
Example: Configuring Centralized Access Control to Network Resources, with an EX Series Switch Connected to Junos Pulse Access Control Service


You can deploy an EX Series switch and Junos Pulse Access Control Service to control who is admitted to your network and what resources—servers, applications, stored data, and other devices—the user can access after being admitted to the network. Access Control Service provides both authentication and authorization.

With this combination of products, the switch serves as an Infranet Enforcer, that is, a policy enforcement point for Access Control Service. Access Control Service sends auth table entries and resource access policies when an endpoint successfully completes 802.1X or MAC authentication (unmanaged devices). Access for any endpoint is governed by the resource access policies that you configure on Access Control Service. The switch converts the resource access policies into filter definitions and applies these to the appropriate port. Because resource access policies are employed, firewall filters are not required for the switch configuration.

This example describes how to configure the switch to use Access Control Service for authentication and authorization and how to configure Access Control Service to use the switch as an Infranet Enforcer.

Note

This example configures the switch prior to configuring the Access Control Service. However, you can configure the Access Control Service first, if you prefer. The sequence does not matter.

The example also describes the requisite configuration procedures on Access Control Service for configuring user roles, user realms, and resource access policies.

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 12.2 or later for EX Series switches

  • One EX Series switch acting as an Infranet Enforcer and an authenticator port access entity (PAE)

  • Junos Pulse Access Control Service Release 4.2 or later

  • Access Control Service IC Series device or MAG Series device

Before you configure the switch to use Access Control Service, be sure you have:

Note

Within the example, the IC Series or MAG Series device is referred to as a Network Access Control (NAC) device.

Overview and Topology

You use 802.1X to control network access. Only users and devices providing credentials that have been verified against a user database are allowed access to the network. You can use Access Control Service as the user database for 802.1X authentication, as well as for MAC RADIUS authentication.

In addition, Access Control Service functions as a centralized policy management server. It eliminates the need to configure firewall filters on each individual switch. Instead, you define resource access policies centrally on Access Control Service. A resource access policy defines which network resources are allowed and denied for a user, based on the user's role. The Access Control Service NAC device distributes these policies to all connected switches. For messages relating to access policies, the NAC device communicates with the switch using the Junos UAC Enforcer Protocol (JUEP).

The Access Control Service IC Series device or MAG Series device acts as your centralized NAC device. Specific resources are allocated through resource access policies from the Access Control Service device. The ports on the switch form a control gate that blocks all traffic to and from supplicants until they are authenticated.

Limit access to protected resources by defining user roles and user realms with accompanying resource access policies in the UAC admin console.

In this example, we are configuring access control for a medical facility. Because we are using Access Control Service for centralized access control, we specify the permissions and limitations on the UAC NAC device.

To ensure patient privacy, the patient medical history files are accessible only to the medical staff (med-staff). The patient insurance information and payment records are available only to the accounts personnel (accounts). Other information pertaining to the patients is available to any of the general staff (general-user).

The switch acts as an Infranet Enforcer and an authenticator port access entity (PAE). It blocks all traffic and acts as a control gate until the supplicant (client) is authenticated by the server. All other users and devices are denied access.

Table 1 shows the configuration components used for the switch and the Access Control Service NAC device in this example.

Table 1: Components of the Topology for Access Control Service and the EX Series Switch

Property | Settings
Access Control Service NAC device properties that must be specified on the switch | IP address—10.204.88.148; hostname—my_nac; password—MyUACPassword
Password to use for connecting the switch with the RADIUS server | MySecret
Access profile, specified on the switch, to define the connection to the UAC | myuac_profile
Switch hostname | myswitch
User roles on the NAC device | med-staff, accounts, general-user
User realm on the NAC device | hospital-staff
Location group on the NAC device | medical-group

Figure 1 shows the topology used in this example.

Figure 1: Centralized Access Control to Network Resources with an EX Series Switch Connected to Junos Pulse Access Control Service

Configuring the EX Series Switch to Connect to the Junos Pulse Access Control Device

CLI Quick Configuration

To quickly connect the switch to Access Control Service, copy the following commands and paste them into the switch terminal window:

Note

This example uses the default values for timeout, interval, and timeout-action.

[edit]
set ethernet-switching-options uac-policy
set access profile myuac_profile authentication-order radius
set access profile myuac_profile radius authentication-server 10.204.88.148
set access radius-server 10.204.88.148
set access radius-server 10.204.88.148 secret MySecret
set services unified-access-control infranet-controller my_nac address 10.204.88.148
set services unified-access-control infranet-controller my_nac interface me0.0
set services unified-access-control infranet-controller my_nac password MyUACPassword
set protocols dot1x authenticator authentication-profile-name myuac_profile
set protocols dot1x authenticator interface ge-0/0/10.0

Step-by-Step Procedure

To connect the switch to your UAC NAC device:

  1. Configure the switch to use Access Control Service for authentication and authorization:
    [edit ethernet-switching-options]

    user@switch# set uac-policy
  2. Configure the access profile to specify Access Control Service. The access profile contains the authentication and authorization configuration that aids in handling authentication and authorization requests, including the authentication method and sequence, and Access Control Service address:
    1. Configure radius as the authentication method to be used when attempting to authenticate a user. For each login attempt, the software tries the authentication methods in order, starting with the first one, until the password matches:

      [edit access profile]

      user@switch# set myuac_profile authentication-order radius
    2. Define the access profile for connecting to the UAC by specifying the IP address of the authentication server:

      Note

      Specify the same IP address that you use for the RADIUS server and the NAC device.

      [edit access profile]

      user@switch# set myuac_profile radius authentication-server 10.204.88.148
  3. Configure the RADIUS server to use the same IP address that you specified for the authentication server:
    [edit access]

    user@switch# set radius-server 10.204.88.148
  4. Configure the password to use for connecting the switch with the RADIUS server:

    Note

    The password specified here is used for RADIUS communications between the switch and Access Control Service. It does not need to match the password that is specified on Access Control Service through the administrative interface on Access Control Service.

    [edit access]

    user@switch# set radius-server 10.204.88.148 secret MySecret
  5. Configure the address of the Access Control Service NAC device:

    Note

    Specify the hostname and IP address of the NAC device. This is the same IP address that you used for specifying the authentication server.

    [edit services unified-access-control infranet-controller my_nac]

    user@switch# set address 10.204.88.148
  6. Configure the switch's management Ethernet interface that is used to reach the NAC device:
    [edit services unified-access-control infranet-controller my_nac]

    user@switch# set interface me0.0
  7. Configure the password for connecting the switch to the Access Control Service NAC device:

    Note

    This password must match the password specified on Access Control Service through its administrative interface. It is used for Junos UAC Enforcer Protocol (JUEP) communications between the switch and Access Control Service.

    [edit services unified-access-control infranet-controller my_nac]

    user@switch# set password MyUACPassword
  8. Specify the name of the access profile to use for 802.1X, MAC RADIUS, or captive portal authentication:

    Note

    Use the same access profile that you configured previously (step 2).

    [edit protocols dot1x]

    user@switch# set authenticator authentication-profile-name myuac_profile
  9. Configure the 802.1X interface that the switch will use for communicating with Access Control Service:
    [edit protocols dot1x]

    user@switch# set authenticator interface ge-0/0/10.0

Results

Display the results of the configuration:

user@switch> show configuration

Creating an Authentication Server Instance on the UAC NAC Device

Step-by-Step Procedure

Access Control Service supports a variety of user authentication and authorization servers. To quickly set up user authentication, you can use local authentication on the Access Control Service NAC device. This example uses the preconfigured local authentication server, System Local.

To set up local user authentication on the NAC device:

  1. In the NAC device admin console, select Authentication > Auth. Servers.
  2. Click System Local.
  3. Select the Users tab.
  4. Click New.
  5. In the dialog box for New Local User, enter information into the text boxes of the following fields:
    • Username

    • Full Name

    • Password

    Note

    All other fields are optional.

  6. Click Save Changes.
  7. Repeat this procedure for each user that you want to include in the device database. For example, we created three users: bobbarker, joansmith, and stevejones.

Results

The users bobbarker, joansmith, and stevejones are available in the NAC device database and can be associated with a role.

Configuring User Roles on the UAC NAC Device

Step-by-Step Procedure

To set up the user roles:

Note

In this example, either Odyssey Access Client or the Junos Pulse client is installed on the client.

  1. In the NAC device admin console, select Users > User Roles.
  2. Click New Role and then enter the Name of the role that allows users with compliant endpoints to access the protected resources. You can also enter additional information about this role into the Description text box.
  3. Click Save Changes.
  4. Repeat these steps to create the additional user roles. For example, we created three roles: med-staff, accounts, and general-user.

Results

The roles med-staff, accounts, and general-user are available in the NAC database.

Configuring a User Realm

Step-by-Step Procedure

To configure a user realm within the authentication server instance:

Note

Only one user realm is required.

  1. In the NAC device admin console, select Users > User Realms.
  2. In the User Authentication Realms dialog box, click New.
  3. In New Authentication Realm:
    • Enter information into the text boxes:

      • Name—Name of the realm. For this example, we are using hospital-staff.

      • Description—(Optional) Any additional information that you wish to provide.

    • Under Servers:

      • Authentication—Select System Local.

      • Directory/Attribute—Select None.

      • Accounting—Select None.

  4. Click Save Changes.

Results

The new user realm can be associated with the roles you have created.

Mapping User Roles to the User Realm

Step-by-Step Procedure

To map each user role to a rule within the user authentication realm:

  1. In the NAC device admin console, select Users > User Realms > Role Mapping for the hospital-staff realm.
  2. Click New Rule.
  3. In the Role Mapping Rule dialog box, for a rule based on username, enter the information for the appropriate fields:
    • Under Rule: If username is bobbarker.

    • Under then assign these roles, select the med-staff role and then click Add.

  4. Create additional role mapping rules for the other users. For example, create a role mapping rule to associate user joansmith with accounts, and a role mapping rule to associate user stevejones with med-staff.
  5. Click Save Changes.

Results

Each user is associated with a role.

Configuring Sign-In Policies

Step-by-Step Procedure

To create a user sign-in policy:

  1. In the admin console, select Authentication > Signing in > Sign-in Policies.
  2. To create a new sign-in policy, click New URL and select Users.
  3. In the Sign-in URL field, enter the URL that you want to associate with the policy. Use the format <host>/<path> where <host> is the hostname of the NAC device, and <path> is any string users must enter. For example */testsite/.
  4. (Optional) Enter a Description for the policy.
  5. In the Sign-in Page list, select Default Sign-in Page.
  6. Under Available realms, select the hospital-staff realm that you created.
  7. Under Authentication protocol set, select 802.1X.
  8. Click Save Changes.

Results

A sign-in URL is available for users.

Configuring a Location Group

Step-by-Step Procedure

You must create a location group to associate with an Infranet Enforcer instance.

  1. In the admin console, select Network Access > Location Group.
  2. Select New Location Group.
  3. For Name, type medical-group.
  4. Add an optional description.
  5. Leave the default sign-in policy.
  6. Click Save Changes.

Results

A location group that can be assigned to the EX Series switch is created.

Configuring an EX Series Switch Infranet Enforcer Instance on the UAC NAC Device

Step-by-Step Procedure

To configure Junos Pulse Access Control Service to accept a connection from the switch:

  1. On the left navigation bar in the NAC device admin console, select UAC > Infranet Enforcer > Connection.
  2. Click New Enforcer. The New Infranet Enforcer dialog box appears. By default, the new ScreenOS Enforcer page is displayed.
  3. Select the Junos EX option button. The New Infranet Enforcer page is displayed.
  4. Enter the name of the switch in the Name box.
  5. Enter the password for the switch. This password is a shared secret that administrators of both the switch and Junos Pulse Access Control Service can use for connectivity between the two devices.
  6. Enter the serial number of the switch.
  7. For Location Group, select medical-group.
  8. Click Save Changes.

Results

Junos Pulse Access Control Service and the EX switch can be connected.

Configuring Resource Access Policies on the UAC NAC Device

Step-by-Step Procedure

To create a resource access policy:

  1. In the Infranet Enforcer admin console, select UAC > Infranet Enforcer > Resource Access.
  2. Click New Policy.
  3. On the New Policy page:

    1. For Name and Description, enter any name and description for this policy, such as MedicalServer.
    2. For Resources, specify the protocol, IP address, network mask, and port of each resource (or range of addresses) for which this Infranet Enforcer resource access policy applies, one per line. You cannot specify a hostname in an Infranet Enforcer resource access policy. You can specify only an IP address. You can use TCP, UDP, or ICMP.

      For example, type 10.204.91.20 to specify the med-staff protected resource on the switch.

    3. In the Infranet Enforcer box, add the switch you created to Selected Enforcers.
    4. In the Roles box, select Policy applies to SELECTED roles, select med-staff, and click Add to apply this resource access policy to users who are mapped to the med-staff role.
    5. In the Action box, select Allow access.
  4. Click Save Changes.
  5. Complete two additional resource access policies:
    • Allow role accounts with the IP address 10.204.91.21.

    • Allow role general-user with the IP address 10.204.91.22.
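
As an added illustration (not Juniper's code and not part of this example), the following Python model shows how the three policies above, together with the mandatory policy that allows traffic to the NAC device, resolve access by role, including the default-deny behaviour of the switch's control gate. The policy fields and first-match evaluation order are assumptions made for the model; the addresses and role names are the ones used in this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
import ipaddress

# Constructed example: the NAC address, roles and resource addresses are the
# ones used in this example; the policy model itself is an assumption.
NAC_ADDRESS = "10.204.88.148"
ROLES = ("med-staff", "accounts", "general-user")


@dataclass(frozen=True)
class ResourcePolicy:
    """One resource access policy, as entered on the New Policy page."""
    name: str
    proto: str             # "tcp", "udp", "icmp", or "*" for any protocol
    network: str           # IPv4 address or prefix; hostnames are not allowed
    port: Optional[int]    # None means any port (ignored for icmp)
    roles: FrozenSet[str]  # roles the policy applies to; empty means all roles
    action: str = "allow"  # "allow" or "deny"

    def matches(self, role, proto, dst, port=None):
        if self.roles and role not in self.roles:
            return False
        if self.proto != "*" and self.proto != proto:
            return False
        if self.port is not None and proto != "icmp" and self.port != port:
            return False
        net = ipaddress.ip_network(self.network, strict=False)
        return ipaddress.ip_address(dst) in net


# The three policies created in this example plus the one the Verification
# section says must always exist: traffic to the NAC device itself.
POLICIES: List[ResourcePolicy] = [
    ResourcePolicy("MedicalServer", "tcp", "10.204.91.20", None, frozenset({"med-staff"})),
    ResourcePolicy("AccountsServer", "tcp", "10.204.91.21", None, frozenset({"accounts"})),
    ResourcePolicy("GeneralServer", "tcp", "10.204.91.22", None, frozenset({"general-user"})),
    ResourcePolicy("NAC-Access", "*", NAC_ADDRESS, None, frozenset()),
]


def evaluate(policies, role, proto, dst, port=None) -> Tuple[str, Optional[str]]:
    """First matching policy decides. With no match the port's control gate keeps
    blocking, so an unmatched role/resource pair is denied, not allowed."""
    for pol in policies:
        if pol.matches(role, proto, dst, port):
            return pol.action, pol.name
    return "deny", None


def nac_reachable(policies) -> bool:
    """Every role must still be able to reach the Access Control Service; the
    Verification note says this allow policy must always be present."""
    return all(evaluate(policies, r, "udp", NAC_ADDRESS, 53)[0] == "allow" for r in ROLES)
```

Running nac_reachable on a policy set that omits the NAC allow policy returns False, which is the misconfiguration the Verification note warns about.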

Results

Individual users, through their assigned roles, are provided access to the proper protected assets.

Verification

The following procedures verify the connections between the switch and the NAC device.

Verifying That the Switch Is Connected to Access Control Service

Purpose

Verify that the switch is connected to Access Control Service.

Action

Confirm the status of the connection to Access Control Service.

Meaning

Confirm that the State indicates that the Access Control Service is connected.

Verifying the Configuration of Resource Access Policies

Purpose

After you have configured the access resource policies on the UAC device admin console, verify that they have been deployed to the switch.

Action

Confirm that resource access policies for the switch have been configured on Access Control Service.

Note

There must always be a resource access policy to allow traffic to the Access Control Service.

Meaning

The results show the resource access policies that were configured in this example. The policy with identifier 4 is the policy that allows traffic to the Access Control Service. It lists the IP address of the Access Control Service and an additional UDP resource, indicating that it allows DHCP and DNS traffic as well.

Verifying the Mapping of Roles to Resources

Purpose

Display the content of the authentication table in a user role firewall implementation. The table, pushed from a supporting Access Control Service device, provides the user roles associated with incoming traffic.

Action

Display the contents of the authentication table to show the mapping of roles to resources.

Meaning

This output shows the mapping for username bobbarker. The output shows only one user, because only this user is connected at the time that the command is issued. If additional users were connected, the other users would also be displayed.