L2 access.
UAC and EX are ready but I have some problems with Junos Pulse as 802.1x supplicant.
On the physical interface with Windows 7 installed I've enabled 802.1x authentication with Juniper Networks: EAP-TTLS.
I have also did the following:
-installed UAC (IC) certificate on the PC
-installed root CA certificate that signed UAC certificate on the PC
-in setting of juniper EAP-TTLS I've set the anonymous field to "anonymous"
Could someone explain me the process of deploying Junos Pulse+UAC+EX for 802.1x?
What am I missing?
Solved! Go to Solution.
Now I got the problem, You should see a dot1x profile named Local Are connection in pulse UI for dot1x. This is the dot1x profile pushed from the IC when you download the puls e client from IC or installing the preconfigured pulse msi file downloaded from IC.
Can you dowload the pulse client for dot1x directly from IC server using agentless access if possible to the PC else can you try downloading the preconfigured pulse msi file from junos pulse connections from IC.
installingthis preconfigured msi file from junos pulse will solve the issue
I hope this should help
1. Are you trying to use certficate based authentication or username /password based authentication?
2. Are you trying user authentication or machine authentication?
3. What is the authentication server enabled in IC?
4. If you have the setup ready , what is the error message in IC user access log?
5. Do you see the local Are connection profile lodaded in the Pulse UI?
6. Can you donload & install the pulse client from the same IC using agent less access if possible?
Hi, thank's for the interest in the case.
1. I was trying to do both.
2. I would like to have a user authentication (using personal keys)
3. When I was trying username based auth it was set to System local with a Realm restriction on personal certificate. When I was trying cert atuh the auth server was set to Certificate server
4. There is no log in User access, Events or via Troubleshooting (session recorder). Capture of pacets on the PC says only that authentication has failed after the creation of outer SSL/TLS tunnel from the switch.
5/6. Under Pulse conncections I've enabled only one connection - 802.1x. This connection has a defined Outer user name as anonymous and a Trusted Client side CA certificate that was used to sign user certificate. At first I've opened the port on the switch to allow dowload of the Junos Pulse client from the IC to the PC. After that I've switched back the switch port to use 802.1x with a RADIUS server (IC). The connection is listed in the Pulse GUI. When I click connect it says: "Waiting for the network" and then I get a notification form windows about unsucessful 802.1x auth.
I think the following documentation with detailed configuration should help here.
Dear apaul, thank you for Your reply. Before posting this thread I've read every little piece of documentation, KB articles, admin guide, examples that is available on Juniper sites as well as on this forum. Therefore I've read the article You have posted.
Unfortunately for me none of those texts solve my problem nor give me any guidance at all. There are plenty of examples of how to implement 802.1x with different types od EAP with OAC, but not even one with Junos Pulse.
That's why I've reached out to the community for some real-life configurations and examples of 802.1x with Junos Pulse.
Just for the sake of being complete. Can you post your EX config? Just want to verify that you have 802.1x enabled on the ports.
Also, you can start with at least getting local authentication working before adding certificates. They are a different beast.
For testing , please test only with local database system locl auth server and user authentication. If you wants to use machine authentication you need to use AD as auth server. Hence lts just test user auth based on system local auth server.
Can you also enable Microsoft enabled PEAP protocol in authentication tab of windows 7 network properties instead of EAP-TTLS, also enasure that you have PEAP enabled in IC as well in 802.1x protocl section.
If this works, then we will test the certficate auithentication next based on TTLS
Update the results after the above mentioned changes & testing
CAn you also post the detailed Pulse logs, to do this ensure you open Pulse @ client, goto File --> Logs --> Log Level --> Details and Save the logs once the issue is replicated. Please provide the timestamp of the connection attempt to co-relate the logs. Also you can add a tcp-dump from the IC which could help here as well.
I've set up realm to use local database - no certificates - and on the PC I've set the 802.1x method to EAP-PEAP. After those changes authorization i sucessful. After the user is assigned correct VLAN (as configured on IC) the Junos Pulse connects correctly to the IC.
But I see a flaw here IC shows me that 2 user licenses are being eaten - one for 802.1x and one for L3.
I think it's because the limitation of Junos Pulse that cannot handle EAP-PEAP, as noted in the documentation Junos Pulse 5.0 Admin Guide on page 214.
As far as I know to run a 802.1x UAC deployment with host checker one needs to use EAP-JUAC as the inner authentication protocol. And that's only supported with EAP-TTLS as the outer authentication in Junos Pulse.
So we're back to my orignial question
Please correct me if I'm wrong.
I don't post the config of my EX because the sucessful EAP-PEAP atuh confirms that the EX<->RADIUS (IC) is working.
Can you now try with EAP -TTLS enabled as outer protocol & EAP -JUAC as inner protocol on IC.ON pulse lcient have Juniper TTLS enabled. Restart the Unified access service from services of the local machine after making the above changes.
Hope this helps, i