I got it fully working. In the way you suggested. AD as primary and RSA as secondary auth. server. Works like a champ now :) Thanks! ... View more

Thanks. I am now able to authenticate using tokens. There was a problem with the RSA configuration. I will try to implement LDAP/AD challenge as well next. ... View more

Has anyone ever solved this? I am sitting in the same boat right now and I hit a wall. ... View more

Yes, I am pretty sure that there is no node secret on the RSA server either. ... View more

@Era wrote: Hi!   Here are some details regards our RSA case - http://kb.pulsesecure.net/KB23202   In general just configure AD as LDAP server and as result it will be available under RSA -Directory/Attribute drop list.   It works for my configuration for 20 RSA roles based on AD groups memberships.   Hope it helps.   Ok, I have done this, but I still don't get it to work. I have:   * RSA as Authentication Server * LDAP (AD) as Directory/Atribute Server   Then I try to log in to the realm by using my AD credentials. It takes a while and then tells me wrong username/password. I don't get to see anything where I could enter my tokencode, I am not prompted for it.   On the RSA console I can see the user trying to logon but failed due to " Authentication method failed".    The SSL VPN logs say that "there is no node verification file". I assume this is usually automatically created upon first successfull authentication.   Any ideas?   Thanks   ... View more

@zanyterp wrote: As NateK indicated: are you using RSA-as-RADIUS or the RSA (SecurID) server type? I am using the native RSA SecurID server type. ... View more

@zanyterp wrote: RSA cannot be used for authorization; only LDAP and RADIUS have this potential The secondary authentication server is not only for SSO; it is for if an additional verification is desired, such as what you are doing. Thanks. That's odd though, because I can definitely select RSA as an authorization server when I put an LDAP server in the first spot.   Is there some documentation about this somewhere that goes into the details? ... View more

@filbert: What I want is AD as an authentication server (first spot in the realm's auth server selection), and RSA as a secondary (authorization - second spot). I seem to be unable to do this, probably because AD is configured in native mode, not LDAP, like you said. What I don't understand here is why native does not work while LDAP does. And no, I am not selecting the "additional authentication server" option.   @NateK: Your solutions looks interesting, however, the "additional authentication server" option that you used is usually not for token stuff, it's ment to be for SSO. So I am not sure I want to use this. Does anyone have any thoughts on this?   I will probably just end up defining AD through LDAP and be done with it, but I still would like to understand.   Thanks   ... View more

NateK wrote:   Both AD and RSA will need to be setup as Auth servers on your IVE and you should be golden. Well it doesn't, at least not when AD is setup as "native", not LDAP. Can you confirm that your AD configuration is based on LDAP rather than native AD connection?   Thanks   ... View more

@Filbert wrote: You can't use Native AD as an authorization server. It can only be an authenticaion server. If you confgured AD using LDAP then you could use that as an authorization server. Ok. And that would give me the option to authenticate users agains AD and then ask them for their SecurID Tokencode?   Why would native AD not work?   Thanks Sascha ... View more

Yes, braker, exactly right. When selecting RSA as authentication server, I can not select the AD server as directory/attribute server.   As for you other question: We have an additional LDAP server (pointing to a Novell eDirectory). I can select that as a directory/attribute server, but that's not what I need/want. I need the combination of RSA and Active Directory.   Thanks! ... View more

I might add: Disabling split tunneling and thus forcing all traffic through the VPN does not help. Android keeps using the DNS server of it's primary network unless I use FQDNs.   Another addition: We tried different Android versions from 2.x up to 4.2, all with the same effect. All using the latest Pulse client from Play Store. ... View more

@zanyterp wrote: To provide L3 VPN access for Apple iOS devices, yes, you need to enable Network Connect on the role. Junos Pulse for Mobile on iOS uses a different communication protocol than Junos Pulse for Windows. The iOS communication uses the NC foundation; the Pulse on Wndows client uses a newer communication protocol for endpiont-to-IVE communication. Now that is interesting. Not really obvious. So you are saying if I have a Pulse enabled role and hit that with Pulse on iOS, it won't work? Juniper needs to make this clearer in the admin interface and documentatation. If it's called Pulse on iOS (and not Network Connect), logic would tell me to enable Pulse on the role instead of NC. VERY misleading. ... View more

yes, it's correct, and no, it's not just for iOS. It's for any Pulse client. To make it available to iOS only you would have to make sure only iOS can access that role or ressource. ... View more

@KB_Fan wrote: Product roadmaps can't be disclosed in public forums due to revenue recogntion rules in GAAP accounting. You need to contact your SE or account manager for an NDA discussion. Regards, -Keith This continues to be a problem with Juniper. Most other companies will tell you precisely where they will go in the near future. With Juniper I have to beg for info. Kind of wierd. ... View more

@mrkool wrote: Also we do two factor auth with pulse and it works just fine. when you say it does not handle Radius auth what do you mean? you enable pulse in the role but you setup the auth in the realm and realm will do Radius auth. Most of the SMS based two-factor auth products will require you to log on with normal credentials first (username/password) and once that's verified, challenge the SSL gateway to prompt the user to enter a password a second time (this time his SMS provided pin code). This is done so nobody can just hammer your SSL gateway with fake requests, which would all result in tons of SMS being sent out. Juniper's SSL VPN handles those "secondary" challenges just fine, you can configure many options on how to react on them. Unfortunately, Pulse does not handle this at all. Network Connect does. Anyways, as you can see, Pulse is far away from having reached feature parity with NC. Hence my question: Anyone here know the roadmap of Juniper in this regard? I know they promised feature parity, but I have no details. ... View more

@mrkool wrote: Pulse already does way more than NC what specific features are you looking for? the only short comming of pulse in my case was it does not work from an IVS and according to juniper that will not happen as IVS are being phased out. What version are you talking about? You must have a newer version than me. I am talking about the one available on the Juniper site, 2.x. For starters, it does not plug into Windows Gina. It also does not handle RADIUS authentication where a second challenge is sent from the Radius server (very common in SMS token products) - NC does this without a problem). It's not available on Linux and Mac OS X, like NC is. That's what comes to mind without thinking much about it. I am sure there is more. ... View more

Regarding to the "Supported Platforms" document, Mac OS X 10.7 is not yet supported. Neither in 7.0 nor 7.1. Probably comes with 7.2 which should be released soon (hopefully). ... View more

That's true. What happens if I have a role that has Network Connect enabled (and thus Pulse disabled) and an iOS device is hitting that role? Will it work? Or would I have to use a role that has Pulse enabled? Also, does Pulse plug into GINA on Windows like NC does? Thanks Sascha ... View more