
Example 1: Configuring Endpoint Authentication and Enforcement


This configuration example illustrates how to configure and integrate an SRX Services Gateway, an EX Series switch, and Aruba ClearPass Policy Manager to enable user-level access control to protected resources on the network.

This topic covers:

Requirements

This example uses the following hardware and software components:

  • An SRX650 device running Junos OS Release 12.3X48-D30 or later

  • An EX4300 switch running Junos OS Release 15.1R3 or later

  • Aruba ClearPass Policy Manager (CPPM) 6.6 on a CP-VA-500 platform

Overview and Topology

This network configuration example uses the topology shown in Figure 1.

Figure 1: Solution Topology for SRX Series Integration with ClearPass
Note

All the examples in this document use the same topology.

In this example, user test1 sits at PC Endpoint 1 and wants to access the protected server. User test1 belongs to the QA group. The EX4300 switch has 802.1X authentication enabled on interface ge-0/0/1 and uses CPPM as its RADIUS server. On the SRX650 device, a security policy is defined to allow only users from the QA group to access the protected server.

When the user tries to connect to the protected server, the EX4300 switch authenticates the user using 802.1X authentication. The user is verified against the CPPM user database and is allowed access to the network. CPPM then posts the user’s identity information to the SRX650 device, which can then enforce security policies based on the username or group information to allow or deny the user access to the protected servers.

A DHCP server is used in this example to allocate IP addresses to the authenticated endpoints. As CPPM uses DHCP options to profile the endpoint’s device type, OS info, and so on, the EX4300 switch forwards DHCP packets from the endpoint to CPPM in addition to the DHCP server.

Task Overview

The following tasks are performed in this example:

On the SRX650 device:

  • Configure interfaces and zones

  • Configure a security policy that includes the source-identity statement to allow access control based on a username or group

  • Configure the Web API service to enable communication with CPPM

On the EX4300 switch:

  • Configure interfaces and VLANs

  • Configure 802.1X authentication and RADIUS settings (specify CPPM as the RADIUS server)

  • Configure DHCP relay to forward DHCP packets to CPPM for device profiling

On CPPM:

  • Add the EX4300 switch as a network device

  • Define the CPPM server’s basic configuration, including enabling the Insight database

  • Add the SRX650 device as an Endpoint Context Server (ECS)

  • Define Context Server Actions for the SRX650 device

  • Add an enforcement profile and policy

  • Add a local user and map it to a role

  • Bind the role mapping and enforcement policy into the 802.1X wired service

Configuration

This section provides instructions for:

Configuring the SRX650 Device

Step-by-Step Procedure

To configure the SRX650 device:

  1. Configure interfaces and zones.
    [edit]
    user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.10.0.201/24
    user@host# set interfaces ge-0/0/2 unit 0 family inet address 10.20.0.1/24
    user@host# set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services any-service
    user@host# set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols all
    user@host# set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services any-service
    user@host# set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols all
  2. Configure a security policy, and include the source-identity statement to allow users belonging to the QA group to access the protected server.
    [edit]
    user@host# set security address-book servers-zone-addresses address protected-server 10.20.0.2/32
    user@host# set security policies from-zone untrust to-zone trust policy policy1 match source-address any
    user@host# set security policies from-zone untrust to-zone trust policy policy1 match destination-address protected-server
    user@host# set security policies from-zone untrust to-zone trust policy policy1 match application any
    user@host# set security policies from-zone untrust to-zone trust policy policy1 match source-identity QA ## an “interested group”
    user@host# set security policies from-zone untrust to-zone trust policy policy1 then permit
    Note

    CPPM can interwork with various authentication servers. When CPPM uses a Windows Active Directory (AD) LDAP server as the authentication source, the user information sent to the SRX Series device includes the username (or role name) together with a domain name, and the SRX configuration must be adjusted to carry this additional information: the domain name must be prepended to the username (or role name) in the format domain\role. For example, the statement used above, source-identity QA, identifies the role name as QA and is the correct format for local authentication; when Windows AD is the authentication source, this statement must be changed to source-identity juniper\QA to accommodate the domain name (in this case, juniper).

  3. Configure the Web API service to communicate with Aruba ClearPass.
    [edit]
    user@host# set system services webapi user srx
    user@host# set system services webapi user password <password>
    user@host# set system services webapi client 10.10.0.20
    user@host# set system services webapi http port 8080 ## default port
    user@host# set system services webapi https port 443 ## default port is 8443
    user@host# set system services webapi https default-certificate
    Note

    The username, password, and ports defined for the Web API service must match what is defined in the Endpoint Context Server (ECS) section of CPPM.

Configuring the EX4300 Switch

Step-by-Step Procedure

To configure the EX4300 switch:

  1. Configure interfaces and VLANs.
    [edit]
    user@host# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members cppm-vlan
    user@host# set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members cppm-vlan
    user@host# set vlans cppm-vlan vlan-id 638
    user@host# set vlans cppm-vlan l3-interface irb.638
    user@host# set interfaces irb unit 638 family inet address 10.10.0.202/24
  2. Configure 802.1X authentication and RADIUS settings. Assign CPPM as the RADIUS server.
    [edit]
    user@host# set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single
    user@host# set protocols dot1x authenticator authentication-profile-name cp-pf1
    user@host# set access radius-server 10.10.0.20 secret <password> ## IP address of CPPM
    user@host# set access radius-server 10.10.0.20 source-address 10.10.0.202
    user@host# set access profile cp-pf1 authentication-order radius
    user@host# set access profile cp-pf1 radius authentication-server 10.10.0.20
    user@host# set access profile cp-pf1 radius accounting-server 10.10.0.20
    user@host# set access profile cp-pf1 radius options nas-port-type ethernet ethernet
    user@host# set access profile cp-pf1 radius-server 10.10.0.20 secret <password>
    user@host# set access profile cp-pf1 radius-server 10.10.0.20 source-address 10.10.0.202
    user@host# set access profile cp-pf1 accounting order radius
    user@host# set access profile cp-pf1 accounting accounting-stop-on-access-deny
    user@host# set access profile cp-pf1 accounting coa-immediate-update
    user@host# set access profile cp-pf1 accounting address-change-immediate-update
    Note

    The RADIUS shared secret must match what is defined in CPPM.

  3. Configure DHCP relay to forward DHCP packets to CPPM for device profiling.
    [edit]
    user@host# set forwarding-options dhcp-relay server-group cppm 10.10.0.20
    user@host# set forwarding-options dhcp-relay active-server-group cppm
    user@host# set forwarding-options dhcp-relay group cppm-dhcp interface ge-0/0/0.0
    user@host# set forwarding-options dhcp-relay group cppm-dhcp interface irb.638
    user@host# set vlans cppm-vlan forwarding-options dhcp-security group dhcp-group overrides trusted
    user@host# set vlans cppm-vlan forwarding-options dhcp-security group dhcp-group interface ge-0/0/0.0
    user@host# set vlans cppm-vlan forwarding-options dhcp-security option-82
    Note

    As the DHCP server is in the same subnet as Endpoint 1, the switch will broadcast the DHCP packets to the DHCP server, even with DHCP relay configured.

Configuring Aruba ClearPass Policy Manager

Step-by-Step Procedure

To configure CPPM interworking with the EX4300 switch and SRX650 device:

  1. Add the EX4300 switch as a network device.

    Navigate to Configuration > Network > Devices and add the EX4300 switch on the Network Devices page.

    Note

    The RADIUS shared secret must match what is defined on the EX4300 switch.

  2. Define the CPPM server’s basic configuration.
    1. Navigate to Administration > Server Manager > Server Configuration. On the System tab, select the Enable Insight check box and configure IP addressing for the Data/External Port.

      Note

      The Insight database must be enabled, otherwise CPPM will not post any information to the SRX650 device.

    2. On the Service Parameters tab, under RADIUS Server Service, set Log Accounting Interim-Update Packets to TRUE.

  3. Add the SRX650 device as the Endpoint Context Server.

    Note

    For more detailed information on this step, see Integrating ClearPass with Juniper Networks SRX in the CPPM User Guide.

    Navigate to Administration > External Servers > Endpoint Context Servers, and on the Server tab set the Server Type to Juniper Networks SRX.

    Note

    By default, CPPM uses HTTPS port 443 to send user information to the SRX Series device. To change the port number, adjust the Server Base URL field using the format https://<ip address>:<port>, for example https://10.10.0.201:8443.

    The username and password must match what is defined in the SRX Series device’s Web API configuration.

  4. Define Context Server actions for the SRX650 device.

    Navigate to Administration > Dictionaries > Context Server Actions, and verify that the two entries with Server Type Juniper Networks SRX exist.

  5. Add an enforcement profile and policy.
    1. Navigate to Configuration > Enforcement > Profiles, and on the Profile tab select the Template Session Notification Enforcement. This template triggers CPPM to send a notification on user login or logout.

    2. On the Attributes tab, add (or edit) the attribute values for the profile, as shown below.

    3. On the Summary tab, review and save the configuration.

    4. Navigate to Configuration > Enforcement > Policies, and on the Enforcement tab select the Default Profile [Deny Access Profile].

    5. On the Rules tab, click Add Rule and add a new rule.

      Configure the rule so that if the condition matches the role User Authenticated (i.e. the role assigned by CPPM when a user authenticates successfully), then the profile SRX650 jetstar post profile profile (created earlier) is enforced.

    6. On the Summary tab, review and save the configuration.

  6. Add a local user and map the user to a role.
    1. Navigate to Configuration > Identity > Roles and define a new role.

      For this example, the role is called QA.

    2. Navigate to Configuration > Identity > Local users, and enter a User ID (in this case, test1), Password, and select the QA Role, as shown below.

      Note

      The value selected in the Role field must match the value used in the source-identity statement of the SRX650 device configuration.

    3. Navigate to Configuration > Identity > Role Mapping, and add a new role mapping.

    4. On the Mapping Rules tab, click Add Rule to assign a role to a specific user.

      Configure the rule so that if the condition matches the username test1, assign the role QA.

      Note

      This sub-step facilitates CPPM pushing role information to the SRX device.

    5. On the Summary tab, review and save the configuration.

  7. Bind the role mapping and enforcement policy into the 802.1X wired service.
    1. Navigate to Configuration > Services, and add a new service. On the Service tab, specify the Type as 802.1X Wired.

    2. On the same page, remove the Service Rule named Service-Type.

      Note

      This rule is not needed, and if it is kept the scenario will not work properly.

    3. On the Authentication tab, arrange the Authentication Methods and Authentication Sources as shown below.

    4. On the Authorization tab, add the two Authentication Sources as shown below.

    5. On the Roles tab, select role-mapping from the Role Mapping Policy drop-down list to bind the role mapping rule created earlier to this service.

    6. On the Enforcement tab, select SRX post-policy from the Enforcement Policy drop-down list to bind the policy created earlier to this service.

    7. On the Summary tab, review and save the configuration.
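The Notes above call out three values that must agree across the two devices: the Web API username and HTTPS port on the SRX650 against the ECS entry in CPPM (where the SRX default is 8443 but CPPM posts to 443 unless the Server Base URL says otherwise), and the source-identity value in the security policy against the CPPM role, in domain\role form when Windows AD is the authentication source. The following Python script checks those three rules before you commit; it is an added example, not Juniper or Aruba code, the config lines are the ones from this example, and the CPPM_SETTINGS keys are assumed names for values read off the CPPM pages rather than CPPM field names.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the SRX650 Web API and policy lines from the procedure above.
SRX_CONFIG = """
set system services webapi user srx
set system services webapi user password <password>
set system services webapi https port 443 ## default port is 8443
set security policies from-zone untrust to-zone trust policy policy1 match source-identity QA
"""

# Constructed sample of the CPPM side; the keys are hypothetical, not CPPM field names.
CPPM_SETTINGS = {
    "ecs_base_url": "https://10.10.0.201:443",  # Endpoint Context Server Base URL
    "ecs_username": "srx",
    "role": "QA",
    "auth_source": "local",  # "ad" when Windows AD is the authentication source
    "domain": "",            # AD domain (e.g. "juniper") when auth_source is "ad"
}


def parse_srx(config):
    """Extract the SRX values that must agree with the CPPM ECS entry and role."""
    fields = {"source_identities": []}
    for raw in config.strip().splitlines():
        line = raw.split("##")[0].strip()  # drop trailing "## ..." comments
        if m := re.match(r"set system services webapi user (\S+)$", line):
            fields["webapi_user"] = m.group(1)
        elif m := re.match(r"set system services webapi https port (\d+)$", line):
            fields["https_port"] = int(m.group(1))
        elif m := re.search(r" match source-identity (\S+)$", line):
            fields["source_identities"].append(m.group(1))
    fields.setdefault("https_port", 8443)  # SRX default when no https port is configured
    return fields


def check_consistency(srx, cppm):
    """Return the mismatches between the two sides; an empty list means they agree."""
    problems = []
    cppm_port = urlparse(cppm["ecs_base_url"]).port or 443  # CPPM posts to 443 unless the URL says otherwise
    if cppm_port != srx["https_port"]:
        problems.append(f"CPPM posts to port {cppm_port} but the SRX webapi https port is {srx['https_port']}")
    if cppm["ecs_username"] != srx.get("webapi_user"):
        problems.append("ECS username does not match the SRX webapi user")
    # Local users match the bare role name; with Windows AD the policy needs domain\role
    expected = cppm["role"] if cppm["auth_source"] == "local" else f"{cppm['domain']}\\{cppm['role']}"
    for ident in srx["source_identities"]:
        if ident != expected:
            problems.append(f"source-identity {ident} does not match CPPM role {expected}")
    return problems
```

Run it against the pasted "set" output of the SRX and the values from the ECS and Role pages; an empty list means the three Notes are satisfied.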

Verification

Confirm that the configuration is working properly.

Verifying User Authentication

Purpose

Verify that user test1 on Endpoint 1 has successfully authenticated with the various network elements.

Action

  1. On the EX4300 switch, verify that user test1 is authenticated through 802.1X.
    user@host> show dot1x interface ge-0/0/1
  2. In CPPM, verify that user test1 is authenticated.
    1. Navigate to Monitoring > Live Monitoring > Access Tracker, find the relevant RADIUS event and verify that user test1 has Login Status of ACCEPT.

    2. Click on the RADIUS event, and on the Summary tab that appears, verify that user test1 with role QA has Login Status of ACCEPT and Online Status of Online. Note also that CPPM has enforced the SRX650 jetstar post trigger profile, which will send (post) the user information to the SRX650 device.

  3. On the SRX650 device, verify that user test1’s authentication information has been received from CPPM.
    user@host> show services user-identification authentication-table authentication-source aruba-clearpass extensive

Meaning

The user has successfully authenticated with all network elements.

Verifying User Access to the Protected Server

Purpose

Verify that user test1 on Endpoint 1 can access the protected server.

Action

From Endpoint 1, ping the protected server (10.20.0.2).

Meaning

The user can successfully reach the protected server.