Configure Unified Access Control in Junos OS
A Unified Access Control (UAC) uses IC Series UAC Appliances, Infranet Enforcers, and Infranet agents to protect your network by ensuring only valid users can access the resources.
Understanding UAC in a Junos OS Environment
Beginning on August 1, 2015, all Junos Pulse software and hardware products will be sold and supported by Pulse Secure. To make the transition as seamless as possible, and to provide support for Juniper customers and partners, please visit https://www.juniper.net/us/en/pulsesecure/.
A Unified Access Control (UAC) deployment uses the following components to secure a network and ensure that only qualified end users can access protected resources:
IC Series UAC Appliances—An IC Series appliance is a policy decision point in the network. It uses authentication information and policy rules to determine whether or not to provide access to individual resources on the network. You can deploy one or more IC Series appliances in your network.
Infranet Enforcers—An Infranet Enforcer is a policy enforcement point in the network. It receives policies from the IC Series appliance and uses the rules defined in those policies to determine whether or not to allow an endpoint access to a resource. You deploy the Infranet Enforcers in front of the servers and resources that you want to protect.
Infranet agents—An Infranet agent is a client-side component that runs directly on network endpoints (such as users’ computers). The agent checks that the endpoint complies to the security criteria specified in Host Checker policies and relays that compliance information to the Infranet Enforcer. The Infranet Enforcer then allows or denies the endpoint access based on the compliance results.
An SRX Series Firewall can act as an Infranet Enforcer in a UAC network. Specifically, it acts as a Layer 3 enforcement point, controlling access by using IP-based policies pushed down from the IC Series appliance. When deployed in a UAC network, an SRX Series Firewall is called a Junos OS Enforcer. See Figure 1.
You can use the Junos OS Enforcer with the IC Series appliance and Secure Access devices in an IF-MAP Federation network. In a federated network, multiple IC Series appliances and Secure Access devices that are not directly connected to the Junos OS Enforcer can access resources protected by the security device. There are no configuration tasks for IF-MAP Federation on the Junos OS Enforcer. You configure policies on IC Series appliances that can dynamically create authentication table entries on the Junos OS Enforcer.
Enabling UAC in a Junos OS Environment (CLI Procedure)
Before you begin:
-
Set up the interfaces through which UAC traffic should enter the SRX Series Firewall.
Group interfaces with identical security requirements into zones. See Example: Creating Security Zones.
Create security policies to control the traffic that passes through the security zones. See Example: Configuring a Security Policy to Permit or Deny All Traffic.
Junos OS security policies enforce rules for transit traffic, defining what traffic can pass through the Juniper Networks device. The policies control traffic that enters from one zone (from-zone) and exits another (to-zone). To enable an SRX Series Firewall as a Junos OS Enforcer in a UAC deployment, you must:
Identify the source and destination zones through which UAC traffic will travel. It also needs the list of interfaces, including which zones they are in. The IC Series UAC Appliance uses the destination zone to match its own IPsec routing policies configured on IC Series appliance.
Identify Junos OS security policies that encompass those zones, and enable UAC for those policies.
To configure UAC through a Junos OS security policy, enter the following configuration statement:
user@host# set security policies from-zone zone-name to-zone zone-name policy match then permit application-services uac-policy