Configuring Communications Between the JUNOS Enforcer and the Infranet Controller (CLI Procedure)
To configure an SRX Series or J Series device to act as a JUNOS Enforcer in a UAC deployment, and therefore to enforce Infranet Controller policies, you must specify an Infranet Controller to which the SRX Series or J Series device should connect.
Before you begin:
- Enable UAC through the relevant JUNOS security policies. See Enabling UAC in a JUNOS Environment (CLI Procedure).
- (Optional) Import the Infranet Controller’s server certificate onto the SRX Series or J Series device and create a profile for the certificate authority (CA) that signed the certificate. See Example: Loading CA and Local Certificates Manually (CLI).
- Configure user authentication and authorization by setting up user roles, authentication and authorization servers, and authentication realms on the Infranet Controller. See the Unified Access Control Administration Guide.
- Configure resource access policies on the Infranet Controller to specify which endpoints are allowed or denied access to protected resources. See the Unified Access Control Administration Guide.
To configure an SRX Series or J Series device to act as a JUNOS Enforcer:
- Specify the Infranet Controller(s) to which the SRX Series or J Series device should connect.
To specify the Infranet Controller’s hostname:
user@host# set services unified-access-control infranet-controller hostname
To specify the Infranet Controller’s IP address:
user@host# set services unified-access-control infranet-controller hostname address ip-address
Note: When configuring access to multiple Infranet Controllers, you must define each one separately, with its own name and address. For example:
user@host# set services unified-access-control infranet-controller IC1
user@host# set services unified-access-control infranet-controller IC2
user@host# set services unified-access-control infranet-controller IC3
user@host# set services unified-access-control infranet-controller IC1 address 10.10.10.1
user@host# set services unified-access-control infranet-controller IC2 address 10.10.10.2
user@host# set services unified-access-control infranet-controller IC3 address 10.10.10.3
Make sure that all of the Infranet Controllers are members of the same cluster; the device treats the list as alternate paths to one controller, not as independent policy sources.
Note: By default, the device connects to the Infranet Controller on port 11123. To determine whether this default has been changed on the Infranet Controller, see the Unified Access Control Administration Guide.
- Specify the JUNOS interface that the device uses for its connection to the Infranet Controller:
user@host# set services unified-access-control infranet-controller hostname interface interface-name
- Specify the password that the SRX Series or J Series device should use to initiate secure communications with the Infranet Controller. It must match the password entered for this enforcer on the Infranet Controller:
user@host# set services unified-access-control infranet-controller hostname password password
- (Optional) Specify the server certificate that the device should expect from the Infranet Controller for SSL communications, and the CA profile used to validate it. Configure both in production deployments: they are what allow the device to check that the controller it connects to presents a certificate issued by the expected CA.
To specify the subject of the Infranet Controller’s server certificate:
user@host# set services unified-access-control infranet-controller hostname server-certificate-subject certificate-name
To specify the CA profile associated with the certificate:
user@host# set services unified-access-control infranet-controller hostname ca-profile ca-profile
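The following is an added, complete example of the procedure above; it is not from the original page or from Juniper. It configures an SRX Series device as a JUNOS Enforcer against a two-member Infranet Controller cluster, with certificate validation turned on. The controller names IC1 and IC2, the addresses 10.10.10.1 and 10.10.10.2, the interface ge-0/0/1.0, the password, the certificate subject, and the CA profile name uac-ca are assumed values for illustration; the CA profile and the imported CA certificate are assumed to exist already (see Example: Loading CA and Local Certificates Manually (CLI)), and UAC is assumed to be enabled in the relevant security policies.

```junos
# Added example (not from the original page). Assumed values: IC1/IC2,
# 10.10.10.1-2, ge-0/0/1.0, the password, the certificate subject and
# the CA profile "uac-ca", which must already hold the CA certificate.
[edit]
user@host# set services unified-access-control infranet-controller IC1 address 10.10.10.1
user@host# set services unified-access-control infranet-controller IC1 interface ge-0/0/1.0
user@host# set services unified-access-control infranet-controller IC1 password "s3cr3t-shared-with-IC"
user@host# set services unified-access-control infranet-controller IC1 server-certificate-subject "CN=ic.example.com"
user@host# set services unified-access-control infranet-controller IC1 ca-profile uac-ca

# Second cluster member: same password, interface, certificate subject
# and CA profile, different address. Both members must be in one cluster.
user@host# set services unified-access-control infranet-controller IC2 address 10.10.10.2
user@host# set services unified-access-control infranet-controller IC2 interface ge-0/0/1.0
user@host# set services unified-access-control infranet-controller IC2 password "s3cr3t-shared-with-IC"
user@host# set services unified-access-control infranet-controller IC2 server-certificate-subject "CN=ic.example.com"
user@host# set services unified-access-control infranet-controller IC2 ca-profile uac-ca

# Review the resulting stanza before committing.
user@host# show services unified-access-control
user@host# commit

# After the commit, confirm that the device has established its
# connection to the controller cluster.
user@host> show services unified-access-control status
```

Before committing, confirm that the password, the certificate subject and the CA profile on the device match what the Infranet Controller actually presents and expects; a mismatch in any of them leaves the enforcer disconnected, and while it is disconnected the UAC-enabled security policies cannot obtain authentication results from the controller. If you omit the two certificate statements, the device still connects, but it no longer checks which CA issued the controller's certificate, so keep them in place for every controller in the list.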
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Understanding Communications Between the JUNOS Enforcer and the Infranet Controller