01-12-2012 02:39 AM
I have been trying to set up Guest user access using a local user database on IC4500. We have configured 802.1x on the EX series switch ports and are using a Windows AD server. Whenever a user connects to the network, the Odyssey Access Client software prompts for a password, and once it is supplied the user gets assigned to the specified VLAN.
I'm trying the same for Guest user access, however with a captive portal scenario where the user logs in with a provided username and password and gets access only to the Internet.
We also have a Juniper SRX 650 acting as a firewall.
Can anyone help me in setting up the above mentioned scenario?
01-12-2012 02:54 AM
Captive Portal with IC and SRX is well documented in the UAC documentation.
You can refer to the IC Interoperability with the Junos Enforce guide.
Chapter 4 deals with captive portal.
Hope that helps
01-12-2012 04:08 AM
Thank you very much for the document, which throws light on the Captive Portal configuration on the enforcer. However, I would like to understand the following:
1) Users to connect on the Juniper EX3200 switch for access.
2) User gets assigned to a red VLAN and is prompted for authentication,
- Post successful authentication, the user gets assigned to the respective VLAN if OAC is installed on the PC (Authorized Users).
- Guest users to be redirected to a Captive portal and credentials to be verified against the local user database configured on the IC. Once authenticated, the user gets assigned to the Guest VLAN.
3) Guest users' access would be limited to HTTP / HTTPS traffic on the firewall.
4) Juniper SRX 650 acting as Firewall can be used as Infranet Enforcer.
Questions / Queries
1) Users to get IP address from Red VLAN (not possible without DOT1X)
2) Do I need to have DOT1X configured on all the ports of the switch for the above mentioned scenario?
01-12-2012 04:36 AM
I am not a solution expert, especially since the scenario below includes multiple devices.
So I will not know whether this is the best way to implement your requirement.
However, your steps seem OK to me, definitely from an IC standpoint, and dot1x seems to me to be a requirement on all ports.