12-31-2009 11:24 PM
With UAC 802.1x authentication, I want the IC to put a user into the remediation VLAN when the user's security status is not correct. I successfully tested it. My question is that now I want resource policies for the remediation VLAN, giving access to limited resources, to be pushed by the IC to the Juniper firewalls (Infranet Enforcer). BUT is this possible, because the IC does not know the subnet of the remediation VLAN, it only knows the VLAN id? OR, for the remediation VLAN, do we always have to specify static policies on the firewalls?
01-04-2010 03:45 AM
With UAC the firewall gives access based on the combination of resource and ROLE (not just resource). The IC pushes ROLE information to the firewall along with the resource subnet. So if a user is in the remediation VLAN and access is denied for that role, the user won't be able to access the resource. So the firewall doesn't need to know the VLAN id or subnet of the remediation VLAN. The decision is made on the basis of ROLE. That's why it is so independent of the network subnet or source IP.
01-06-2010 03:53 AM
Thanks for the reply. Can you please explain your sentence: "IC pushes ROLE information to the firewall along with resource subnet"? I am not getting it: if the firewall does not know the source IP, then how can it distinguish trusted/untrusted users?
07-08-2010 04:25 AM
When the user connects the machine to the switch, EAP negotiation starts, authenticating against a Realm which finally maps to a Role. When a Role is assigned:
In parallel, based on the Role, the RADIUS Return Attribute Policy will assign the VLAN.
Similarly, based on the Role, the Layer-3 Enforcement policy will be triggered and pushed to the firewall.
You have to configure the policy with the following details:
protocol: tcp or udp
destination ip address
destination port nos.
Note: The source IP address it will know when the machine gets the IP address.
So it creates a specific policy for that user with that source IP address and destination IP/port details.
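The VLAN half of the flow above (role decided after the realm authentication and host check, then a RADIUS return attribute carrying the VLAN to the switch) is shown here as an added example. It is not code from the thread or from Juniper's products; it encodes the standard RFC 2868/3580 tunnel attributes that dynamic VLAN assignment uses and the RFC 2865 Response Authenticator a switch must verify before trusting them. The shared secret, identifier and request authenticator are constructed values; the role names and VLAN ids 10/655 follow the thread, everything else is an assumption for illustration.

```python
import hashlib
import hmac
import struct

# Constructed values for this illustration (assumptions, not from any real deployment).
SHARED_SECRET = b"example-shared-secret"
ROLE_VLAN = {"Employee": 10, "Quarantine": 655}   # VLAN ids as used later in the thread

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # RFC 3580: Tunnel-Medium-Type = IEEE-802


def role_for(host_check_passed: bool) -> str:
    """Role mapping rule as the thread describes it: compliant -> Employee, else Quarantine."""
    return "Employee" if host_check_passed else "Quarantine"


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute (Type, Length, Value); Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """RFC 2868 tunnel attributes used for dynamic VLAN assignment (tag 0 = untagged)."""
    def enum3(v: int) -> bytes:          # 3-octet integer that follows the tag octet
        return struct.pack("!I", v)[1:]
    return (_avp(TUNNEL_TYPE, bytes([tag]) + enum3(TUNNEL_TYPE_VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + enum3(TUNNEL_MEDIUM_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def build_access_accept(identifier: int, request_authenticator: bytes, attributes: bytes) -> bytes:
    """Access-Accept whose Response Authenticator is computed per RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + SHARED_SECRET).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The check the switch (NAS) performs before acting on the returned VLAN: without the
    shared secret nobody on the path can forge an Access-Accept that moves a port to VLAN 10."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    header, received, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_vlan(packet: bytes) -> dict:
    """Pull the three VLAN attributes out of an Access-Accept (attributes start at offset 20)."""
    names = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
             TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID"}
    out, offset = {}, 20
    while offset + 2 <= len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        value = packet[offset + 2: offset + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[names[attr_type]] = int.from_bytes(value[1:4], "big")   # skip the tag octet
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            out[names[attr_type]] = value[1:].decode()
        offset += length
    return out


def access_accept_for(identifier: int, request_authenticator: bytes, host_check_passed: bool) -> bytes:
    """End to end: host check result -> role -> VLAN -> signed Access-Accept for the switch."""
    vlan = ROLE_VLAN[role_for(host_check_passed)]
    return build_access_accept(identifier, request_authenticator, vlan_attributes(vlan))
```

The same Tunnel-Private-Group-ID string is what a Cisco port expects when `aaa authorization network default group radius` is configured, so a mismatch between the VLAN name/number the RADIUS server returns and what exists on the switch is the first thing to check when a port does not move.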
07-10-2010 03:29 AM
Thanks for the reply and the good explanation. I still did not get it: depending on the role, when the IC pushes the resource policies to the firewall and that user (already authenticated, compliant with the security policy and given the right VLAN) crosses the firewall to access the protected resources behind the firewall, then what happens? Please correct me if I am wrong:
The firewall has knowledge of the user identity and the role for that user, pushed by the IC to the firewall. So when user traffic comes to the firewall, does the firewall ask the IC, giving the username, role and source IP, whether this user is allowed or not? Then how does the IC know this user is already authenticated with the IC???? because the IC does not know the source IP of that user. Does the user need to authenticate again to the IC???
Kindly explain it. I would highly appreciate your help.
07-10-2010 11:55 PM
I am not sure if you are talking about Layer-3 or Layer-2. I assume you are talking about both Layer-2 and Layer-3 combined. I also assume the end user has an agent installed on the machine.
When the agent is installed, it will first authenticate itself against the IC. So the IC will be the server that is aware of the end user's machine IP address.
NAC is implemented at this point itself. Additionally, if I want to protect my servers then I should place the servers behind the Juniper firewall.
In such a scenario the IC, which is already aware of the authenticated user's machine IP address, pushes the respective policy to the firewall;
The user need not get authenticated again.
If the user logs off, the policy is dynamically removed from the firewall, which means another user cannot spoof the IP address and get access to the resources; which would be possible if it were a static rule-based policy in the firewall.
07-11-2010 12:59 PM
Thank you very much for your response. Let me make my question clear. Actually I want both layer 2 and layer 3 enforcement for my employee users.
1- Users have OAC installed on their PCs and through OAC they authenticate with the IC via 802.1x and get the right VLAN.
2- Now the user gets an IP from the DHCP server.
3- But at this point the IC does not know the IP of the user, because the user got the IP after authentication with the IC.
So my question is: how will the IC push the policy to the firewall when the user accesses the servers behind the firewall, because the IC does not know the IP of the user? So does it mean that the user has to authenticate again to the IC for the L3 enforcement?
07-12-2010 06:53 AM
The IC will know the IP address because OAC is running, which will inform the IC of the IP address. You can see the IP address in the logs of the IC.
I hope it clarifies;
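The Layer-3 side of the exchange described in the posts above (role decided at authentication, nothing pushed to the firewall until the agent reports the DHCP-assigned address, per-user rules keyed by that source IP and by role, rules removed at logoff so a later host using the same address gets nothing) is modelled here as an added example. It is not Juniper's code nor anything from the thread: the two classes stand in for the IC and the Infranet Enforcer, and the resource policies, addresses, ports and user names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed resource policies. Protocol, destination and port are the three things the
# thread says a Layer-3 enforcement policy needs; the networks, ports and role names here
# are assumptions for this example only.
RESOURCE_POLICIES = [
    # (roles allowed, protocol, destination network, destination port)
    ({"Employee"},               "tcp", "10.10.20.0/24", 443),   # protected application servers
    ({"Employee", "Quarantine"}, "tcp", "10.10.30.5/32",  8080),  # remediation / patch server
]

Rule = Tuple[str, ipaddress.IPv4Network, int]


@dataclass
class Session:
    user: str
    role: str
    ip: Optional[str] = None   # unknown until the agent (OAC) reports the DHCP-assigned address


class Enforcer:
    """Stands in for the firewall: per-user dynamic rules keyed by source IP, default deny."""
    def __init__(self) -> None:
        self.rules: Dict[str, List[Rule]] = {}

    def push(self, src_ip: str, rules: List[Rule]) -> None:
        self.rules[src_ip] = list(rules)

    def revoke(self, src_ip: str) -> None:
        self.rules.pop(src_ip, None)

    def permits(self, src_ip: str, proto: str, dst_ip: str, port: int) -> bool:
        dst = ipaddress.ip_address(dst_ip)
        return any(proto == p and dst in net and port == prt
                   for p, net, prt in self.rules.get(src_ip, []))


class Controller:
    """Stands in for the IC: authenticates, maps to a role, pushes and withdraws rules."""
    def __init__(self, enforcer: Enforcer) -> None:
        self.enforcer = enforcer
        self.sessions: Dict[str, Session] = {}

    def authenticate(self, user: str, host_check_passed: bool) -> str:
        role = "Employee" if host_check_passed else "Quarantine"
        self.sessions[user] = Session(user, role)     # no IP yet, so nothing reaches the firewall
        return role

    def report_address(self, user: str, ip: str) -> None:
        """Called when the agent tells the IC which address DHCP handed out."""
        session = self.sessions[user]
        session.ip = ip
        rules = [(proto, ipaddress.ip_network(net), port)
                 for roles, proto, net, port in RESOURCE_POLICIES if session.role in roles]
        self.enforcer.push(ip, rules)

    def logoff(self, user: str) -> None:
        session = self.sessions.pop(user)
        if session.ip:
            self.enforcer.revoke(session.ip)   # the address no longer carries any access


def run_scenario() -> Dict[str, bool]:
    """Walk a compliant user, a quarantined user and a post-logoff address reuse through it."""
    fw = Enforcer()
    ic = Controller(fw)
    results: Dict[str, bool] = {}

    ic.authenticate("alice", host_check_passed=True)
    results["before_ip_known"] = fw.permits("10.10.10.21", "tcp", "10.10.20.7", 443)
    ic.report_address("alice", "10.10.10.21")
    results["employee_app"] = fw.permits("10.10.10.21", "tcp", "10.10.20.7", 443)

    ic.authenticate("bob", host_check_passed=False)
    ic.report_address("bob", "10.10.65.31")
    results["quarantine_app"] = fw.permits("10.10.65.31", "tcp", "10.10.20.7", 443)
    results["quarantine_remediation"] = fw.permits("10.10.65.31", "tcp", "10.10.30.5", 8080)

    ic.logoff("alice")   # another host taking over 10.10.10.21 inherits nothing
    results["spoofed_after_logoff"] = fw.permits("10.10.10.21", "tcp", "10.10.20.7", 443)
    return results


if __name__ == "__main__":
    for check, allowed in run_scenario().items():
        print(f"{check:24s} {'ALLOW' if allowed else 'DENY'}")
```

The point the model makes concrete is the one in the reply above: the firewall never needs the remediation VLAN's subnet, because the rule set it holds for an address is derived from the role of the session that reported that address, and it disappears with the session.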
11-19-2011 03:26 AM
I am running a PoC on UAC for a client and ran into this challenge. The switchport refuses to change to the newly assigned VLAN returned by the MAG after successful remediation.
When a user connects his end system to the network, he is authenticated against either the System Local RADIUS server on the MAG or against AD. After successful authentication of the user, the user's endpoint device is checked for posture assessment, e.g. an updated Anti-Virus patch. The user Role depends on compliance with the Host Checker security policy. If the user complies, he is assigned the Employee Role (VLAN 10); should the user fail the posture test, he is placed in the Quarantine Role (VLAN 655). However, I noticed that all users are placed in the Quarantine Role initially; after the Host Checker runs on the user PC, the user role is either upgraded or left in the Quarantine Role.
I am in Agent-less mode and I have Cisco devices configured with 802.1x for port-based authentication.
From my observation, the MAG or IC series device initially assigns users to the Quarantine VLAN (VLAN 655).
When users open the URL page, Host Checker is run and the MAG then assigns a new role to compliant systems, this is the Employee Role (VLAN 10).
Now, even though the user role has changed on the MAG, the switchport still remains in the auth-fail/guest VLAN, which is the Quarantine VLAN (655).
Switch Sample Config:
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authentication dot1x default group radius
switchport access vlan 10
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x timeout tx-period 10
dot1x max-reauth-req 1
dot1x guest-vlan 655
dot1x auth-fail vlan 655
spanning-tree bpduguard enable
Please, what could be wrong? I want to have the switchport change from VLAN 655 to VLAN 10 after a successful Host Checker test is run. Please help...
11-21-2011 03:14 AM - edited 11-21-2011 03:15 AM
You can't use 802.1x VLAN assignment with a clientless configuration.
Clientless needs an Infranet Enforcer (ScreenOS or Junos firewall) as Layer 3 enforcer.
802.1x needs either OAC or Junos Pulse. With one of these clients, the host is checked before the first VLAN assignment. There is no temporary VLAN assignment as with some other unsecured NAC competitors.
11-22-2011 11:19 AM
Thanks a million Stanislas.
I thought I could make this work with the agentless mode, just using the native Windows supplicant. I shall implement using OAC and let you know how it goes. Here are a few questions needing a prompt response regarding this deployment:
1. I get this debug message from my Cisco switch on the port connecting to my PC. Any idea what this is about?
04:35:30: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/2.
2. I have an AD server connected to the MAG for user authentication. However, each time I try to authenticate a user via AD, I get the following error message:
2011-11-22 18:58:29 - ic - [0.0.0.0] ZENITHLAB\testuser2(TestRealm) - Radius authentication rejected for ZENITHLAB\testuser2 (realm 'TestRealm') from location-group 'Firstfloor' and attributes are: NAS-IP-Address = 10.0.1.99,NAS-Port = 50002,NAS-Port-Type = 15
Please, what could be wrong with my setup?
12-21-2011 02:49 AM
I'm not sure about your setup, but:
- If you make the HC evaluation at the realm level, you can then make a role mapping rule based on the status of the Host Checker (if HC=OK -> role employee, else -> role quarantine).
- You can make VLAN assignment without an agent, but an agent is needed if you want Host Checker.
I'm pretty sure you can allow agent AND agentless clients in the same realm, by selecting the right protocols in the protocol set, then make the distinction with role mapping rules.
With an AD configuration, make sure NTP is configured on the IC/MAG and it's the same as on the AD server, because this type of authentication requires time sync to work (linked to Kerberos tickets, I think), and it can generate the authentication failed log you linked. Please make sure that the username is in the right format by using the policy tracing option; you may need to remove/add the realm suffix to the username value.
Hope it will help.