Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Set Up Communication between Junos OS Enforcer and IC Series UAC Appliance

 

In a Unified Access Control (UAC) network, an SRX Series device is called as Junos OS Enforcer when it is deployed in the UAC environment. The SRX Series device verifies the certificate which IC Series appliance submits. The SRX Series device and IC Series appliance perform mutual authentication. After authentication, the IC Series appliance sends user and resource access policy information to the SRX Series device to act as the Junos OS Enforcer.

Understanding Communications Between the Junos OS Enforcer and the IC Series UAC Appliance

When you configure an SRX Series device to connect to an IC Series UAC Appliance, the SRX Series device and the IC Series appliance establish secure communications as follows:

  1. If more than one IC Series device are configured as Infranet Controllers on the SRX Series device, a round-robin algorithm determines which of the configured IC Series devices is the active Infranet Controller. The others are failover devices. If the active Infranet Controller becomes inoperative, the algorithm is reapplied to the remaining IC Series devices that are configured to establish the new active Infranet Controller.

  2. The active IC Series appliance presents its server certificate to the SRX Series device. If configured to do so, the SRX Series device verifies the certificate. (Server certificate verification is not required; however, as an extra security measure you can verify the certificate to implement an additional layer of trust.)

  3. The SRX Series device and the IC Series appliance perform mutual authentication using the proprietary challenge-response authentication. For security reasons, the password is not included in the message sent to the IC Series appliance.

  4. After successfully authenticating with the SRX Series device, the IC Series appliance sends its user authentication and resource access policy information. The SRX Series device uses this information to act as the Junos OS Enforcer in the UAC network.

  5. Thereafter, the IC Series appliance and the Junos OS Enforcer can communicate freely with one another over the SSL connection. The communications are controlled by a proprietary protocol called Junos UAC Enforcer Protocol (JUEP).

Understanding Communications Between Junos OS Enforcer and a Cluster of IC Series UAC Appliances

You can configure a Junos OS Enforcer to work with more than one IC Series UAC Appliance in a high availability configuration known as an IC Series appliance cluster. The Junos OS Enforcer communicates with only one IC Series appliance at a time; the other IC Series appliances are used for failover. If the Junos OS Enforcer cannot connect to the first IC Series appliance you added to a cluster, it tries to connect to the failed IC Series appliance again. Then it fails over to the other IC Series appliances in the cluster. It continues trying to connect to IC Series appliances in the cluster until a connection occurs.

When the Junos OS Enforcer cannot establish a connection to an Infranet Enforcer, it preserves all its existing authentication table entries and Unified Access Control (UAC) policies and takes the timeout action that you specify. Timeout actions include:

  • close—Close existing sessions and block any further traffic. This is the default option.

  • no-change—Preserve existing sessions and require authentication for new sessions.

  • open—Preserve existing sessions and allow new sessions access.

Once the Junos OS Enforcer can reestablish a connection to an IC Series appliance, the IC Series appliance compares the authentication table entries and UAC policies stored on the Junos OS Enforcer with the authentication table entries and policies stored on the IC Series appliance and reconciles the two as required.

Note

The IC Series appliances configured on a Junos OS Enforcer should all be members of the same IC Series appliance cluster.

Configuring Communications Between the Junos OS Enforcer and the IC Series UAC Appliance (CLI Procedure)

To configure an SRX Series device to act as a Junos OS Enforcer in a UAC deployment, and therefore to enforce IC Series UAC Appliance policies, you must specify an IC Series appliance to which the SRX Series device should connect.

Before you begin:

  1. Enable UAC through the relevant Junos OS security policies. See Enabling UAC in a Junos OS Environment (CLI Procedure).

  2. (Optional) Create a profile for the certificate authority (CA) that signed the IC Series appliance’s server certificate, and import the CA certificate onto the SRX Series device. See Example: Loading CA and Local Certificates Manually.

  3. Configure user authentication and authorization by setting up user roles, authentication and authorization servers, and authentication realms on the IC Series appliance.

  4. Configure resource access policies on the IC Series appliance to specify which endpoints are allowed or denied access to protected resources.

To configure an SRX Series device to act as a Junos OS Enforcer:

  1. Specify the IC Series appliance(s) to which the SRX Series device should connect.

    • To specify the IC Series appliance hostname:

    • To specify the IC Series appliance IP address:

    Note

    When configuring access to multiple IC Series appliances, you must define each separately. For example:

    Make sure that all of the IC Series appliances are members of the same cluster.

    Note

    By default, the IC Series appliance should select port 11123.

  2. Specify the Junos OS interface to which the IC Series appliance should connect:

  3. Specify the password that the SRX Series device should use to initiate secure communications with the IC Series appliance:

    Note

    Any change in the Unified Access Control’s (UAC) contact interval and timeout values in the SRX Series device will be effective only after the next reconnection of the SRX Series device with the IC Series appliance.

  4. (Optional) Specify information about the IC Series appliance’s server certificate that the SRX Series device needs to verify the certificate.

    • To specify the server certificate subject that the SRX Series device checks:

    • To specify the CA profile associated with the certificate:

Note

An IC Series appliance server certificate can be issued by an intermediate CA. There are two types of CAs—root CAs and intermediate CAs. An intermediate CA is secondary to a root CA and issues certificates to other CAs in the public key infrastructure (PKI) hierarchy. Therefore, if a certificate is issued by an intermediate CA, you need to specify the complete list of CA profiles in the certification chain.

Understanding Junos OS Enforcer Implementations Using IPsec

To configure an SRX Series device to act as a Junos OS Enforcer using IPsec, you must:

  • Include the identity configured under the security IKE gateway. The identity is a string such as “gateway1.mycompany.com”, where gateway1.mycompany.com distinguishes between IKE gateways. (The identities specify which tunnel traffic is intended.)

  • Include the preshared seed. This generates the preshared key from the full identity of the remote user for Phase 1 credentials.

  • Include the RADIUS shared secret. This allows the IC Series UAC Appliance to accept RADIUS packets for extended authentication (XAuth) from the Junos OS Infranet Enforcer.

When configuring IPsec between the IC Series appliance, the Odyssey Access Client, and the SRX Series device, you should note that the following are IKE (or Phase 1) proposal methods or protocol configurations that are supported from the IC Series appliance to the Odyssey Access Client:

  • IKE proposal: authentication-method pre-shared-keys (you must specify pre-shared-keys)

  • IKE policy:

    • mode aggressive (you must use aggressive mode)

    • pre-shared-key ascii-text key (only ASCII text preshared-keys are supported)

  • IKE gateway: dynamic

    • hostname identity (you must specify a unique identity among gateways)

    • ike-user-type group-ike-id (you must specify group-ike-id)

    • xauth access-profile profile (you must specify xauth)

The following are IPsec (or Phase 2) proposal methods or protocol configurations that are supported from the IC Series appliance to the Odyssey Access Client.

  • IPsec proposal: protocol esp (you must specify esp)

  • IPsec VPN: establish-tunnels immediately (you must specify establish-tunnels immediately)

Note
  • Only one IPsec VPN tunnel is supported per from-zone to to-zone security policy. This is a limitation on the IC Series appliance.

  • Junos OS security policies enable you to define multiple policies differentiated by different source addresses, destination addresses, or both. The IC Series appliance, however, cannot differentiate such configurations. If you enable multiple policies in this manner, the IC Series appliance could potentially identify the incorrect IKE gateway.

Example: Configuring the Device as a Junos OS Enforcer Using IPsec (CLI)

To configure an SRX Series device to act as a Junos OS Enforcer using IPsec:

  1. Set system and syslog information using the following configuration statements:
    Note

    On SRX Series devices, the factory default for the maximum number of backup configurations allowed is five. Therefore, you can have one active configuration and a maximum of five rollback configurations. Increasing this backup configuration number will result in increased memory usage on disk and increased commit time.

    To modify the factory defaults, use the following commands:

    root@host# set system max-configurations-on-flash number
    root@host# set system max-configuration-rollbacks number

    where max-configurations-on-flash indicates backup configurations to be stored in the configuration partition and max-configuration-rollbacks indicates the maximum number of backup configurations.

  2. Configure the interfaces using the following configuration statements:
  3. Configure routing options using the following configuration statements:
  4. Configure security options using the following configuration statements:
  5. Configure IPsec parameters using the following configuration statements:
  6. Configure screen options using the following configuration statements:
  7. Configure zones using the following configuration statements:
  8. Configure policies for UAC using the following configuration statements:
  9. Configure RADIUS server authentication access using the following configuration statements:
  10. Configure services for UAC using the following configuration statements: