
Example: Configuring the Device Identity Feature in an Active Directory Environment on NFX Devices


This example shows how to configure the integrated user firewall device identity authentication feature to control access to network resources based on the identity of an authenticated device rather than its user. There are several reasons to use the device identity for access control: you might not know the identity of the user, some companies have older switches that do not support 802.1X, and others have no network access control (NAC) system. The device identity authentication feature addresses these and similar situations by letting you control network access based on the device identity, either for a group of devices that fit the device identity specification or for an individual device.

Requirements

This example uses the following hardware and software components:

  • An NFX Series device

  • Microsoft Active Directory with a domain controller and the Lightweight Directory Access Protocol (LDAP) server

    The Active Directory domain controller has a high-performance configuration of 4 cores and 8 gigabytes of memory.

    Note

    The NFX Series device obtains the IP address of a device by reading the domain controller event log. The process that reads the event log consumes domain controller CPU resources, which might lead to high CPU usage. For this reason, the Active Directory domain controller should have a high-performance configuration of at least 4 cores and 8 gigabytes of memory.

  • A server on the internal corporate network.

Overview

This example uses Microsoft Active Directory as the authentication source. It covers how to configure a device identity profile that characterizes a device, or set of devices, and how to reference that profile in a security policy. If a device matches the device identity and the security policy parameters, the security policy’s action is applied to traffic issuing from that device.

Note

You must configure the authentication source for this feature to work.

This example covers the following configuration parts:

  • Zones and their interfaces

    You must configure the zones to which the source and destination entities specified in the security policy belong. If you do not configure them, the security policy that references the device identity profile will be invalid.

  • A device identity profile

    You configure the device identity profile apart from the security policy; you refer to it from a security policy. A device identity profile specifies a device identity that can be matched by one or more devices. For Active Directory, you can specify only the device-identity attribute in the profile.

    In this example, the device-identity attribute specification is company-computers.

    Note

    The device identity profile is referred to as end-user-profile in the CLI.

  • A security policy

    You configure a security policy whose action is applied to traffic issuing from any device that matches the device identity profile attributes and the rest of the security policy’s parameters.

    Note

    You specify the name of the device identity profile in the security policy’s source-end-user-profile field.

  • Authentication source

    You configure the authentication source to be used to authenticate the device. This example uses Active Directory as the device identity authentication source.

    If Active Directory is the authentication source, the NFX Series device obtains identity information for an authenticated device by reading the Active Directory domain’s event log. The NFX Series device then queries the LDAP interface of Active Directory to identify the groups that the device belongs to, using the device’s IP address for the query.

    For this purpose, the NFX Series device implements a Windows Management Instrumentation (WMI) client with Microsoft Distributed COM/Microsoft RPC stacks and an authentication mechanism to communicate with the Windows Active Directory controller in the Active Directory domain. It is the NFX Series device wmic daemon that extracts device information from the event log of the Active Directory domain.

    The wmic daemon also monitors the Active Directory event log for changes by using the same WMI DCOM interface. When changes occur, the NFX Series device adjusts its local device identity authentication table to reflect those changes.

Topology

In this example, users who belong to the marketing-zone zone want to access resources on the internal corporate servers. Access control is based on the identity of the device. In this example, company-computers is specified as the device identity. Therefore, the security policy action is applied only to devices that fit that specification and match the security policy criteria. It is the device that is either granted or denied access to the server resources. Access is not controlled based on user identification.

Two zones are established: one that includes the network devices (marketing-zone) and one that includes the internal servers (servers-zone). The NFX Series device interface ge-1/0/3.1, whose IP address is 192.0.2.18/24, is assigned to the marketing-zone zone. The NFX Series device interface ge-1/0/3.2, whose IP address is 192.0.2.14/24, is assigned to the servers-zone zone.

This example covers the following activity:

  1. The NFX Series device connects to the Active Directory domain controller using the WMI DCOM interface to obtain information about devices authenticated by Active Directory.

    When a user logs in to the network and is authenticated, information about the user’s device is written to the event log.

  2. The NFX Series device extracts the device information from the event log of the Active Directory domain controller.

  3. The NFX Series device uses the extracted information to obtain a list of the groups that the device belongs to from the Active Directory LDAP server.

  4. The NFX Series device creates a local device identity authentication table and stores the device identity information that it obtained from the domain controller and LDAP server in the table.

  5. When traffic from a device arrives at the NFX Series device, the NFX Series device checks the device identity authentication table for a matching entry for the device that issued the traffic.

  6. If the NFX Series device finds a matching entry for the device that is requesting access, it checks the security policy table for a security policy whose source-end-user-profile field specifies a device identity profile with a device-identity specification that matches that of the device requesting access.

  7. The matching security policy is applied to traffic issuing from the device.

Figure 1 shows the topology for this example.

Figure 1: Topology for the Device Identity Feature with Active Directory as the Authentication Source

Configuration

To configure the device identity feature in an Active Directory environment, perform these tasks:

CLI Quick Configuration

To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring the Integrated User Firewall Device Identity Authentication Feature in an Active Directory Environment

Step-by-Step Procedure

This procedure includes the configuration statements required to configure the NFX Series device to support the device identity authentication feature in an Active Directory environment.

  1. Configure the interfaces to be used for the marketing-zone and the servers-zone.
  2. Configure the marketing-zone and the servers-zone and assign interfaces to them.
  3. Configure the authentication source to specify Microsoft Active Directory. You must specify the authentication source for the device identity feature to work. This is a required value.
  4. Configure the device identity specification for the device identity profile, which is also referred to as end-user-profile.
  5. Configure a security policy, called mark-server-access, that references the device identity profile called marketing-west-coast. The security policy allows any device that belongs to the marketing-zone zone (and that matches the device identity profile specification) access to the target server’s resources.
  6. Configure the NFX Series device to communicate with Active Directory and to use the LDAP service.

    To get the group information necessary to implement the device identity authentication feature, the NFX Series device uses the Lightweight Directory Access Protocol (LDAP). The NFX Series device acts as an LDAP client communicating with an LDAP server. Typically, the Active Directory domain controller acts as the LDAP server. The LDAP module in the NFX Series device queries the Active Directory in the domain controller.
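The configuration statements for the six steps above, collected as an added example; this is not the page's own CLI Quick Configuration. The interface names, addresses, zone names, profile name, policy name and device-identity string come from this example's text. Everything else is an assumption: the domain is taken to be example.net (the page's show command refers to it as example-net), VLAN IDs 10 and 20 are added because Junos allows only unit 0 on an untagged Ethernet interface, the domain controller name ad1 and address 192.0.2.27 are constructed values, and the Active Directory account and password are placeholders to replace with your own. Lines beginning with # are annotations; drop them before pasting into the CLI at the [edit] hierarchy level.

```junos
# Step 1: interfaces for the two zones (addresses from the example; VLAN IDs assumed)
set interfaces ge-1/0/3 vlan-tagging
set interfaces ge-1/0/3 unit 1 vlan-id 10
set interfaces ge-1/0/3 unit 1 family inet address 192.0.2.18/24
set interfaces ge-1/0/3 unit 2 vlan-id 20
set interfaces ge-1/0/3 unit 2 family inet address 192.0.2.14/24

# Step 2: zones and their interfaces
set security zones security-zone marketing-zone interfaces ge-1/0/3.1
set security zones security-zone servers-zone interfaces ge-1/0/3.2

# Step 3: authentication source for device identity (required)
set services user-identification device-information authentication-source active-directory

# Step 4: device identity profile (end-user-profile in the CLI); domain name assumed to be example.net
set services user-identification device-information end-user-profile profile-name marketing-west-coast domain-name example.net attribute device-identity string company-computers

# Step 5: security policy that matches on the device identity profile
set security policies from-zone marketing-zone to-zone servers-zone policy mark-server-access match source-address any
set security policies from-zone marketing-zone to-zone servers-zone policy mark-server-access match destination-address any
set security policies from-zone marketing-zone to-zone servers-zone policy mark-server-access match application any
set security policies from-zone marketing-zone to-zone servers-zone policy mark-server-access match source-end-user-profile marketing-west-coast
set security policies from-zone marketing-zone to-zone servers-zone policy mark-server-access then permit

# Step 6: Active Directory access (WMI event log reader) and LDAP group mapping
# Placeholders: <ad-reader-account>, <ad-reader-password>; constructed values: ad1, 192.0.2.27
set services user-identification active-directory-access domain example.net user <ad-reader-account>
set services user-identification active-directory-access domain example.net user password "<ad-reader-password>"
set services user-identification active-directory-access domain example.net domain-controller ad1 address 192.0.2.27
set services user-identification active-directory-access domain example.net user-group-mapping ldap base DC=example,DC=net
set services user-identification active-directory-access domain example.net user-group-mapping ldap address 192.0.2.27
set services user-identification active-directory-access domain example.net user-group-mapping ldap user <ad-reader-account>
set services user-identification active-directory-access domain example.net user-group-mapping ldap user password "<ad-reader-password>"
```

The account the NFX Series device uses only needs to read the domain controller's Security event log over WMI and to query LDAP, so a dedicated account granted just those rights is the least-privilege choice; the placeholders above deliberately do not name a domain administrator. After committing, the show commands listed under Results display each part of this configuration.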

Results

show interfaces

show security zones

show services user-identification device-information end-user-profile

show services user-identification device-information authentication-source

show security policies

show services user-identification active-directory-access

show services user-identification active-directory-access domain example-net

Verification

Verify the Device Identity Authentication Table Contents

Purpose

Verify that the device identity authentication table contains the expected entries and their groups.

Action

In this case, the device identity authentication table contains three entries. Enter show services user-identification device-information table all extensive to display extensive information for all three entries.

Sample Output

Meaning

The table should contain entries with information for all authenticated devices and the groups that they belong to.

Verify the Domain Configuration on the NFX Series Device

Purpose

Ensure that the NFX Series device is configured with the correct domain information.

Action

Enter show services user-identification active-directory-access domain example-net.

Meaning

The output should reflect the correct information configured for the domain.