07-19-2012 12:54 AM
I set up a MAG with an SRX Enforcer linked to Active Directory, and I still have some questions/issues.
The users are authenticated for Internet access using their Active Directory account when opening their browser.
1. Is it possible to make the authentication completely seamless from a user perspective (just using the AD authentication entered at boot)?
2. The user needs to enter login/password once until the laptop reboots (is this the normal behavior?).
3. We are using Citrix for some users, and when one user on the Citrix server is authenticated, all others benefit from this authentication. Is this normal? Is there a way to bypass this behaviour?
Thanks for your help.
SRX Release: 12.1R2.9
UAC Release: 4.2R2
07-19-2012 05:18 AM
Your requirement can be achieved through the "User Role Access with the SRX Series" feature introduced in IC 4.2R1, i.e. the SPNEGO SSO feature.
This feature provides a user role firewall policy that does not require an agent on endpoints and gives user role support on the SRX Series device for specific applications. Its Active Directory support allows users authenticated with Kerberos single sign-on (SSO) to access different resources without passing through Junos Pulse Access Control Service for reauthentication.
For more information, see the UAC Solution Guide for SRX Series Services Gateways, and the IC 4.2 admin guide, "User Role Access with the SRX Series Firewall", chapter 8, page 219.
Hope this clarifies your query.
07-19-2012 06:18 AM
Thanks for your reply. I've implemented this solution, which works well.
Except that when using Citrix, it seems that once a user is authenticated from the Citrix server (IP address), all other users are authenticated too and benefit from the rights of the first authenticated user.
Any idea?
07-19-2012 12:48 PM - edited 07-19-2012 12:49 PM
SRX is an L3 auth enforcer. L3 auth means that the MAG pushes an auth entry, based on the role-mapped resource, to the SRX. The SRX uses the IP of the end-user station to create a proper IP-source UAC rule. When the first user authenticates, all other users will share the same resource access, because the SRX is simply not able to distinguish those users. For the SRX, that particular IP address (the Citrix server) is already authenticated.
07-20-2012 01:48 AM
Thanks a lot for your answer.
The setup is fine and works well except for Citrix, but a workaround exists by dedicating one IP per Citrix session.
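The following is an added illustration of the behaviour explained in the 07-19-2012 12:48 PM reply and of the workaround in the final post; it is not Juniper code and not part of the original thread. It models a simplified L3 enforcer whose auth table is keyed only by source IP (an assumption that matches the explanation above), shows that a second user behind a shared Citrix IP inherits the first user's role, shows that dedicating one IP per session separates the users, and adds a small detection check for source IPs from which more than one distinct user has authenticated. All IPs, user names, roles and resources are constructed sample values.

```python
"""Model of IP-source (L3) auth enforcement and the shared-IP failure mode.

Added illustration, not Juniper code. Assumes a simplified enforcer whose
auth table is keyed only by source IP, as the thread above describes.
All IPs, users, roles and resources are constructed sample values.
"""
from collections import defaultdict

# Role -> resources that role may reach (constructed policy)
ROLE_POLICY = {
    "finance": {"erp.example.internal", "internet"},
    "staff": {"internet"},
}


class L3Enforcer:
    """Auth entries are pushed per source IP; no user identity is checked later."""

    def __init__(self):
        self.auth_table = {}  # src_ip -> (user, role)
        self.audit_log = []   # (src_ip, user) for every push received

    def push_auth(self, src_ip, user, role):
        # Assumption: the controller still reports each user's authentication,
        # but once an IP has an entry the enforcer keeps the first one
        # (the IP is "already authenticated" from its point of view).
        self.audit_log.append((src_ip, user))
        self.auth_table.setdefault(src_ip, (user, role))

    def is_allowed(self, src_ip, resource):
        """Evaluate an IP-source rule: deny unknown IPs, else apply the entry's role."""
        entry = self.auth_table.get(src_ip)
        if entry is None:
            return False
        _user, role = entry
        return resource in ROLE_POLICY.get(role, set())

    def shared_ip_users(self):
        """Detection: source IPs for which more than one distinct user authenticated."""
        seen = defaultdict(set)
        for ip, user in self.audit_log:
            seen[ip].add(user)
        return {ip: users for ip, users in seen.items() if len(users) > 1}


def citrix_shared_ip_scenario():
    """Two users behind one Citrix server IP: the second inherits the first's rights."""
    fw = L3Enforcer()
    citrix_ip = "10.0.0.5"                     # constructed Citrix server address
    fw.push_auth(citrix_ip, "alice", "finance")
    fw.push_auth(citrix_ip, "bob", "staff")    # ignored: IP already has an entry
    return {
        "bob_reaches_erp": fw.is_allowed(citrix_ip, "erp.example.internal"),
        "shared": fw.shared_ip_users(),
    }


def citrix_per_session_ip_scenario():
    """Workaround from the thread: one dedicated IP per Citrix session."""
    fw = L3Enforcer()
    session_ips = {"alice": "10.0.1.11", "bob": "10.0.1.12"}  # constructed
    fw.push_auth(session_ips["alice"], "alice", "finance")
    fw.push_auth(session_ips["bob"], "bob", "staff")
    return {
        "alice_reaches_erp": fw.is_allowed(session_ips["alice"], "erp.example.internal"),
        "bob_reaches_erp": fw.is_allowed(session_ips["bob"], "erp.example.internal"),
        "bob_reaches_internet": fw.is_allowed(session_ips["bob"], "internet"),
        "shared": fw.shared_ip_users(),
    }


if __name__ == "__main__":
    print(citrix_shared_ip_scenario())
    print(citrix_per_session_ip_scenario())
```

The `shared_ip_users` check is the kind of report a defender would run over the controller's authentication log: any source IP that shows several distinct users is a shared host (Citrix, terminal server, NAT) where IP-based enforcement grants the first user's rights to everyone behind it.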