
End User Profile Overview


An end user profile is a device identity profile: a collection of attributes that characterize either a specific group of devices or a single device, depending on which attributes you configure in the profile. The Packet Forwarding Engine of the SRX Series device maps the IP address of a device to the device identity profile. The feature supports Microsoft Windows Active Directory and third-party network access control (NAC) systems as sources of device identity information.

When traffic from device A arrives at an SRX Series device, the SRX Series device takes the source IP address from the first packet of the session and uses it to search the device identity authentication table for a matching device identity entry. It then determines which device identity profile the attributes of that entry satisfy and looks for a security policy whose End User Profile field names that profile. If such a policy is found, and the traffic also matches the policy's other match conditions, the security policy is applied to the traffic issuing from device A.

The same device identity profile can also apply to other devices that share the same attributes. However, for the same security policy to apply to them, each device's traffic must also match every other field in the security policy (zones, source and destination addresses, and application), not just the End User Profile field.

A device identity profile must contain a domain name. It can contain more than one attribute, and every attribute it contains must have at least one value.
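The lookup sequence above, as an added example that is not Juniper code: a small Python model of the device identity table, the end user profiles, and an ordered list of security policies. It shows that a device must satisfy every attribute configured in a profile (assumed here: an attribute is satisfied when the device's value is any one of the values listed for it), that a device with no table entry or no matching profile falls through to later policies, and that a profile match alone is not enough when another policy field (here the application) does not match. The attribute names follow the Junos end-user-profile hierarchy; the table entries, the profile, and the policies are constructed for this example.

```python
"""Model of SRX end user profile (device identity) policy matching.

Added example, not Juniper code. Sample table entries, profile and
policies below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Attribute names from the Junos end-user-profile hierarchy.
ATTRIBUTES = ("device-identity", "device-category", "device-vendor",
              "device-type", "device-os", "device-os-version")


@dataclass
class DeviceEntry:
    """One row of the device identity authentication table (IP -> device facts)."""
    ip: str
    domain: str
    attributes: Dict[str, str]


@dataclass
class EndUserProfile:
    """A device identity profile: a domain name plus a value set per attribute."""
    name: str
    domain_name: str
    attributes: Dict[str, Set[str]]

    def validate(self) -> None:
        # A profile needs a domain name and at least one value in each attribute.
        if not self.domain_name:
            raise ValueError(f"profile {self.name}: domain-name is required")
        if not self.attributes:
            raise ValueError(f"profile {self.name}: at least one attribute is required")
        for attr, values in self.attributes.items():
            if attr not in ATTRIBUTES:
                raise ValueError(f"profile {self.name}: unknown attribute {attr}")
            if not values:
                raise ValueError(f"profile {self.name}: attribute {attr} has no value")

    def matches(self, entry: DeviceEntry) -> bool:
        # Domain must match and every configured attribute must be satisfied
        # by one of its listed values (assumed semantics for this example).
        if entry.domain != self.domain_name:
            return False
        return all(entry.attributes.get(attr) in values
                   for attr, values in self.attributes.items())


@dataclass
class Policy:
    """Security policy; source_end_user_profile is the End User Profile field."""
    name: str
    from_zone: str
    to_zone: str
    source_addresses: List[str]
    destination_addresses: List[str]
    applications: List[str]
    action: str
    source_end_user_profile: Optional[str] = None


@dataclass
class Flow:
    source_ip: str
    destination_ip: str
    from_zone: str
    to_zone: str
    application: str


def profile_is_valid(profile: EndUserProfile) -> bool:
    try:
        profile.validate()
        return True
    except ValueError:
        return False


def _in_any(ip: str, prefixes: List[str]) -> bool:
    addr = ip_address(ip)
    return any(p == "any" or addr in ip_network(p) for p in prefixes)


def matching_profiles(ip: str, table: Dict[str, DeviceEntry],
                      profiles: List[EndUserProfile]) -> Set[str]:
    """IP -> device identity entry -> names of profiles the entry satisfies."""
    entry = table.get(ip)
    if entry is None:
        return set()
    return {p.name for p in profiles if p.matches(entry)}


def select_policy(flow: Flow, table: Dict[str, DeviceEntry],
                  profiles: List[EndUserProfile],
                  policies: List[Policy]) -> Optional[Policy]:
    """First policy (in order) whose every match field, profile included, fits the flow."""
    profs = matching_profiles(flow.source_ip, table, profiles)
    for pol in policies:
        if (pol.from_zone, pol.to_zone) != (flow.from_zone, flow.to_zone):
            continue
        if not _in_any(flow.source_ip, pol.source_addresses):
            continue
        if not _in_any(flow.destination_ip, pol.destination_addresses):
            continue
        if "any" not in pol.applications and flow.application not in pol.applications:
            continue
        if pol.source_end_user_profile and pol.source_end_user_profile not in profs:
            continue
        return pol
    return None


# Constructed sample data: two known devices, one BYOD profile, two policies.
DEVICE_TABLE = {
    "10.1.1.10": DeviceEntry("10.1.1.10", "example.net", {
        "device-category": "Computers", "device-vendor": "Microsoft",
        "device-os": "Windows", "device-os-version": "10"}),
    "10.1.1.20": DeviceEntry("10.1.1.20", "example.net", {
        "device-category": "Phones", "device-vendor": "Google",
        "device-os": "Android", "device-os-version": "13"}),
}
PROFILES = [EndUserProfile("byod-windows", "example.net", {
    "device-category": {"Computers"}, "device-os": {"Windows"},
    "device-os-version": {"10", "11"}})]
POLICIES = [
    Policy("allow-byod-web", "trust", "untrust", ["10.1.1.0/24"], ["any"],
           ["junos-http", "junos-https"], "permit",
           source_end_user_profile="byod-windows"),
    Policy("deny-all", "trust", "untrust", ["any"], ["any"], ["any"], "deny"),
]
for _p in PROFILES:
    _p.validate()


def decide(source_ip: str, application: str = "junos-https") -> str:
    """Policy decision for a trust->untrust flow to a constructed destination."""
    flow = Flow(source_ip, "203.0.113.5", "trust", "untrust", application)
    pol = select_policy(flow, DEVICE_TABLE, PROFILES, POLICIES)
    return f"{pol.name}:{pol.action}" if pol else "no-match:deny"


if __name__ == "__main__":
    for ip, app in (("10.1.1.10", "junos-https"), ("10.1.1.10", "junos-ssh"),
                    ("10.1.1.20", "junos-https"), ("10.1.1.30", "junos-https")):
        print(ip, app, "->", decide(ip, app))
```

The Windows laptop at 10.1.1.10 hits allow-byod-web only for web applications; the same device over SSH, the Android phone (no profile match), and an address absent from the table all fall through to deny-all, which is the behaviour the paragraphs above describe.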

The end user profile feature is useful when you cannot, or do not want to, use user identity to control access to network resources. Instead of the identity of the user, the device identity feature lets you base access control on the identity of a device and its attributes. There are several reasons you might want this. For example, you might let employees access network resources from their own devices (BYOD) without using captive portal authentication. Also, some companies have older switches that do not support 802.1X, or have no NAC system at all.