Centralized Access Control to Network Resources on EX Series Switches
Network access control (NAC) allows you to control access to network resources such as servers, applications, and stored data.
You can use Junos Pulse Access Control Service and the switches for a centralized end-to-end NAC system. The Access Control Service eliminates the need to configure firewall filters on each switch. Instead, you define resource access policies centrally on the NAC device. For more information, read this topic.
Understanding Centralized Network Access Control and EX Series Switches
Network access control (NAC) allows you to control who is admitted to the network and what resources—servers, applications, and stored data—those users are allowed to access. These controls include:
Authentication—Pre-admission controls
Authorization—Post-admission controls
You can use different methods to implement NAC on Juniper Networks EX Series Ethernet Switches.
This topic describes:
NAC Using Any RADIUS Server and Access Polices Defined on the Local Switch
For pre-admission controls, you can use the switch in combination with any RADIUS server as the authentication server. For additional information, see Understanding Authentication on Switches.
For post-admission controls, you can configure firewall filters to limit access to specific resources. For additional information, see Firewall Filters for EX Series Switches Overview.
Centralized NAC Using Junos Pulse Access Control Service
You can use Junos Pulse Access Control Service and the switches for a centralized end-to-end NAC system, including both pre-admission authentication and post-admission authorization.
When you configure such a system, the Juniper Networks MAG Series Junos Pulse Gateways or the Juniper Networks IC Series Unified Access Control Appliances NAC device functions as the authentication server. For messages relating to IEEE 802.1X and MAC RADIUS authentication, the NAC device communicates with the switch using the RADIUS protocol.
The Access Control Service also performs additional functions. It eliminates the need to configure firewall filters on each switch. Instead, you define resource access policies centrally on the NAC device. This centralized method is particularly helpful when you have multiple switches in your network.
The resource access policy on the Access Control Service defines which network resources are allowed and denied for a user, based upon the user’s role. The NAC device distributes these policies to all connected switches. The NAC device thus functions as a centralized policy management server. For messages relating to access policies, the NAC device communicates with the switch using the Junos UAC Enforcer Protocol (JUEP). The switch converts the resource access policies into filter definitions and applies these to the appropriate port.
With this solution, the EX Series switch serves as an Infranet Enforcer, that is, a policy enforcement point for the Access Control Service. The Access Control Service sends auth table entries and resource access policies when an endpoint successfully completes 802.1X authentication or MAC authentication (unmanaged devices). Access for any endpoint is governed by the resource access policies that you configure on the Access Control Service. Because resource access policies are employed, firewall filters are not required for the switch configuration.
This integrated solution of Access Control Service and EX Series switches is easier to implement and much more efficient than previous versions of Access Control Service and the switches. As soon the switch connects to the MAG Series or IC Series NAC device, the Access Control Service pushes the role-based policies to the switch via JUEP. This enables the user to access the network more quickly than previous implementations, because the policy is already available on the switch and does not need to be pushed from the centralized device at the time of user authentication. Moreover, the policy push happens only once, which utilizes network bandwidth efficiently and makes this implementation suitable for scaled environments.
If you change policies, the Access Control Service automatically pushes the updated policies to the connected switch. The switch applies the policies dynamically without taking users through another authentication transaction.
Do not configure firewall filters on the switch and do not use RADIUS server attributes for firewall filters if you are configuring the switch to use the Access Control Service. Instead, specify or deny access to resources by using the Access Control Service resource access policies.
You create policies on the NAC device’s administrative interface to control access to resources and services. Access is based on successful authentication, the user’s assigned role, and the security compliance of the endpoint device. For example, you can provide full access to protected resources employee role and limited access for a contractor role.
Captive Portal Authentication
Captive portal authentication allows you to authenticate users on the switches by redirecting Web browser requests to a login page that requires users to input a username and password before they are allowed access to the network. The details of configuring captive portal authentication differ depending on whether you are using the Access Control Service:
If you have connected the switch to the Access Control Service, use the Access Control Service NAC device as an external captive portal server for redirecting Web browser requests. When users try to access a protected network resource that is connected to the switch, the user must first sign in to the Access Control Service for authentication and endpoint security checking. The captive portal redirects the user to a login page located on the Access Control Service. When the sign-in page for the Access Control Service is displayed, the user signs in and the Access Control Service examines the endpoint for compliance with security policies. If the endpoint passes the security check, access is granted to the protected resource.
See OBSOLETE: Configuring the EX Series Switch for Captive Portal Authentication with Junos Pulse Access Control Service (CLI Procedure). You can use the same Access Control Service as the external captive portal server for more than one switch.
If you are not using the Access Control Service, you can use captive portal to redirect users to a login page that you configure on the local switch. See Designing a Captive Portal Authentication Login Page on Switches for information about designing a login page on your switch.
Configuring an EX Series Switch to Use Junos Pulse Access Control Service for Network Access Control (CLI Procedure)
You can connect the switch to Junos Pulse Access Control Service to set up a centralized, end-to-end network access control (NAC) system, which allows you to control who is admitted to the network and what resources those users are allowed to access.
The Access Control Service functions both as an authentication server (RADIUS server) and as a centralized policy management server.
Before you begin configuring the switch to connect to the Access Control Service:
Configure a resource access policy.
Obtain the password of the Access Control Service.
Obtain the IP address of the Access Control Service.
Specify the same IP address for the authentication server, the RADIUS server, and the infranet controller (NAC device). These components refer to the same Access Control Service.
To configure the switch to work with the Access Control Service:
- Configure the switch to use the Access Control Service
for authentication and authorization:
[edit ethernet-switching-options]
user@switch# set uac-policy - Configure the access profile to specify the Access Control
Service. The access profile contains the authentication and authorization
configuration that aids in handling authentication and authorization
requests, including the authentication method and sequence, and the
Access Control Service address:
Configure radius as the authentication method to be used when attempting to authenticate a user. For each login attempt, the software tries the authentication methods in order, starting with the first one, until the password matches:
[edit access profile]
user@switch# set profile-name authentication-order radiusSpecify the IP address of the authentication server:
NoteSpecify the same IP address that you use for the RADIUS server and the NAC device.
[edit access profile]
user@switch# set profile-name radius authentication-server ip-address
- Configure the RADIUS server to use the same IP address
that you specified for the authentication server:
[edit access]
user@switch# set radius-server ip-address - Configure the password to use for connecting
the switch with the RADIUS server: Note
The password specified here is used for RADIUS communications between the switch and the Access Control Service. It does not need to match the password that is specified on the Access Control Service through the administrative interface on the Access Control Service.
[edit access]
user@switch# set radius-server secret password - Configure the address of the Access Control Service MAG
Series or the IC Series NAC device:Note
Specify the hostname and IP address of the NAC device. This is the same IP address that you used for specifying the authentication server.
[edit services united-access-control infranet-controller hostname]
user@switch# set address ip-address - Configure the switch’s management Ethernet interface
for the NAC device:
[edit services united-access-control infranet-controller hostname]
user@switch# set interface me0.0 - Configure the password for connecting the switch to the
Access Control Service NAC device:Note
This password must match the password specified on the Access Control Service though its administrative interface. It is used for Junos UAC Enforcer Protocol (JUEP) communications between the switch and the Access Control Service.
[edit services united-access-control infranet-controller hostname]
user@switch# set password password - Configure the amount of time that switch waits to receive
a response from the Access Control Service:
[edit services united-access-control]
user@switch# set timeout seconds - Specify the time between continuity-check messages for
the switch’s connection with the Access Control Service:
[edit services united-access-control]
user@switch# set interval seconds - Specify an action for the switch to take if a timeout
occurs for the connection between the switch and the Access Control
Service:
[edit services united-access-control]
user@switch# set timeout-action action - Specify the name of the access profile to use for 802.1X,
MAC RADIUS, or captive portal authentication:Note
Use the same access profile that you configured previously (step 2).
[edit protocols dot1x]
user@switch# set authenticator authentication-profile-name profile-name - Configure the 802.1X interface that the switch will use
for communicating with the Access Control Service:
[edit protocols dot1x]
user@switch# set authenticator interface interface-name
OBSOLETE: Configuring the EX Series Switch for Captive Portal Authentication with Junos Pulse Access Control Service (CLI Procedure)
If you have connected the EX Series switch to the Junos Pulse Access Control Service and you want to use the captive portal user authentication feature, configure the Access Control Service network access control (NAC) device as an external captive portal server. The captive portal feature is required only for user authentication. Unmanaged devices, such as printers or phones, can be authenticated through 802.1X and MAC address authentication.
When users try to access a protected network resource that is connected to the switch, the user must first sign in to the Access Control Service for authentication and endpoint security checking. The captive portal redirects the user to a login page located on the Access Control Service.
When the sign-in page for the Access Control Service is displayed, the user signs in and the Access Control Service examines the endpoint for compliance with security policies. If the endpoint passes the security check, access is granted to the protected resource.
Before you begin, be sure you have:
Designed your captive portal login page on the Access Control Service.
To configure the switch to use the Access Control Service for captive portal:
- Configure captive portal to authenticate clients connected to the switch for access to use the authentication profile that directs the client to the Access Control Service:
- Enable an interface for use with captive portal authentication:
[edit]
user@switch# set services captive-portal interface interface-name supplicant multiple - (Optional) Specify which clients are to bypass captive
portal authentication:Note
You can use set ethernet-switching-options authentication-whitelist mac-address interface interface-name to limit the scope to the interface.
