Configure Captive Portal on Junos OS Enforcer
By enabling the captive portal on the Junos OS enforcer, you can redirect a user to authenticate through IC Series UAC Appliance without their knowledge. After successful authentication, the IC Series appliance redirects the user to the protected resource that they want to access.
Understanding the Captive Portal on the Junos OS Enforcer
In a Unified Access Control (UAC) deployment, users might not be aware that they must first sign in to the IC Series UAC Appliance for authentication and endpoint security checking before they are allowed to access a protected resource behind the Junos OS Enforcers. To help users sign in to the IC Series appliance, you can configure the captive portal feature. The captive portal feature allows you to configure a policy in the Junos OS Enforcer that automatically redirects HTTP traffic destined for protected resources to the IC Series appliance or to a URL configured in the Junos OS Enforcer.
You can configure a captive portal for deployments that use either source IP enforcement or IPsec enforcement, or a combination of both enforcement methods.
Figure 1 shows the captive portal feature enabled on a Junos OS Enforcer. Users accessing protected resources are automatically redirected to the IC Series appliance:
- Users point to a protected resource using the browser.
- The Junos OS Enforcer determines that the user is not authenticated and redirects the request to the IC Series appliance or another server.
- Users enter their Infranet username and password to log in.
- The IC Series appliance passes the user credentials to an authentication server.
- After authentication, the IC Series appliance redirects the users to the protected resource they wanted to access.
By default, the Junos OS Enforcer encodes and forwards to the IC Series appliance the protected resource URL that the user entered. The IC Series appliance uses the protected resource URL to help users navigate to the protected resource. The manner in which the IC Series appliance uses the protected resource URL depends on whether or not the user’s endpoint is running the Odyssey Access Client or Junos Pulse. If the user’s endpoint is not running the Odyssey Access Client or Junos Pulse (that is, it is in an agentless or Java agent configuration), the IC Series appliance automatically opens a new browser window and uses HTTP to access the protected resource after the user signs in. If the endpoint is using the Odyssey Access Client, the IC Series appliance inserts a hypertext link in the webpage that automatically opens after the user signs in. The user must then click that hypertext link to access the protected resource by means of HTTP in the same browser window.
The Junos OS Enforcer supports the captive portal feature only for HTTP traffic. If you attempt to access a protected resource by using HTTPS or a non-browser application (such as an e-mail application), the Junos OS Enforcer does not redirect the traffic. When using HTTPS or a non-browser application, you must manually sign in to the IC Series appliance first before attempting to access protected resources.
Understanding Captive Portal Configuration on the Junos OS Enforcer
To configure the captive portal feature, you create a security policy on the Junos OS Enforcer and then specify a redirection option for the captive portal security policy. You can choose to redirect traffic to an external server or to the IC Series UAC Appliance. You can also choose to redirect all traffic or unauthenticated traffic only.
Redirecting traffic to an external webserver—You can configure the Junos OS Enforcer to redirect HTTP traffic to an external webserver instead of the IC Series appliance. For example, you can redirect HTTP traffic to a webpage that explains to users the requirement to sign in to the IC Series appliance before they can access the protected resource. You could also include a link to the IC Series appliance on that webpage to help users sign in.
Redirecting unauthenticated traffic—Select this option if your deployment uses source IP only or a combination of source IP and IPsec. The Junos OS Enforcer redirects clear-text traffic from unauthenticated users to the currently connected IC Series appliance or to an IP address or domain name that you specify in a redirect URL. After a user signs in to the IC Series appliance and the user’s endpoint system meets the requirements of the IC Series appliance security policies, the Junos OS Enforcer allows the user’s clear-text traffic to pass through in source IP deployments. For IPsec deployments, the Odyssey Access Client creates a VPN tunnel between the user and the Junos OS Enforcer. The Junos OS Enforcer then applies the VPN policy, allowing the encrypted traffic to pass through.
Redirecting all traffic—Specify this option if you want to redirect all traffic to the URL that you specify in a redirect URL.
Redirecting traffic with multiple IC Series appliances—You can configure multiple IC Series appliances on your Junos OS Enforcer, but it is connected to only one IC Series appliance at any given time. If the connection to the IC Series appliance fails, the Junos OS Enforcer tries to connect to the next configured IC Series appliance. As a result, you cannot be sure which IC Series appliance is connected to the Junos OS Enforcer at any given time. To ensure that the Junos OS Enforcer redirects traffic to the connected IC Series appliance, configure the default redirect URL or use the %ic-ip% option in the URL.
Understanding the Captive Portal Redirect URL Options
By default, after you configure a captive portal policy, the Junos OS Enforcer redirects HTTP traffic to the currently connected IC Series UAC Appliance by using HTTPS. To perform the redirection, the Junos OS Enforcer uses the IP address or domain name that you specified when you configured the IC Series appliance instance on the Junos OS Enforcer. The format of the URL that the Junos OS Enforcer uses for default redirection is:
https://%ic-ip%/?target=%dest-url%&enforcer=%enforcer-id%&policy=%policy-id%&dest-ip=%dest-ip%
If you configured your Junos OS Enforcer to work with multiple IC Series appliances in a cluster, and the current IC Series appliance becomes disconnected, the Junos OS Enforcer automatically redirects HTTP traffic to the next active IC Series appliance in its configuration list. The Junos OS Enforcer redirects traffic to only one IC Series appliance at a time.
Otherwise, the browser displays a certificate warning to users when they sign in. You do not need to override the default redirection destination except in these situations:
- You are using a VIP for a cluster of IC Series appliances, and the Junos OS Enforcer is configured to connect to the IC Series appliance physical IP addresses.
- You want to redirect traffic to a webserver instead of the IC Series appliance.
- If, because of split DNS or IP routing restrictions at your site, the Junos OS Enforcer uses a different address for the IC Series appliance than endpoints do, you must specify the domain name or IP address that endpoints must use to access the IC Series appliance.
If a captive portal policy is configured with the IC Series UAC Appliance URL as the target, then use only HTTPS to redirect traffic.
Table 1 lists different options that you can configure in the redirect URL string.
Table 1: Redirect URL String Options

| Option | Description |
|---|---|
| %dest-url% | Specifies the protected resource which the user is trying to access. |
| %enforcer-id% | Specifies the ID assigned to the Junos OS Enforcer by the IC Series appliance. |
| %policy-id% | Specifies the encrypted policy ID for the captive portal security policy that redirected the traffic. |
| %dest-ip% | Specifies the IP address or hostname of the protected resource which the user is trying to access. |
| %ic-ip% | Specifies the IP address or hostname of the IC Series appliance to which the Junos OS Enforcer is currently connected. |
Example: Creating a Captive Portal Policy on the Junos OS Enforcer
This example shows how to create a captive portal policy on the Junos OS Enforcer. In this example, you deploy a Junos OS Enforcer in front of the data center resources you want to protect and configure the captive portal feature on the Junos OS Enforcer. The Junos OS Enforcer then automatically redirects HTTP traffic destined for the protected resource to the IC Series UAC Appliance for authentication.
Before you begin:
- Deploy the IC Series appliance in the network so that users can access the device. Use the internal port on the IC Series appliance to connect users, the Junos OS Enforcer, and authentication servers. See Configuring Communications Between the Junos OS Enforcer and the IC Series UAC Appliance (CLI Procedure).
- Set up security zones and interfaces on the Junos OS Enforcer. Make sure that end users are in a different security zone than protected resources. For example, protected resources in the data center are configured in the trusted zone and users in an untrusted zone. See Example: Creating Security Zones.
- Add individual users to either an external authentication server or the local authentication server. Set up roles and realms for individual users. You can provision access to protected resources based on your network security needs.
In this example, you want to protect the trusted zone from users on the LAN by making sure that only compliant and authenticated users are granted access. New users join your network every month. You want to configure the captive portal feature on your system so that unauthenticated users are redirected to the IC Series appliance automatically without requiring new users to remember to log in to the IC Series appliance.
The configuration instructions in this topic describe how to create a security policy called my-policy, specify a match condition for this policy, specify the captive portal policy as a part of the UAC policy, and set criteria for redirecting traffic to the IC Series appliance. In this example, the policy my-policy:
- Specifies the match condition to include any traffic from a previously configured zone called trust to another previously configured zone called untrust.
- Specifies the captive portal policy called my-captive-portal-policy as part of the UAC policy.
- Specifies the redirect-traffic criteria as unauthenticated.
CLI Quick Configuration
To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the  hierarchy level, and then enter commit from configuration mode.
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To create a captive portal policy on the Junos OS Enforcer:
- Specify the match condition for the policy.
  [edit security policies from-zone untrust to-zone trust policy my-policy]
  user@host# set match destination-address any source-address any application junos-http
- Specify the captive portal policy as part of the UAC policy to be applied on the traffic that matches the conditions specified in the security policy.
  [edit security policies from-zone untrust to-zone trust policy my-policy]
  user@host# set then permit application-services uac-policy captive-portal my-captive-portal-policy
- Redirect all unauthenticated traffic to the IC Series appliance.
  [edit services unified-access-control]
  user@host# set captive-portal my-captive-portal-policy redirect-traffic unauthenticated
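The configuration that the three set commands above produce, written out in Junos hierarchy form as an added illustration (this is not show output taken from the original page). The second captive-portal stanza, my-external-redirect, is an assumed name that is not referenced by my-policy; it shows the redirect-url form used for the external webserver case, with signin.example.com as a placeholder hostname.

```junos
security {
    policies {
        from-zone untrust to-zone trust {
            policy my-policy {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;   /* captive portal applies to HTTP only */
                }
                then {
                    permit {
                        application-services {
                            uac-policy {
                                captive-portal my-captive-portal-policy;
                            }
                        }
                    }
                }
            }
        }
    }
}
services {
    unified-access-control {
        /* Default redirect: unauthenticated clear-text HTTP goes over HTTPS
           to the currently connected IC Series appliance (%ic-ip%). */
        captive-portal my-captive-portal-policy {
            redirect-traffic unauthenticated;
        }
        /* Assumed variant: send unauthenticated users to an explanatory
           page on an external webserver instead; %dest-url% carries the
           resource the user originally requested. */
        captive-portal my-external-redirect {
            redirect-traffic unauthenticated;
            redirect-url "https://signin.example.com/uac-help?target=%dest-url%";
        }
    }
}
```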
Confirm your configuration by entering the show services and show security policies commands from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
If you are done configuring the device, enter commit from configuration mode.
To confirm that the configuration is working properly, perform this task:
Verifying the Captive Portal Policy
Verify that the captive portal policy was created.
From operational mode, enter the show security policies detail command.