Configure Prelogon Compliance (CLI Procedure)
Read this topic to know about prelogon compliance checks and how to configure them in Juniper Secure Connect.
What is Prelogon Compliance
The Juniper Secure Connect application exchanges details with the SRX Series Firewall so that the firewall can perform prelogon compliance checks. The administrator configures prelogon compliance rules on the SRX Series Firewall to validate the status of a connecting client device. These checks are validations performed before authentication: based on the configured match criteria, the firewall admits or rejects the connecting client device.
This feature ensures that the Juniper Secure Connect application fulfills the connection criteria with the SRX Series Firewall, thereby providing enhanced security measures set by the administrator.
The purpose of prelogon compliance policies is to validate the endpoint's current context based on the compliance criteria set by your organization. You authorize the access based on these compliance policies. The device performs the prelogon compliance check using prelogon compliance policies prior to the user authentication.
As an administrator, you configure a set of rules on your SRX Series Firewall to allow or reject an endpoint before it establishes a remote access VPN connection. Here endpoint refers to the client or host on which the Secure Connect application is installed. You create rules based on the supported client platforms (Windows, macOS, Android and iOS) and can combine them with other match criteria such as Device ID, hostname, ms-domain name and ms-workgroup name. Because the Secure Connect application reports these attributes to the firewall, treat a prelogon compliance check as a gate that runs in front of authentication, not as a replacement for authenticating the user.
The SRX Series Firewall processes these rules based on certain evaluation criteria. See compliance (Juniper Secure Connect) evaluation criteria for further details on evaluation criteria. For more details on the compliance rule name, term rule name, match criteria and action, see compliance (Juniper Secure Connect).
How to Configure Prelogon Compliance Rules
Let us consider the rules in Table 1 for this configuration task.

Table 1: Prelogon compliance rules used in this example

Compliance Rule Name | Term Name | Match Criteria (Values) | Action
---|---|---|---
Compliant | SecureConnect | platform (windows, macos) with app-version less-than | reject
Compliant | OS | platform (windows, macos) with os-version less-than | reject
Compliant | Decommissioned | deviceid | reject
Compliant | BYOD | deviceid | accept
Compliant | CorpDevices | hostname, ms-domain, deviceid | accept
To configure prelogon compliance rules using the command line interface:

1. Log in to your SRX Series Firewall using the command line interface (CLI).

2. Configure remote-access VPN in full tunnel configuration mode. See the remote-access VPN configuration procedure that matches the authentication method you use. The remote-access profile created in this step (ra.example.com in this example) is the profile to which the compliance policy is attached in step 5.

3. Refer to the prelogon compliance rules in Table 1 to configure the rules on your SRX Series Firewall.

4. Configure the prelogon compliance policy Compliant at the [edit security remote-access] hierarchy level. Each term rule carries its own match criteria and action.

   a. Term rule SecureConnect:

      [edit security remote-access]
      user@host# set compliance pre-logon Compliant term SecureConnect match platform windows app-version less-than 23.4.13.14.29669
      user@host# set compliance pre-logon Compliant term SecureConnect match platform macos app-version less-than 23.3.4.70.29996
      user@host# set compliance pre-logon Compliant term SecureConnect action reject

      This term rejects the connection from a Windows or macOS endpoint whose Juniper Secure Connect app-version is lower than the specified version. To find the app-version on an endpoint, see the Juniper Secure Connect User Guide for that operating system.

   b. Term rule OS:

      [edit security remote-access]
      user@host# set compliance pre-logon Compliant term OS match platform windows os-version less-than 10.21H2.19044.2604
      user@host# set compliance pre-logon Compliant term OS match platform macos os-version less-than 12.5.1
      user@host# set compliance pre-logon Compliant term OS action reject

      This term rejects the connection from a Windows or macOS endpoint whose os-version is lower than the specified version.

   c. Term rule Decommissioned:

      [edit security remote-access]
      user@host# set compliance pre-logon Compliant term Decommissioned match deviceid c8163be5d7077d35989e0b0e6b9271bfa53003e4251a24e588c10302c4972123
      user@host# set compliance pre-logon Compliant term Decommissioned action reject

      This term rejects the connection from the endpoint with the specified Device ID. To find the Device ID, see the Juniper Secure Connect User Guide.

   d. Term rule BYOD:

      [edit security remote-access]
      user@host# set compliance pre-logon Compliant term BYOD match deviceid c8163be5d7077d35989e0b0e6b9271bfa5312fa2251a24e588c10302c4903kd2
      user@host# set compliance pre-logon Compliant term BYOD action accept

      This term accepts the connection from the endpoint with the specified Device ID. To find the Device ID, see the Juniper Secure Connect User Guide.

   e. Term rule CorpDevices:

      [edit security remote-access]
      user@host# set compliance pre-logon Compliant term CorpDevices match hostname device1
      user@host# set compliance pre-logon Compliant term CorpDevices match hostname device2
      user@host# set compliance pre-logon Compliant term CorpDevices match ms-domain example.net
      user@host# set compliance pre-logon Compliant term CorpDevices match deviceid c8163be5d7077d35989e0b0e6b9271bfa5300fa2251a24e578c10302c4972aff
      user@host# set compliance pre-logon Compliant term CorpDevices match deviceid c8163be5d7077d35989e0b0e6b9271bfa5300fa2251a24e588c10302c4972124
      user@host# set compliance pre-logon Compliant term CorpDevices action accept

      This term accepts the connection from endpoints matching the specified hostnames, ms-domain name and Device IDs. To find the Device ID, see the Juniper Secure Connect User Guide.

   An endpoint that matches none of the term rules in compliance policy Compliant is handled by the default action, which is reject.

5. Once the compliance rules are defined for the compliance policy, attach the policy to the remote-access profile ra.example.com created in step 2:

   [edit security remote-access profile ra.example.com]
   user@host# set compliance pre-logon Compliant

   The name given here must be the compliance policy name (Compliant), not the name of one of its terms.

6. When you are done configuring the feature on your device, enter commit from configuration mode.

Based on the use case, you can create multiple compliance policies like Compliant and attach each of them to the remote-access profiles that you create. Ensure that each remote-access profile has exactly one compliance policy attached.
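The whole procedure expressed as data, as an added example that is not from the Juniper documentation or from the Secure Connect product: a short Python script that renders the rules in Table 1 into the set statements used above and checks, before you paste them into configuration mode, that every term has criteria and a valid action and that the name attached to the profile is a defined compliance policy rather than a term name. The absolute `set security remote-access ...` form is assumed equivalent to the relative commands typed at [edit security remote-access]; the hostnames, domain and Device IDs are the page's sample values.

```python
"""Render and sanity-check a Juniper Secure Connect prelogon compliance policy.

Added example (not Juniper's code): the rule data below reproduces Table 1 and
the set commands are emitted as absolute paths from [edit], which is assumed
equivalent to typing the relative form at [edit security remote-access].
Hostnames, domain and Device IDs are the page's sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Term:
    name: str
    action: str                       # "accept" or "reject"
    # platform -> {"app-version" | "os-version": version}; the firewall matches
    # endpoints whose reported version is less-than this value
    platforms: dict = field(default_factory=dict)
    # match type ("deviceid", "hostname", "ms-domain", "ms-workgroup") -> values
    matches: dict = field(default_factory=dict)


@dataclass
class Policy:
    name: str
    terms: list


COMPLIANCE = "set security remote-access compliance pre-logon"


def render_policy(policy):
    """Return the set statements that define one prelogon compliance policy."""
    lines = []
    for term in policy.terms:
        prefix = f"{COMPLIANCE} {policy.name} term {term.name}"
        for platform, versions in term.platforms.items():
            for key, floor in versions.items():
                lines.append(f"{prefix} match platform {platform} {key} less-than {floor}")
        for key, values in term.matches.items():
            for value in values:
                lines.append(f"{prefix} match {key} {value}")
        lines.append(f"{prefix} action {term.action}")
    return lines


def render_attachments(attachments):
    """Return the set statements that attach a policy to each remote-access profile."""
    return [
        f"set security remote-access profile {profile} compliance pre-logon {policy}"
        for profile, policy in attachments.items()
    ]


def validate(policies, attachments):
    """Return a list of problems; an empty list means the policy set is consistent."""
    problems = []
    defined = {p.name for p in policies}
    for p in policies:
        for t in p.terms:
            if t.action not in ("accept", "reject"):
                problems.append(f"{p.name}/{t.name}: action must be accept or reject")
            if not t.platforms and not t.matches:
                problems.append(f"{p.name}/{t.name}: term has no match criteria")
    for profile, policy in attachments.items():
        # A profile must reference a policy name, never one of its term names.
        if policy not in defined:
            problems.append(f"profile {profile}: undefined compliance policy {policy!r}")
    return problems


# Table 1 as data (constructed from the page's sample values).
COMPLIANT = Policy("Compliant", [
    Term("SecureConnect", "reject", platforms={
        "windows": {"app-version": "23.4.13.14.29669"},
        "macos": {"app-version": "23.3.4.70.29996"},
    }),
    Term("OS", "reject", platforms={
        "windows": {"os-version": "10.21H2.19044.2604"},
        "macos": {"os-version": "12.5.1"},
    }),
    Term("Decommissioned", "reject", matches={
        "deviceid": ["c8163be5d7077d35989e0b0e6b9271bfa53003e4251a24e588c10302c4972123"],
    }),
    Term("BYOD", "accept", matches={
        "deviceid": ["c8163be5d7077d35989e0b0e6b9271bfa5312fa2251a24e588c10302c4903kd2"],
    }),
    Term("CorpDevices", "accept", matches={
        "hostname": ["device1", "device2"],
        "ms-domain": ["example.net"],
        "deviceid": [
            "c8163be5d7077d35989e0b0e6b9271bfa5300fa2251a24e578c10302c4972aff",
            "c8163be5d7077d35989e0b0e6b9271bfa5300fa2251a24e588c10302c4972124",
        ],
    }),
])
ATTACH = {"ra.example.com": "Compliant"}


if __name__ == "__main__":
    problems = validate([COMPLIANT], ATTACH)
    if problems:
        raise SystemExit("\n".join(problems))
    # Paste the output into configuration mode, or save it and use 'load set'.
    print("\n".join(render_policy(COMPLIANT) + render_attachments(ATTACH)))
```

Keeping the Device ID allowlist and version floors in a file like this makes changes reviewable in version control, and the validation step catches the easy mistake of attaching a term name instead of the policy name, which the CLI would otherwise let you commit as a dangling reference.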