Example: Configuring Access Policy and Security for the Midsize Enterprise Campus

Requirements

Table 1 shows the hardware and software requirements for this example. Table 2 shows the scaling and performance targets used for this example.

Table 1: Hardware and Software Requirements

Hardware     | Device Name                  | Software
-------------|------------------------------|---------------
MX240        | cs-edge-r01, cs-edge-r02     | 13.2 R2.4
SRX650       | cs-edge-fw-01, cs-edge-fw02  | 12.1 X44-D39.4
EX9200/9250  | cs-core-sw01, cs-core-sw02   | 13.2 R3.7
EX4600       | cs-agg-01                    | 12.3 R3.4
EX2300       | cs-2300-ab5                  | 12.3 R3.4
EX3400       | cs-3400-ab4                  | 12.3 R3.4
EX4300       | cs-4300-ab1                  | 12.3 R3.4
EX4300       | cs-4300-ab2, cs-4300-ab3     | 13.2 X51-D21.1

Table 2: Node Features and Performance/Scalability

Node                     | Features                                                                            | Performance/Scalability Target Value
-------------------------|-------------------------------------------------------------------------------------|------------------------------------------------------------
Edge (MX240, SRX650)     | MC-LAG, OSPF, BGP, IRB                                                              | 3k IPv4 routes
Core (EX9200/EX9250)     | VLANs, MC-LAG, LAG, IGMP snooping, OSPF, PIM-SM, IGMP, DHCP relay, IRB              | 3k IPv4 routes; 128k MAC table entries; 16k ARP entries
Aggregation (EX4600)     | VLANs, LAG, IGMP snooping, OSPF, PIM-SM, IGMP, DHCP relay, RVI                      | 3k IPv4 routes; 5 IGMP groups
Access (EX3400, EX4300)  | VLANs, LAG, 802.1X, IGMP snooping, DHCP snooping, ARP inspection, IP source guard   | 55k MAC table entries; 13k 802.1X users; 5 IGMP groups

The configuration details that follow assume that:

  • All physical cabling necessary has been completed.

  • All basic logical interfaces have been configured.

  • All devices have loopback interfaces configured.

Overview

This example covers access policy and security for the midsize enterprise campus solution. It includes the complete configuration for 802.1X policy and access, as well as firewall provisioning for Juniper Networks devices. The configuration was tested with an active LAN, a RADIUS server, and a supplicant environment.

Topology

Figure 1 shows the topology used in the example configuration.

Figure 1: Access Security and Policy Topology

Configuration

To configure access policy and security, follow these procedures:

Configuring Access Port Security for the Midsize Enterprise Campus

Step-by-Step Procedure

To configure access port security:

  1. Enable ARP inspection and DHCP snooping.
    • To enable ARP inspection on access devices that are EX4300, EX3400, and EX2300 switches:

    • To enable DHCP snooping on access devices that are EX4300, EX3400, and EX2300 switches:

    • To enable ARP inspection and DHCP snooping on access devices that are EX4300 switches:

  2. Enable IP source guard.

    Configuration on access devices that are EX4300, EX3400, and EX2300 switches is as follows:

    Note

    IP source guard was disabled in the configuration for the EX4300 switches because of a known hardware issue (PR 1001232: enabling IP source guard on the data VLANs impacts traffic on the voice VLAN).
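The three features in this procedure depend on each other: DHCP snooping builds the binding table, and ARP inspection and IP source guard validate frames against it. The following added example (not Junos code, not part of this document) models that relationship with constructed ports and addresses; the trusted uplink name and the static-binding method are assumptions.

```python
"""Model of how the three features in this procedure fit together:
DHCP snooping builds the binding table, ARP inspection checks ARP against
it, and IP source guard checks the source of IP traffic against it.
Added illustration, not Junos code; the port roles and addresses are
constructed."""
from dataclasses import dataclass, field

@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str   # access port the client was learned on

@dataclass
class AccessSwitch:
    trusted_ports: set                             # uplinks toward the real DHCP server
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> client port, from DISCOVER/REQUEST
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> Binding

    def dhcp_request(self, port, vlan, mac):
        """Client DHCP message seen on an access port: remember where it came from."""
        self.pending[(vlan, mac)] = port

    def dhcp_ack(self, port, vlan, mac, yiaddr):
        """Server reply: accepted only from a trusted port, which blocks rogue DHCP servers."""
        if port not in self.trusted_ports or (vlan, mac) not in self.pending:
            return False
        self.bindings[(vlan, mac)] = Binding(mac, yiaddr, vlan, self.pending.pop((vlan, mac)))
        return True

    def add_static(self, port, vlan, mac, ip):
        """Operator-entered binding for a host with a static address (assumed helper)."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, port)

    def _bound(self, port, vlan, mac, ip):
        if port in self.trusted_ports:
            return True  # trusted ports are not validated
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.port == port

    def arp_ok(self, port, vlan, sender_mac, sender_ip):
        """ARP inspection: drop ARP whose sender MAC/IP is not a binding on this port."""
        return self._bound(port, vlan, sender_mac, sender_ip)

    def ip_ok(self, port, vlan, src_mac, src_ip):
        """IP source guard: the same binding check applied to ordinary IP traffic."""
        return self._bound(port, vlan, src_mac, src_ip)
```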

Configuring 802.1X in the Midsize Enterprise Campus

Step-by-Step Procedure

To configure 802.1X:

  1. On access devices, create the access policy for wired endpoints that will use RADIUS authentication and authorization as a condition of access to the network.

    The RADIUS profile here is named MY-RADIUS-profile.

    • Configuration on access devices that are EX4300, EX3400, and EX2300 switches is as follows:

    • Configuration on access devices that are EX4300 switches is as follows:

    Note

    You can adjust the RADIUS server timeout to suit your network by configuring set access radius-server <ip-address> timeout <value>.

  2. Configure the 802.1X authenticator interface that is connected to the RADIUS server on the access device.
    • Configuration on access devices that are EX4300, EX3400, and EX2300 switches is as follows:

    • Configuration on access devices that are EX4300 switches is as follows:

    Note

    You can adjust the supplicant timeout to suit your network by configuring set protocols dot1x authenticator interface <int_name> supplicant-timeout <value>.

  3. Configure MAC authentication with 802.1X.
    • Configuration on access devices that are EX4300, EX3400, and EX2300 switches is as follows:

    • Configuration on access devices that are EX4300 switches is as follows:

    You can either configure MAC RADIUS authentication on an interface that also has 802.1X authentication configured, or you can configure either authentication method alone. If both MAC RADIUS and 802.1X authentication are enabled on the same interface, the switch first sends three EAPOL requests to the host. If there is no response from the host, the switch sends the host MAC address to the RADIUS server to determine if it is a permitted MAC address. If the MAC address is configured as permitted on the RADIUS server, the RADIUS server sends a message to the switch that the MAC address is a permitted address, and the switch opens LAN access to the host on the interface to which it is connected.

    If MAC RADIUS authentication only is configured on the interface (by using the mac-radius restrict option only), the switch attempts to authenticate the MAC address with the RADIUS server directly without delay.

  4. Configure firewall filters for each group profile.

    This configuration assumes that the RADIUS server has the coordinating group policy.

    • Configuration on access devices that are EX4300, EX3400, and EX2300 switches is as follows:

    • Configuration on access devices that are EX4300 switches is as follows:

  5. In some cases the client will not have an 802.1X supplicant, or the supplicant may be unresponsive. For those scenarios, we have created a guest VLAN to which the switch assigns the port, with a filter that permits access only to the RADIUS server and the remediation server.

    Configure the guest VLAN.

    • Configuration on access devices that are EX4300, EX3400, and EX2300 switches is as follows:

    • Configuration on access devices that are EX4300 switches is as follows:

    Note

    In this example, guest access does not mean that the user is granted minimum access to the Internet and other resources.

  6. Include a filter for remediation if a remediation service is available.

    The following configuration assumes that a VLAN for remediation has already been configured.

    • Configuration on access devices that are EX4300, EX3400, and EX2300 switches is as follows:

    • Configuration on access devices that are EX4300 switches is as follows:
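Steps 1 through 6 together define one decision sequence on an authenticator port. The following added example (not Junos or RADIUS server code, not part of this document) models that sequence: three EAPOL requests, MAC RADIUS fallback (with mac-radius restrict skipping EAPOL), the group filter returned by RADIUS, and the guest VLAN as the last resort. The filter and VLAN names, the stand-in Radius object, and the choice that an explicit 802.1X reject does not fall back to MAC RADIUS are assumptions.

```python
"""Model of the sequence this procedure sets up on an authenticator port:
up to three EAPOL requests, MAC RADIUS fallback (immediate with mac-radius
restrict), a per-group firewall filter on success, and the guest VLAN when
neither method admits the host. Added illustration with stand-in objects,
not Junos or RADIUS server code."""
from dataclasses import dataclass
from typing import Optional

EAPOL_REQUESTS = 3  # EAPOL requests sent before the switch falls back to MAC RADIUS

@dataclass
class Host:
    mac: str
    credentials: Optional[tuple] = None  # None models a missing or unresponsive supplicant

@dataclass
class Radius:
    users: dict           # username -> (password, group)
    permitted_macs: dict  # mac -> group, for MAC RADIUS authentication

    def eap(self, user, password):
        entry = self.users.get(user)
        return entry[1] if entry and entry[0] == password else None

    def mac(self, mac):
        return self.permitted_macs.get(mac)

# Filter names the RADIUS group policy returns (constructed), plus the guest VLAN filter
GROUP_FILTERS = {"employee": "EMPLOYEE-FILTER", "printer": "PRINTER-FILTER"}
GUEST_VLAN, GUEST_FILTER = "GUEST", "GUEST-RADIUS-AND-REMEDIATION-ONLY"

def authenticate(host, radius, mac_radius=True, restrict=False):
    """Return the access decision for one host on one 802.1X interface."""
    eapol_sent, rejected = 0, False
    if not restrict:  # restrict: MAC RADIUS only, sent to the server without delay
        for eapol_sent in range(1, EAPOL_REQUESTS + 1):
            if host.credentials is None:
                continue  # no reply to this EAPOL request; try again
            group = radius.eap(*host.credentials)
            if group:
                return dict(method="802.1X", vlan="DATA", filter=GROUP_FILTERS[group], eapol=eapol_sent)
            rejected = True  # supplicant answered but RADIUS rejected it (assumption: no MAC fallback)
            break
    if mac_radius and not rejected:
        group = radius.mac(host.mac)
        if group:
            return dict(method="mac-radius", vlan="DATA", filter=GROUP_FILTERS[group], eapol=eapol_sent)
    # Neither method admitted the host: guest VLAN, reachable only to RADIUS and remediation servers
    return dict(method="none", vlan=GUEST_VLAN, filter=GUEST_FILTER, eapol=eapol_sent)
```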

Configuring NAT Security for the Midsize Enterprise Campus

Step-by-Step Procedure

Network Address Translation (NAT) is a method for modifying or translating network address information in packet headers. Either the source or destination address, or both addresses, in a network packet can be translated. NAT can include the translation of port numbers in addition to IP addresses.

In this example, we used source and destination NAT:

  • Source NAT is the translation of the source IP address of a packet leaving the device. Source NAT is used to allow hosts with private IP addresses to access a public network. In this example, we have defined the translation of the original source IP address to an IP address from a user-defined address pool with port address translation. The association between the original source IP address to the translated source IP address is dynamic. Proxy ARP is also configured on the device. This allows the security device to respond to ARP requests received on the interface for a translated address.

  • Destination NAT is the translation of the destination IP address of a packet entering the device. Destination NAT is used to redirect traffic destined to a virtual host (identified by the original destination IP address) to the real host (identified by the translated destination IP address). When destination NAT is performed, the destination IP address is translated according to configured destination NAT rules first and then security policies are applied after translation. Remote access connections also use destination NAT. Proxy ARP is also configured on the device. This allows the security device to respond to ARP requests received on the interface for a translated address.

    In this example, NAT security was configured on the SRX650 firewall device.

    To configure NAT security:

  1. Configure source NAT interface on the security device.
  2. Configure proxy ARP for source NAT.
  3. Configure destination NAT on the security device.
  4. Configure proxy ARP for the destination NAT interface.

Configuring the Firewall Zones

Step-by-Step Procedure

The midsize enterprise campus security gateway is configured with two zones, for trusted and untrusted traffic. This example configuration follows the topology shown in Figure 2.

Figure 2: Security Firewall Zone Topology

To configure the firewall zones:

  1. Set reth interfaces to the appropriate zones and virtual routers.
  2. Configure security zones and address books.

    The reth0 and reth1 interfaces were left in the default virtual router inet.0.

  3. Configure security policies for traffic coming from the trust zone (reth0) to the untrust zone (reth1).
  4. Configure security policies for traffic coming from the untrust zone (reth1) to the trust zone (reth0).
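The NAT procedure states that destination NAT is applied before the security policy, and the zone procedure defines the trust/untrust policy pairs that the policy lookup uses. The following added example (not Junos code, not the rules of this example) models that packet path on the SRX with constructed addresses: destination NAT, then zone and policy lookup on the translated destination, then source NAT with port address translation, plus the proxy ARP check for translated addresses. Interface names reth0.0/reth1.0 follow the zone procedure; all prefixes, pools and rules are assumptions.

```python
"""Model of the SRX packet path that the NAT and zone procedures set up:
destination NAT first, then the security policy on the translated
destination and zone pair, then source NAT (pool with PAT) for permitted
sessions. Added illustration with constructed addresses and rules; not
Junos code and not the rules used in this example."""
import ipaddress as ipa
from itertools import count

ZONES = {"reth0.0": "trust", "reth1.0": "untrust"}
ROUTES = {ipa.ip_network("10.0.0.0/8"): "reth0.0",   # campus behind reth0
          ipa.ip_network("0.0.0.0/0"): "reth1.0"}    # default route toward the Internet
DNAT_RULES = [{"from": "untrust", "vip": "203.0.113.20", "port": 443, "real": "10.1.1.10"}]
SNAT_RULES = [{"from": "trust", "to": "untrust", "pool": "203.0.113.10"}]
POLICIES = [  # first match wins; anything unmatched is denied
    {"from": "trust", "to": "untrust", "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "port": None},
    {"from": "untrust", "to": "trust", "src": "0.0.0.0/0", "dst": "10.1.1.10/32", "port": 443},
]
PROXY_ARP = {"reth1.0": {"203.0.113.10", "203.0.113.20"}}  # translated addresses the SRX answers for
_pat_ports = count(1024)

def egress_interface(ip):  # route lookup stand-in: longest prefix match
    addr = ipa.ip_address(ip)
    return ROUTES[max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)]

def process(src, dst, dport, ingress):
    """Return the verdict for the first packet of a session arriving on `ingress`."""
    in_net = lambda ip, net: ipa.ip_address(ip) in ipa.ip_network(net)
    from_zone = ZONES[ingress]
    # 1. Destination NAT runs before policy lookup, so the policy sees the real host.
    for r in DNAT_RULES:
        if r["from"] == from_zone and dst == r["vip"] and dport == r["port"]:
            dst = r["real"]
    to_zone = ZONES[egress_interface(dst)]
    # 2. Policy lookup on the zone pair and the (translated) destination.
    if not any(p["from"] == from_zone and p["to"] == to_zone and in_net(src, p["src"])
               and in_net(dst, p["dst"]) and p["port"] in (None, dport) for p in POLICIES):
        return {"action": "deny", "from": from_zone, "to": to_zone}
    # 3. Source NAT with port address translation, only for permitted sessions.
    sport = None
    for r in SNAT_RULES:
        if r["from"] == from_zone and r["to"] == to_zone:
            src, sport = r["pool"], next(_pat_ports)
    return {"action": "permit", "from": from_zone, "to": to_zone, "src": src, "sport": sport, "dst": dst}

def answers_arp(interface, ip):
    """Proxy ARP: the SRX replies for translated addresses it does not own itself."""
    return ip in PROXY_ARP.get(interface, set())
```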

Verification

This section covers verifying the configuration described for access security and policy in the midsize enterprise campus. Figure 3 shows the topology used for testing and the verification output details that follow.

Figure 3: Test Topology for the Midsize Enterprise Campus

Verifying 802.1X on Access Devices

Purpose

Verify that 802.1X has been properly configured on access ports.

Action

  • Verify that clients are able to authenticate properly on wired ports.

    This is example verification output on an access device that is an EX4300.

    root@cs-4300-ab1# run show dot1x interface | match 42.0

  • Display detailed authentication reports by using the detail command.

    This is example verification output on an access device that is an EX4300.

    root@cs-4300-ab1# run show dot1x interface ge-0/0/42.0 detail

    This is example verification output on an access device that is an EX4300.

    root@cs-4300-ab3# run show dot1x interface ge-2/0/42.0 detail

Meaning

Confirm that 802.1X is configured and operating properly on the devices.

Verifying Port Security on Access Devices

Purpose

Verify that port security has been configured properly on access devices.

Action

  • Verify that DHCP snooping is configured and operating properly.

    The following example verification output is on an access device that is an EX4300.

    root@cs-4300-ab1# run show dhcp snooping binding

    The following example verification output is on an access device that is an EX4300.

    root@cs-4300-ab3# run show dhcp-security binding
  • Verify IP source guard configuration on devices.

    root@cs-4300-ab1# run show ip-source-guard

Verifying Security Zone Configuration

Purpose

Verify that the security zones have been properly configured.

Action

  • Verify security policies from the trust zone to the untrust zone.

    root@cs-edge-fw01-node0# show security policies from-zone trust to-zone untrust
  • Verify security policies from the untrust zone to the trust zone.

    root@cs-edge-fw01-node0# show security policies from-zone untrust to-zone trust

Meaning

Confirm that the security zones were configured properly on the security device.

Verifying Source NAT Security

Purpose

Verify that the source NAT security configuration on the security devices is set up and operating properly.

Action

Show the source NAT summary on the security device.

root@cs-edge-fw01-node0# run show security nat source summary

Meaning

Confirm that the configuration is working properly.