- Pulse Secure Community
- :
- About kalagesan_
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
since
10-29-2017
10-29-2017
kalagesan_
Super Contributor
375
Posts
0
Kudos
47
Solutions
03-16-2014
11:21:PM
Hi Alexey, I don't think we have a delete message option in this forum however I have added #mistakeen post# to this query. This will take care. Regards, Kannan
... View more
03-14-2014
06:05:AM
Hi Alexey, I hope your query is on routers, please post the query in below forum. This forum is only for SBR/UAC/OAC/pulse http://forums.juniper.net/t5/Routing/bd-p/IProuting Regards, kannan
... View more
03-14-2014
03:49:AM
Hi Suresh, Glad that my susggestion helped,you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks! Regards, Kannan
... View more
03-13-2014
06:09:AM
Hi Satish, I understand your query. Please use wireshark software to open the tcp dump captured on the IC, Wireshark is a free and open-source packet analyzer. You can install this software in your PC.After installation you can open the tcp dump file using this application. You can download it from below URL: http://www.wireshark.org/download.html Hope this resolvedyour query. Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks! Regards, Kannan
... View more
03-05-2014
03:26:AM
Hi Jro, I am glad that my suggestion resolved your query Regards, Kannan
... View more
03-04-2014
10:04:PM
Hi, I am glad that my suggestion helped you in issue resolution, happy to help you in future Regards, Kannan
... View more
03-04-2014
06:00:AM
Hi, Now I got the problem, You should see a dot1x profile named Local Are connection in pulse UI for dot1x. This is the dot1x profile pushed from the IC when you download the puls e client from IC or installing the preconfigured pulse msi file downloaded from IC. Can you dowload the pulse client for dot1x directly from IC server using agentless access if possible to the PC else can you try downloading the preconfigured pulse msi file from junos pulse connections from IC. installingthis preconfigured msi file from junos pulse will solve the issue I hope this should help Regards, Kannan
... View more
03-04-2014
05:26:AM
Hi , Can you now try with EAP -TTLS enabled as outer protocol & EAP -JUAC as inner protocol on IC.ON pulse lcient have Juniper TTLS enabled. Restart the Unified access service from services of the local machine after making the above changes. Hope this helps, i Regards, kannan
... View more
03-03-2014
11:01:PM
Hi Andre, No junos pulse needed on ipad, infact we dont have a junos pulse client for ipad in UAC, we only junos pulse client for SA SSL VPN connection. Please use your ipad wifi profile only, please ensure that you have uploaded the client ( user certficate ) on to the ipad, you can download the client certs & the server CA either by importing if from a email or hyperlink in your ipad device. Ensure that you have the right user certficate selected in identity section on the respectrive WIFI profile with EAP-TLS enabled. Hope this helps. Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks! Regards, Kannan
... View more
03-03-2014
10:42:PM
Hi, For testing , please test only with local database system locl auth server and user authentication. If you wants to use machine authentication you need to use AD as auth server. Hence lts just test user auth based on system local auth server. Can you also enable Microsoft enabled PEAP protocol in authentication tab of windows 7 network properties instead of EAP-TTLS, also enasure that you have PEAP enabled in IC as well in 802.1x protocl section. If this works, then we will test the certficate auithentication next based on TTLS Update the results after the above mentioned changes & testing Regards, Kannan
... View more
03-02-2014
10:56:PM
Hi Andre, Can you ensure that you have right EAP dot1x protocols enabled on the client device, along with right CA & client certficates uploaded and enabled in client device. Regards, Kannan
... View more
03-02-2014
10:51:PM
Hi, 1. Are you trying to use certficate based authentication or username /password based authentication? 2. Are you trying user authentication or machine authentication? 3. What is the authentication server enabled in IC? 4. If you have the setup ready , what is the error message in IC user access log? 5. Do you see the local Are connection profile lodaded in the Pulse UI? 6. Can you donload & install the pulse client from the same IC using agent less access if possible? REgards, Kannan
... View more
02-23-2014
11:46:PM
Hi Arslan Nawaz, The below information on AD configuration should help for SPNEGO : On Active Directory, there are two steps that must be performed: ´ Create a dedicated user for the SPN. Add the SPN to this user using 'ktpass.exe' (this will generate the keytab). NOTE: You must set a password for the user. User must change password on next logon should not be enabled, and Password neverexpires should be enabled. The SPN must be added in this format: HTTP/[email protected] The SPN iscase sensitive. Note the order of uppercase, lowercase and upper case. ´ For Active Directory 2008, the commands 'ktpass' and 'setspn' are already installed. For Active Directory 2003, an add-on pack is required. Before adding the SPN, it's a good idea to make sure it doesn't already exist. This will help avoid ticket decryption issues on Junos Pulse Access Control Service. On the endpoint, the MAG Series device must be added as a trusted host(with Internet Explorer or Firefox). This can also be done with an Active Directory group policy. Without this, the browser will not participate in SPNEGO. On the MAG Series device, you must upload the keytab file and verify thatthediode turns green (indicating a successful join).SPNEGOdoes not workunless the diode is green. Sample Active Directory Commands To search for a particular SPN: C:\>setspn -Q HTTP/dev94.abc-domain.lab.test.com To search for all the SPNs of user 'spnuser': C:\>setspn -Lspnuser To delete this SPN of user 'spnuser': C:\>setspn -d HTTP/dev94.abc-domain.lab.test.com spnuser In this example, the MAG Series device FQDN is: xyz.abc-domain.lab.test.com and the AD realm is: ABC-DOMAIN.LAB.JUNIPER.NET. This adds an SPN to the user: Additional Information The 'kerbtray.exe' program is helpful for viewing and deleting Kerberos tickets on the endpoint.Old ticketsmust be purgedfromthe endpoint ifSPNs are updatedor passwords are changed (assuming the endpoint still has a cached copy of the ticket from a prior SPNEGOrequest to the MAG Series device. During testing,you should purge tickets before each authentication request. A similar program to 'kerbtray.exe' is klist.exe. This is a command line program to view and purge tickets. This can be downloaded from Microsoft's site. When troubleshooting, Juniper Network recommends that you restart the browser between auth requests to avoid cache issues. If Internet Explorer pops-up a Windows dialog box during authentication, this signifies that the ICisn't trusted for SPNEGO. You should add the MAG Series device FQDN underOptions -> Security -> Local Intranet -> Sites ->Advanced. In Firefox, you can install the 'Live HTTP Headers' plug-in to monitor HTTP traffic. You should verify that the ticket is being sent as base64 data. To add the MAG Series device as a trusted host in Firefox, load URL about:config in the address window and set:network.negotiate-auth.trusted-uris. Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks! Regards, Kannan
... View more
02-14-2014
05:52:AM
Hi Andre, I understand your requirement. only radius license on MAG should help to achive your requirement. I have tested this in my lab before. Hope this helps. Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks! Regards, Kannan
... View more
02-11-2014
11:20:PM
Hi, I have attached the document for your convenience, you can download the same & use it Regards, Kannan
... View more
02-10-2014
10:33:PM
Hi, Yes your requirement of customizing the loginpage of UAC is possible. You can use custom signin pages options in UAC to achive your requirement, below is the URL for accessing the custoemr signin page guide which you or your IT team can use it for creating custom signinpages as per your requirement http://www.juniper.net/techpubs/en_US/sa8.0/information-products/topic-collections/security-access-customsigninpages-developer-reference-8-0-5-0.pdf Hope this resolves your query. Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks! Regards, Kannan
... View more
02-05-2014
02:50:AM
Hi Jro, You have posted the query in right forum, I understand your query. I have tested this requirement and it works. First you need to have active directory authentication server configured in IC. After that configure role mapping based on group mebership. You can use UAC infranet controller for layer 2 802.1x authentication with radius return attribute policy for assigning VLANS based on the roles that the user gets. Assigning static VLANs , open port and VLAN radius attributes are configurable in IC admin UI under network access. Its up to to switch to decide assigning which VLAN based on the return attributes from IC ( radius server), 802.1x works only access port , if you make a port trunk , it will not work. Hope this helps to resolve your issue. Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks! Regards, Kannan
... View more
01-13-2014
02:18:AM
Hi Sasha, We would like to know what Juniper devices that you are using RSA platform for authentication?based on this we can get you appropriate information Regards, Kannan
... View more
01-07-2014
10:37:PM
Hi Hayyan, I suspect the machines account lokced due to failure log in attempts. I suspect the configuration on OAC installed oon the endpoint PC is inititating the repeated auth requests leading to this failure. I recommend you to create a Juniper SUpport case with OAC logs, IC user access and radius debug logs taken during the issue Regards, Kannan
... View more
01-07-2014
10:32:PM
Hi Sasha, I understand that you query is regarding replcaing RSA with yubikey ID, are you using any Juniper products with RSA integaration for authentication. What you expect from Juniper on your query? If you r query is generic without any Juniper Products involved I am not sure whether you will be getting the appropriate information. Regards, Kannan
... View more
01-07-2014
09:44:PM
Hi Peter, Please post your query in the belwo Ethernet Switching forum, its the appropriate forum to dicsuss the Junos Q Fabric issues http://forums.juniper.net/t5/Ethernet-Switching/bd-p/switch Regards, Kannan
... View more
12-30-2013
10:56:PM
Hi Braker, Please check this PSN for more information http://kb.pulsesecure.net/InfoCenter/index?page=content&id=TSB16290&cat=&actp=LIST&showDraft=false Regards, Kannan
... View more
12-26-2013
01:16:AM
Hi, I have tested this long back for one of my issue however once you place the cert in machine store OAC should be able to locate the certs from machien cert store Regards, Kannan
... View more
12-23-2013
06:11:AM
Hi, If you can add the SRX device as radius client along with its dictionary fileand if that dictionary file has the QOS attributes that you specified or if there is a radius RFC complaint QOS attribute availble, you can configure a return policy for that attibute. This is only for SRX and not for screen OS because I dont't think you can add screen OS Firewall as a radius client in IC Regards, Kannan
... View more
12-22-2013
11:00:PM
Hi , I understand your query, after performing MSI based installation or before installuing the OAC I suggest you to use Active directory base Group Policy to push the machine certificates to each machines personal store. OAC should be able to pick the cert once its placed in machine cert store. Hope this resolves query. Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks! Regards, Kannan
... View more
12-22-2013
10:57:PM
Hi Sasha, Can you confirm whether your query is regarding to SBR or UAC or OAC or junos pulse product or some thing else. Also get me more details on the query, based on this we can go forward Regards, Kannan Juniper Networks
... View more
12-17-2013
11:46:PM
Hi Gulia, I understand your query. You can configure RADIUS request attribute policies option available in MAG UAC where we can enforce the action of processing authentication requests based on information in the RADIUS packet before a connection can be authenticated. You assign RADIUS request attribute policies as a realm restriction. Using RADIUS attributes policy available in the UAC IC device you can return VLAN attribute in which the Radius client ( Cisco switch ) will assign the VLAN based on the return attribute.It can be a gusrt VLAN or any other VLAN. To configure a RADIUS attributes policy: In the admin console, select UAC > Network Access > RADIUS Attributes. Click New Policy. On the New Policy page: For Name, enter a name to label this policy. (Optional) For Description, enter al description for the policy. Under Location Group, select the location groups to which you want to apply this policy, and click Add. To apply the policy to all location groups, do not add any location groups and use the default setting (all) listed in the Selected Location Groups list. Under RADIUS Attributes, select from the following options Open Port„Check this option if you do not want to assign endpoints to a VLAN or return any RADIUS attributes. Selecting this check box disables all other RADIUS Attributes options. VLAN„Select this option to configure VLAN assignment according to RFC 3580 by returning the RADIUS tunnel attributes to the NAD. Specify the existing VLAN ID on the network infrastructure that you want to use for the role(s) to which this policy applies. Selecting this option is equivalent to manually specifying the three RFC 3580 RADIUS tunnel attributes in the Return Attribute section. Return Attribute„Select this option to specify the return attributes you want sent to the NAD. This will resolve your query. Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks! Regards, Kannan
... View more
12-17-2013
11:34:PM
Hi Jiff, Yes, your understanding is correct and your requirement posted in the last update is possible and supported in MAG UAC Regards, Kannan
... View more
12-05-2013
12:38:AM
Hi, Your understanding is correct. The following admin UI pages are hidden when the MAGx600-UAC-SRX license is applied: ´ UAC: Infranet Enforcer: IPsec Routing, IP Address Pools ´ Authentication Servers: all are hidden except for Active Directory and local authentication ´ Endpoint Security and Host Checker ´ UAC: Network Access (Layer 2 options) ´ UAC: Host Enforcer ´ IF-MAP Federation ´ Junos Pulse and Odyssey Access Client installation option ´ Agent settings for user roles You can use SRX Series user role policies with or without the MAGx600-UAC-SRX license as an alternative to resource access policies with a standard UAC license. There is no single sign-on capability without the MAGx600-UAC-SRX license. Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks! Regards, Kannan
... View more
Latest Tags
No tags yet
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy.
Pulse Secure has updated its Privacy Policy effective June 28, 2017.
