02-02-2009 12:50 AM
I have set up a whole UAC solution in our LAB for a customer demo (today) and I am using 802.1x authentication, using the OAC client, ISG1000 and an EX4200 switch.
Currently I have a host checker policy set up that checks the endpoint machine for a specific AV, whether it is running and up to date. If the AV is not running or out of date, the user receives a message with remediation instructions. One of these instructions (out of date) points directly to the update download website of the AV vendor and the other (not installed) points directly to the AV vendor's download site.
Ok, so the question is, can you set up UAC so that when a client machine is out of compliance, meaning if the user does not have this specific AV installed or does not have AV installed at all, the remediation process gives the user the option to install the AV directly and become compliant with the policy?
Will I have to set up an IMV server and use that for the remediation?
I am looking forward to your response.
02-12-2009 09:51 AM
The way I have seen this done was to use a URL in the remediation message that would point at an installer file.
That way, the user can just click on a link in the remediation message and it would launch an installer.
Also, you can use auto-remediation to have the AV client request new signatures.
Currently there is no integration with SMS to trigger a package install.
The only other way I could think to do this would be with a session start script assigned to the remediation role. Start scripts aren't as nice because it would run every time the role was assigned and it would also require the script to already be on a local workstation (a .bat file in some c: directory).
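As an added illustration of the session start script idea above (this is example code written here, not anything from the poster or from Juniper), the batch file below checks whether the required AV service is already installed and running before it does anything, so that it stays harmless when the role is re-assigned and the script runs again. The service name, the share path holding the vendor installer and the log location are placeholders; the share is assumed to be reachable from the remediation VLAN.

```batch
@echo off
REM Hypothetical remediation start script for the "remediation" role.
REM Example added for illustration; service name, installer path and log file are placeholders.
set "AV_SERVICE=<AV-SERVICE-NAME>"
set "INSTALLER=\\<remediation-share>\av\setup.exe"
set "LOG=%TEMP%\uac-remediation.log"

REM Case 1: the AV service exists and is running, so the endpoint only needs
REM signature updates (handled by auto-remediation) and nothing else should happen.
sc query "%AV_SERVICE%" | find "RUNNING" >nul
if %ERRORLEVEL%==0 (
    echo %DATE% %TIME% AV service "%AV_SERVICE%" already running, nothing to do >> "%LOG%"
    exit /b 0
)

REM Case 2: the service is installed but stopped; start it rather than reinstalling.
REM "sc query" returns a non-zero exit code when the service does not exist at all.
sc query "%AV_SERVICE%" >nul 2>&1
if %ERRORLEVEL%==0 (
    echo %DATE% %TIME% AV service installed but stopped, starting it >> "%LOG%"
    net start "%AV_SERVICE%" >> "%LOG%" 2>&1
    exit /b %ERRORLEVEL%
)

REM Case 3: no AV service at all; launch the vendor installer from the share
REM and record what happened so the help desk can see why a machine stayed quarantined.
if not exist "%INSTALLER%" (
    echo %DATE% %TIME% installer not found at "%INSTALLER%", user must install manually >> "%LOG%"
    exit /b 1
)
echo %DATE% %TIME% AV not installed, launching "%INSTALLER%" >> "%LOG%"
start "" "%INSTALLER%"
exit /b 0
```

Because the script is run from the local workstation each time the remediation role is assigned, the check-before-act structure matters more than the install step itself: a script that blindly launched the installer would prompt the user on every re-assignment, and the log file gives you something to correlate against the IC's user access log when a machine keeps landing in the remediation role.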
02-12-2009 10:48 PM
The picture has since changed, they want to see how the whole UAC solution works in conjunction with IDP.
So I have to show 802.1x authentication,
Agentless authentication and access,
LDAP authentication, but make the LDAP authentication as seamless as possible, in other words the user must only log in to Windows and automatically be authenticated via LDAP to the UAC.
They also want to see the IDP in action, in other words, if an endpoint is in compliance and assigned to the trusted VLAN, then suddenly starts an attack on a trusted server (web server for instance), IDP should then block access for the endpoint to the trusted VLAN, inform the Enforcer about this and move the endpoint to the untrusted VLAN.
Currently I have it setup with the following equipment:
EX4200 Switch that has two VLANs configured
Authentication using 802.1x and RADIUS
LDAP authentication server configured
Local authentication configured (RADIUS)
ISG 1000 as the enforcer
Windows 2003 Server
Windows XP Professional as the Endpoint
The problems that I have:
When using 802.1x authentication with OAC, everything seems to be working perfectly. The endpoint is assigned to the correct VLAN once the host checker policy has been run, although when the endpoint is in the untrusted VLAN, it is still able to access the trusted VLAN resources.
When using LDAP authentication, the endpoint stays in the trusted VLAN, even if the host checker policy fails.
When a user is not authenticated and tries to access the internet, it goes through. The browser is not redirected to the IC for authentication prior to loading the web page. I have set up the redirection rule on the ISG as stated by the UAC Administration guide.
With agentless access, I only want the user to be able to access the internet and nothing else, but I only receive a message on the browser window when authenticating on the IC that the user has not been assigned to any protected resources, although I am able to connect to the protected resources.
With regards to the IDP integration, how will I do this?
02-13-2009 03:45 PM
It sounds like you are having some network issues.
Do you have any kind of network diagram? You can add pictures to the forum, so even if you could draw something up in paint that would be fine.
Where do the VLANs terminate? Do they feed into the ISG1000? Are you using the ISG1000 as the gateway for both the trusted and untrusted VLANs? Can you post your ISG1000 configuration?
It sounds like you may be missing an infranet auth firewall policy. When OAC authenticates to the IC, are you seeing auth table entries on the FW? You can check via the cli with get auth table infranet
Also, I'm not sure I follow on the LDAP setup. Are you doing LDAP via an IC AAA server, or are you doing LDAP from the workstation? Are you using OAC with windows XP GINA?
02-22-2009 11:32 PM
Sorry for interrupting, but I have the same issue, a little bit.
My scenario is one LAN firewall ISG-2000, one IC-4000, 4 zones: Trust (servers), Untrust (endpoints/clients), DMZ (IC-4000), WAN (other site).
I'm using 802.1x on switches, OAC is installed on every client system, IC-4000 works as RADIUS. The problem is that everything is working fine except Outlook 2003. One more thing: every client system is XP SP3 with Office 2003. The Outlook connection continuously drops and is restored. Why?
On the firewall an ANY->ANY policy is configured for all zones.
IP address schemes are different for Trust, Untrust, DMZ and WAN.
I have also configured three VLANs on every switch: 1 is Secure, 2 is Remediation, 3 is Quarantine.
Users in full compliance are in Secure (1), users with a small problem like antivirus not updated or installed are in Remediation (2), users without a computer certificate are in Quarantine (3).
I also want to know how I can block Remediation VLAN users to restrict access to the Trust zone (resource access policies).
Also, how can I utilize the ISG-2000 more efficiently in my network?
Thanks / Regards
02-24-2009 09:24 AM
If your machines are done doing 802.1x, and you aren't using the ISG for infranet auth, then UAC wouldn't be causing any issues. OAC does 802.1x at L2, but then everything else is Windows. So from DHCP to all L3 activity, OAC isn't involved. Once 802.1x has completed, OAC tells Windows that it has a "media connect". At that point Windows goes out and does DHCP, and OAC will report back the IP address received through the OAC interface, but it's done at that point.
The only other thing I could think of would be switch timers. Maybe you are getting kicked off the network every now and then? I would think you'd be seeing a lot worse symptoms than outlook communications issues though.
Are you looking to do source IP enforcement or VPN with UAC? You would want to configure your policies on your fw for infranet auth if you were going to do that.
Also, for your VLANs, one reminder is that if you are using host checker with UAC, then your VLANs need to route back to the IC at least. The VLANs don't need to go anywhere else, but they should allow traffic back to the IC's IP address so that the clients can talk to the IC at L3. Initial host checks can take place at L2, but periodic host checks or "monitor this policy for change" host checks require an active L3 connection back to the IC.
If you continue to have problems, you could open a TAC case and we can review the OAC logs to see if you are seeing disconnects.
Otherwise I would try some debugging on the FW or running simple ping tests from your workstations.
02-24-2009 11:01 PM
>>With regards to the IDP integration, how will I do this ?
Do you have a Juniper Networks standalone IDP or do you have the IDP security module in the ISG-1000?
Either way, before you start configuring the IC for integration with IDP you need the "Coordinated Threat Control License" on the IC.
Do you have the license already?
02-26-2009 06:31 AM
I saw that you all posted responses, but I did not have the time to actually answer them. Was on a JNCIP-M course last week and have been busy working on a tender since Monday.
Well, I have both appliances, but not the license.
I have an IDP75 standalone appliance and also an ISG-1000 with the IDP module (I am not entirely sure about this one though, but according to my colleague it does). I am still very unclear as to how I will be integrating IDP with the UAC solution as I have never worked on a Juniper IDP appliance before and have limited skills on the ISG. I have only worked a little bit on an SSG50 FW, so I have a little bit of a background on ScreenOS.
Unfortunately I do not have a diagram. I want to draw one up when I am finished with the whole UAC solution, but currently we are running a whole bunch of Juniper kit in our LAB and we are two engineers that are busy with customer demos and simulations, so it's a bit chaotic with regards to what goes where, and on top of that, I am new at the company and new to Juniper. Still struggling a bit to keep my head above water.
Actually I have no idea where the VLANs terminate. Our switching expert did that for me and I am now not able to get a hold of him to find out how he configured it. I am not at liberty to post the ISG config as we are busy with other simulations and also have live sensitive customer data running, sorry for that.
With regards to the Infranet Auth Firewall Policy, I have to confirm that when I am back at the office.
I have an Active Directory LDAP server set up with some users configured on it and on the IC I have enabled LDAP authentication; when a user authenticates on the IC, the IC runs an LDAP query to the LDAP server to verify that the username and password are indeed correct. Are you still unclear?
I want to use OAC with the XP GINA, but I haven't had any success with implementing that. Do you perhaps have a document on how to configure that?
Thanks for all the information and help thus far guys.
03-01-2009 09:54 PM
I have had a look just now with regards to the Infranet Auth Policy. There are no users listed in the auth table.
What can be the cause of this?
03-02-2009 12:44 AM
I don't know whether this will help, but below is a quick written overview of my UAC config that I confirmed just now:
I had a look in our LAB and to give you an overview of how it is connected:
Equipment in Rack:
IC4000 Infranet Controller
The IC plugs directly into the top EX4200 switch and the ISG plugs directly into the bottom EX4200 switch. Communication between the IC and ISG is working perfectly.
How the switches are set up, I am not sure, as one of my colleagues completed this for me (I do not have the relevant knowledge to set up the switches).
I have two VLANs
> VLAN2000 - Trust VLAN
> VLAN2001 - Untrust VLAN
IP Ranges for the VLANs
> Trust - 10.10.101.0/24
> Untrust - 10.10.102.0/24
Config for IC4000:
> Signing in
> Signing-In Policies
> Default Sign-In Page
> Users (802.1X)
> Endpoint Security
> AV Protection - Policy where it checks for specific AV
> Windows Update - Policy where it check for specific Update
> Auth Servers
> IP of AD LDAP Server
> Active Directory
> System Local
> testuser > Full Access and Quarantine
> trust > Full Access
> utrust > Quarantine
> User Realms
> Role Mapping
> Group "trusted" > Full Access
> Group "untrusted" > Quarantine
> Role Mapping
> Username "trust" > Full Access
> Username "utrust" > Quarantine
> Username "testuser" > Full Access and Quarantine
> User Roles
> Full Access
> Host Checker
> AV Installed and up to date
> Windows Update installed
> Host Checker
> AV Installed and up to date
> Windows update installed
> Infranet Enforcer
> ISG1000 hostname
> Screen OS Policies
> SRC "Untrust"
> DST "Trust"
> Type "Source IP"
> Full Access
> TCP/ICMP allow to all Trust IP's
> TCP/ICMP allow to all Untrust IP's
> Auth Table Mapping
> No Policy due to Dynamic Auth Table Assignment
> Network Access
> Location Group
> Sign-In Policy
> Radius Client
> IP Address: 10.10.101.2 (EX4200 Switch)
> IP Range: 100
> Host Enforcer
> Trust network TCP/ICMP
> Full Access
> Untrust network TCP/ICMP
03-02-2009 08:31 AM
Off the top of my head there are a couple of things that could cause auth table entries not to get pushed:
1) If the IC believes the client machine's communication is NATed to the IC
2) If the FW does not have any defined infranet auth policies
3) if the IC auth table mapping policy is configured for dynamic (for testing, you should start out with always provision setting - that is the default)
4) if no IE resource policies are defined on the IC
So first, I would say verify that the IC and the client are communicating directly (without nat)
Second, make sure you have some infranet auth policies defined on the FW (in the FW gui, these policies will show with a little shield icon)
Third, verify your IC configuration to make sure your resource policies and your auth table mapping policies are defined correctly.
Hope some of that helps. If not, it might be time to call JTAC
03-11-2009 02:03 AM - edited 03-11-2009 02:10 AM
The auth table is now published to the Enforcer and everything seems to be working.
The rest to be done:
I am able to authenticate to the IC directly (by opening up IE and connecting to a specific URL on the IC) by means of using the "System Local" and "LDAP/AD" databases as authentication servers.
With regards to LDAP and RADIUS, I have a quick question:
Do I have to create a "Location Group" and "RADIUS Client" under "UAC>Network Access>Location Group" and also under "UAC>Network Access>Radius Client" for LDAP to work in conjunction with the local RADIUS (SBR) setup on the IC, for seamless authentication?
I am however still experiencing some problems with authenticating to the IC by means of the Odyssey client (OAC), but I think this may be a slight misconfiguration that I have done on the IC.
Ok, so all that is left for me to do now is the following:
- Integrate UAC into the MSGina, how will I attempt this as I have never changed the msgina before
- Using LDAP Authentication and be assigned to the correct VLAN (currently everyone is assigned to the trust VLAN using LDAP, but this can be a configuration issue as SBR (System Local database) assigns correct VLAN)
- Integrate IDP with the whole UAC solution
- When an endpoint is in the Compliance/Trusted VLAN and starts an attack against, let's say, the IIS server, it is then reassigned by means of the IDP to the Out of Compliance/Untrusted VLAN until the attack is stopped or resolved.
When all this is done, I will be able to do the demo for our partner's customer as they want to see it.