Example: Configuring Centralized Access Control to Network Resources, with an EX Series Switch Connected to Junos Pulse Access Control Service
You can deploy an EX Series switch and Junos Pulse Access Control Service to control who is admitted to your network and what resources—servers, applications, stored data, and other devices—the user can access after being admitted to the network. Access Control Service provides both authentication and authorization:
With this combination of products, the switch serves as an Infranet Enforcer, that is, a policy enforcement point for Access Control Service. Access Control Service sends auth table entries and resource access policies when an endpoint successfully completes 802.1X or MAC authentication (unmanaged devices). Access for any endpoint is governed by the resource access policies that you configure on Access Control Service. The switch converts the resource access policies into filter definitions and applies these to the appropriate port. Because resource access policies are employed, firewall filters are not required for the switch configuration.
This example describes how to configure the switch to use Access Control Service for authentication and authorization and how to configure Access Control Service to use the switch as an Infranet Enforcer.
Note: This example configures the switch prior to configuring the Access Control Service. However, you can configure the Access Control Service first, if you prefer. The sequence does not matter.
The example also describes the requisite configuration procedures on Access Control Service for configuring user roles, user realms, and resource access policies:
- Requirements
- Overview and Topology
- Configuring the EX Series Switch to Connect to the Junos Pulse Access Control Device
- Creating an Authentication Server Instance on the UAC NAC Device
- Configuring User Roles on the UAC NAC Device
- Configuring a User Realm
- Mapping User Roles to the User Realm
- Configuring Sign-In Policies
- Configuring a Location Group
- Configuring an EX Series Switch Infranet Enforcer Instance on the UAC NAC Device
- Configuring Resource Access Policies on the UAC NAC Device
- Verification
Requirements
This example uses the following hardware and software components:
- Junos OS Release 12.2 or later for EX Series switches
- One EX Series switch acting as an Infranet Enforcer and an authenticator port access entity (PAE)
- Junos Pulse Access Control Service Release 4.2 or later
- Access Control Service IC Series device or MAG Series device
Before you configure the switch to use Access Control Service, be sure you have:
- Installed and set up the IC Series device or the MAG Series device.
  - For information on the IC Series, see https://www.juniper.net/techpubs/en_US/release-independent/uac/information-products/pathway-pages/unified-access-control/product/.
  - For information on the MAG Series, see https://www.juniper.net/techpubs/en_US/release-independent/mag/information-products/pathway-pages/mag-series/product/.
- The IP address and password of the IC Series or MAG Series device.
Note: Within the example, the IC Series or MAG Series device is referred to as a Network Access Control (NAC) device.
Overview and Topology
You use 802.1X to control network access. Only users and devices providing credentials that have been verified against a user database are allowed access to the network. You can use Access Control Service as the user database for 802.1X authentication, as well as for MAC RADIUS authentication.
In addition, Access Control Service functions as a centralized policy management server. It eliminates the need to configure firewall filters on the individual switch. Instead, you define resource access policies centrally on Access Control Service. A resource access policy defines which network resources are allowed and denied for a user, based on the user’s role. The Access Control Service NAC device distributes these policies to all connected switches. For messages relating to access policies, the NAC device communicates with the switch using the Junos UAC Enforcer Protocol (JUEP).
The Access Control Service IC Series device or MAG Series device acts as your centralized NAC device. Specific resources are allocated through resource access policies from the Access Control Service device. The ports on the switch form a control gate that blocks all traffic to and from supplicants until they are authenticated.
Limit access to protected resources by defining user roles and user realms with accompanying resource access policies in the UAC admin console.
In this example, we are configuring access control for a medical facility. Because we are using Access Control Service for centralized access control, we specify the permissions and limitations on the UAC NAC device.
To ensure patient privacy, the patient medical history files are accessible only to the medical staff (med-staff). The patient insurance information and payment records are available only to the accounts personnel (accounts). Other information pertaining to the patients is available to anyone of the general staff (other).
The switch acts as an Infranet Enforcer and an authenticator port access entity (PAE). It blocks all traffic and acts as a control gate until the supplicant (client) is authenticated by the server. All other users and devices are denied access.
Table 1 shows the configuration components used for the switch and the Access Control Service NAC device in this example.
Table 1: Components of the Topology for Access Control Service and the EX Series Switch
| Property | Settings |
|---|---|
| Access Control Service NAC device properties that must be specified on the switch | IP address—10.204.88.148; hostname—my_nac; password—MyUACPassword |
| Password to use for connecting the switch with the RADIUS server | MySecret |
| Access profile, specified on the switch, to define the connection to the UAC | myuac_profile |
| Switch hostname | myswitch |
| User roles on the NAC device | med-staff, accounts, general-user |
| User realm on the NAC device | hospital-staff |
| Location group on the NAC device | medical-group |
Figure 1 shows the topology used in this example.
Figure 1: Centralized Access Control to Network Resources with an EX Series Switch Connected to Junos Pulse Access Control Service

Configuring the EX Series Switch to Connect to the Junos Pulse Access Control Device
CLI Quick Configuration
To quickly connect the switch to Access Control Service, copy the following commands and paste them into the switch terminal window:
Note: This example uses the default values for timeout, interval, and timeout-action.
[edit]
set ethernet-switching-options uac-policy
set access profile myuac_profile authentication-order radius
set access profile myuac_profile radius authentication-server 10.204.88.148
set access radius-server 10.204.88.148
set access radius-server secret MySecret
set services unified-access-control infranet-controller my_nac address 10.204.88.148
set services unified-access-control infranet-controller my_nac interface me0.0
set services unified-access-control infranet-controller my_nac password MyUACPassword
set protocols dot1x authenticator authentication-profile-name myuac_profile
set protocols dot1x authenticator interface ge-0/0/10.0
Step-by-Step Procedure
To connect the switch to your UAC NAC device:
- Configure the switch to use Access Control Service for authentication and authorization:
  [edit ethernet-switching-options]
  user@switch# set uac-policy
- Configure the access profile to specify Access Control Service. The access profile contains the authentication and authorization configuration used to handle authentication and authorization requests, including the authentication method and sequence and the Access Control Service address:
  - Configure radius as the authentication method to be used when attempting to authenticate a user. For each login attempt, the software tries the authentication methods in order, starting with the first one, until the password matches:
    [edit access profile]
    user@switch# set myuac_profile authentication-order radius
  - Define the access profile for connecting to the UAC by specifying the IP address of the authentication server:
    Note: Specify the same IP address that you use for the RADIUS server and the NAC device.
    [edit access profile]
    user@switch# set myuac_profile radius authentication-server 10.204.88.148
- Configure the RADIUS server to use the same IP address that you specified for the authentication server:
  [edit access]
  user@switch# set radius-server 10.204.88.148
- Configure the password to use for connecting the switch with the RADIUS server:
  Note: The password specified here is used for RADIUS communications between the switch and Access Control Service. It does not need to match the password that is specified on Access Control Service through its administrative interface.
  [edit access]
  user@switch# set radius-server secret MySecret
- Configure the address of the Access Control Service NAC device:
  Note: Specify the hostname and IP address of the NAC device. This is the same IP address that you used for specifying the authentication server.
  [edit services unified-access-control infranet-controller my_nac]
  user@switch# set address 10.204.88.148
- Configure the switch’s management Ethernet interface for the NAC device:
  [edit services unified-access-control infranet-controller my_nac]
  user@switch# set interface me0.0
- Configure the password for connecting the switch to the Access Control Service NAC device:
  Note: This password must match the password specified on Access Control Service through its administrative interface. It is used for Junos UAC Enforcer Protocol (JUEP) communications between the switch and Access Control Service.
  [edit services unified-access-control infranet-controller my_nac]
  user@switch# set password MyUACPassword
- Specify the name of the access profile to use for 802.1X, MAC RADIUS, or captive portal authentication:
  Note: Use the same access profile that you configured previously (step 2).
  [edit protocols dot1x]
  user@switch# set authenticator authentication-profile-name myuac_profile
- Configure the 802.1X interface that the switch will use for communicating with Access Control Service:
  [edit protocols dot1x]
  user@switch# set authenticator interface ge-0/0/10.0
Results
Display the results of the configuration:
user@switch> show configuration
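The notes in the procedure above call out three cross-references that must agree before the switch can reach the NAC device: the RADIUS server, the access profile's authentication server and the infranet-controller address must be one IP; the 802.1X authenticator must name an access profile that actually exists; and the infranet-controller instance must be a single instance carrying address, interface and password. A small lint that reads the set commands and reports any mismatch is added here as an example (it is not Juniper code; the sample configuration is constructed from the values in this example, and the check names are the author's own):

```python
"""Consistency lint for the switch-side 'set' commands in this example.

Added example, not Juniper code.  It parses Junos set commands and
verifies the cross-references the procedure notes call out.
"""
import re
from typing import List

# Constructed sample: the example's configuration with consistent names.
SAMPLE_CONFIG = """
set ethernet-switching-options uac-policy
set access profile myuac_profile authentication-order radius
set access profile myuac_profile radius authentication-server 10.204.88.148
set access radius-server 10.204.88.148
set access radius-server secret MySecret
set services unified-access-control infranet-controller my_nac address 10.204.88.148
set services unified-access-control infranet-controller my_nac interface me0.0
set services unified-access-control infranet-controller my_nac password MyUACPassword
set protocols dot1x authenticator authentication-profile-name myuac_profile
set protocols dot1x authenticator interface ge-0/0/10.0
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_set_commands(text: str) -> dict:
    """Pull out only the values the consistency checks need."""
    facts = {
        "profiles": {},        # access profile name -> set of authentication-server IPs
        "radius_servers": set(),
        "controllers": {},     # infranet-controller name -> {address, interface, password}
        "dot1x_profile": None,
    }
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "set":
            continue
        args = tokens[1:]
        if args[:2] == ["access", "profile"] and len(args) >= 3:
            prof = facts["profiles"].setdefault(args[2], set())
            if args[3:5] == ["radius", "authentication-server"] and len(args) >= 6:
                prof.add(args[5])
        elif args[:2] == ["access", "radius-server"] and len(args) >= 3:
            if IPV4.match(args[2]):          # skip 'radius-server secret ...'
                facts["radius_servers"].add(args[2])
        elif args[:3] == ["services", "unified-access-control", "infranet-controller"] and len(args) >= 5:
            ctl = facts["controllers"].setdefault(args[3], {})
            ctl[args[4]] = args[5] if len(args) > 5 else None
        elif args[:3] == ["protocols", "dot1x", "authenticator"] and len(args) >= 5:
            if args[3] == "authentication-profile-name":
                facts["dot1x_profile"] = args[4]
    return facts


def check_consistency(text: str) -> List[str]:
    """Return a list of findings; an empty list means the config is consistent."""
    f = parse_set_commands(text)
    findings = []
    # One infranet-controller instance, fully specified.
    if len(f["controllers"]) != 1:
        findings.append(f"expected one infranet-controller instance, found {sorted(f['controllers'])}")
    for name, ctl in f["controllers"].items():
        for key in ("address", "interface", "password"):
            if key not in ctl:
                findings.append(f"infranet-controller {name} is missing '{key}'")
    # 802.1X must reference a defined profile that has an authentication server.
    prof = f["dot1x_profile"]
    if prof is None:
        findings.append("dot1x authenticator has no authentication-profile-name")
    elif prof not in f["profiles"]:
        findings.append(f"dot1x references access profile '{prof}', which is not defined")
    elif not f["profiles"][prof]:
        findings.append(f"access profile '{prof}' has no radius authentication-server")
    # RADIUS server, profile authentication server and NAC address must be one IP.
    ips = set(f["radius_servers"])
    for servers in f["profiles"].values():
        ips |= servers
    ips |= {c["address"] for c in f["controllers"].values() if c.get("address")}
    if len(ips) != 1:
        findings.append(f"RADIUS server, authentication-server and NAC address must be one IP, got {sorted(ips)}")
    return findings


if __name__ == "__main__":
    for finding in check_consistency(SAMPLE_CONFIG) or ["configuration is consistent"]:
        print(finding)
```

Feed it the output of `show configuration | display set` for the relevant hierarchies; a typo such as defining the authentication server under `myuac` while 802.1X references `myuac_profile`, or splitting the infranet-controller settings across two instance names, shows up as a finding before you commit.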
Creating an Authentication Server Instance on the UAC NAC Device
Step-by-Step Procedure
Access Control Service supports a variety of user authentication and authorization servers. To quickly set up user authentication, you can use local authentication on the Access Control Service NAC device. This example uses the preconfigured local authentication server, System Local.
To set up local user authentication on the NAC device:
- In the NAC device admin console, select Authentication > Auth. Servers.
- Click System Local.
- Select the Users tab.
- Click New.
- In the dialog box for New Local User, enter
information into the text boxes of the following fields:
- Username
- Full Name
- Password
Note: All other fields are optional.
- Click Save Changes.
- Repeat this procedure for each user that you want to include in the device database. For example, we created three users: bobbarker, joansmith, and stevejones
Results
The users bobbarker, joansmith, and stevejones are available in the NAC device database and can be associated with a role.
Configuring User Roles on the UAC NAC Device
Step-by-Step Procedure
To set up the user roles:
Note: In this example, either Odyssey Access Client or the Junos Pulse client is installed on the client.
- In the NAC device admin console, select Users > User Roles.
- Click New Role and then enter the Name of the role that allows users with compliant endpoints to access the protected resources. You can also enter additional information about this role into the Description text box.
- Click Save Changes.
- Repeat these steps to create the additional user roles. For example, we created three roles: med-staff, accounts, and general-user
Results
The roles, med-staff, accounts, and general-user, are available in the NAC database.
Configuring a User Realm
Step-by-Step Procedure
To configure a user realm within the authentication server instance:
Note: Only one user realm is required.
- In the NAC device admin console, select Users > User Realms.
- In the dialog box User Authentication Realms, click New.
- In the New Authentication Realm dialog box:
  - Enter information into the text boxes:
    - Name—Name of the realm. For this example, we are using hospital-staff.
    - Description—(Optional) Any additional information that you wish to provide.
  - Under Servers:
    - Authentication—Select System Local.
    - Directory/Attribute—Select None.
    - Accounting—Select None.
- Click Save Changes.
Results
The new user realm can be associated with the roles you have created.
Mapping User Roles to the User Realm
Step-by-Step Procedure
To map each user role to a rule within the user authentication realm:
- In the NAC device admin console, select Users > User Realms > Role Mapping for the hospital-staff realm.
- Click New Rule.
- In the Role Mapping Rule dialog box, for a rule based on username, enter the information for the appropriate fields:
  - Under Rule: If username is bobbarker.
  - Under then assign these roles, select the med-staff role and then click Add.
- Create additional role mapping rules for additional users. For example, create a role mapping rule to associate user joansmith with accounts, and a role mapping rule to associate user stevejones with medical-staff.
- Click Save Changes.
Results
Each user is associated with a role.
Configuring Sign-In Policies
Step-by-Step Procedure
To create a user sign-in policy:
- In the admin console, select Authentication > Signing in > Sign-in Policies.
- To create a new sign-in policy, click New URL and select Users.
- In the Sign-in URL field, enter the URL that you want to associate with the policy. Use the format <host>/<path>, where <host> is the hostname of the NAC device and <path> is any string users must enter. For example, */testsite/.
- (Optional) Enter a Description for the policy.
- In the Sign-in Page list, select Default Sign-in Page.
- Under Available realms, select the hospital-staff realm that you created.
- Under Authentication protocol set, select 802.1X.
- Click Save Changes.
Results
A sign-in URL is available for users.
Configuring a Location Group
Step-by-Step Procedure
You must create a location group to associate with an Infranet Enforcer instance.
- In the admin console, select Network Access > Location Group.
- Select New Location Group.
- For Name, type medical-group.
- Add an optional description.
- Leave the default sign-in policy.
- Click Save Changes.
Results
A location group that can be assigned to the EX Series switch is created.
Configuring an EX Series Switch Infranet Enforcer Instance on the UAC NAC Device
Step-by-Step Procedure
To configure Junos Pulse Access Control Service to accept a connection from the switch:
- On the left navigation bar in the NAC device admin console, select UAC > Infranet Enforcer > Connection.
- Click New Enforcer. The New Infranet Enforcer dialog box appears. By default, the new ScreenOS Enforcer page is displayed.
- Select the Junos EX option button. The New Infranet Enforcer page is displayed.
- Enter the name of the switch in the Name box.
- Enter the password for the switch. This password is a shared secret that administrators of both the switch and Junos Pulse Access Control Service can use for connectivity between the two devices.
- Enter the serial number of the switch.
- For Location Group, select medical-group.
- Click Save Changes.
Results
Junos Pulse Access Control Service and the EX switch can be connected.
Configuring Resource Access Policies on the UAC NAC Device
Step-by-Step Procedure
To create a resource access policy:
- In the Infranet Enforcer admin console, select UAC > Infranet Enforcer > Resource Access.
- Click New Policy.
- On the New Policy page:
  - For Name and Description, enter any name and description for this policy, such as MedicalServer.
  - For Resources, specify the protocol, IP address, network mask, and port of each resource (or range of addresses) for which this Infranet Enforcer resource access policy applies, one per line. You cannot specify a hostname in an Infranet Enforcer resource access policy; you can specify only an IP address. You can use TCP, UDP, or ICMP. For example, type 10.204.91.20 to specify the med-staff protected resources on the switch.
  - In the Infranet Enforcer box, add the switch you created to the selected Enforcers.
  - In the Roles box, select Policy applies to SELECTED roles, select med-staff, and click Add to apply this resource access policy to users who are mapped to the med-staff role.
  - In the Action box, select Allow access.
  - Click Save Changes.
- Complete two additional resource access policies:
- Allow role accounts with the IP address 10.204.91.21.
- Allow role general-access with the IP address 10.204.91.22.
Results
Individual users, through their assigned roles, are provided access to the proper protected assets.
Verification
The following procedures verify the connections between the switch and the NAC device.
- Verifying That the Switch Is Connected to Access Control Service
- Verifying the Configuration of Resource Access Policies
- Verifying the Mapping of Roles to Resources
Verifying That the Switch Is Connected to Access Control Service
Purpose
Verify that the switch is connected to Access Control Service.
Action
Confirm the status of the connection to Access Control Service.
user@switch> show services unified-access-control status
Host   Address          Port    Interface   State
ic     10.204.88.148    11123   vlan.60     connected
Meaning
Confirm that the State indicates that the Access Control Service is connected.
Verifying the Configuration of Resource Access Policies
Purpose
After you have configured the access resource policies on the UAC device admin console, verify that they have been deployed to the switch.
Action
Confirm that the resource access policies for the switch have been configured on Access Control Service and pushed to the switch.
user@switch> show services unified-access-control policies detail
Identifier: 1
  Resource: 10.204.91.20:*
  Action: allow
  Apply: selected
  Role identifier        Role name
  0000000001.000005.0    med-staff
Identifier: 2
  Resource: 10.204.91.21:*
  Action: allow
  Apply: selected
  Role identifier        Role name
  1331203933.456038.0    accounts
Identifier: 3
  Resource: 10.204.91.23:*
  Action: allow
  Apply: selected
  Role identifier        Role name
  1318918961.643263.0    general-user
Identifier: 4
  Resource: 10.204.88.148:*
  Resource: udp://*:53,67
  Action: allow
  Apply: all
Total: 4
Note: There must always be a resource access policy to allow traffic to the Access Control Service.
Meaning
The results show the resource access policies that were configured in this example. The policy with identifier 4 is the policy that allows traffic to the Access Control Service. It lists the IP address of the Access Control Service and an additional UDP resource (ports 53 and 67) indicating that it allows DNS and DHCP traffic, too.
Verifying the Mapping of Roles to Resources
Purpose
Display the content of the authentication table in a user role firewall implementation. The table, pushed from a supporting Access Control Service device, provides the user roles associated with incoming traffic.
Action
Display the contents of the authentication table to show the mapping of roles to resources.
user@switch> show services unified-access-control authentication-table detail
Identifier: 6
  Source: 00-50-56-a4-5a-4c/10.204.90.61
  Username: bobbarker
  Age: 0
  Role identifier        Role name
  0000000001.000005.0    med-staff
Total: 1
Meaning
This output shows the mapping for username bobbarker. The output shows only one user, because only this user is connected at the time that the command is issued. If additional users were connected, the other users would also be displayed.
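The two outputs above answer two different questions (which policies the switch holds, and which role each connected user was given); joining them tells you what a given user can actually reach, and whether the mandatory policy toward the Access Control Service is present. The following script is an added example, not Juniper code, covering both the policy check and the role-mapping check: the sample text is constructed from the show command output on this page, and the function names are the author's own.

```python
"""Cross-check 'policies detail' against 'authentication-table detail'.

Added example, not Juniper code.  Sample text is constructed from the
verification output shown on this page.
"""
import re
from typing import Dict, List

POLICIES_OUTPUT = """\
Identifier: 1
  Resource: 10.204.91.20:*
  Action: allow
  Apply: selected
  Role identifier        Role name
  0000000001.000005.0    med-staff
Identifier: 2
  Resource: 10.204.91.21:*
  Action: allow
  Apply: selected
  Role identifier        Role name
  1331203933.456038.0    accounts
Identifier: 3
  Resource: 10.204.91.23:*
  Action: allow
  Apply: selected
  Role identifier        Role name
  1318918961.643263.0    general-user
Identifier: 4
  Resource: 10.204.88.148:*
  Resource: udp://*:53,67
  Action: allow
  Apply: all
Total: 4
"""

AUTH_TABLE_OUTPUT = """\
Identifier: 6
  Source: 00-50-56-a4-5a-4c/10.204.90.61
  Username: bobbarker
  Age: 0
  Role identifier        Role name
  0000000001.000005.0    med-staff
Total: 1
"""

# A role row is "<role identifier> <role name>", e.g. "0000000001.000005.0 med-staff".
ROLE_ROW = re.compile(r"^(\d+\.\d+\.\d+)\s+(\S+)$")


def parse_records(text: str) -> List[dict]:
    """Split 'Identifier:'-delimited output into records.

    Works for both the policy listing and the authentication table:
    'Resource:' may repeat so it is collected as a list, role rows go
    into 'roles', and every other 'Key: value' line is stored lower-cased.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Identifier:"):
            current = {"id": line.split(":", 1)[1].strip(), "resources": [], "roles": []}
            records.append(current)
            continue
        if current is None or not line or line.startswith("Total:"):
            continue
        m = ROLE_ROW.match(line)
        if m:
            current["roles"].append(m.group(2))
        elif line.startswith("Resource:"):
            current["resources"].append(line.split(":", 1)[1].strip())
        elif ":" in line:
            key, value = line.split(":", 1)
            current[key.strip().lower()] = value.strip()
    return records


def controller_policy_present(policies: List[dict], nac_ip: str) -> bool:
    """True if an apply-to-all allow policy covers the NAC device address."""
    return any(
        p.get("apply") == "all" and p.get("action") == "allow"
        and any(r.split(":")[0] == nac_ip for r in p["resources"])
        for p in policies
    )


def effective_access(policies: List[dict], auth_entries: List[dict]) -> Dict[str, List[str]]:
    """Resources each authenticated user may reach, derived from role membership."""
    access = {}
    for entry in auth_entries:
        user_roles = set(entry["roles"])
        allowed = set()
        for p in policies:
            if p.get("action") != "allow":
                continue
            if p.get("apply") == "all" or user_roles & set(p["roles"]):
                allowed.update(p["resources"])
        access[entry["username"]] = sorted(allowed)
    return access


if __name__ == "__main__":
    pols = parse_records(POLICIES_OUTPUT)
    print("NAC policy present:", controller_policy_present(pols, "10.204.88.148"))
    for user, res in effective_access(pols, parse_records(AUTH_TABLE_OUTPUT)).items():
        print(user, "->", ", ".join(res))
```

Run it against the live output of both show commands after a user authenticates: a user whose role appears in the authentication table but has no matching allow policy comes back with only the apply-to-all resources, which is the quickest way to spot a role-mapping or policy mismatch between the NAC device and the switch.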