Understanding Centralized Network Access Control and EX Series Switches

Network access control (NAC) allows you to control who is admitted to the network and what resources—servers, applications, and stored data—those users are allowed to access. These controls include:

  • Authentication—Pre-admission controls
  • Authorization—Post-admission controls

You can use different methods to implement NAC on Juniper Networks EX Series Ethernet Switches.

This topic describes:

  • NAC using any RADIUS server and access policies defined on the local switch
  • Centralized NAC using Junos Pulse Access Control Service
  • Captive portal authentication

NAC Using Any RADIUS Server and Access Policies Defined on the Local Switch

For pre-admission controls, you can use the switch in combination with any RADIUS server as the authentication server. For additional information, see Understanding Authentication on EX Series Switches.

For post-admission controls, you can configure firewall filters to limit access to specific resources. For additional information, see Firewall Filters for EX Series Switches Overview.

Centralized NAC Using Junos Pulse Access Control Service

You can use Junos Pulse Access Control Service and the switches for a centralized end-to-end NAC system, including both pre-admission authentication and post-admission authorization.

When you configure such a system, the NAC device (a Juniper Networks MAG Series Junos Pulse Gateway or a Juniper Networks IC Series Unified Access Control Appliance) functions as the authentication server. For messages relating to IEEE 802.1X and MAC RADIUS authentication, the NAC device communicates with the switch using the RADIUS protocol.

The Access Control Service also performs additional functions. It eliminates the need to configure firewall filters on each switch. Instead, you define resource access policies centrally on the NAC device. This centralized method is particularly helpful when you have multiple switches in your network.

The resource access policy on the Access Control Service defines which network resources are allowed and denied for a user, based upon the user’s role. The NAC device distributes these policies to all connected switches. The NAC device thus functions as a centralized policy management server. For messages relating to access policies, the NAC device communicates with the switch using the Junos UAC Enforcer Protocol (JUEP). The switch converts the resource access policies into filter definitions and applies these to the appropriate port.

Note: With this solution, the EX Series switch serves as an Infranet Enforcer, that is, a policy enforcement point for the Access Control Service. The Access Control Service sends auth table entries and resource access policies when an endpoint successfully completes 802.1X authentication or MAC authentication (unmanaged devices). Access for any endpoint is governed by the resource access policies that you configure on the Access Control Service. Because resource access policies are employed, firewall filters are not required for the switch configuration.

This integrated solution of Access Control Service and EX Series switches is easier to implement and much more efficient than previous versions of Access Control Service and the switches. As soon as the switch connects to the MAG Series or IC Series NAC device, the Access Control Service pushes the role-based policies to the switch via JUEP. This enables the user to access the network more quickly than in previous implementations, because the policy is already available on the switch and does not need to be pushed from the centralized device at the time of user authentication. Moreover, the policy push happens only once, which uses network bandwidth efficiently and makes this implementation suitable for scaled environments.

If you change policies, the Access Control Service automatically pushes the updated policies to the connected switch. The switch applies the policies dynamically without taking users through another authentication transaction.

Note: Do not configure firewall filters on the switch and do not use RADIUS server attributes for firewall filters if you are configuring the switch to use the Access Control Service. Instead, permit or deny access to resources by using the Access Control Service resource access policies. See Configuring Resource Access Policies.

You create policies on the NAC device’s administrative interface to control access to resources and services. Access is based on successful authentication, the user’s assigned role, and the security compliance of the endpoint device. For example, you can provide full access to protected resources for an employee role and limited access for a contractor role.

See About Resource Access Policies for additional information.
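The following Junos CLI configuration is an added illustration of the centralized arrangement described above; it is not taken from this topic. The NAC device (192.0.2.10, a documentation address) is both the RADIUS authentication server for 802.1X and MAC RADIUS and the infranet controller that pushes resource access policies over JUEP, so the switch configuration carries no firewall filter. The names nac-profile, nac-device and the port ge-0/0/1 are assumptions, and the unified-access-control stanza is shown in the form the EX Series enforcer documentation uses rather than copied from this page.

```junos
## Added example, not from this topic. 192.0.2.10 is a documentation address;
## nac-profile, nac-device and ge-0/0/1 are assumed names.

## 1. Pre-admission: the NAC device is the RADIUS authentication server.
set access radius-server 192.0.2.10 secret "<shared-secret>"
set access profile nac-profile authentication-order radius
set access profile nac-profile radius authentication-server 192.0.2.10

## 2. 802.1X on the access port, with MAC RADIUS as the fallback for
##    unmanaged endpoints that cannot run a supplicant.
set protocols dot1x authenticator authentication-profile-name nac-profile
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius

## 3. Post-admission: register the same NAC device as infranet controller.
##    The switch becomes an Infranet Enforcer, receives the role-based
##    resource access policies over JUEP once, and converts them to
##    per-port filter definitions itself.
set services unified-access-control infranet-controller nac-device address 192.0.2.10
set services unified-access-control infranet-controller nac-device password "<enforcer-password>"
set services unified-access-control infranet-controller nac-device interface vlan.0

## 4. Deliberately absent (see the Note above): no
##    "set firewall family ethernet-switching filter ..." and no RADIUS
##    filter attributes. Access is governed solely by the resource access
##    policies defined centrally on the Access Control Service.
```

A policy change on the Access Control Service is re-pushed to every connected enforcer, so there is no per-switch filter to update when roles change.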

Captive Portal Authentication

Captive portal authentication allows you to authenticate users on the switches by redirecting Web browser requests to a login page that requires users to input a username and password before they are allowed access to the network. The details of configuring captive portal authentication differ depending on whether you are using the Access Control Service:

  • If you have connected the switch to the Access Control Service, use the Access Control Service NAC device as an external captive portal server for redirecting Web browser requests. When a user tries to access a protected network resource that is connected to the switch, the user must first sign in to the Access Control Service for authentication and endpoint security checking. The captive portal redirects the user to a login page located on the Access Control Service. When the sign-in page for the Access Control Service is displayed, the user signs in and the Access Control Service examines the endpoint for compliance with security policies. If the endpoint passes the security check, access is granted to the protected resource.

    See Configuring the EX Series Switch for Captive Portal Authentication with Junos Pulse Access Control Service (CLI Procedure). You can use the same Access Control Service as the external captive portal server for more than one switch. See About Sign-In Policies.

  • If you are not using the Access Control Service, you can use captive portal to redirect users to a login page that you configure on the local switch. See Designing a Captive Portal Authentication Login Page on an EX Series Switch for information about designing a login page on your switch.

Published: 2012-12-06