- Pulse Secure Community
- :
- About doug_fir_
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
since
10-29-2017
10-29-2017
doug_fir_
Occasional Contributor
13
Posts
0
Kudos
1
Solution
05-06-2015
10:04:AM
Our SA2500 kicked the bucket out of warranty, and we quickly built up the virtual appliance to at least let 3 users in w/o a license. Is it possible to move a 50 user license from our now-deceased SA2500 to the virtual appliance? I know the virtual systems require a licensing server and can't have the licenses applied directly, just want to know if this is even possible.
... View more
07-23-2012
09:50:AM
Just to update this in case anyone encounters it in the future, I recreated a test private certificate authority which did not include a comma in the O= section. Certificates signed by this authority work fine with the Junos Pulse Mac OS X client now. I'm not certain there was not some other misconfiguration in my previous cert authority besides the comma, but this solved the problem. Strangely, this error did not occur using the Junos Pulse iOS client with certs signed by the previous cert authority. Regards.
... View more
07-21-2012
04:23:PM
Cert-only auth does not succeed. However, it does succeed with Network Connect. The support contract on this unit has expired so I can't open a case, but I think I have encountered a bug with the Junos Pulse client for Mac OS X. I am getting an issuer cert mis-match, possibly due to the fact the O= organization component of the RDN has a comma in the name, which seems to trigger a set of double quotes around the value when compared. I'm not certain that's all that is wrong, but Junos Pulse is calling it an RDN mismatch and Network Connect and SSL browsers have no problem with it. Below is the cert search output from the debug log on the client: 00225,09 2012/07/21 15:01:29.975 3 test_user PulseTray Pulse p1654 t40B jamCert.cpp:346 - 'JamCertLib' 1) Processing Certificate [Subject: test_user, Issuer: ca.example.com, Thumbprint: 723454574BAA2847E1201F2FC345AC929314A0AE] ... 00172,09 2012/07/21 15:01:29.975 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:125 - 'JamCertLib' Found Keychain (path: /Users/test_user/Library/Keychains/login.keychain) 00155,09 2012/07/21 15:01:29.975 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:125 - 'JamCertLib' Found Keychain (path: /Library/Keychains/System.keychain) 00244,09 2012/07/21 15:01:29.975 3 test_user PulseTray Pulse p1654 t40B osxCert.cpp:1259 - 'JamCertLib' Private key found for certificate: Certificate [Subject: test_user, Issuer: ca.example.com, Thumbprint: 723454574BAA2847E1201F2FC345AC929314A0AE] 00194,09 2012/07/21 15:01:29.976 3 test_user PulseTray Pulse p1654 t40B osxCert.cpp:1074 - 'JamCertLib' SecTrustEvaluate() succeeded with SecTrustResultType (1: kSecTrustResultProceed (Always Trust)) 00390,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:678 - 'JamCertLib' Comparing cert-rdn ([email protected],CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US) with rdn (C=US,ST=State,L=Anytown,O=\"Example Company\, Inc.\",OU=Information Systems,CN=ca.example.com,[email protected])... 00390,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:678 - 'JamCertLib' Comparing cert-rdn ([email protected],CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US) with rdn ([email protected],CN=ca.example.com,OU=Information Systems,O=\"Example Company\, Inc.\",L=Anytown,ST=State,C=US)... 00313,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:743 - 'JamCertLib' Cert doesn't have matching issuer-RDN: [email protected]; 2.5.4.3=ca.example.com; 2.5.4.11=Information Systems; 2.5.4.10="Example Company, Inc."; 2.5.4.7=Anytown; 2.5.4.8=State; 2.5.4.6=US 00284,09 2012/07/21 15:01:29.977 3 test_user PulseTray Pulse p1654 t40B jamCert.cpp:407 - 'JamCertLib' Filtering out Certificate [Subject: test_user, Issuer: ca.example.com, Thumbprint: 723454574BAA2847E1201F2FC345AC929314A0AE] based on its issuer name not matching in server specified list 00532,09 2012/07/21 15:01:29.977 5 test_user PulseTray Pulse p1654 t40B pluginListener.cpp:804 - 'JamUI' UiPlugin-PostJob xid = 32, kPromptAllowSave = 1, kPromptLoginName = '', kPromptServerName = 'EXAMPLE', kPromptSSID = '', kPromptServerURL = 'connect.example.com', kPromptServerType = 'ive', kPromptConnectionId = 'd61c590912e74ebf990fafa3ff57603a', kPromptProxyURL = '', kPromptCertificateErrorStatus = 0, kPromptRetryAuth = 0, kPromptSecondAuth = 0, kPromptProxyAuth = 0, kPromptSecurId = 0, kRequestedUserName = '', kPromptChallenge = '' 00135,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B MacStddefine.mm:45 - 'JamUI' postmessage received from main thread 00168,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B MacStddefine.mm:26 - 'JamUI' PostMessageToUI post message received for window 65535 , commandtype 50 00166,09 2012/07/21 15:01:29.978 4 test_user PulseTray Pulse p1654 t40B MacStddefine.mm:29 - 'JamUI' PostMessageToUI posted successfully for window 65535 , commandtype 50 00180,09 2012/07/21 15:01:29.978 4 test_user PulseTray Pulse p1654 t40B PulseTrayController.mm:387 - 'JamUI' postmessageReceiver post message received for window 65535 , commandtype 50 00173,09 2012/07/21 15:01:29.978 4 test_user PulseTray Pulse p1654 t40B PulseTrayController.mm:402 - 'JamUI' OnJamCommand post message received for window 65535 , commandtype 50 00220,09 2012/07/21 15:01:29.978 3 test_user PulseTray Pulse p1654 t40B DialogManager.cpp:266 - 'JamUI' Prompt request kPromptTypeGetClientCertificate, Connection='EXAMPLE', Index=(ive:d61c590912e74ebf990fafa3ff57603a), xid = 32 00206,09 2012/07/21 15:01:29.978 3 test_user PulseTray Pulse p1654 t40B DialogManager.cpp:1017 - 'JamUI' Prompt reply kUIStatusCompleted, Connection='EXAMPLE', Index=(ive:d61c590912e74ebf990fafa3ff57603a), xid = 32 00141,09 2012/07/21 15:01:29.978 1 root dsAccessService eapService p1691 t8DFF JNPRClient.cpp:3291 - 'eapService' No valid client certificate found. 00146,09 2012/07/21 15:01:29.978 4 root dsAccessService eapService p1691 t8DFF EapService.cpp:28 - 'eapService' processUserCertRequest - no cert selected These being the pertinent lines: 00390,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:678 - 'JamCertLib' Comparing cert-rdn ([email protected],CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US) with rdn (C=US,ST=State,L=Anytown,O=\"Example Company\, Inc.\",OU=Information Systems,CN=ca.example.com,[email protected])... 00390,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:678 - 'JamCertLib' Comparing cert-rdn ([email protected],CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US) with rdn ([email protected],CN=ca.example.com,OU=Information Systems,O=\"Example Company\, Inc.\",L=Anytown,ST=State,C=US)...
... View more
07-02-2012
06:37:PM
Just to add, I can see in /var/log/system.log: dsAccessService[93]: COdCertLib::OpenCertStore: opening CA/Root store 'Current User/Library/Keychains/login.keychain' So it looks like Junos Pulse is attempting to look in the keychain, just not seeing my client certificate. Again, this certificate works fine for Safari. Disabling the cert requirement makes Junos Pulse connect successfully. I have duplicated the issue on 10.6.8 on a separate system.
... View more
07-02-2012
06:09:PM
Thanks so much for the replies, sorry it has taken a bit for me to reply. Yes, Safari works fine with a client cert installed in the keychain, and Network Connect has no problem with it. If I purposefully remove the cert+key I get rejected from the SA, so I know it's referencing it in Safari. The response I get in Junos Pulse (v3.0) is "Missing or invalid client certificate". This is in Mac OS X 10.7.4, connecting to an SA2500. Is there a way to see more detailed debug logs for the client app? Thanks for the help.
... View more
06-28-2012
09:34:PM
Great to see a Junos Pulse Mac OS X client now. We would love to use it, but it doesn't seem to allow for client certificate auth + user/pass. Does it check the user's keychain for a client cert, or is this not an available feature yet? Does everyone just do user/pass auth for their SA's? We want to keep our cert + user/pass config. Thanks!
... View more
02-29-2012
02:51:PM
Yep, already started going the LDAP SSL route to work around this. Thanks for the information.
... View more
02-29-2012
11:01:AM
Greetings, I have an SA2500 on which I'm trying to set up an Active Directory auth server. I am getting failures to bind when testing the connection in the auth server config screen. The AD servers require LDAP signing for security, and I get messages in AD that the SA is attempting to bind without requesting signing. Is there a way to configure the SA to request signing for integrity validation, or is this simply not an option? Thanks.
... View more
07-23-2010
04:49:PM
Finally figured it out. It looks like the certificates on the client were not getting imported properly. The private key portion was not getting installed. Thanks for your time.
... View more
07-23-2010
12:47:PM
Thanks for the help, Kevin. Unfortunately it's not working in Windows either. The error for both OS clients in the User Access log is "Login failed. Reason: NoCert". Interesting you place your cert in the MS Intermediate Certs keychain. I would think the login keychain would be the first choice, and that's where I placed it. I'm wondering if there are any specific guidelines for cert creation that I'm missing, and my cert is invalid in some way. We are using our own local CA, who's cert is installed on the SA under Trusted Client CA's and Trusted Server CA's. the CA cert is also installed on the clients, and each client auth certificate is using the CN of the username, firstname_lastname for example. The device certificates are also signed by the same local CA, so everyone is working under the same trust, and the certs appear valid in the keychain. Is there any chance of a network issue? Does the SA _initiate_ traffic with the client that could cause a firewall established-related traffic problem? I can look into this but any insight would be helpful. Thanks for your help again.
... View more
07-21-2010
02:38:PM
I'm having a heck of a time getting our SA4500 to accept client certificates we've signed with our internal CA. We're trying to auth with first a client certificate, and then a radius name/pass. Both client and SA are aware of our internal CA cert, but we can't get the browser to produce the cert for the login. Users are using Safari, but we've also tried Firefox with no luck. The message is "No certificate found". However, the client cert is sitting in Keychain Access, and appears valid. We name the locally-signed client certs by first_last for the CN. I've also tried setting the certificate preference in Keychain Access to use that specific cert for the url of the SSL VPN but no luck! Thanks for any help you can provide.
... View more
01-08-2009
11:29:AM
Thanks for the reply! If it's as simple as an LDAP transaction it should be no problem.
... View more
01-07-2009
09:02:PM
This is a long shot if someone can help us, but we have an Apple Open Directory server and are wondering if it would substitute for an Active Directory server to provide user authentication. Open Directory can represent itself as a PDC to windows users, and we'd like to access groups on that server to authenticate ssl vpn connections. We are considering an SSL VPN 4500 but this would be a necessary prerequisite. Thanks.
... View more
Latest Tags
No tags yet
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy.
Pulse Secure has updated its Privacy Policy effective June 28, 2017.
