Cert-only auth does not succeed. However, it does succeed with Network Connect. The support contract on this unit has expired so I can't open a case, but I think I have encountered a bug with the Junos Pulse client for Mac OS X. I am getting an issuer cert mismatch, possibly due to the fact the O= organization component of the RDN has a comma in the name, which seems to trigger a set of double quotes around the value when compared. I'm not certain that's all that is wrong, but Junos Pulse is calling it an RDN mismatch and Network Connect and SSL browsers have no problem with it.

Below is the cert search output from the debug log on the client:

00225,09 2012/07/21 15:01:29.975 3 test_user PulseTray Pulse p1654 t40B jamCert.cpp:346 - 'JamCertLib' 1) Processing Certificate [Subject: test_user, Issuer: ca.example.com, Thumbprint: 723454574BAA2847E1201F2FC345AC929314A0AE]
...
00172,09 2012/07/21 15:01:29.975 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:125 - 'JamCertLib' Found Keychain (path: /Users/test_user/Library/Keychains/login.keychain)
00155,09 2012/07/21 15:01:29.975 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:125 - 'JamCertLib' Found Keychain (path: /Library/Keychains/System.keychain)
00244,09 2012/07/21 15:01:29.975 3 test_user PulseTray Pulse p1654 t40B osxCert.cpp:1259 - 'JamCertLib' Private key found for certificate: Certificate [Subject: test_user, Issuer: ca.example.com, Thumbprint: 723454574BAA2847E1201F2FC345AC929314A0AE]
00194,09 2012/07/21 15:01:29.976 3 test_user PulseTray Pulse p1654 t40B osxCert.cpp:1074 - 'JamCertLib' SecTrustEvaluate() succeeded with SecTrustResultType (1: kSecTrustResultProceed (Always Trust))
00390,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:678 - 'JamCertLib' Comparing cert-rdn ([email protected],CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US) with rdn (C=US,ST=State,L=Anytown,O=\"Example Company\, Inc.\",OU=Information Systems,CN=ca.example.com,[email protected])...
00390,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:678 - 'JamCertLib' Comparing cert-rdn ([email protected],CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US) with rdn ([email protected],CN=ca.example.com,OU=Information Systems,O=\"Example Company\, Inc.\",L=Anytown,ST=State,C=US)...
00313,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:743 - 'JamCertLib' Cert doesn't have matching issuer-RDN: [email protected]; 2.5.4.3=ca.example.com; 2.5.4.11=Information Systems; 2.5.4.10="Example Company, Inc."; 2.5.4.7=Anytown; 2.5.4.8=State; 2.5.4.6=US
00284,09 2012/07/21 15:01:29.977 3 test_user PulseTray Pulse p1654 t40B jamCert.cpp:407 - 'JamCertLib' Filtering out Certificate [Subject: test_user, Issuer: ca.example.com, Thumbprint: 723454574BAA2847E1201F2FC345AC929314A0AE] based on its issuer name not matching in server specified list
00532,09 2012/07/21 15:01:29.977 5 test_user PulseTray Pulse p1654 t40B pluginListener.cpp:804 - 'JamUI' UiPlugin-PostJob xid = 32, kPromptAllowSave = 1, kPromptLoginName = '', kPromptServerName = 'EXAMPLE', kPromptSSID = '', kPromptServerURL = 'connect.example.com', kPromptServerType = 'ive', kPromptConnectionId = 'd61c590912e74ebf990fafa3ff57603a', kPromptProxyURL = '', kPromptCertificateErrorStatus = 0, kPromptRetryAuth = 0, kPromptSecondAuth = 0, kPromptProxyAuth = 0, kPromptSecurId = 0, kRequestedUserName = '', kPromptChallenge = ''
00135,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B MacStddefine.mm:45 - 'JamUI' postmessage received from main thread
00168,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B MacStddefine.mm:26 - 'JamUI' PostMessageToUI post message received for window 65535 , commandtype 50
00166,09 2012/07/21 15:01:29.978 4 test_user PulseTray Pulse p1654 t40B MacStddefine.mm:29 - 'JamUI' PostMessageToUI posted successfully for window 65535 , commandtype 50
00180,09 2012/07/21 15:01:29.978 4 test_user PulseTray Pulse p1654 t40B PulseTrayController.mm:387 - 'JamUI' postmessageReceiver post message received for window 65535 , commandtype 50
00173,09 2012/07/21 15:01:29.978 4 test_user PulseTray Pulse p1654 t40B PulseTrayController.mm:402 - 'JamUI' OnJamCommand post message received for window 65535 , commandtype 50
00220,09 2012/07/21 15:01:29.978 3 test_user PulseTray Pulse p1654 t40B DialogManager.cpp:266 - 'JamUI' Prompt request kPromptTypeGetClientCertificate, Connection='EXAMPLE', Index=(ive:d61c590912e74ebf990fafa3ff57603a), xid = 32
00206,09 2012/07/21 15:01:29.978 3 test_user PulseTray Pulse p1654 t40B DialogManager.cpp:1017 - 'JamUI' Prompt reply kUIStatusCompleted, Connection='EXAMPLE', Index=(ive:d61c590912e74ebf990fafa3ff57603a), xid = 32
00141,09 2012/07/21 15:01:29.978 1 root dsAccessService eapService p1691 t8DFF JNPRClient.cpp:3291 - 'eapService' No valid client certificate found.
00146,09 2012/07/21 15:01:29.978 4 root dsAccessService eapService p1691 t8DFF EapService.cpp:28 - 'eapService' processUserCertRequest - no cert selected

These being the pertinent lines:

00390,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:678 - 'JamCertLib' Comparing cert-rdn ([email protected],CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US) with rdn (C=US,ST=State,L=Anytown,O=\"Example Company\, Inc.\",OU=Information Systems,CN=ca.example.com,[email protected])...
00390,09 2012/07/21 15:01:29.977 4 test_user PulseTray Pulse p1654 t40B osxCert.cpp:678 - 'JamCertLib' Comparing cert-rdn ([email protected],CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US) with rdn ([email protected],CN=ca.example.com,OU=Information Systems,O=\"Example Company\, Inc.\",L=Anytown,ST=State,C=US)...
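An added example, not part of the original post and not Junos Pulse code: a DN comparison that decodes both the backslash-escaped form and the quoted form of a value before comparing, and shows why a quoted value that has been escaped a second time (as in the `rdn (...)` strings logged above) no longer matches. The function names and the three sample strings are assumptions built from the values in the log, with the redacted e-mail RDN left out.

```python
import re

HEX = re.compile(r"[0-9A-Fa-f]{2}")

def parse_dn(dn):
    """Return [(TYPE, value), ...] for a DN string.

    Accepts backslash escapes (RFC 4514) and the older quoted-value form
    (RFC 2253/1779). Simplified: single-valued RDNs, ASCII hex escapes only.
    """
    rdns, cur, quoted, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            if HEX.fullmatch(dn[i + 1:i + 3]):      # \2C style hex pair
                cur.append((chr(int(dn[i + 1:i + 3], 16)), True))
                i += 3
            else:                                    # \, or \" is a literal char
                cur.append((dn[i + 1], True))
                i += 2
            continue
        if c == '"':                                 # unescaped quote toggles quoting
            quoted = not quoted
        elif c in ",;" and not quoted:               # RDN separator
            rdns.append(cur)
            cur = []
        else:
            cur.append((c, quoted))
        i += 1
    rdns.append(cur)
    out = []
    for chars in rdns:
        eq = next((k for k, (ch, lit) in enumerate(chars) if ch == "=" and not lit), None)
        if eq is None:
            raise ValueError("RDN without '='")
        body = chars[eq + 1:]
        while body and body[0] == (" ", False):      # trim unescaped padding only
            body.pop(0)
        while body and body[-1] == (" ", False):
            body.pop()
        atype = "".join(ch for ch, _ in chars[:eq]).strip().upper()
        out.append((atype, "".join(ch for ch, _ in body)))
    return out

def dn_equal(a, b):
    """Compare decoded values (case and whitespace folded), in either RDN order."""
    norm = lambda dn: [(t, " ".join(v.split()).casefold()) for t, v in parse_dn(dn)]
    x, y = norm(a), norm(b)
    return x == y or x == y[::-1]

# Constructed from the values in the log above, without the redacted e-mail RDN.
CERT = r"CN=ca.example.com,OU=Information Systems,O=Example Company\, Inc.,L=Anytown,ST=State,C=US"
QUOTED = 'C=US,ST=State,L=Anytown,O="Example Company, Inc.",OU=Information Systems,CN=ca.example.com'
REQUOTED = r'C=US,ST=State,L=Anytown,O=\"Example Company\, Inc.\",OU=Information Systems,CN=ca.example.com'
```

`dn_equal(CERT, QUOTED)` is true because both decode to the same O value, while `dn_equal(CERT, REQUOTED)` is false because `\"` decodes to a literal quote character that becomes part of the value.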