Juniper Employee
aronow
Posts: 36
Registered: ‎11-06-2007
Re: UAC with IC4000 and 802.1x - Remediation question

Martin,

Off the top of my head, there are a couple of things that could cause auth table entries not to get pushed:

1) If the IC believes the client machine's communication is NATed to the IC

2) If the FW does not have any defined Infranet auth policies

3) If the IC auth table mapping policy is configured for dynamic (for testing, you should start out with the always provision setting; that is the default)

4) If no IE resource policies are defined on the IC

So first, I would say verify that the IC and the client are communicating directly (without NAT).

Second, make sure you have some Infranet auth policies defined on the FW (in the FW GUI, these policies will show with a little shield icon).

Third, verify your IC configuration to make sure your resource policies and your auth table mapping policies are defined correctly.

Hope some of that helps. If not, it might be time to call JTAC.

Thanks, sir.

-Jeff

Visitor
martin_xon
Posts: 2
Registered: ‎02-02-2009
Re: UAC with IC4000 and 802.1x - Remediation question

Hi Aronow,

The auth table is now published to the Enforcer and everything seems to be working.

The rest to be done:
===============
I am able to authenticate to the IC directly (by opening up IE and connecting to a specific URL on the IC) by means of using the "System Local" and "LDAP/AD" databases as authentication servers.

With regards to LDAP and RADIUS, I have a quick question:

Do I have to create a "Location Group" and "RADIUS Client" under "UAC>Network Access>Location Group" and also under "UAC>Network Access>Radius Client" for LDAP to work in conjunction with the local RADIUS (SBR) setup on the IC, for seamless authentication?

I am, however, still experiencing some problems with authenticating to the IC by means of the Odyssey client (OAC), but I think this may be a slight misconfiguration that I have done on the IC.

Ok, so all that is left for me to do now is the following:
---------------------------------------------------------------------

  • Integrate UAC into the MSGina. How will I attempt this, as I have never changed the MSGina before?
  • Use LDAP authentication and be assigned to the correct VLAN (currently everyone is assigned to the trust VLAN using LDAP, but this can be a configuration issue, as SBR (System Local database) assigns the correct VLAN)
  • Integrate IDP with the whole UAC solution
  • When an endpoint is in the Compliance/Trusted VLAN and starts an attack against, let's say, the IIS server, it is then reassigned by means of the IDP to the Out of Compliance/Untrusted VLAN until the attack is stopped or resolved.


When all this is done, I will be able to do the demo to our partner's customer, as they want to see it.

Regards,

Martin

Message Edited by martin_xon on 03-11-2009 02:08 AM
Message Edited by martin_xon on 03-11-2009 02:10 AM