I wanted to see if anyone has any experience with setting up mTLS on a Pulse Secure. I have been trying to get this setup for a few weeks now and am having little luck. Pulse TAC has not been very helpful other than causing the Pulse client to no longer connect due to one of their changes.
Some background:
I would like to have the Pulse challenge the client machine for its machine cert with a particular OID in the EKU field. If the client machine does not provide the cert during the TLS handshake, I would like for the Pulse to RST the connection or something similar. I do not want it to proceed to any screen that may provide information to a potential malicious user.
I currently have 2 realms and roles in place as requested by the Pulse engineer. One for the machine tunnel using PKI and one for the user which will use AD and SecureAuth for authentication.
Currently in my pcaps, I see the TLS handshake begin and once they go to change the cipher spec, the pulse sends a RST because the client is not providing a cert. I can see this in the pcap as the cert length field is set to 0. I feel like I have tried every option on the device that might seem related to mTLS but am getting nowhere and now after Pulse tried playing around in there, I am getting a general network error on the client(error 1115) which tells me nothing and can no longer reach the server from the web portal.
I am at a loss and this project coming to the deadline with this being my last hurdle. Any advice or experience would be appreciated. Thanks!
No comments:
Post a Comment