Understanding UAC in a Junos OS Environment
A Unified Access Control (UAC) deployment uses the following components to secure a network and ensure that only qualified end users can access protected resources:
- Infranet Controllers—An Infranet Controller is a policy decision point in the network. It uses authentication information and policy rules to determine whether or not to provide access to individual resources on the network. You can deploy one or more Infranet Controllers in your network.

Note: Any change to the Unified Access Control (UAC) contact interval and timeout values on the SRX Series or J Series device takes effect only after the device next reconnects with the Infranet Controller.
- Infranet Enforcers—An Infranet Enforcer is a policy enforcement point in the network. It receives policies from the Infranet Controller and uses the rules defined in those policies to determine whether or not to allow an endpoint access to a resource. You deploy the Infranet Enforcers in front of the servers and resources that you want to protect.
- Infranet agents—An Infranet agent is a client-side component that runs directly on network endpoints (such as users’ computers). The agent checks that the endpoint complies with the security criteria specified in Host Checker policies and relays that compliance information to the Infranet Enforcer. The Infranet Enforcer then allows or denies the endpoint access based on the compliance results.
An SRX Series or J Series device can act as an Infranet Enforcer in a UAC network. Specifically, it acts as a Layer 3 enforcement point, controlling access by using IP-based policies pushed down from the Infranet Controller. When deployed in a UAC network, an SRX Series or J Series device is called a Junos OS Enforcer. See Figure 38.
Figure 38: Integrating a Junos Security Device into a Unified Access Control Network

Note: You can use the Junos OS Enforcer with the Infranet Controller and Secure Access devices in an IF-MAP Federation network. In a federated network, multiple Infranet Controllers and Secure Access devices that are not directly connected to the Junos OS Enforcer can access resources protected by the security device. There are no configuration tasks for IF-MAP Federation on the Junos OS Enforcer. You configure policies on Infranet Controllers that can dynamically create authentication table entries on the Junos OS Enforcer. See the Unified Access Control Administration Guide.
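The following configuration sketch is an added example, not taken from this page, showing how the Junos OS Enforcer role and the contact interval and timeout values mentioned above are typically expressed in set-style configuration. The controller name (ic1), the address, interface, zone names, policy name, and numeric values are constructed for illustration, and the password is a placeholder.

```junos
# Point the device at an Infranet Controller (name, address, and interface are constructed).
set services unified-access-control infranet-controller ic1 address 192.0.2.10
set services unified-access-control infranet-controller ic1 interface ge-0/0/0.0
set services unified-access-control infranet-controller ic1 password <PLACEHOLDER-SECRET>

# Contact interval and timeout, in seconds (constructed values).
# As the note above states, changes to these values apply only after the
# device next reconnects with the Infranet Controller.
set services unified-access-control interval 30
set services unified-access-control timeout 300

# Behavior when the controller connection times out: "close" closes existing
# sessions and blocks further traffic, so enforcement fails closed.
set services unified-access-control timeout-action close

# Hand traffic between two zones (constructed names) to UAC enforcement, so that
# access is decided by the IP-based policies pushed down from the Infranet Controller.
set security policies from-zone trust to-zone servers policy uac-protect match source-address any
set security policies from-zone trust to-zone servers policy uac-protect match destination-address any
set security policies from-zone trust to-zone servers policy uac-protect match application any
set security policies from-zone trust to-zone servers policy uac-protect then permit application-services uac-policy
```

Only traffic matching a security policy that references uac-policy is subject to UAC enforcement; other policies on the device continue to apply as configured.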
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Unified Access Control Administration Guide
- Enabling UAC in a Junos OS Environment (CLI Procedure)