michael.saw

What is required for UAC to run 802.1x?

Hi all,

What is required in UAC to run 802.1x?

Can we propose the following:

1 x UAC (MAG4610, ok?)

1 x 500 users (what is the part number?)

500 x 802.1x client (Junos Pulse client or OAC?)

Is 802.1x client required?

Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
kalagesan

Re: What is required for UAC to run 802.1x?

Hi Michael,

I understand that you are working on a UAC deployment with 802.1X, and you wanted to know whether the below hardware, software, and license specifications are correct.

1 x UAC (MAG4610, ok?)

1 x 500 users (what is the part number?)

500 x 802.1x client (Junos Pulse client or OAC?)

Yes, the above recommendations are valid; however, you may need to include a Juniper EX switch or access point since UAC 802.1X can be implemented

A normal dot1x setup is given below:

OAC/Pulse - supplicant

EX switch / access point - authenticator

IC - authentication server

The MAG 4610 hardware can support up to 5000 endpoints. Your requirement of 500 users is possible: you can procure a 500-user endpoint license, and you can use OAC or the Pulse client as 802.1X supplicants.

I would also recommend that you work with the Juniper account team or a systems engineer to validate the above details. They are the best point of contact and can help with the appropriate information for deployment requirements. Hope this helps.

NOTE:
Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks!!

Regards,
Kannan

muttbarker

Re: What is required for UAC to run 802.1x?

Michael - Kannan covered the fact that the box will do just fine. And of course he is right that you need some form of a switch and/or a firewall for 802.1x enforcement.

To comment on your last question - Is 802.1x client required? - the short answer is yes. But the longer answer is you do have some options. You can use the Juniper Pulse or OAC clients or you can use a native 802.1x supplicant. I am in the midst of helping a customer do a very large scale deployment using only native supplicants (Windows & OS/X).

You have to have some client unless you just want to do MAC Authorization (whitelist, blacklist) - the difference is in functionality / features. Native supplicants will only do layer 2 based authentication using certificates or credentials, while the Juniper clients let you work at layer 3, let you do host check...

So as always the answer is "it depends" - Hope this helps.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Screenie

Re: What is required for UAC to run 802.1x?

Isn't that the case very often: it depends? :(

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
michael.saw

Re: What is required for UAC to run 802.1x?

Hi all,

Assuming the switches are 802.1x compliant and the FWs are non-Juniper, what would be the BOM components needed for this?

Is this okay?

1 x UAC (MAG4610)

1 x 500 users (part number: ACCESSX600-ADD-500U)

500 x 802.1x client (Junos Pulse client or OAC)

What are the differences between Junos Pulse client and OAC?

Thanks!

Michael
kalagesan

Re: What is required for UAC to run 802.1x?

Hi Michael,

Yes, the below hardware and license look good.
1 x UAC (MAG4610)
1 x 500 users (part number: ACCESSX600-ADD-500U)
500 x 802.1x client (Junos Pulse client or OAC)

If the switches are 802.1x compliant, that should be fine and it is supported. You can add the switch as a RADIUS client in the UAC (MAG4610). This is sufficient for layer 2 authentication.

For layer 3 enforcement, non-Juniper firewalls are not supported in UAC. You need a Juniper ScreenOS or JUNOS-based (SRX) firewall for layer 3 enforcement.

On the difference between OAC and the Pulse client, I will update you shortly.



Regards,
Kannan

kalagesan

Re: What is required for UAC to run 802.1x?

Hi Michael,

Please find the requested information on OAC and pulse client,


• Odyssey Access Client (OAC)—You can configure the IC Series device to automatically install OAC on supported Windows endpoints. You can manually install OAC on Macintosh endpoints. OAC includes built-in components (including Host Checker) to provide maximum protection and functionality.

• Junos Pulse—UAC provides a single, dynamic, integrated multiservice client for Windows. Pulse is an intelligent, location-aware network access and acceleration client. Pulse delivers identity-enabled network security and access control, providing comprehensive endpoint security. Host Checker is integrated into Pulse. In addition to using the client with a UAC deployment, Pulse supports the SA Series Secure Access platform, WAN acceleration (WX), and Juniper Networks SRX Series devices as a dynamic virtual private network (VPN) client. You can deploy Pulse to endpoints that access one device, such as an IC Series device, and those endpoints can access SSL VPN with the same client.

Hope the above information helps. If you need more information on this, please refer to the OAC and Pulse admin guides.
You can access the OAC and Pulse admin guides using the URLs below:

https://download.juniper.net/software/aaa_802/public/oac/docs/OACAdmin52_Windows.pdf

http://www.juniper.net/techpubs/software/pulse/guides/j-pulse-2.1R1-adminguide.pdf

Regards,
Kannan

apaul

Re: What is required for UAC to run 802.1x?

Hello,

The Junos Pulse Admin Guide has a chapter which describes the client software feature comparison, including OAC and Junos Pulse.

http://www.juniper.net/techpubs/software/pulse/guides/j-pulse-2.1R1-adminguide.pdf

Refer to Table 8 on page 107.

Hope that helps

Ashish Paul
michael.saw

Re: What is required for UAC to run 802.1x?

Thanks kalagesan,

What is the difference between L2 and L3 authentication?
Is there a link on this?
Thanks!

Michael
muttbarker

Re: What is required for UAC to run 802.1x?

Michael - the differences between L2 and L3 are control based, i.e. what can you do with the traffic for that resource? L2 allows you to authenticate and then decide what will happen at layer 2: assign to a specific VLAN, open the port...

You are not dealing with the traffic flows except at the port / VLAN level.

When you work at L3 you are of course authenticating / not authenticating but now you have the ability to control traffic at layer 3 and higher - all the way up to layer 7. So now you are dealing at the IP address / packet content level in terms of your ability to control traffic flows.

Does that make sense?

Kevin Barker
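
What the layer 2 decision discussed in this thread looks like on the wire, as an added example that is not part of the original posts: 802.1X authenticators commonly take the VLAN from three tunnel attributes in the RADIUS Access-Accept (RFC 3580). The thread does not say which attributes the IC returns, so that is an assumption; the sample packet is constructed, the function names are hypothetical, and the Response Authenticator is not verified because that needs the shared secret.

```python
ACCESS_ACCEPT = 2                                  # RADIUS code, RFC 2865
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6                             # values RFC 3580 uses for VLAN assignment

def parse_attributes(packet):
    """Return (code, [(type, value_bytes), ...]) from a raw RADIUS packet."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS header")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return packet[0], attrs

def l2_decision(packet):
    """What the authenticator does at the port: ('deny' | 'open', vlan_or_None)."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return ("deny", None)                      # anything but Access-Accept keeps the port closed
    ttype = medium = vlan = None
    for atype, val in attrs:
        if atype == TUNNEL_TYPE and len(val) == 4:
            ttype = int.from_bytes(val[1:], "big")     # byte 0 is the RFC 2868 tag
        elif atype == TUNNEL_MEDIUM and len(val) == 4:
            medium = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_GROUP_ID and val:
            # a first byte <= 0x1F is a tag, not part of the VLAN string
            raw = val[1:] if val[0] <= 0x1F else val
            vlan = raw.decode("ascii", "replace")
    # the VLAN is honoured only when all three attributes are present and agree
    if (ttype, medium) == (VLAN, IEEE_802) and vlan:
        return ("open", vlan)
    return ("open", None)                          # port opens on its configured VLAN

def build_packet(code, attrs):
    """Constructed sample data: zeroed authenticator, never sent on a network."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return bytes([code, 1]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body

VLAN30_ACCEPT = build_packet(ACCESS_ACCEPT, [
    (TUNNEL_TYPE, bytes([0, 0, 0, VLAN])),
    (TUNNEL_MEDIUM, bytes([0, 0, 0, IEEE_802])),
    (TUNNEL_GROUP_ID, b"30"),
])
```

Running `l2_decision` over Access-Accept packets captured between the switch and the policy server is a quick check that the VLAN the switch applies matches what the policy intended.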
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.