Identity and Policy Control
Contributor
Kamran
Posts: 45
Registered: ‎07-01-2008

How to check Computer Certificates on clients by IC-4000

Background:

  • I was using 802.1x authentication by using computer certificates through IAS.
  • I am using ISG-1000 Firewall as Internal Firewall / for LAN.
  • Active Directory, CA, DHCP, DNS are in Trust Zone.
  • IAS, ADAM, and IC-4000 are in DMZ Zone.
  • All users (Clients) are in Untrust Zone.
  • Switches are configured for DHCP Relaying.
  • Multiple (5) Dynamic VLANs are configured on switches + on Firewall.
  • Routing is done through Firewall among all VLANs + Zones.


Now I want to remove IAS and use the IC-4000 as the RADIUS server. I configured the IC-4000 as RADIUS server by adding its IP on the switches and making the switches IC-4000's clients. I created a Location Group and a sign-in policy and added that location group.

Every time my clients try to log in, it fails and shows the following error:

 Required Certificate is missing, wrong Certificate

and authentication fails; the client can't even get an IP.

I added the CA certificate to Trusted CAs on the IC-4000.

I have also configured RADIUS attribute policies for VLAN assignment.

 

What configuration steps are required on the IC-4000 to work as a RADIUS server and check computer certificates, so that the client gets an IP according to its VLAN? What configuration is required for OAC?

 

I need an urgent reply, please...

Mr Manoj, where are you, man? Everyone is welcome to respond immediately.

 

Thanks / Regards

 

Raja M Kamran

 

 

Trusted Contributor
ManojReddy
Posts: 38
Registered: ‎03-18-2008

Re: How to check Computer Certificates on clients by IC-4000


1) Load the CA certificate onto the IC's Trusted Client CA certificates list and set certificate status checking to whatever suits your deployment (you can set it to none if you are unsure). Make sure you select the "Trusted for Client Authentication?" checkbox and save settings.

2) Create a new Certificate Auth Server, give it a name and just save changes. There is nothing much to configure here.

3) Create a new Authentication Protocol Set. You can have two possible configurations here (choose any one):

    a) remove EAP-TTLS and EAP-PEAP from the selected protocols list, add EAP-TLS, and save the auth protocol set by giving it a name.
    b) remove EAP-TTLS from the selected protocols list, and under the PEAP section remove the existing entries under selected protocols, add EAP-TLS only, and save the auth protocol set.

4) You need to have the protocol config in the OAC profile as well:

    a) Create a profile in OAC and uncheck the "permit login using password" checkbox.

    b) Under the Authentication tab, remove EAP-TTLS and add EAP-TLS or EAP-PEAP depending on which auth protocol set you created on the IC. If you selected EAP-PEAP, go to the PEAP tab, remove the existing protocols and add EAP-TLS.

 

5) Under User Info -> Certificate tab, select "permit login using my certificate" and "use automatic cert selection".

6) Use this profile in OAC for authenticating to the IC.

7) Create a sign-in URL on the IC which uses the just-created auth protocol set and associate it with a realm which uses the just-created certificate auth server. Create roles as per your requirement.

8) Create a Location Group and attach it to this sign-in URL, add RADIUS clients and create RADIUS attribute policies as per your requirement.

 

 

Let me know if things are not working.

 

The problems with this config are:

 

1) You won't be able to do host checks.

2) You won't be able to use the firewall as an Infranet Enforcer with Infranet Auth policies.

 

Reply if you need any of the above things; I can suggest other options.

 

Thanks

 

 

 

Message Edited by ManojReddy on 09-09-2008 12:40 PM
Contributor
Kamran
Posts: 45
Registered: ‎07-01-2008

Re: How to check Computer Certificates on clients by IC-4000

Hi

 

Thanks for your immediate response, but I am facing a few difficulties...

 

> 3) Create a new Authentication Protocol Set. You can have two possible configurations here (choose any one): a) remove EAP-TTLS and EAP-PEAP from the selected protocols list, add EAP-TLS, and save the auth protocol set by giving it a name. b) remove EAP-TTLS from the selected protocols list, and under the PEAP section remove the existing entries under selected protocols, add EAP-TLS only, and save the auth protocol set.

 

Manoj, where is this feature in the IC-4000's interface? I can't find anything like this.

 

A few more questions for you:

  1. I want to check patches, OS version, and installed applications like Oracle, MS Office etc.
  2. Also, can the IC-4000 update patches or antivirus automatically?
  3. One more thing: I want to check a registry entry; if this entry is not present on a client system, it should be disallowed from accessing the network, and a mail should be sent to the administrator.
  4. The domain name must be verified before DHCP assigns an IP address.

 

Also, tell me how I can use the ISG-1000 firewall as an enforcer with 802.1x (computer certificates).

Or give me suggestions on what changes can be made to my scenario to achieve the required goals.

 

Thanks / Regards,

 

 

Raja M Kamran

 

 

Trusted Contributor
ManojReddy
Posts: 38
Registered: ‎03-18-2008

Re: How to check Computer Certificates on clients by IC-4000


> Where is this feature in the IC-4000's interface? I can't find anything like this.

 
In the IC's Admin UI under: Authentication -> Signing In -> Authentication Protocol Sets -> New Authentication Protocols Set
 
> I want to check patches, OS version, installed applications like Oracle, MS Office etc.
 
You can do this by creating a Host Checker policy of the "Custom: Patch Assessment" type. Inside the Patch Assessment HC policy, select the software and patches you want to check for (refer to the UAC Admin guide for more details on how to do this).
 
> Also, can the IC-4000 update patches or antivirus automatically?
 
The IC can launch LiveUpdate for updating antivirus signatures. Inside the HC policy that you are using for checking antivirus on endpoints, enable the "Download Latest Virus Definition Files" checkbox.
If this is enabled, when the IC checks the user's PC and finds that the antivirus definitions are not the latest, it automatically launches the LiveUpdate of AV signatures in the background (the user can't see that LiveUpdate is running). Once LiveUpdate finishes downloading new definitions, your AV program will have the latest definitions.
 
The IC currently doesn't have the capability to update patches for any software on the user's PC. The IC only supports automatic update of AV definitions.
 
> The domain name must be verified before DHCP assigns an IP address.
 
This can be done with HC checks of the "Custom: Registry Setting" type. Find out which registry key in Windows stores the domain name, create an HC policy to check for that particular registry key, and assign the HC policy to a role.
 
If you want to check the NetBIOS name of the user's PC, you can create a "Custom: NetBIOS" HC policy and check for a particular NetBIOS name.

Message Edited by ManojReddy on 09-16-2008 11:49 AM
Contributor
Kamran
Posts: 45
Registered: ‎07-01-2008

Re: How to check Computer Certificates on clients by IC-4000

hi

 

I am still facing difficulties logging in using certificates... give me suggestions on what to do.

I told you I want to check computer certificates, not user certificates, but in the OAC properties, when I click on Certificate it shows only the user's certificates, not computer certs.

 

If you want to give suggestions regarding changes to the scenario, please go ahead.

I am tired now... it is very difficult.

actually my Goals are

 

  1. 802.1x implementation using only computer certificates; users have no certificates
  2. Dynamic VLAN assignment based on computer groups (department-wise)
  3. AV and patch check and remediation
  4. Remediation VLAN assignment if point no. 3 fails
  5. Quarantine VLAN assignment if point no. 1 fails (computer has no certificate)

Questions that arise in my mind:

  • Whether I should use the firewall as an enforcer or not, and why?
  • Is it possible to do both computer certificate checking and group membership checking (2 different servers, CA / AD)?
  • What configurations are required at the client (OAC configuration) + XP SP3 802.1x configuration?

 

Please help me!

 

Raja M Kamran

 

Trusted Contributor
ManojReddy
Posts: 38
Registered: ‎03-18-2008

Re: How to check Computer Certificates on clients by IC-4000


Your problem description "802.1x authentication using computer certificates" misled me into thinking that you are using certificate authentication :=) .

 

1) Use AD as the auth server for the realm and create role mapping rules based on AD group lookup, mapping users to 3 roles (dept role, remediation role and quarantine role, in that order).

2) Make sure that the certificate CA is added to the trusted CA list on the IC.

3) On the IC, create 3 Host Checker policies:

    a) Custom: Antivirus policy for checking antivirus on the user's computer. Configure which AV parameters you want to check.

    b) Custom: Patch Assessment policy for checking patches for specific software on the user's PC.

    c) Custom: Machine Certificate policy for checking the computer certificate. Make sure you select the proper CA which issued the machine certificate. You can also configure other certificate parameters you want to check for.

4) Assign all three HC policies to the dept role, assign the Machine Cert HC policy to the remediation role, and leave the quarantine role without any HC policies.

 

5) Now create RADIUS attribute policies for each role in the following order:

 

  a) Applies to the dept role and returns the dept's VLAN ID

  b) Applies to the remediation role and returns the remediation role's VLAN ID

  c) Applies to the quarantine role and returns the quarantine role's VLAN ID

 

> Questions that arise in my mind:

> • Whether I should use the firewall as an enforcer or not, and why?
 
This matters when you are using a non-EAP-JUAC inner auth protocol for authentication (for example, when you are using user certs for authentication): the IC doesn't know the user's IP and can't enforce Infranet auth policies on the FW.
 
> • Is it possible to do both computer certificate checking and group membership checking (2 different servers, CA / AD)?
 
If you are checking for machine certificates using a Host Checker policy, YES, it is possible. In this case you don't have to create a Certificate auth server; just use the AD auth server.
 
> • What configurations are required at the client (OAC configuration) + XP SP3 802.1x configuration?

  

Nothing fancy. Just add the adapter on which you are doing 802.1x, select the profile you want to use, and configure the required username/password settings in the profile.

 

 

Message Edited by ManojReddy on 09-18-2008 08:30 AM
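Added example, not from the thread or from Juniper: a PowerShell check to run on the client that mirrors the two Host Checker conditions Manoj describes above (a machine certificate in the computer store issued by the expected CA, and the domain name held in the TCP/IP registry parameters), so you can confirm the endpoint state before troubleshooting the IC policy. The issuer CN and domain name are placeholders; using the Tcpip\Parameters "Domain" value as the key the registry policy should compare is an assumption.

```powershell
# Added example (not from the thread or Juniper): verify on the endpoint what the
# "Custom: Machine Certificate" and "Custom: Registry Setting" Host Checker policies
# discussed above would check. Run in an elevated PowerShell on the client.
param(
    [string]$ExpectedIssuerCN = 'EXAMPLE-CA',    # placeholder: CN of the issuing CA
    [string]$ExpectedDomain   = 'example.local'  # placeholder: your AD DNS domain
)

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, needed for EAP-TLS
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) { if ($eku.Value -eq $clientAuthOid) { return $true } }
            return $false
        }
    }
    return $false   # no EKU extension at all: not usable for client authentication
}

function Test-MachineCertificate {
    param([string]$IssuerCN)
    $now = Get-Date
    # Computer certificates live in LocalMachine\My. The OAC certificate picker lists
    # CurrentUser\My, which is why only user certificates appeared there.
    $found = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Issuer -match "CN=$([regex]::Escape($IssuerCN))" -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.HasPrivateKey -and (Test-ClientAuthEku -Certificate $_)
    }
    return (@($found).Count -gt 0)
}

function Test-DomainRegistry {
    param([string]$Domain)
    # Assumption: the primary DNS suffix under Tcpip\Parameters is the value the
    # registry-setting policy should compare; adjust if you check another key.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $item = Get-ItemProperty -Path $key -Name 'Domain' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Domain -eq $Domain)
}

$certOk   = Test-MachineCertificate -IssuerCN $ExpectedIssuerCN
$domainOk = Test-DomainRegistry -Domain $ExpectedDomain
# Which of the three roles from step 1 the endpoint should land in, given the checks above
New-Object PSObject -Property @{
    MachineCertificateOK = $certOk
    DomainRegistryOK     = $domainOk
    ExpectedRole         = $(if ($certOk -and $domainOk) { 'dept role' } elseif ($certOk) { 'remediation role' } else { 'quarantine role' })
}
```

A false MachineCertificateOK with a certificate present usually means the issuer, validity period, private key or Client Authentication EKU does not match, which is also what the IC policy would reject.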
Contributor
Kamran
Posts: 45
Registered: ‎07-01-2008

Re: How to check Computer Certificates on clients by IC-4000

hi

 

Thanks a lot, Mr. Manoj, for your kind help; now I am on my way. I just upgraded my IC and now these options, like Authentication Protocol Set, are available to me. Actually, I was using UAC 2.0 R2.

 

I will tell you soon about my progress...

 

Once again, I am very grateful for your quick and helpful responses.

 

One thing I want to ask: which certificate attributes can I use for checking client system validation?

Reply to me with the CA attributes.

 

 

Thanks

 

Take great care

 

Raja M Kamran

 

Contributor
Kamran
Posts: 45
Registered: ‎07-01-2008

Re: How to check Computer Certificates on clients by IC-4000

dear Manoj

 

Thanks for your help, it's working now. The Host Checker policy for computer certificates is working fine, but another problem I am facing is that a new user whose profile is not on the system can't log in!

 

I tried various combinations of authentication through the OAC client, but it's not working.

Actually, the problem is that the computer gets an IP from DHCP after the user's login --> OAC connects to IC --> user authentication performs --> VLAN assignment.

 

Now please help me in this regard.

I want the computer to get an IP before the user's login, because I am just checking computer certificates and doing VLAN assignment based on computer groups (dept-wise computer groups).

 

Or if you can suggest a better solution, you are welcome.

 

Thanks / Regards

 

Raja

Trusted Contributor
ManojReddy
Posts: 38
Registered: ‎03-18-2008

Re: How to check Computer Certificates on clients by IC-4000

New AD users won't be able to log in to Windows, as the machine doesn't have cached credentials for the new user locally.

 

How to get it to work: you can enable 'GINA' in OAC.

 

When GINA is enabled: after the Windows user gives his username and password (in the Windows login prompt), OAC captures the credentials, pauses Windows login, authenticates the user with the IC, puts the machine into the authorised VLAN (based on your config), and then allows Windows to continue its logon process. When Windows starts the login process, the machine already has an IP address, so it can reach the Domain Controller to authenticate the new user.

 

Please refer to the OAC Admin guide and OAC user guide to learn how to enable GINA in OAC.

 

Thanks

Manoj

 

 

Contributor
Kamran
Posts: 45
Registered: ‎07-01-2008

Re: How to check Computer Certificates on clients by IC-4000

One more thing I found out: the IC doesn't check computer / machine membership in groups! Is that true?

Because I added a user and a computer to the same group, say Finance, and it was working; when I removed the user from Finance and logged in again, it didn't get the Finance VLAN. Why?

 

 

thanks

 

Raj

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.