Once the SRX-series device has successfully established itself as the JUNOS Enforcer, it secures traffic as follows:
Note: IPsec is currently not supported in JUNOS-Unified Access Control (UAC) deployments. As such, you should use IP-based security policies.
An authentication table entry contains the source IP address and user role(s) of a user who has already successfully established a UAC session. A user role identifies a group of users based on criteria such as type (for instance, “Engineering” or “Marketing”) or status (for instance, “Antivirus Running”). The JUNOS Enforcer determines whether to allow or deny the traffic to pass based on the authentication results stored in the appropriate authentication table entry. (For more information about authentication tables and user roles, see the Unified Access Control Administration Guide.)
The Infranet Controller pushes authentication table entries to the JUNOS Enforcer when the devices first connect to one another (as explained in Communications Between the JUNOS Enforcer and the Infranet Controller) and as necessary throughout the session. For example, the Infranet Controller might push updated authentication table entries to the JUNOS Enforcer when the user’s computer becomes noncompliant with endpoint security policies, when you change the configuration of a user’s role, or when you disable all user accounts on the Infranet Controller in response to a security problem such as a virus on the network.
If the JUNOS Enforcer drops a packet due to a missing authentication table entry, the device sends a message to the Infranet Controller, which in turn may provision a new authentication table entry and send it to the JUNOS Enforcer. This process is called dynamic authentication table provisioning.
To display a summary of the authentication table entries configured from the Infranet Controller, use the show services unified-access-control authentication-table command.
A resource access policy specifies a particular resource to which you want to control access based on user role. For instance, you might create a resource access policy that only allows users who are members of the “Engineering” and “Antivirus Running” user roles access to the “Engineering-Only” server. Or you might create a resource access policy that allows members of the “No Antivirus Running” user role access to the “Remediation” server where antivirus software is available for download. (For more information about resource access policies, see the Unified Access Control Administration Guide.)
The Infranet Controller pushes resource access policies to the JUNOS Enforcer when the devices first connect to one another (as explained in Communications Between the JUNOS Enforcer and the Infranet Controller) and when you modify your resource access policy configurations on the Infranet Controller.
If the JUNOS Enforcer drops the packet due to a “deny” policy, the JUNOS Enforcer sends a message to the Infranet Controller, which in turn sends a message to the endpoint’s Odyssey Access Client (if available). (The Infranet Controller does not send “deny” messages to the “agentless” client.)
To display a summary of UAC resource access policies configured from the Infranet Controller, use the show services unified-access-control policies command.
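The following is an added example, not Juniper code or output from the SRX. It models the enforcement sequence described above for both authentication table entries and resource access policies: a flow from an endpoint with no authentication table entry triggers dynamic authentication table provisioning from the Infranet Controller, a flow that matches a "deny" result causes a message to the endpoint's Odyssey Access Client (but not to an agentless client), and an updated entry pushed by the Infranet Controller when an endpoint falls out of compliance changes later decisions. The class names, IP addresses, roles, resource names and the "no matching policy means deny" default are assumptions of this model.

```python
# Added example (not Juniper code): a small model of the JUNOS Enforcer's
# per-flow decision as the surrounding text describes it. IPs, roles and
# resource names are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEntry:
    """One authentication table entry: source IP plus the user's role(s)."""
    source_ip: str
    roles: frozenset


@dataclass(frozen=True)
class ResourcePolicy:
    """Applies to users holding ALL required_roles for the named resource."""
    resource: str
    required_roles: frozenset
    action: str = "allow"  # "allow" or "deny"


class InfranetController:
    """Stand-in for the Infranet Controller: tracks established UAC sessions
    (source IP -> roles) and answers dynamic provisioning requests."""

    def __init__(self, sessions):
        self.sessions = {ip: frozenset(r) for ip, r in sessions.items()}
        self.deny_messages = []  # (source_ip, resource) relayed to the Odyssey Access Client

    def provision(self, source_ip):
        """Return an entry for an established session, or None if there is none."""
        roles = self.sessions.get(source_ip)
        return AuthEntry(source_ip, roles) if roles is not None else None

    def notify_deny(self, source_ip, resource, has_agent):
        # Agentless endpoints receive no "deny" message; only the Odyssey Access Client does.
        if has_agent:
            self.deny_messages.append((source_ip, resource))

    def push_roles(self, enforcer, source_ip, roles):
        """Model the controller pushing an updated entry (e.g. endpoint became noncompliant)."""
        self.sessions[source_ip] = frozenset(roles)
        enforcer.auth_table[source_ip] = AuthEntry(source_ip, frozenset(roles))


class Enforcer:
    """Stand-in for the JUNOS Enforcer holding pushed entries and policies."""

    def __init__(self, controller, policies):
        self.controller = controller
        self.policies = list(policies)
        self.auth_table = {}  # source_ip -> AuthEntry
        self.provision_requests = 0

    def decide(self, source_ip, resource, has_agent=True):
        """Return 'allow', 'deny' (policy result) or 'drop' (no authenticated session)."""
        entry = self.auth_table.get(source_ip)
        if entry is None:
            # Dynamic authentication table provisioning: ask the controller for an entry.
            self.provision_requests += 1
            entry = self.controller.provision(source_ip)
            if entry is None:
                return "drop"
            self.auth_table[source_ip] = entry
        for policy in self.policies:
            if policy.resource == resource and policy.required_roles <= entry.roles:
                if policy.action == "deny":
                    self.controller.notify_deny(source_ip, resource, has_agent)
                return policy.action
        # Assumption of this model: a flow with no matching policy is denied.
        self.controller.notify_deny(source_ip, resource, has_agent)
        return "deny"

    def show_authentication_table(self):
        """Summary in the spirit of 'show services unified-access-control authentication-table'."""
        return sorted((ip, sorted(e.roles)) for ip, e in self.auth_table.items())


def demo():
    ic = InfranetController({
        "10.0.0.5": {"Engineering", "Antivirus Running"},
        "10.0.0.6": {"Marketing", "No Antivirus Running"},
    })
    enforcer = Enforcer(ic, [
        ResourcePolicy("Engineering-Only", frozenset({"Engineering", "Antivirus Running"})),
        ResourcePolicy("Remediation", frozenset({"No Antivirus Running"})),
    ])
    results = {
        "eng_to_eng": enforcer.decide("10.0.0.5", "Engineering-Only"),
        "mkt_to_eng": enforcer.decide("10.0.0.6", "Engineering-Only"),
        "mkt_to_remediation": enforcer.decide("10.0.0.6", "Remediation"),
        "unknown_host": enforcer.decide("10.0.0.7", "Engineering-Only"),
    }
    # 10.0.0.5 falls out of compliance: the controller pushes an updated entry.
    ic.push_roles(enforcer, "10.0.0.5", {"Engineering", "No Antivirus Running"})
    results["eng_after_noncompliance"] = enforcer.decide("10.0.0.5", "Engineering-Only")
    return results, enforcer, ic


if __name__ == "__main__":
    results, enforcer, ic = demo()
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    print(enforcer.show_authentication_table())
```

Running the module prints one verdict per constructed flow and then the modelled authentication table summary; the unknown host never gets an entry because the controller has no session for it, which is the "drop" path, distinct from the "deny" path that produces a message for the agent.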