Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

OAC machine authentication with 'Use automatic certificate selection'

rrosiak_
Occasional Contributor
‎04-11-2012 08:13:AM
‎04-11-2012 08:13:AM

OAC machine authentication with 'Use automatic certificate selection'

Hi,

I have computers where there are several certificates in the computer personal store. One of them is a certificate for OAC machine authentication signed by special CA. When I will choose manually this certificate I can succesfully authenticate this machine.

I need however to select the "Use automatic certificate selection", because I'm preparing remote installation for many computers. Unfortuntely OAC 5.40.19091 selects the wrong certificate that is on the computer certificate personal store which is not the certificate for 802.1x machine authentication, so the verification of that certificate fails on IC and the whole 802.1x authentication fails.

Is there any way to tell OAC, to select any certificate that was signed by selected CA ? It seems like OAC now doesn't care which certificates it chooses when "Use automatic certificate selection" option is selected.

0 Kudos
5 REPLIES 5
apaul_
Regular Contributor
‎04-11-2012 10:56:PM
‎04-11-2012 10:56:PM

Re: OAC machine authentication with 'Use automatic certificate selection'

Hi,

Is there multiple Certificates with Intended Purpose as ñclient authenticationî certificates in the personal store ?

Can you check with a Certificate, which needs to be used by OAC as a ñclient authenticationî certificate and there are no multiple ñclient authenticationî certificates in the local computer personal store.

Thanks

0 Kudos
rrosiak_
Occasional Contributor
‎04-12-2012 08:04:AM
‎04-12-2012 08:04:AM

Re: OAC machine authentication with 'Use automatic certificate selection'

Hi,

There is one certificate for OAC machine authentication with Intended Purpose with "client authentication". Other certificates were generated by 3rd party application and the Intented Purpose is set to "ALL", so that includes "client authentication" as well.

I've tried to revoke and regenerate the OAC machine certificate several times and the "Automatic certificate selection" feature selects sometimes a proper OAC machine auth certificate and sometimes the wrong 3rd party certificate. I do not really understand what is the algorithm here for choosing the certificate.

We can't delete 3rd party certificate or change the Intented purposes there. Is there any workaround to select a proper OAC machine certificate when there are multiple "client authentication" certificates in local computer personal store ?

0 Kudos
kalagesan_
Super Contributor
‎04-12-2012 08:09:PM
‎04-12-2012 08:09:PM

Re: OAC machine authentication with 'Use automatic certificate selection'

Hi,

I beilive that this is expected behavior When we have multiple certfiicates for client authentication and if you have "Use automatic certificate selection" . As mentioned by you I understand that you can't remove the other certificates in the PC personal store. If you are sysadmin, I hope you can manage what certificates needs to be pushed using AD group policy.

Since you told that most of them are remote machines, controlling over domain group policy can be an option to remove the other certfiicates or change the inended pupose

Regards,

Kannan

0 Kudos
rrosiak_
Occasional Contributor
‎04-13-2012 05:22:AM
‎04-13-2012 05:22:AM

Re: OAC machine authentication with 'Use automatic certificate selection'

Hi,

The problem is that I can't remove the "client authentication" feature for 3rd party certificate, becase 3rd party application needs it. I think the solution could be a feature in OAC where you can enter the certificate attribute name and the expected attribute value, so that OAC could filter out all certificates with "client authentication" to select one, proper OAC machine certificate. Unfortunately as I understand there are no such feature.

0 Kudos
apaul_
Regular Contributor
‎04-16-2012 10:38:PM
‎04-16-2012 10:38:PM

Re: OAC machine authentication with 'Use automatic certificate selection'

Yup, you are right the logic as you mentioned is not available in OAC as if now.However you can discuss the requirement with the Juniper Account team to Enhance the product to support such complex requirement.

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.