I'm toying around with that now... I think my username template needs some love. We tried revoking the certificate on the certificate server; however, it looks like the cert auth server within Juniper is just checking to see whether the connecting client computer has a certificate that matches the criteria defined in the username template field, and not checking the actual certificate server for whether that certificate is still approved. Now I'm no certificate expert, and honestly have only been in charge of our SSL implementation for a few months, so I'm way behind the learning curve. But that looks to be the issue. While we are at it, is anyone out there good with the certificate username template strings? It's pretty much Greek to me; it looks like it's similar to an LDAP query, but the syntax is different enough to throw me. We are currently using a basic <certDN.CN> string, and while I know that's likely the issue, most of the testing I've done has had similar results or broken authentication completely.