Understanding the Captive Portal on the JUNOS Enforcer

In a Unified Access Control (UAC) deployment, users might not be aware that they must first sign in to the Infranet Controller for authentication and endpoint security checking before they are allowed to access a protected resource behind the JUNOS Enforcers. To help users sign in to the Infranet Controller, you can configure the captive portal feature. The captive portal feature allows you to configure a policy in the JUNOS Enforcer that automatically redirects HTTP traffic destined for protected resources to the Infranet Controller or to a URL configured in the JUNOS Enforcer.

You can configure a captive portal for deployments that use either source IP enforcement or IPsec enforcement, or a combination of both enforcement methods.

Figure 37 shows the captive portal feature enabled on a JUNOS Enforcer. Users accessing protected resources are automatically redirected to the Infranet Controller:

  1. Users point to a protected resource using the browser.
  2. The JUNOS Enforcer determines that the user is not authenticated and redirects the request to the Infranet Controller or another server.
  3. Users enter their Infranet username and password to log in.
  4. The Infranet Controller passes the user credentials to an authentication server.
  5. After authentication, the Infranet Controller redirects the users to the protected resource they wanted to access.

Figure 37: Enabling the Captive Portal Feature on a JUNOS Enforcer


By default, the JUNOS Enforcer encodes and forwards to the Infranet Controller the protected resource URL that the user entered. The Infranet Controller uses the protected resource URL to help users navigate to the protected resource. The manner in which the Infranet Controller uses the protected resource URL depends on whether or not the user’s endpoint is running the Odyssey Access Client or JUNOS Pulse. If the user’s endpoint is not running the Odyssey Access Client or JUNOS Pulse (that is, it is in an agentless or Java agent configuration), the Infranet Controller automatically opens a new browser window and uses HTTP to access the protected resource after the user signs in. If the endpoint is using the Odyssey Access Client, the Infranet Controller inserts a hypertext link in the webpage that automatically opens after the user signs in. The user must then click that hypertext link to access the protected resource by means of HTTP in the same browser window.

The JUNOS Enforcer supports the captive portal feature only for HTTP traffic. If you attempt to access a protected resource by using HTTPS or a non-browser application (such as an e-mail application), the JUNOS Enforcer does not redirect the traffic. When using HTTPS or a non-browser application, you must manually sign in to the Infranet Controller before attempting to access protected resources.
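The following simplified model of steps 2 and 5 is an added example, not Juniper code or configuration. It shows why the protected resource URL must be encoded as a single value and why only plaintext HTTP yields a redirect; the sign-in address, the `target` parameter name, and the function names are assumptions made for illustration.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Assumptions for illustration only; neither value comes from the page.
SIGN_IN_URL = "https://ic.example.test/"  # hypothetical Infranet Controller address
TARGET_PARAM = "target"                   # hypothetical query parameter name

def parse_http_request(payload: bytes):
    """Return the absolute URL requested in a plaintext HTTP request, else None."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None  # e.g. a TLS handshake: no readable request line
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # not an HTTP request line (e.g. an SMTP greeting)
    host = next((ln.split(":", 1)[1].strip() for ln in lines[1:]
                 if ln.lower().startswith("host:")), None)
    return f"http://{host}{parts[1]}" if host else None

def enforcer_decision(payload: bytes, authenticated: bool):
    """Step 2 of the flow: permit, redirect, or leave the traffic unredirected."""
    if authenticated:
        return ("permit", None)
    url = parse_http_request(payload)
    if url is None:
        return ("no-redirect", None)  # HTTPS or non-browser traffic
    # Encode the whole URL so its own '?', '&' and '=' survive as one value.
    return ("redirect", f"{SIGN_IN_URL}?{TARGET_PARAM}={quote(url, safe='')}")

def controller_target(location: str):
    """Step 5: recover the protected resource URL from the redirect."""
    return parse_qs(urlsplit(location).query)[TARGET_PARAM][0]

# Constructed sample traffic (not captured from a real deployment).
HTTP_REQ = (b"GET /reports?id=7&view=full HTTP/1.1\r\n"
            b"Host: hr.example.test\r\n\r\n")
TLS_HELLO = bytes.fromhex("160301020001000100fc0303")  # start of a TLS record
SMTP = b"EHLO client.example.test\r\n"

if __name__ == "__main__":
    for name, data in [("http", HTTP_REQ), ("https", TLS_HELLO), ("smtp", SMTP)]:
        print(name, enforcer_decision(data, authenticated=False))
```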
