KB22849 - Pulse Connect Secure (PCS) is unable to export the user sessions to the IF MAP server

Information

 
Last Modified Date: 8/1/2015 4:33 AM
Synopsis
This article describes a customer-reported issue in which Pulse Connect Secure (PCS) does not export user sessions to the IF-MAP server, and the Network Connect / Pulse Secure Desktop client requirement that explains it.
Problem or Goal
The customer has one Federation server (a PPS) and two Federation clients (one PCS and one PPS). After logging in to the PPS, the customer is unable to see the user session on either the PCS or the PPS at the following locations:

  • On the PCS: IF-MAP Federation > Active Users
  • On the PPS: IF-MAP Federation > This Server > Federation-Wide Sessions
Cause
Solution
To verify IF-MAP Federation on the Infranet Controller (PPS) and the PCS device, confirm that:
  1. Dynamic auth table provisioning is enabled on every connected Infranet Enforcer that is to participate in Federation.
  2. On the Infranet Controller, the IF-MAP server settings are configured to allow the server to communicate with its IF-MAP clients.
  3. On each client, the IF-MAP client settings are configured to allow it to communicate with the IF-MAP server.
  4. Session-Import policies, Session-Export policies, roles, and resource access policies are coordinated between all clients in the Federated network, on the Infranet Controller and the PCS device alike.
  5. Session-Export policies are configured on the PCS devices to define how their sessions are translated into IF-MAP data.
  6. Session-Import policies that correspond to those Export policies are configured on the PCS, so that IF-MAP data is translated back into PCS roles.
  7. On the Infranet Controller, Source IP policies are configured for the PCS users who will use Source IP enforcement to access the network.


The following entries were found:

From the PPS event log (the IF-MAP client at 172.18.235.98 is sending publish requests to the PPS and receiving responses, so client/server connectivity itself is working):

info - System()[] - 2011/08/02 15:41:42 - Received IF-MAP request from client 172.18.235.98: <?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:jnpr="http://www.abc.net/2008/IFMAP/1" xmlns:meta="http://www.trustedcomputinggroup.org/2006/IFMAP-METADATA/1" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:jnpr2="http://www.pulsesecure.net/2009/IFMAP/1" xmlns:ifmap="http://www.trustedcomputinggroup.org/2006/IFMAP/1" xmlns:wsdl="http://www.abc.net/2008/IFMAP/1/ifmap.wsdl"> <SOAP-ENV:Header> <ifmap:session-id>172.18.235.98:26883 </ifmap:session-id> </SOAP-ENV:Header> <SOAP-ENV:Body> <ifmap:publish validation="None"> <delete filter="meta:access-request-ip[@publisher-id=&quot;1rBLrYw/2&quot;]"> <link> <identifier> <access-request name="1rBLrYw/2:sid1e28ecf14773120fedfd574085468d7de436755835ff673a"> </access-request> </identifier> <identifier> <ip-address type="IPv4" value="172.19.30.93"> </ip-address> </identifier> </link> </delete> <delete filter="meta:capability[@publisher-id=&quot;1rBLrYw/2&quot;]"> <identifier> <access-request name="1rBLrYw/2:sid1e28ecf14773120fedfd574085468d7de436755835ff673a"> </access-request> </identifier> </delete> <delete filter="meta:role[@publisher-id=&quot;1rBLrYw/2&quot;]"> <link> <identifier> <access-request name="1rBLrYw/2:sid1e28ecf14773120fedfd574085468d7de436755835ff673a"> </access-request> </identifier> <identifier> <identity type="username" name="RBoswell"> </identity> </identifier> </link> </delete> <delete filter="meta:authenticated-as[@publisher-id=&quot;1rBLrYw/2&quot;]"> <link> <identifier> <access-request name="1rBLrYw/2:sid1e28ecf14773120fedfd574085468d7de436755835ff673a"> </access-request> 
</identifier> <identifier> <identity type="username" name="RBoswell"> </identity> </identifier> </link> </delete> <delete filter="jnpr:authn-info[@publisher-id=&quot;1rBLrYw/2&quot;]"> <identifier> <identity other-type-definition="jnpr.net:migration" type="other" name="986e16b37f07466f5f2b"> </identity> </identifier> </delete> <delete filter="jnpr:migration-id[@publisher-id=&quot;1rBLrYw/2&quot;]"> <link> <identifier> <access-request name="1rBLrYw/2:sid1e28ecf14773120fedfd574085468d7de436755835ff673a"> </access-request> </identifier> <identifier> <identity other-type-definition="jnpr.net:migration" type="other" name="986e16b37f07466f5f2b"> </identity> </identifier> </link> </delete> <delete filter="meta:access-request-device[@publisher-id=&quot;1rBLrYw/2&quot;]"> <link> <identifier> <access-request name="1rBLrYw/2:sid1e28ecf14773120fedfd574085468d7de436755835ff673a"> </access-request> </identifier> <identifier> <device> <name>1rBLrYw/2:151 </name> </device> </identifier> </link> </delete> <delete filter="meta:device-attribute[@publisher-id=&quot;1rBLrYw/2&quot;]"> <link> <identifier> <access-request name="1rBLrYw/2:sid1e28ecf14773120fedfd574085468d7de436755835ff673a"> </access-request> </identifier> <identifier> <device> <name>1rBLrYw/2:151 </name> </device> </identifier> </link> </delete> <delete filter="meta:authenticated-by[@publisher-id=&quot;1rBLrYw/2&quot;]"> <link> <identifier> <access-request name="1rBLrYw/2:sid1e28ecf14773120fedfd574085468d7de436755835ff673a"> </access-request> </identifier> <identifier> <ip-address type="IPv4" value="172.18.235.98"> </ip-address> </identifier> </link> </delete> <update> <identifier> <ip-address type="IPv4" value="172.18.235.98"> </ip-address> </identifier> <metadata> <jnpr:generation-id cardinality="singleValue">305 </jnpr:generation-id> </metadata> </update> </ifmap:publish> </SOAP-ENV:Body> </SOAP-ENV:Envelope>

info - System()[] - 2011/08/02 15:41:42 - Sent IF-MAP response to client 172.18.235.98: <?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:jnpr="http://www.pulsesecure.net/2008/IFMAP/1" xmlns:meta="http://www.trustedcomputinggroup.org/2006/IFMAP-METADATA/1" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:jnpr2="http://www.pulsesecure.net/2009/IFMAP/1" xmlns:ifmap="http://www.trustedcomputinggroup.org/2006/IFMAP/1" xmlns:wsdl="http://www.pulsesecure.net/2008/IFMAP/1/ifmap.wsdl"> <SOAP-ENV:Header> <ifmap:session-id>172.18.235.98:26883 </ifmap:session-id> </SOAP-ENV:Header> <SOAP-ENV:Body> <ifmap:response validation="None"> <publishReceived> </publishReceived> </ifmap:response> </SOAP-ENV:Body> </SOAP-ENV:Envelope>


There was no Network Connect (NC) / Pulse Secure Desktop client connection information in the PCS logs, and the publish request above only deletes the metadata of an earlier session (access-request-ip, roles, authenticated-as, device links) and updates the client's generation-id; it does not publish a new session. The interaction between the endpoint (the user's system), the IF-MAP client and the IF-MAP server was therefore explained to the customer, and it was suggested that the customer launch NC and then access the resources behind the Infranet Enforcer.
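The following script is an added example for this article, not vendor code. It pulls the SOAP envelope out of a "Received IF-MAP request from client ..." event-log line, lists each delete/update operation with the identifiers it touches, and flags whether the client actually exported a session, which in IF-MAP terms means an update that links an access-request to an ip-address with meta:access-request-ip metadata. The two log lines it is run on are constructed (modelled on the entry above, with the session name shortened and the extra capability/authenticated-as/migration-id/device deletes omitted); the "cleanup only" one reproduces the pattern seen in the customer's log, the "session export" one shows what a Session-Export after a Network Connect login would publish.

```python
"""Summarise an IF-MAP publish request captured in the Pulse event log.

Added example for this KB article (not vendor code). Parses the SOAP body of
an IF-MAP 1.x publish request, reports every delete/update operation with the
identifiers it touches, and tells whether a session was exported (an update
carrying meta:access-request-ip). Both sample log lines are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ifmap": "http://www.trustedcomputinggroup.org/2006/IFMAP/1",
}


def envelope(body):
    """Wrap a publish body in the envelope the PPS log prints (constructed)."""
    return (
        "info - System()[] - 2011/08/02 15:41:42 - Received IF-MAP request "
        'from client 172.18.235.98: <?xml version="1.0" encoding="UTF-8"?>'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:ifmap="http://www.trustedcomputinggroup.org/2006/IFMAP/1" '
        'xmlns:meta="http://www.trustedcomputinggroup.org/2006/IFMAP-METADATA/1" '
        'xmlns:jnpr="http://www.pulsesecure.net/2008/IFMAP/1">'
        "<SOAP-ENV:Header><ifmap:session-id>172.18.235.98:26883</ifmap:session-id>"
        '</SOAP-ENV:Header><SOAP-ENV:Body><ifmap:publish validation="None">'
        + body + "</ifmap:publish></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


AR = '<identifier><access-request name="1rBLrYw/2:sid1e28"/></identifier>'
USER = '<identifier><identity type="username" name="RBoswell"/></identifier>'
TUNNEL_IP = '<identifier><ip-address type="IPv4" value="172.19.30.93"/></identifier>'

# Pattern from the article's log: only tear-down of an earlier session plus a
# generation-id bump; no new session is published.
CLEANUP_ONLY = envelope(
    '<delete filter="meta:role[@publisher-id=&quot;1rBLrYw/2&quot;]">'
    "<link>" + AR + USER + "</link></delete>"
    '<delete filter="meta:access-request-ip[@publisher-id=&quot;1rBLrYw/2&quot;]">'
    "<link>" + AR + TUNNEL_IP + "</link></delete>"
    '<update><identifier><ip-address type="IPv4" value="172.18.235.98"/></identifier>'
    '<metadata><jnpr:generation-id cardinality="singleValue">305</jnpr:generation-id>'
    "</metadata></update>"
)

# Constructed Session-Export after a Network Connect login: the access-request
# is linked to the tunnel IP (access-request-ip) and to the user's role.
SESSION_EXPORT = envelope(
    "<update><link>" + AR + TUNNEL_IP + "</link>"
    "<metadata><meta:access-request-ip/></metadata></update>"
    "<update><link>" + AR + USER + "</link>"
    "<metadata><meta:role><name>Users</name></meta:role></metadata></update>"
)


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def extract_xml(log_line):
    """Return the SOAP envelope that follows the log line's text prefix."""
    start = log_line.find("<?xml")
    if start < 0:
        raise ValueError("no IF-MAP envelope found in log line")
    return log_line[start:]


def identifiers(op):
    """List the identifiers an operation touches (link or single) as type:value."""
    out = []
    for holder in op.iter("identifier"):  # <identifier> elements carry no namespace
        ident = next(iter(holder))
        kind = local(ident.tag)
        if kind == "ip-address":
            out.append("ip:" + ident.get("value", ""))
        elif kind == "identity":
            out.append(ident.get("type", "") + ":" + ident.get("name", ""))
        elif kind == "device":
            out.append("device:" + (ident.findtext("name") or "").strip())
        else:  # access-request, mac-address
            out.append(kind + ":" + ident.get("name", ""))
    return out


def analyze(log_line):
    """Parse one 'Received IF-MAP request' log line into a summary dict."""
    root = ET.fromstring(extract_xml(log_line).encode("utf-8"))
    publish = root.find("soap:Body/ifmap:publish", NS)
    if publish is None:
        raise ValueError("not an IF-MAP publish request")
    session = (root.findtext("soap:Header/ifmap:session-id", "", NS) or "").strip()
    ops = []
    for op in publish:
        kind = local(op.tag)
        if kind == "delete":
            # The filter names the metadata being removed, e.g. meta:role[...]
            m = re.match(r"\w+:([\w-]+)", op.get("filter", ""))
            meta = [m.group(1)] if m else ["*"]
        else:
            md = op.find("metadata")
            meta = [local(e.tag) for e in md] if md is not None else []
        ops.append((kind, meta, identifiers(op)))
    exported = any(k == "update" and "access-request-ip" in m for k, m, _ in ops)
    return {"client_session": session, "ops": ops, "session_exported": exported}


if __name__ == "__main__":
    for label, line in (("cleanup only", CLEANUP_ONLY), ("session export", SESSION_EXPORT)):
        r = analyze(line)
        print(label, "->", "session exported" if r["session_exported"] else "NOT exported", r["ops"])
```

Run it against the real entry by passing the full log line (everything from `info - System()` to `</SOAP-ENV:Envelope>`) to `analyze()`; a client that has no Network Connect tunnel to export will show only `delete` operations and a `generation-id` update, exactly as in the customer's log.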

The interaction takes place as follows:

  1. An endpoint authenticates through the PCS device and starts Network Connect or the Pulse Secure Desktop client.
  2. The PCS device provisions an IP address for the endpoint to use on the internal network. Only once the endpoint's internal IP address is known does the PCS appliance derive the IF-MAP data from the endpoint's session.
  3. The PCS device's IF-MAP client publishes the session information to the IF-MAP server as IF-MAP data, using its Session-Export policies.
  4. When the user attempts to access resources behind the enforcement point, access is blocked because the Infranet Enforcer has no information about the endpoint.
  5. The Infranet Enforcer sends out a dynamic discovery message, which includes the endpoint's source IP address.
  6. The Infranet Controller's IF-MAP client uses that IP address to retrieve the session data from the IF-MAP server.
  7. The Infranet Controller applies its Session-Import policies to the retrieved data to translate it into a local session and roles, so that the Enforcer can be provisioned with an auth table entry for the endpoint.

Note: The endpoint authenticating to the PCS device must be running Network Connect or Junos Pulse; without the tunnel there is no internal IP address for the session, so nothing is exported to the IF-MAP server.

It was confirmed that after launching Network Connect, the customer was able to see the session on the PCS under IF-MAP Federation > Active Users and on the Federation PPS server under IF-MAP Federation > This Server > Federation-Wide Sessions.
 
Created By: Data Deployment