Identity and Policy Control
New User
zilou
Posts: 3
Registered: 07-19-2012
Accepted Solution

MAG 2600 UAC/SRX Infranet Enforcer/Active Directory - Issue with Multiple Users on a single Laptop

Hello all,

I set up a MAG with an SRX Enforcer linked to Active Directory, and I still have some questions/issues.

Users are authenticated for Internet access using their Active Directory account when they open their browser.

1. Is it possible to make the authentication completely seamless from the user's perspective (just using the AD credentials entered at boot)?

2. The user needs to enter login/password once, and it lasts until the laptop reboots (is this the normal behaviour?)

3. We are using Citrix for some users, and when one user on the Citrix server is authenticated, all the others benefit from this authentication. Is this normal? Is there a way to bypass this behaviour?

Thanks for your help

SRX Release: 12.1R2.9

UAC Release: 4.2R2

 

Trusted Expert
kalagesan
Posts: 380
Registered: 08-09-2011

Re: MAG 2600 UAC/SRX Infranet Enforcer/Active Directory - Issue with Multiple Users on a single Laptop

Hi,

Your requirement can be achieved through the "User Role Access with the SRX Series" feature introduced in IC 4.2R1, i.e. the SPNEGO SSO feature.

Using this feature, a user role firewall policy that does not require an agent on endpoints provides user role support on the SRX Series device for specific applications.

Active Directory support allows authenticated users with Kerberos single sign-on (SSO) to access different resources without passing through the Junos Pulse Access Control Service for reauthentication.

UAC Solution Guide for SRX Series Services Gateways:

http://www.juniper.net/techpubs/software/uac/4.2xguides/j-ic-uac-4.2-srxsolution.pdf

IC 4.2 admin guide, refer to "User Role Access with the SRX Series Firewall", chapter 8, page 219, for more information:

http://www.juniper.net/techpubs/software/uac/4.2xguides/j-ic-uac-4.2-adminguide.pdf

Hope this clarifies your query

Regards,

Kannan

New User
zilou
Posts: 3
Registered: 07-19-2012

Re: MAG 2600 UAC/SRX Infranet Enforcer/Active Directory - Issue with Multiple Users on a single Laptop

Hello

Thanks for your reply. I've implemented this solution, which works well.

Except that when using Citrix, it seems that once a user is authenticated from this Citrix server (IP address), all other users are authenticated too and benefit from the rights of the first authenticated user.

Any idea?

Regards

Contributor
rrosiak
Posts: 12
Registered: 10-20-2011

Re: MAG 2600 UAC/SRX Infranet Enforcer/Active Directory - Issue with Multiple Users on a single Laptop


Hi,

The SRX is an L3 auth enforcer. L3 auth means that the MAG pushes an auth entry, based on the role-mapped resource, to the SRX. The SRX uses the IP of the end-user station to create the corresponding source-IP UAC rule. When the first user authenticates, all other users will share the same resource access, because the SRX is simply not able to distinguish those users. For the SRX, that particular IP address (the Citrix server) is already authenticated.

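The behaviour rrosiak describes, as an added example that is not part of the original thread and not Juniper's code: a small Python model of a source-IP-keyed auth table (the first user bound to an IP wins, which is what the thread reports for the Citrix server), the one-IP-per-session workaround, and a check over constructed auth events that flags source IPs from which more than one user has authenticated. The role names, resource names, IP addresses and event format are assumptions made for the example.

```python
"""
Model of an L3 (source-IP keyed) auth enforcer as described in the thread:
the enforcer keeps one auth entry per source IP, so every user behind a
shared IP (e.g. a Citrix server) inherits the role of whoever authenticated
first. Constructed example, not Juniper code; policy, IPs and event shape
are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class L3Enforcer:
    """Auth table keyed purely by source IP (one entry per IP, first user wins)."""
    # role -> set of resources that role may reach (assumed policy)
    policy: dict
    # src_ip -> (user, roles)
    auth_table: dict = field(default_factory=dict)

    def push_auth(self, src_ip, user, roles):
        """Called when the IC/MAG pushes an auth entry for an endpoint IP.
        A second user from the same IP does not replace the first entry."""
        if src_ip not in self.auth_table:
            self.auth_table[src_ip] = (user, frozenset(roles))
        return self.auth_table[src_ip]

    def allowed(self, src_ip, resource):
        """Policy lookup: only the source IP is visible to the enforcer, so
        access depends on whichever user's entry is bound to that IP."""
        entry = self.auth_table.get(src_ip)
        if entry is None:
            return False
        _, roles = entry
        return any(resource in self.policy.get(r, ()) for r in roles)

    def effective_user(self, src_ip):
        entry = self.auth_table.get(src_ip)
        return entry[0] if entry else None


# Assumed role-to-resource policy.
POLICY = {"finance": {"erp.corp.example"}, "staff": {"intranet.corp.example"}}


def shared_ip_scenario():
    """alice (finance) and bob (staff) both log on via Citrix at 10.0.5.20."""
    enf = L3Enforcer(POLICY)
    enf.push_auth("10.0.5.20", "alice", {"finance"})
    enf.push_auth("10.0.5.20", "bob", {"staff"})
    # bob's traffic leaves the Citrix server from the same IP, so the
    # enforcer applies alice's entry: bob reaches the ERP he should not.
    return enf.effective_user("10.0.5.20"), enf.allowed("10.0.5.20", "erp.corp.example")


def per_session_ip_scenario():
    """Workaround from the thread: one IP per Citrix session."""
    enf = L3Enforcer(POLICY)
    enf.push_auth("10.0.5.21", "alice", {"finance"})
    enf.push_auth("10.0.5.22", "bob", {"staff"})
    return enf.allowed("10.0.5.21", "erp.corp.example"), enf.allowed("10.0.5.22", "erp.corp.example")


def shared_source_ips(events):
    """Detection: source IPs from which more than one distinct user has
    authenticated. Each is an endpoint where IP-based enforcement collapses
    identities (terminal servers, NAT, jump hosts)."""
    users_by_ip = defaultdict(set)
    for ev in events:
        if ev["event"] == "AUTH_SUCCESS":
            users_by_ip[ev["src_ip"]].add(ev["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}


# Constructed auth events in a simplified shape (not a real IC log format).
SAMPLE_EVENTS = [
    {"event": "AUTH_SUCCESS", "user": "alice", "src_ip": "10.0.5.20"},
    {"event": "AUTH_SUCCESS", "user": "bob", "src_ip": "10.0.5.20"},
    {"event": "AUTH_SUCCESS", "user": "carol", "src_ip": "10.0.7.33"},
    {"event": "AUTH_FAILURE", "user": "dave", "src_ip": "10.0.7.33"},
    {"event": "AUTH_SUCCESS", "user": "carol", "src_ip": "10.0.7.33"},
]

if __name__ == "__main__":
    print(shared_ip_scenario())          # ('alice', True): bob inherits alice's access
    print(per_session_ip_scenario())     # (True, False): per-session IPs separate them
    print(shared_source_ips(SAMPLE_EVENTS))  # {'10.0.5.20': ['alice', 'bob']}
```

Running the shared-IP check against the IC's authentication records (or the SRX's auth-table output) is the practical way to find every shared endpoint, not only the known Citrix servers, before deciding which ones need per-session addressing.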
New User
zilou
Posts: 3
Registered: 07-19-2012

Re: MAG 2600 UAC/SRX Infranet Enforcer/Active Directory - Issue with Multiple Users on a single Laptop

Thanks a lot for your answer.

The setup is fine and works well, except for Citrix, but a workaround exists: dedicating one IP per Citrix session.

Regards

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.