03-15-2012 03:17 AM
Hi all,
What is required in UAC to run 802.1x?
Can we propose the following:
1 x UAC (MAG4610, ok?)
1 x 500 users (what is the part number?)
500 x 802.1x client (Junos Pulse client or OAC?)
Is 802.1x client required?
03-15-2012 04:31 AM
Hi Michael,
I understand that you are working on a UAC deployment with 802.1X, and you wanted to know whether the hardware, software and license specifications below are correct.
1 x UAC (MAG4610, ok?)
1 x 500 users (what is the part number?)
500 x 802.1x client (Junos Pulse client or OAC?)
Yes, the above recommendations are valid; however, you may need to include a Juniper EX switch or access point, since
UAC 802.1X can be implemented
A normal dot1x setup is given below:
OAC/Pulse - supplicant
EX switch / access point - authenticator
IC - authentication server
The MAG4610 hardware can support up to 5000 endpoints, so your requirement of 500 users is possible: you can procure a 500-user endpoint license, and you can use OAC or the Pulse client as the 802.1X supplicant.
I would also recommend that you work with your Juniper account team or systems engineer to validate the above details. They are the best point of contact and can help with the appropriate and correct information for deployment requirements. Hope this helps.
NOTE:
Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks!!
Regards,
Kannan
03-15-2012 06:45 AM
Michael - Kannan covered the fact that the box will do just fine. And of course he is right that you need some form of a switch and/or a firewall for 802.1x enforcement.
To comment on your last question - Is 802.1x client required? - the short answer is yes. But the longer answer is you do have some options. You can use the Juniper Pulse or OAC clients, or you can use a native 802.1x supplicant. I am in the midst of helping a customer do a very large-scale deployment using only native supplicants (Windows & OS X).
You have to have some client unless you just want to do MAC authorization (whitelist, blacklist) - the difference is in functionality / features. Native supplicants will only do layer 2 based authentication using certificates or credentials, while the Juniper clients let you work at layer 3, let you do host check.......
So as always the answer is "it depends" - Hope this helps.
03-15-2012 03:43 PM
Isn't that the case very often: it depends?
03-15-2012 08:47 PM
Hi all,
Assuming the switches are 802.1x compliant and the FW are non-Juniper, what would be the BOM components needed for this?
Is this okay?
1 x UAC (MAG4610)
1 x 500 users (part number: ACCESSX600-ADD-500U)
500 x 802.1x client (Junos Pulse client or OAC)
What are the differences between Junos Pulse client and OAC?
03-15-2012 10:45 PM
Hi Michael,
Yes, the hardware and license below look good.
1 x UAC (MAG4610)
1 x 500 users (part number: ACCESSX600-ADD-500U)
500 x 802.1x client (Junos Pulse client or OAC)
If the switches are 802.1x compliant, that should be fine and it is supported; you can add the switch as a RADIUS client in the UAC (MAG4610). This is sufficient for layer 2 authentication.
For layer 3 enforcement, non-Juniper firewalls are not supported in UAC. You need a Juniper ScreenOS or Junos-based (SRX) firewall for layer 3 enforcement.
On the difference between OAC and the Pulse client, I will update you shortly.
Regards,
Kannan
03-15-2012 11:15 PM
Hi Michael,
Please find the requested information on OAC and the Pulse client:
• Odyssey Access Client (OAC) - You can configure the IC Series device to automatically install OAC on supported Windows endpoints. You can manually install OAC on Macintosh endpoints. OAC includes built-in components (including Host Checker) to provide maximum protection and functionality.
• Junos Pulse - UAC provides a single, dynamic, integrated multiservice client for Windows. Pulse is an intelligent, location-aware network access and acceleration client. Pulse delivers identity-enabled network security and access control, providing comprehensive endpoint security. Host Checker is integrated into Pulse. In addition to using the client with a UAC deployment, Pulse supports the SA Series Secure Access platform, WAN acceleration (WX), and Juniper Networks SRX Series devices as a dynamic virtual private network (VPN) client. You can deploy Pulse to endpoints that access one device, such as an IC Series device, and those endpoints can access SSL VPN with the same client.
Hope the above information helps; if you need more information on this, please refer to the OAC and Pulse admin guides.
You can access the OAC and Pulse admin guides using the URLs below:
https://download.juniper.net/software/aaa_802/publ
http://www.juniper.net/techpubs/software/pulse/gui
Regards,
Kannan
03-16-2012 01:39 AM
Hello,
The Junos Pulse Admin Guide has a chapter which describes a client software feature comparison, including OAC and Junos Pulse.
http://www.juniper.net/techpubs/software/pulse/gui
Refer to Table 8 on page 107.
Hope that helps.
03-22-2012 08:32 AM
Michael - the differences between L2 and L3 are control based, i.e. what can you do with the traffic for that resource? L2 allows you to authenticate and then decide what will happen at layer 2: assign to a specific VLAN, open the port....
You are not dealing with the traffic flows except at the port / VLAN level.
When you work at L3 you are of course authenticating / not authenticating, but now you have the ability to control traffic at layer 3 and higher - all the way up to layer 7. So now you are dealing at the IP address / packet content level in terms of your ability to control traffic flows.
Does that make sense?
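As an added illustration (not code from the thread or from Juniper), the Python below shows the concrete form of the "assign to a specific VLAN" L2 decision described above: the RADIUS Access-Accept attributes an authentication server such as the IC returns to the switch (the RADIUS client), and how the switch parses them back, rejecting malformed attribute lengths. The attribute numbers and values are the standard RFC 2868/3580 ones; the function names are my own.

```python
import struct

# Standard RADIUS attribute numbers (RFC 2868) used for 802.1X VLAN assignment (RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6   # Tunnel-Medium-Type value meaning "IEEE-802"

def _tlv(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def vlan_assignment_attributes(vlan_id, tag=1):
    """Attributes the authentication server returns in Access-Accept to put the port in vlan_id.
    Tagged integers: tag in byte 0, value in the other 3 bytes; the group id is tag + ASCII VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    def tagged_int(v):
        return bytes([tag]) + struct.pack("!I", v)[1:]
    return (_tlv(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + _tlv(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE802))
            + _tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def parse_attributes(data):
    """Split an attribute blob into (type, value) pairs; reject truncated or bogus lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs

def assigned_vlan(data):
    """What the switch (authenticator) extracts: the VLAN id, or None if not an IEEE-802 VLAN."""
    by_type = dict(parse_attributes(data))
    if not all(t in by_type for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    val = lambda t: int.from_bytes(by_type[t][1:], "big")  # skip the tag byte
    if val(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or val(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE802:
        return None
    group = by_type[TUNNEL_PRIVATE_GROUP_ID]
    group = group[1:] if group and group[0] <= 0x1F else group  # drop tag byte if present
    return int(group) if group.isdigit() else None
```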