There are two ways inactivity can happen.  First is the user not sending heartbeats.  Say a user logs in from a laptop.  Then the close the lid on the laptop and go home.  Their session length may be set very long, but they will miss heartbeats and eventually be timed out and removed from the IC.  You want this to happen to remove users that are no longer on your network.  The second way inactivity time out happens is if you have the role option for use traffic through the firewall.  Then, if the user doesn't send traffic through the firewall for a certain period of time they get logged out.   Both of these are configured on the role session options page.   No IP and No timestamp mean they auth at L2, but don't make an L3 connection.  When Pulse or OAC authenticates to an IC, they will make the L3 connection to the IC after the 802.1x (L2) connection has taken place.  That is how the IC knows the IP address of the workstation.  If this isn't showing up in the logs then likely your user is blocked from talking to the IC at L3.  Could be a routing issue, a network firewall issue, a windows firewall issue, etc.  Windows firewall may be application specific.  They might be able to get to the IC with a web browser but they can't with Pulse or OAC.  Fix the L3 issue with that workstation and you will get their IP and time stamp (and stop seeing them auth every minute). ... View more

You are completely correct that it should work.  Please contact JTAC and lets see if we can figure out what is wrong with Pulse L2.  For some reason it is not liking your cert or thinking it matches at L2.  And that makes no sense, because browser and L3 work.  So please contact JTAC and lets see if we can figure out what is going on with Pulse at L2.   The only other test you could run would be to try just the windows supplicant at L2, though that doesn't solve your Pulse problem at L2.  Honestly I would expect that to work.  I think the issue might be related to Pulse L2 and we would want to verify that it has the cert data correctly on the client side.  You might try uninstalling and reinstalling the Pulse client.  Then allow the workstation to deploy the client from the IC at L3 (so you'll have all the settings configured from the IC). ... View more

The only supported host checking on mac OS X takes place at layer 3.  So you could do dot1x via open protocols and then configure captive portal on a firewall for host checking.  Either that or you could use Pulse for host checking.  You would still need a firewall enforcer though.   The only other thing I could think would be to use our MDM features.  With MDM, the IC will check against someone like Mobile Iron or Airwatch MDM.  That does require the extra part of using an MDM though.   Thanks -Jeff ... View more

Hello, So OAC / Host checker doesn't do DHCP. What happens is that when you fail a host check, this triggers OAC to do a re-auth. This reauth now re-evaluates your roles and your radius attribute policies and can thus pass back a different vlan tag to the switch. After that point, OAC sends a notification to windows called a media connect. This is the same thing that happens in windows as when you are plugging in a network cable. Windows then sends out a dhcp request to your DHCp server. The server would retrun a certain set of DHCP options, one of which should be the default gateway. As far as a remediation server being on a different network, that's all going to be a matter of networking. If the server is route-able from the remediation network, then the PC will be able to reach it. The trick is to make sure that the IC is reachable from the remediation network. If not, then host check will never run again except at the next auth interval or if you manual tell OAC to reconnect to the network. Host check runs at the initial 802.1x auth, but needs to be able to reach the IC in order to perform checks at the regular intervals or for "notify me of a change" settings to work. My guess would be that either you've got static information entered on the PC, or your DHCP server is passing back odd options. You should be able to install wireshark or something to check to see if your DHCP server is returning the wrong gateway. Thanks -Jeff ... View more

I know folks have used regular LDAP servers such as OpenLDAP to do mac auth to LDAP. As far as using AD ldap, you would need to provide more information on why its failing and where its failing. If you aren't doing secure LDAP, you could do a tcpdump between the IC and AD to see the LDAP calls and tell why its failing. Thanks -Jeff ... View more

I would strongly advise you to file a case with Juniper Support (JTAC) to resolve this issue. Thanks -Jeff ... View more

It really depends on the security problem you are trying to solve. If you are only worried about which workstations are on your network, then you only need machine auth. If you use domain logins for all the workstations, you don't have to do user network auth as they will still require authentication to get logged into the workstation. If you want to have different vlans for users vs computers, then you'll need to do machine auth and then switch to user auth. All is configurable in the Odyssey Administrator. ... View more

1) Machine auth against an IC can happen at L2 (802.1x) The auth server type used on the IC MUST be AD, not LDAP. I know that "AD" has LDAP capabilities, but you can not do machine auth with an IC with an auth server of type LDAP pointing at an AD. The reason has to do with the type of auth being done. Its not possible to perform the type of auth over LDAP, only via the auth means employed by an auth server of type AD. 2) Machine auth with Machine credentials is possible with the OAC supplicant at L2 (802.1x, thus pre-IP address) 3) Yep, you can get machine GPO's. You can leave machine auth up if you only desire to auth the machine to the network. Some people like to auth the machine, and then auth the user. This is a more complex config as the timing can get a little awkward to make sure user GPO's get applied correctly since the supplicant has to disconnect the machine 802.1x auth, and authenticate as the user (this involves a small break in L3 network connectivity.) It works, but it can get a little tricky depending on your network setup and GPO configuration. I would strongly recommend testing this on your network before putting into production. 4) Yes this can work with the caveats mentioned in 3) ... View more

So if you are trying to use machine auth with machine credentials then you can't use an LDAP realm. You must use an AD auth server. If your AD server is 2008 then you should checkout the following KB: http://kb.pulsesecure.net/KB14345 Thanks -Jeff ... View more

IC doesn't currently (3.1) have a SAML server auth server option. If this is something you want, please talk to your Sales folks. Sorry Thanks -Jeff ... View more

Heya, With a critical error like that, showing an assertion, you should file a JTAC ticket. -Jeff ... View more

Martin, Off the top of my head there are a couple of things that could cause auth table entries not to get pushed: 1) If the IC believes the client machines communicaiton is natted to the IC 2) If the FW does not have any defined infranet auth policies 3) if the IC auth table mapping policy is configured for dynamic (for testing, you should start out with always provision setting - that is the default) 4) if no IE resource policies are defined on the IC So first, I would say verify that the IC and the client are communicating directly (without nat) Second, make sure you have some infranet auth policies defined on the FW (in the FW gui, these policies will show with a little shield icon) Third, verify your IC configuration to make sure your resource policies and your auth table mapping policies are defined correctly. Hope some of that helps. If not, it might be time to call JTAC Thanks sir -Jeff ... View more

Chuck, SecureID works fine with UAC. The FW would then not authenticate you to the Radius server, but the IC would authenticate you to the RSA box. You could then either use the UAC agent on your workstations or use agentless access through a web browser. Then we can do either SourceIP to the FW or do individual VPN's from the endpoints to the FW. Also, uac integrates with 802.1x capable switches for even more security. ... View more

Raja, If your machines are done doing 802.1x, and you aren't using the ISG for infranet auth, then UAC wouldn't be causing any issues. OAC does 802.1x at L2, but then everything else is windows. So from DHCP to all L3 activity, OAC isn't involved. Once 802.1x has completed, OAC tells windows that it has a "media connect". At that point windows goes out and does DHCP, and OAC will report back the IP address received through the OAC interface, but its done at that point. The only other thing I could think of would be switch timers. Maybe you are getting kicked off the network every now and then? I would think you'd be seeing a lot worse symptoms than outlook communications issues though. Are you looking to do source IP enforcement or VPN with UAC? You would want to configure your policies on your fw for infranet auth if you were going to do that. Also, for your vlan's, one reminder is that if you are using host checker with UAC, then your vlan's need to route back to the IC at least. The vlans don't need to go anywhere else, but they should allow traffic back to the IC's IP address so that the clients can talk to the IC at L3. Initital host checks can take place at L2, but periodic host checks or "monitor this policy for change" host checks require an active L3 connection back to the IC. If you continue to have problems, you could open a tac case and we can review the OAC logs to see if you are seeing disconnects. Otherwise I would try some debugging on the FW or running simple ping tests from your workstations. Thanks -Jeff ... View more

Martin, It sounds like you are having some network issues. Do you have any kind of network diagram? You can add pictures to the forum, so even if you could draw something up in paint that would be fine. Where do the vlan's terminate? Do they feed into the ISG1000? Are you using the ISG1000 as the gateway for both the trusted and untrusted vlans? Can you post your ISG1000 configuration? It sounds like you may be missing an infranet auth firewall policy. When OAC authenticates to the IC, are you seeing auth table entries on the FW? You can check via the cli with get auth table infranet Also, I'm not sure I follow on the LDAP setup. Are you doing LDAP via an IC AAA server, or are you doing LDAP from the workstation? Are you using OAC with windows XP GINA? Thanks sir -Jeff ... View more

The way I have seen this done was to use a URL in the remediation message that would point at an installer file. That way, the user can just click on a link in the remediation message and it would launch an installer. Also, you can use auto-remediation to have the AV client request new signatures. Currently there is no integration with SMS to trigger a package install. The only other way I could think to do this would be with a session start script assigned to the remediation role. Start scripts aren't as nice because it would run everytime the roll was assigned and it would also require the script to already be on a local workstation (a .bat file in some c: directory) ... View more

Rob, Glad I could help, let me know how that goes. Yeah, its a bit misleading because the section is labeled Machine Auth, and it is designed around doing 802.1x, but it can do any type of auth OAC can handle. So you should be able to add your AP statically or to an auto-scan list and have OAC try to connect at the machine auth time, even though it won't actually be doing machine auth. Basically, we will just be taking advantage of the fact that the we need OAC to associate to a network without being connected in a user context. ... View more

Even with machine auth, your machine would disconnect you from the user session and re-auth with the machine credentials. Now as far as gina modules go, there are some GINA modules that OAC can chain together with. That said, I'm not sure I understand the functionality you are hoping to achieve. If this is a home user, and they are logging off of their workstation, then why are you looking to have the wireless stay online? If they have no access to your corporate network while they logoff, then what is the point of having network access when they aren't logged in? Does the VPN start at machine time? Did you know that OAC can chain together with some GINA modules? ... View more

This is not anything I've ever heard about. Please open a JTAC case for assistance. ... View more

One thing to note on terminology: A preconfiguration file is a file that can be placed on a role on an IC running UAC 2.2 or later. You can not do a silent install when deploying OAC from an IC using a preconfiguration file. A custom MSI does have the option for a slient install. You can create a custom MSI with an option for a silent install and this should work as you would expect. However, you would need to deploy the custom MSI using enterprise software deployment tools (sms, login scripts, ghost, arconis, radia, zenworks, etc.) ... View more

Kamran If you do not have this working then please open a case with TAC. We should be able to get you up and running. ... View more

Checkout the Odyssey Client Manager -> Tools -> Odyssey Client Administrator -> Initial Settings. When you configure things in initial settings they should get pushed to any user that has not logged in before with OAC installed. So if admin install OAC, configure initial settings, then User a logs in they should get initial settings. However, if you then go back, login admin again, configure initial settings, and user A logs back in, they will not get the updated settings. The only way to try to get user A to get updated initial settings is with Odyssey Client Adminisitrator -> Merge Tools. ... View more

All, to my knowledge you can not disable the auto-upgrade in any version of UAC. This is currently not planned for UAC 2.2 However, in UAC 2.2 you can push out all of the same settings you would normally push through a custom installer. This includes GINA and other settings. ... View more

Actually, OAC's Odyssey Client Adminitrator has the ability to create a customer installer. One of the settings you can configure when creating a customer installer is a silent install. enjoy! ... View more

Sofia, You will probably need to contact JTAC to open a case. You can do so through the web case manager off the support page. http://www.juniper.net/customers/support/index.jsp Click on Case Manager and login with your CSC information. ... View more

It should work. The problem is usually that the username comes across slightly different. Make sure that the names all appear in the same case in the same formating. The issue of formating is an issue that we are aware of and are planning to fix. Keep your eye on the release notes. ... View more

For OAC licensing: OAC UAC edition is feature parity with OAC Enterprise Edition So if you want to use OAC Enterprise Edition, you can use that with your IC and use the UAC-ADD-OAC license. This license allows your OAC EE to work with an IC (and not count against your endpoint licenseing). However, then you will need to purchase a number of OAC-XXXCLT licenses for your workstations. So either way you pay for endpoints. With the OAC-XXXCLT licenses and the OAC-ADD-UAC you will have to keep track of licensing on your workstations. With the IC4000-ADD-XXXE licenses, you can use those for OAC UE, OAC EE, Agentless, or Third party supplicants. So with the IC4000-ADD-XXXE you get some more features. It really just depends on what you need. ... View more