
Example: Configuring the SRX Series Integrated ClearPass Feature to Allow the Device to Receive User Authentication Data from ClearPass

The SRX Series device and the ClearPass Policy Manager (CPPM) collaborate to control access to your protected resources and to the Internet. To carry this out, the SRX Series device must authenticate users in conjunction with applying security policies that match their requests. For the integrated ClearPass authentication and enforcement feature, the SRX Series device relies on ClearPass as its authentication source.

The Web API function, which this example covers, exposes to the CPPM an API that enables it to initiate a secure connection with the SRX Series device. The CPPM uses this connection to post user authentication information to the SRX Series device. In their relationship, the SRX Series device acts as an HTTPS server for the CPPM client.

Requirements

This section defines the software and hardware requirements for the topology for this example. See Figure 5 for the topology design.

The hardware and software components are:

  • Aruba ClearPass (CPPM). The CPPM is configured to use its local authentication source to authenticate users.

    Note: It is assumed that the CPPM is configured to provide the SRX Series device with user authentication and identity information, including the username, a list of the names of any groups that the user belongs to, the IP addresses of the devices used, and the device posture token.

  • SRX Series device running Junos OS that includes the integrated ClearPass feature.

    See SRX Series Supported Platforms for the Integrated ClearPass Authentication and Enforcement Feature.

  • A server farm composed of six servers, all in the servers-zone:
    • marketing-server-protected (1.2.3.4)
    • human-resources-server (1.3.4.5)
    • accounting-server (1.4.5.6)
    • public-server (1.5.6.7)
    • corporate-server (1.6.7.8)
    • sales-server (1.7.8.9)
  • AC 7010 Aruba Cloud Services Controller running ArubaOS.
  • Aruba AP wireless access controller running ArubaOS.

    The Aruba AP is connected to the AC7010.

    Wireless users connect to the CPPM through the Aruba AP.

  • Juniper Networks EX4300 switch used as the wired 802.1 access device.

    Wired users connect to the CPPM using the EX4300 switch.

  • Six end-user systems:
    • Three wired network-connected PCs running Microsoft OS
    • Two BYOD devices that access the network through the Aruba AP access device
    • One wireless laptop running Microsoft OS

Overview

You can configure identity-aware security policies on the SRX Series device to control a user’s access to resources based on username or group name, not the IP address of the device. For this feature, the SRX Series device relies on the CPPM for user authentication. The SRX Series device exposes to ClearPass its Web API (webapi) to allow the CPPM to integrate with it. The CPPM posts user authentication information efficiently to the SRX Series device across the connection. You must configure the Web API function to allow the CPPM to initiate and establish a secure connection. No separate Routing Engine process is required on the SRX Series device to establish a connection between the SRX Series device and the CPPM.

Figure 4 illustrates the communication cycle between the SRX Series device and the CPPM, including user authentication.

Figure 4: ClearPass and SRX Series Device Communication and User Authentication Process


As depicted, the following activity takes place:

  1. The CPPM initiates a secure connection with the SRX Series device using Web API.
  2. Three users join the network and are authenticated by the CPPM.
    • A tablet user joins the network across the corporate WAN.
    • A smartphone user joins the network across the corporate WAN.
    • A wireless laptop user joins the network from a wired laptop connected to a Layer 2 switch that is connected to the corporate LAN.
  3. The CPPM sends the user authentication and identity information for the users who are logged in to the network to the SRX Series device in POST request messages using the Web API.

    When traffic from a user arrives at the SRX Series device, the SRX Series device:

    • Identifies a security policy that the traffic matches.
    • Locates an authentication entry for the user in the ClearPass authentication table.
    • Applies the security policy to the traffic after authenticating the user.
  4. Traffic from the smartphone user who is requesting access to an internal, protected resource arrives at the SRX Series device. Because all of the conditions identified in Step 3 are met and the security policy permits it, the SRX Series device allows the user connection to the protected resource.
  5. Traffic from the wired laptop user who is requesting access to a protected resource arrives at the SRX Series device. Because all of the conditions identified in Step 3 are met and the security policy permits it, the SRX Series device allows the user connection to the resource.
  6. Traffic from the tablet user who is requesting access to the Internet arrives at the SRX Series device. Because all of the conditions identified in Step 3 are met and the security policy permits it, the SRX Series device allows the user connection to the Internet.

The Web API daemon is not enabled by default for security reasons. When you start up the Web API daemon, by default it opens either the HTTP (8080) or the HTTPS (8443) service port. You must ensure that one of these ports is configured, depending on which version of the HTTP protocol you want to use. We recommend that you use HTTPS for security reasons. Opening these ports makes the system more vulnerable to service attacks. To protect against service attacks that might use these ports, the Web API daemon will start up only after you enable it.

The Web API is a RESTful Web services implementation. However, it does not fully implement RESTful Web services. Rather, it acts as an HTTP or HTTPS server that responds to requests from the ClearPass client.

Note: The Web API connection is initialized by the CPPM using the HTTP service port (8080) or HTTPS service port (8443). For ClearPass to be able to post messages, you must enable and configure the Web API daemon.

To mitigate abuse and protect against data tampering, the Web API daemon:

  • Requires ClearPass client authentication by HTTP or HTTPS basic user account authentication.
  • Allows data to be posted to it only from the IP address configured as the client source. That is, it allows HTTP or HTTPS POST requests only from the ClearPass client IP address, which in this example is 10.208.111.177.
  • Requires that posted content conforms to the established XML data format. When it processes the data, the Web API daemon ensures that the correct data format was used.
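The three acceptance conditions just listed can be seen working against constructed requests. The following is an added illustration written for this page, not Juniper's code: it models the checks as plain functions, using the client address, username and password from this example's configuration. ClearPass's XML format is not published on this page, so the body check verifies well-formedness only, and the element names in the sample body are made up.

```python
"""Model of the acceptance checks the SRX Web API daemon applies to a ClearPass POST.

Added illustration, not Juniper code: it reproduces the three conditions the page lists
(HTTP Basic account, a single permitted client address, and XML content) as plain
functions so the effect of each check can be seen on constructed requests.
"""
import base64
import hmac
import ipaddress
import xml.etree.ElementTree as ET

# Values taken from the example configuration on this page.
WEBAPI_CLIENT = ipaddress.ip_address("10.208.111.177")
WEBAPI_USER = "sunny"
WEBAPI_PASSWORD = "i4%rgd"


def basic_header(user, password):
    """Build the Authorization header a client sends for HTTP Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_basic_auth(header, user=WEBAPI_USER, password=WEBAPI_PASSWORD):
    """True only if the header carries the configured webapi account."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    got_user, sep, got_pass = decoded.partition(":")
    if not sep:
        return False
    # compare_digest keeps the comparison time independent of where a mismatch occurs.
    user_ok = hmac.compare_digest(got_user.encode("utf-8"), user.encode("utf-8"))
    pass_ok = hmac.compare_digest(got_pass.encode("utf-8"), password.encode("utf-8"))
    return user_ok and pass_ok


def check_client(remote_addr, allowed=WEBAPI_CLIENT):
    """Only the configured ClearPass client address may post."""
    try:
        return ipaddress.ip_address(remote_addr) == allowed
    except ValueError:
        return False


def check_xml(body):
    """Body must parse as XML. The schema is not on this page, so only well-formedness is
    checked; inline DTDs are refused because the expected posts never need them."""
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return False
    try:
        ET.fromstring(body)
    except ET.ParseError:
        return False
    return True


def accept_post(remote_addr, method, auth_header, body):
    """Run the checks in the order a server would and return (accepted, reason)."""
    if not check_client(remote_addr):
        return False, "client address not permitted"
    if method != "POST":
        return False, "method not allowed"
    if not check_basic_auth(auth_header):
        return False, "authentication failed"
    if not check_xml(body):
        return False, "body is not well-formed XML"
    return True, "accepted"


# Constructed sample body; the element names are illustrative, not ClearPass's format.
SAMPLE_BODY = b"<userinfo><user>jdoe</user><ip>10.1.5.50</ip><group>sales</group></userinfo>"

if __name__ == "__main__":
    good = basic_header(WEBAPI_USER, WEBAPI_PASSWORD)
    print(accept_post("10.208.111.177", "POST", good, SAMPLE_BODY))
    print(accept_post("10.208.111.178", "POST", good, SAMPLE_BODY))
    print(accept_post("10.208.111.177", "POST", basic_header("sunny", "wrong"), SAMPLE_BODY))
    print(accept_post("10.208.111.177", "POST", good, b"<userinfo><user>jdoe</userinfo>"))
```

The client-address check runs before credential verification, so a post from any address other than the configured client is refused without the account ever being evaluated; this is the same ordering effect as the daemon accepting data only from the configured client source.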

Note: If you deploy Web management and the Web API on the same SRX Series device, they must run on different HTTP or HTTPS service ports.

See Understanding How ClearPass Initiates a Session and Communicates User Authentication Information to the SRX Series Device Using the Web API for further information on how this feature protects against data tampering.

The SRX Series UserID daemon processes the user authentication and identity information and synchronizes it to the ClearPass authentication table on the Packet Forwarding Engine. The SRX Series device creates the ClearPass authentication table to be used for information received only from the CPPM. The ClearPass authentication table does not contain user authentication information from other authentication sources. The SRX Series device checks the ClearPass authentication table to authenticate users attempting to access protected network resources on the Internet using wired or wireless devices and local network resources.

For the CPPM to connect to the SRX Series device and post authentication information, it must be certified using HTTPS authentication. The Web API daemon supports three methods that can be used to refer to an HTTPS certificate: a default certificate, a PKI local certificate, and a customized certificate implemented through the certificate and certificate-key configuration statements. These certificate methods are mutually exclusive.

This example uses HTTPS for the connection between the CPPM and the SRX Series device. To ensure security, the integrated ClearPass feature default certificate key size is 2084 bits.

Whichever method you use—the default certificate, a PKI-generated certificate, or a custom certificate—for security reasons you must ensure that the certificate size is 2084 bits or greater.

The following example shows how to generate a certificate and key using PKI:

user@host> request security pki generate-key-pair certificate-id aruba size 2048
user@host> request security pki local-certificate generate-self-signed certificate-id aruba domain-name mycompany.net email jxchan@mycompany.net ip-address 1.1.1.1 subject "CN=John Doe,OU=Sales,O=mycompany.net,L=MyCity,ST=CA,C=US"

Topology

Figure 5 shows the topology used for the integrated ClearPass deployment examples.

Figure 5: Integrated ClearPass Authentication and Enforcement Deployment Topology


Configuration

This section covers how to enable and configure the SRX Series Web API.

Note: You must enable the Web API. It is not enabled by default.

CLI Quick Configuration

To quickly configure this example, copy the following statements, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the statements into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set system services webapi user sunny password i4%rgd
set system services webapi client 10.208.111.177
set system services webapi https port 8443
set system services webapi https default-certificate
set system services webapi debug-level alert
set interfaces ge-0/0/3.4 vlan-id 340 family inet address 10.1.5.4
set security zones security-zone trust interfaces ge-0/0/3.4 host-inbound-traffic system-services webapi-ssl
set security user-identification authentication-source aruba-clearpass priority 110
set security user-identification authentication-source local-authentication-table priority 120
set security user-identification authentication-source active-directory-authentication-table priority 125
set security user-identification authentication-source firewall-authentication priority 150
set security user-identification authentication-source unified-access-control priority 200

Configuring the SRX Series Web API Daemon

Step-by-Step Procedure

Configuring the Web API allows the CPPM to initialize a connection to the SRX Series device. No separate connection configuration is required.

It is assumed that the CPPM is configured to provide the SRX Series device with authenticated user identity information, including the username, the names of any groups that the user belongs to, the IP addresses of the devices used, and a posture token.

Note that the CPPM might have configured role mappings that map users or user groups to device types. If the CPPM forwards the role mapping information to the SRX Series device, the SRX Series device treats the role mappings as groups. The SRX Series device does not distinguish them from other groups.

Step-by-Step Procedure

To configure the Web API daemon:

  1. Configure the Web API daemon (webapi) username and password for the account.

    This information is used for the HTTPS certification request.

    [edit system services]
    user@host# set webapi user sunny password i4%rgd
  2. Configure the Web API client address, that is, the IP address of the ClearPass webserver’s data port.

    The SRX Series device accepts information from this address only.

    Note: The ClearPass webserver data port whose address is configured here is the same one that is used for the user query function, if you configure that function.

    [edit system services]
    user@host# set webapi client 10.208.111.177
  3. Configure the Web API daemon HTTPS service port.

    If you enable the Web API service on the default TCP port 8080 or 8443, you must enable host inbound traffic on that port.

    In this example, the secure version of the Web API service is used (webapi-ssl), so you must configure the HTTPS service port, 8443.

    [edit system services]
    user@host# set webapi https port 8443
  4. Configure the Web API daemon to use the HTTPS default certificate.
    [edit system services]
    user@host# set webapi https default-certificate
  5. Configure the trace level for the Web API daemon.

    The supported trace levels are notice, warn, error, crit, alert, and emerg. The default value is error.

    [edit system services]
    user@host# set webapi debug-level alert
  6. Configure the interface to use for host inbound traffic from the CPPM.
    user@host# set interfaces ge-0/0/3.4 vlan-id 340 family inet address 10.1.5.4
  7. Enable the Web API service over HTTPS host inbound traffic on TCP port 8443.
    [edit security zones]
    user@host# set security-zone trust interfaces ge-0/0/3.4 host-inbound-traffic system-services webapi-ssl

Results

From configuration mode, confirm your Web API configuration by entering the show system services webapi command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user {
    sunny;
    password "$9$2B4JDqmf3n/k.F/9A1I"; ## SECRET-DATA
}
client {
    10.208.111.177;
}
https {
    port 8443;
    default-certificate;
}
debug-level {
    alert;
}

From configuration mode, confirm the configuration for the interface used for host inbound traffic from the CPPM by entering the show interfaces ge-0/0/3.4 command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.


vlan-id 340;
family inet {
    address 10.1.5.4/32;
}

From configuration mode, confirm your security zone configuration that allows host-inbound traffic from the CPPM using the secure Web API service (webapi-ssl) by entering the show security zones security-zone trust command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

interfaces {
    ge-0/0/3.4 {
        host-inbound-traffic {
            system-services {
                webapi-ssl;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring the ClearPass Authentication Table Entry Timeout and Priority

Step-by-Step Procedure

This procedure configures the following information:

  • The timeout parameter that determines when to age out idle authentication entries in the ClearPass authentication table.
  • The ClearPass authentication table as the first authentication table in the lookup order for the SRX Series device to search for user authentication entries. If no entry is found in the ClearPass authentication table and there are other authentication tables configured, the SRX Series device will search them, based on the order that you set.
  1. Set the timeout value that is used to expire idle authentication entries in the ClearPass authentication table to 20 minutes.
    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass authentication-entry-timeout 20

    The first time that you configure the SRX Series device to integrate with an authentication source, you must specify a timeout value to identify when to expire idle entries in the ClearPass authentication table. If you do not specify a timeout value, the default value is assumed.

    • default = 30 minutes
    • range = 10 through 1440 minutes; a value of 0 means that the entry never expires
  2. Set the authentication table priority order to direct the SRX Series device to search for user authentication entries in the ClearPass authentication table first. Specify the order in which other authentication tables are searched if an entry for the user is not found in the ClearPass authentication table.

    Note: You need to set this value if the ClearPass authentication table is not the only authentication table on the Packet Forwarding Engine.

    [edit security user-identification]
    user@host# set authentication-source aruba-clearpass priority 110
    user@host# set authentication-source local-authentication-table priority 120
    user@host# set authentication-source active-directory-authentication-table priority 125
    user@host# set authentication-source firewall-authentication priority 150
    user@host# set authentication-source unified-access-control priority 200

    The default priority value for the ClearPass authentication table is 110. You must change the local authentication table entry from 100 to 120 to direct the SRX Series device to check the ClearPass authentication table first if there are other authentication tables on the Packet Forwarding Engine. Table 6 shows the new authentication table search priority.

    Table 6: SRX Series Device Authentication Tables Search Priority Assignment

    SRX Series Authentication Tables          Set Value
    ClearPass authentication table            110
    Local authentication table                120
    Active Directory authentication table     125
    Firewall authentication table             150
    UAC authentication table                  200
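The two settings made in this procedure, the idle-entry timeout and the priority-ordered table search, can be modelled together. The following is an added illustration written for this page, not Juniper's code: it uses the priority values from Table 6 and the 20-minute ClearPass timeout, with a simplified clock in whole minutes standing in for real time, and assumes that an entry counts as idle once the configured number of minutes has passed since it was last refreshed. The device IP, usernames and groups in the sample data are constructed.

```python
"""Model of the SRX Series authentication-table lookup order and idle-entry aging.

Added illustration, not Juniper code: tables are searched in ascending priority value
(Table 6 on this page), and an entry is skipped once it has been idle for the table's
configured timeout. A simplified clock in whole minutes stands in for real time.
"""
from dataclasses import dataclass, field

# Priority values from Table 6; the lowest value is searched first.
TABLE_PRIORITY = {
    "aruba-clearpass": 110,
    "local-authentication-table": 120,
    "active-directory-authentication-table": 125,
    "firewall-authentication": 150,
    "unified-access-control": 200,
}


def validate_timeout(minutes):
    """Enforce the page's rule: 0 (never expire) or 10 through 1440 minutes."""
    if minutes == 0 or 10 <= minutes <= 1440:
        return True
    raise ValueError(f"authentication-entry-timeout {minutes} is not 0 or within [10,1440]")


@dataclass
class AuthEntry:
    user: str
    groups: tuple
    last_seen: int  # minute at which the entry was created or last refreshed


@dataclass
class AuthTable:
    name: str
    timeout: int                                 # minutes; 0 means entries never expire
    entries: dict = field(default_factory=dict)  # keyed by device IP address

    def __post_init__(self):
        if self.name not in TABLE_PRIORITY:
            raise ValueError(f"unknown authentication source {self.name}")
        validate_timeout(self.timeout)

    def add(self, ip, entry):
        self.entries[ip] = entry

    def is_expired(self, entry, now):
        # Assumption: an entry is idle once `timeout` minutes have passed since last_seen.
        return self.timeout != 0 and now - entry.last_seen >= self.timeout

    def lookup(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None or self.is_expired(entry, now):
            return None
        return entry

    def age_out(self, now):
        """Remove expired entries; return the IPs that were aged out."""
        expired = [ip for ip, e in self.entries.items() if self.is_expired(e, now)]
        for ip in expired:
            del self.entries[ip]
        return expired


def lookup_user(tables, ip, now):
    """Search the tables in priority order; return (table name, entry) or None."""
    for table in sorted(tables, key=lambda t: TABLE_PRIORITY[t.name]):
        entry = table.lookup(ip, now)
        if entry is not None:
            return table.name, entry
    return None


def build_sample_tables():
    """Constructed data: the same device IP is known to two tables."""
    clearpass = AuthTable("aruba-clearpass", timeout=20)
    local = AuthTable("local-authentication-table", timeout=0)
    clearpass.add("10.1.5.50", AuthEntry("jdoe", ("sales",), last_seen=0))
    local.add("10.1.5.50", AuthEntry("local-jdoe", ("staff",), last_seen=0))
    return [local, clearpass]  # deliberately out of order; the priority value decides


if __name__ == "__main__":
    tables = build_sample_tables()
    print(lookup_user(tables, "10.1.5.50", now=5))   # ClearPass entry is found first
    print(lookup_user(tables, "10.1.5.50", now=25))  # ClearPass entry idle 25 min, local used
    print(tables[1].age_out(now=25))
```

At minute 5 the ClearPass entry is returned because 110 sorts before 120; at minute 25 that entry has been idle longer than the 20-minute timeout, so the search falls through to the local table, which is the behaviour the note in Step 2 describes when more than one table is present.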

Results

From configuration mode, confirm that the timeout value set for aging out ClearPass authentication table entries is correct. Enter the show services user-identification command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

authentication-source aruba-clearpass {
    authentication-entry-timeout 20;
}

Modified: 2016-05-01