Technical Overview

The SRX Series integrated ClearPass authentication and enforcement feature gives you granular control at the user level over access to protected resources and the Internet. As the administrator of an SRX Series device, you can now leverage the user and role information in ClearPass Policy Manager (CPPM) by specifying it within the device configuration, effectively making security policies “identity-aware.” You are no longer restricted to relying solely on the IP address of the device as a means of identifying the user. User-level (or group-level) awareness enhances your control over security enforcement.

In addition to providing the SRX Series device with authenticated user information, CPPM can map a device type to a role and assign users to that role. It can then send that role mapping to the SRX Series device. This capability allows you to control (through security policies) a user’s access to resources when they are using a specific type of device.

The integration of SRX Series devices with ClearPass delivers a set of network protection services to defend against a wide range of attack strategies. In addition to protecting the company’s network resources, the SRX Series device can make available to CPPM log records generated by these protective security features in response to attacks or attack threats.

Support for the SRX Series integrated ClearPass authentication and enforcement feature begins with the following software releases:

  • Junos OS Release 12.3X48-D30, for SRX Series Services Gateways

  • Aruba ClearPass Policy Manager (CPPM) 6.6

Authentication and Enforcement

SRX Series device security policies protect the company’s resources and enforce access control at a fine-grained level, taking advantage of the user authentication and identity information sent to the device from CPPM. CPPM can act as the authentication source, using its own internal RADIUS server to authenticate users. It can also rely on an external authentication source, such as an external RADIUS server or Windows Active Directory LDAP server, to perform authentication.

CPPM authentication is triggered by requests from network access server (NAS) type devices, such as switches (including EX Series switches) and access controllers. CPPM then sends POST request messages containing authenticated user identity and device posture information to the SRX Series device.

Web API

The SRX Series device exposes its Web API daemon (webapi) interface to CPPM, which enables CPPM to efficiently send authenticated user identity information to the SRX Series device. In this scenario, the SRX Series Web API daemon acts as an HTTP(S) server and CPPM is a client.

Note

For security reasons, we recommend using HTTPS.

ClearPass Authentication Table

When the SRX Series device receives information posted to it from CPPM, the device creates a ClearPass authentication table. The device extracts the user authentication and identity information, analyzes it, and generates an entry in the table for the authenticated user. When the SRX Series device receives an access request from a user, it can check its ClearPass authentication table to verify that the user is authenticated, and then apply the appropriate security policy to match the traffic from the user.

Figure 1 illustrates the interworking of the network elements under normal conditions, as a user attempts to access a protected server. The EX4300 switch, CPPM, and SRX650 device work together to authenticate the user and provide access to the server. The devices also maintain awareness of the user, in case enforcement measures are required later in the user session.

Figure 1: Integrated Authentication and Enforcement - Normal Behavior

User Query Function

In rare cases, it may happen that an SRX Series device loses a user’s authentication information, or does not receive it from CPPM. When this occurs, and user traffic arrives at the SRX Series device, the device does not have the identity awareness to recognize and authenticate the user. To protect against this scenario, you can configure the SRX Series device’s query function, which enables it to query the ClearPass server for authentication information for a user. The SRX Series device bases the query on the IP address of the user’s device (which it obtained from the incoming user traffic).

When the user query function is configured, the query process is triggered automatically when the SRX Series device receives traffic from a user but does not find an entry for the user in its ClearPass authentication table.

Figure 2 illustrates the interworking of the network elements in a case where the SRX Series device does not have a user’s authentication information. In this case, when the user’s traffic arrives at the SRX650, the device sends a query to CPPM to obtain the necessary information. When the SRX650 device receives the user information, it creates an entry for the user in its ClearPass authentication table, authenticates the user, and grants access to the server.

Figure 2: Integrated Authentication and Enforcement - User Query Function
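The table-and-query behaviour described in the two sections above can be modelled in a few dozen lines. The following Python is an added illustration, not Junos OS or CPPM code: the shape of the POST message, the role-based policy records, the `query_fn` stand-in for the user query to CPPM, and the choice to deny traffic from an IP that has no entry even after the query are all assumptions made for this example. The simulated table is keyed by the source IP of the user's device, entries are created from posted identity data, and a lookup miss triggers exactly one query whose answer is cached.

```python
"""Simulated ClearPass authentication table with the user query fallback.

Constructed illustration only: this is not Junos OS or CPPM code, and the
message fields, policy shape and default-deny behaviour are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class AuthEntry:
    """One row of the simulated table, keyed by the user's device IP."""
    ip: str
    user: str
    roles: frozenset  # CPPM roles, including any derived from device type


@dataclass
class Policy:
    """Simplified identity-aware policy: a role, a destination, and an action."""
    name: str
    role: str
    dest: str
    action: str  # "permit" or "deny"


class ClearPassAuthTable:
    """Holds entries created from CPPM POSTs; queries CPPM on a miss."""

    def __init__(self, query_fn: Optional[Callable[[str], Optional[dict]]] = None):
        self._entries: Dict[str, AuthEntry] = {}
        self.query_fn = query_fn  # assumed stand-in for the user query to CPPM
        self.queries_sent = 0

    def handle_post(self, posted: dict) -> AuthEntry:
        """Simulate the Web API receiving a POST from CPPM: extract and store."""
        entry = AuthEntry(ip=posted["ip"], user=posted["user"],
                          roles=frozenset(posted.get("roles", [])))
        self._entries[entry.ip] = entry
        return entry

    def lookup(self, src_ip: str) -> Optional[AuthEntry]:
        """Find the entry for a source IP; on a miss, query CPPM once."""
        entry = self._entries.get(src_ip)
        if entry is None and self.query_fn is not None:
            self.queries_sent += 1
            posted = self.query_fn(src_ip)
            if posted is not None:
                entry = self.handle_post(posted)  # cache the answer
        return entry


def evaluate(table: ClearPassAuthTable, policies: List[Policy],
             src_ip: str, dest: str) -> str:
    """Apply the first policy matching the user's role and destination.

    Assumption: traffic from an IP with no entry (even after the query) and
    traffic matching no policy are denied.
    """
    entry = table.lookup(src_ip)
    if entry is None:
        return "deny"
    for policy in policies:
        if policy.role in entry.roles and policy.dest == dest:
            return policy.action
    return "deny"


def run_demo():
    """Exercise a table hit, a policy miss, a successful query and a failed one."""
    # Constructed data: what CPPM would answer for a query it can resolve.
    cppm_directory = {
        "10.1.1.40": {"ip": "10.1.1.40", "user": "carol", "roles": ["finance"]},
    }
    table = ClearPassAuthTable(query_fn=cppm_directory.get)
    # Constructed POST, as if pushed by CPPM after the switch authenticated alice.
    table.handle_post({"ip": "10.1.1.25", "user": "alice", "roles": ["engineering"]})
    policies = [
        Policy("eng-to-git", "engineering", "git.example.net", "permit"),
        Policy("fin-to-erp", "finance", "erp.example.net", "permit"),
    ]
    results = {
        "alice-git": evaluate(table, policies, "10.1.1.25", "git.example.net"),
        "alice-erp": evaluate(table, policies, "10.1.1.25", "erp.example.net"),
        "carol-erp": evaluate(table, policies, "10.1.1.40", "erp.example.net"),
        "unknown": evaluate(table, policies, "10.1.1.99", "git.example.net"),
    }
    return results, table.queries_sent


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows alice permitted to the destination her role allows and denied elsewhere, carol admitted only after a query fills the missing entry, and an IP CPPM cannot resolve denied; the query counter stays at two because answers, once received, are cached like a normal POST.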

Threat and Attack Detection and Notification

As noted earlier, the SRX Series integrated ClearPass authentication and enforcement feature not only lets the SRX Series device use user information from CPPM to become “identity-aware,” it also enables the device to send attack and threat event logs to CPPM for further action on existing users.

When an SRX Series device detects threat and attack events, they are recorded in the device’s event log. The SRX Series device uses syslog to forward the logs to CPPM, which can evaluate the logs and take action based on configured matching conditions.

Note

SRX Series devices can provide CPPM with information on any kind of security threat event that can be sent through syslog. This includes core services such as SCREEN options, IDP, and UTM, as well as extended services such as Sky Advanced Threat Prevention, and so on.

Figure 3 illustrates the interworking of the network elements in a case where an authenticated user attempts to attack the protected server. The SRX650 device detects the attack and sends log information to CPPM. Based on this information, CPPM sends a RADIUS disconnect request message to the EX4300, which terminates the session and disconnects the user.

Figure 3: Integrated Authentication and Enforcement - Threat/Attack Detection
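The CPPM side of the flow just described (receive forwarded logs, evaluate them against configured matching conditions, and issue a disconnect for the offending session) can be illustrated with the following added Python, which is not Junos OS or CPPM code. The syslog lines are constructed samples whose `key="value"` body is not the real Junos log layout, the tag names and matching conditions are chosen for illustration, the session records stand in for what CPPM would know about each user from the NAS (the EX4300), and the `DisconnectRequest` record only carries the fields a RADIUS Disconnect-Request (RFC 5176) would need rather than an encoded packet. One defender-relevant detail it adds is de-duplication, so that several events from the same session produce a single disconnect.

```python
"""Simulated CPPM-side handling of SRX threat logs (constructed example).

Not Junos OS or CPPM code. The syslog layout, matching conditions and the
session records are assumptions made for illustration; RFC 5176 defines the
real Disconnect-Request, whose packet encoding is not modelled here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines; the key="value" body is not the real Junos format.
SAMPLE_SYSLOG = [
    '<14>srx650 RT_IDP: attack-name="EXAMPLE-SIG-1" source-address="10.1.1.25" '
    'destination-address="10.2.2.10" severity="critical"',
    '<14>srx650 RT_SCREEN: attack-name="EXAMPLE-SCAN" source-address="10.1.1.30" '
    'destination-address="10.2.2.10" severity="minor"',
    '<14>srx650 RT_IDP: attack-name="EXAMPLE-SIG-2" source-address="10.1.1.25" '
    'destination-address="10.2.2.10" severity="major"',
    '<14>srx650 RT_FLOW: event="session-create" source-address="10.1.1.25" '
    'destination-address="10.2.2.10"',
]

# Constructed session records, as CPPM would hold them from the NAS (EX4300).
SESSIONS = {
    "10.1.1.25": {"user": "alice", "nas": "192.0.2.10", "session_id": "sess-001"},
    "10.1.1.30": {"user": "bob", "nas": "192.0.2.10", "session_id": "sess-002"},
}

# Assumed matching conditions: which (tag, severity) pairs justify a disconnect.
MATCH_CONDITIONS = [
    {"tag": "RT_IDP", "severity": {"critical", "major"}},
    {"tag": "RT_SCREEN", "severity": {"critical"}},
]

LINE_RE = re.compile(r'^<\d+>(\S+) (\S+?): (.*)$')
KV_RE = re.compile(r'(\S+?)="([^"]*)"')


@dataclass
class ThreatEvent:
    host: str
    tag: str
    fields: Dict[str, str]


@dataclass(frozen=True)
class DisconnectRequest:
    """Fields CPPM needs to address a RADIUS Disconnect-Request to the NAS."""
    nas: str
    user: str
    session_id: str
    framed_ip: str
    reason: str


def parse_line(line: str) -> Optional[ThreatEvent]:
    """Split a sample line into host, tag and key/value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, tag, body = m.groups()
    return ThreatEvent(host=host, tag=tag, fields=dict(KV_RE.findall(body)))


def matches(event: ThreatEvent) -> bool:
    """True if the event's tag and severity satisfy a configured condition."""
    return any(event.tag == c["tag"] and event.fields.get("severity") in c["severity"]
               for c in MATCH_CONDITIONS)


def evaluate_logs(lines: List[str], sessions: Dict[str, dict]) -> List[DisconnectRequest]:
    """Turn matching events into at most one disconnect per known session."""
    requests: List[DisconnectRequest] = []
    already: set = set()
    for line in lines:
        event = parse_line(line)
        if event is None or not matches(event):
            continue
        src = event.fields.get("source-address", "")
        sess = sessions.get(src)
        if sess is None or sess["session_id"] in already:
            continue  # nothing to disconnect, or this session is already handled
        already.add(sess["session_id"])
        requests.append(DisconnectRequest(
            nas=sess["nas"], user=sess["user"], session_id=sess["session_id"],
            framed_ip=src, reason=f'{event.tag}:{event.fields.get("attack-name", "")}'))
    return requests


if __name__ == "__main__":
    for req in evaluate_logs(SAMPLE_SYSLOG, SESSIONS):
        print(req)
```

With the sample input, only alice's session is disconnected: her two IDP events collapse into one request addressed to the EX4300's address, bob's minor SCREEN event falls below the configured threshold, and the flow event carries no severity and so matches nothing.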

Note

For more detailed information on these scenarios, and the SRX Series integrated ClearPass authentication and enforcement feature, see the Junos OS Release 12.3X48 Feature Guide.