Tuesday, February 5, 2013

Junos Pulse access control administration guide

Great, another 800 pages on a PDF format.
Ain't being an IT person grand.


Overview.
The idea is you can leverage the MAG to control the clients that are allowed on the network.

The enforcement points that you can use are:
SRX/SSG firewalls
802.1x switches
802.1x access points
The end client itself, running software called Host Enforcer
IDP devices (optional)

You can also use the MAG to control devices that cannot authenticate, by using their MAC addresses.

The solution is made of:
IC device - in this case the MAG, which pushes the policies to the enforcers.
UAC client - this client sits on the end device and works with the MAG.
The types are:
Odyssey client - this client is a software agent on the end device.
Junos Pulse - this is the flagship software on the end device.
Java Agent - mainly for Linux support; the Java agent runs the host checker.
Agentless - it installs a temporary agent that runs the host checker.

Pulse itself also supports dynamic VPN and application acceleration.

Enforcers
ScreenOS can do layer 2 and 3.
SRX does layer 3.
802.1x - a wired network runs it directly.
802.1x - a wireless network will associate you first and then run 802.1x.
IDP - reviews the traffic and can signal the MAG about bad traffic so that it closes the session.

Ways of deploying the system are:

The first one is Layer 2.
The device is in the LAN and connects to the 802.1x authenticator, which uses the MAG
as the authentication server.

The second is Layer 3.
The device is on the WAN and connects using EAP over HTTP to the 802.1x authenticator.

Both of the above systems use 802.1x as the first enforcer,
then they use the firewall as the second enforcer.

The last way is without the firewall:
just 802.1x authentication.


How this is done.
You create policies.
The policies control access to the resources and the applications, based on:
1. Successful client check (Host Checker)
2. Successful client authentication (RADIUS)
3. Successful client authorization (roles)
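To make the three-step decision concrete, here is a small model of the sequence above, including the MAC-address fallback mentioned earlier for devices that cannot authenticate. This is an added example, not Juniper's code; the roles, resources, credentials and MAC addresses are constructed sample data, and the rule that Host Checker is skipped for MAC-only devices (which run no agent) is an assumption.

```python
"""Toy model of the MAG access decision sequence in the notes (added example, not
Juniper code): Host Checker, then RADIUS authentication or MAC-address fallback,
then role authorization against a resource policy. All data below is constructed."""
from dataclasses import dataclass
from hmac import compare_digest
from typing import Dict, Optional, Set, Tuple

@dataclass
class Client:
    mac: str
    host_check_passed: bool
    username: Optional[str] = None   # None: device with no user/agent (e.g. a printer)
    password: Optional[str] = None

@dataclass
class Policy:
    users: Dict[str, str]                # credential store standing in for RADIUS/local auth
    mac_allowlist: Set[str]              # devices admitted by MAC address only
    user_roles: Dict[str, Set[str]]      # role mapping for authenticated users
    mac_roles: Dict[str, Set[str]]       # role mapping for MAC-authenticated devices
    resource_roles: Dict[str, Set[str]]  # resource policy: roles allowed per resource

def evaluate(client: Client, resource: str, policy: Policy) -> Tuple[bool, str]:
    """Return (allowed, stage): stage names the check that denied, or 'allow'."""
    # 1. Successful client check (Host Checker). Assumption: a MAC-only device runs
    #    no agent, so the check applies only to clients that present a user.
    if client.username is not None and not client.host_check_passed:
        return False, "host-check"
    # 2. Successful client authentication (RADIUS), with MAC-address fallback.
    if client.username is not None:
        stored = policy.users.get(client.username)
        if stored is None or not compare_digest(stored, client.password or ""):
            return False, "authentication"
        roles = policy.user_roles.get(client.username, set())
    elif client.mac.lower() in policy.mac_allowlist:
        roles = policy.mac_roles.get(client.mac.lower(), set())
    else:
        return False, "authentication"
    # 3. Successful client authorization (roles) against the resource policy.
    if roles & policy.resource_roles.get(resource, set()):
        return True, "allow"
    return False, "authorization"

SAMPLE_POLICY = Policy(  # constructed sample data
    users={"alice": "correct horse"},
    mac_allowlist={"00:11:22:33:44:55"},
    user_roles={"alice": {"employee"}},
    mac_roles={"00:11:22:33:44:55": {"printer"}},
    resource_roles={"intranet": {"employee"}, "print-server": {"employee", "printer"}},
)
```

The returned stage name is what you would log: a denial at "host-check" points at endpoint compliance, at "authentication" at the RADIUS/MAC side, and at "authorization" at the role-to-resource mapping.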

These are the requirements from the Manual.

Let's have a look and understand them.
Install the IC series device - This is pretty obvious. You console into the device and set up an IP, a subnet and a gateway. The first step is to select a personality, either an AC or an SA.
Basically enough connectivity to switch to the web management.

Upgrade and license - the upgrade uses the J-Care support you bought for the device (I hope you did).
Licensing is done using the hardware serial and your authorization code on their portal.

Install certificates - the device, SSL, VPNs: in general most security and compliance requires the use of CA
certificates for the servers and clients to validate each other. So catch up on this theme.

Install the enforcers - Here you can choose: firewall enforcer, 802.1x, or host enforcer.
Connect the MAG to the enforcer using the GUI.

Configure an authentication server - obviously the list of users and passwords must come from somewhere:
local, RADIUS, or LDAP using RADIUS.

Set up resource policies for what will be protected.

Set up the IPsec or IP enforcement - this is for the firewall enforcer.

Configure the sign-in policies - like the host checker check.
Configure the agents: Pulse, OAC, or the Juniper Java agent.

Configure Host Checker.
Configure Host Enforcer (optional) - this is the client that can protect the end client by controlling it.

Pretty much those are the items.

Be sure to sync the clocks of all the devices so the authentication won't fail (5 min).

Task guidance
In the top right corner you have the task guidance wizards to assist you in configuring the devices.

IC series devices come with these pre-configured roles:
administrator
read-only administrator
users

For each role you create you can specify which clients can use that role.
Then you can configure the settings for the agent or agentless for that role.

Pulse component set.
"All components" includes EES (Enhanced Endpoint Security) + acceleration.
"No components" is for only updating Pulse.
Distribute to the users through a role.

