Friday, February 8, 2013

Exam

Well, the exam was a pass: 73%.

The passing score changes during the year, so it was close.

In general, if you can get your hands on a MAG it will be a lot easier.



Saar

Thursday, February 7, 2013

Learning Bytes


These are part of the Juniper partner portal:
small videos by the courseware people explaining individual items.
You can view them from

www.juniper.net/learningbytes


Using the External port for Admin Access Learning Byte




The external port might be a public interface.



Ports are under Network:
Internal or External.

Their screen looks like this.



Enable ADMIN on external interface
/admin


Under Source IP you can enable the external port.
You can also limit access to specific source IPs, like your home IP.











Policy Tracing Learning Byte
When to use the Policy Tracing tool.

In Maintenance >> Troubleshooting >> User Sessions >> Policy Tracing

Inside it you put the username,
the realm,
the source IP,
and what you want to record.
Then Start Recording.

OK, let's say the user types in the wrong password.
In System >> Log/Monitoring >> User Access logs
we can see there is a failure and it will say LDAP.

Now if we go to the Policy Trace
and click "View Log" we will see a LOT more detail, like:

username alex
bind failed to the user "wrong password"
sign in rejected.

Et voilà, you can tell the user he is a dummy and next time he should remember his password.

Random Questions


Question: 1
A customer wants to create a custom Junos Pulse configuration. Which two are required?
A. Connection set
B. Configuration set
C. Custom installer
D. Component set
Answer: A, D

OK,
Junos Pulse is the software.

Remember it can do many things like acceleration and other things.

In this case we want to create a custom configuration which will only have SOME of the items
instead of ALL of the items.

Lab 3-3
 - Users > Junos Pulse > Connections > New Connection Set
The connection set determines the client settings.
Then in the next tab, Components,
we select "New Component Set".
Then we select "Minimal components" (only components needed to support the selected config are installed).

Answer C is a custom installer.
In OAC you can use a "preconfigured file", which does sound like a custom installer.
However the question was about Pulse.

Answer B
Configuration set: no such thing.




Question: 2
What type of firewall enforcers are supported by the Junos Pulse Access Control Service?

Answer: SSG and SRX.
The SRX was configured using the CLI;
the SSG we did using the management GUI.




Question: 3
A customer is trying to decide which 802.1X inner protocol to use on their network. The customer
requires that no passwords be sent across the network in plain text, that the protocol be supported
by the Windows native supplicant, and that the protocol supports password changes at Layer 2.
Which protocol would meet the customer's needs?
A. EAP-TTLS
B. EAP-MD5
C. PAP
D. EAP-MSCHAPv2
Answer: D

This is more of an elimination challenge.
PAP is clear text, so scratch it.
Windows is made by Microsoft, MS is short for Microsoft, so MSCHAP would be supported by Microsoft.
That is the answer.



Question: 4
You have a Junos Pulse Secure Access Service acting as an IF-MAP client, configured to federate all
user roles to a Junos Pulse Access Control Service acting as an IF-MAP Federation server.
A remote user using Junos Pulse logs in. What happens next?

A. The Junos Pulse Secure Access Service redirects the user to the Junos Pulse Secure Access Service
for authentication.
B. The Junos Pulse Access Control Service provisions enforcement points to enable resource access
for that user.
C. The Junos Pulse Secure Access Service publishes user session and role information to the IF-MAP
Federation server.
D. The Junos Pulse Secure Access Service provisions enforcement points to enable resource access
for that user.
Answer: C

The answer is C, simply because logically an IF-MAP client will update the IF-MAP server.

Question 5:
What is the first action you need to do after consoling in to the MAG appliance?
A. Set up a password
B. Set up an admin user
C. Import license
D. Select a personality

The answer is D: you select either SA (Secure Access) or AC (Access Control Service).


What is the function of Host Enforcer?
A. To force clientless access to the network
B. To enforce restrictions on access to protected resources on the network
C. To scan endpoints for compliance with security policies
D. To push a firewall policy to the endpoint's local firewall application

The answer is D. Host items run on the endpoint:
Host Checker will check the settings,
Host Enforcer will configure the endpoint with your selection of rules.


Scott Newman, Courseware Developer




More questions from Juniper.
You are the administrator of a cluster.
You notice that the passive node takes a long time to respond and take over.
How do you improve the speed of the changeover?
A. Change the inactivity timeout
B. Change the heartbeat
C. Change the Auth table timeout
D. Change the number of ARP ping failures

Answer is D.
In the cluster properties:
- System >> Clustering >> (click on the cluster) >> Properties
there is a Network Healthcheck Settings section. In it you change the
"Number of ARP ping failures before interface is disabled" [3].

Auth table has nothing to do with this.
Heartbeat: the only heartbeats we have are from the AC to the AJAX/Java agent and the
heartbeat in the role session parameters.
Inactivity timeout is from the session timeout.

None of these are for active/passive clustering, except for D.



Question
Which two configuration settings will be the same on the two members of a Junos Pulse Access
Control Service cluster?
A. Virtual ports
B. User roles
C. Authentication server information
D. Routing tables

Answer: B and C

User roles are synchronized.
Both devices must use the SAME authentication server,
so the settings will be identical.

Routing tables could be different depending on the location of the device.
Virtual ports: there are no "virtual ports" on the MAG.



Question.
Where do you define the OAC configuration when creating a preconfigured install for the OAC?
OAC user interface
Odyssey settings
OAC Administrator
OAC component set

OK. Component set is from Junos Pulse.
The Odyssey settings are local to the endpoint;
the OAC user interface is local to the endpoint.

So: OAC Administrator.
I quote: "to create an installer, you can use the OAC Administrator to set the OAC configuration that you want, then export the settings into a zip file.
Options include hiding or disabling configuration icons, allowing users to modify adapter settings, or preventing them from disabling the OAC.
The installer also includes license keys."

So use the OAC Administrator to create a customized OAC in a zip file,
then use that as your preconfiguration file.



Question.
A user is running Linux. Which options can he use? (Choose two.)
A. Java agent
B. Agentless
C. Odyssey Access Client
D. Junos Pulse

Pulse works for Windows.
OAC: Windows and Mac.

Agentless: on everything.
Java agent: on anything that can run Java, and Linux can run Java.

The answers would be A and B.


Question.
You want to give guests some access. Which client would you offer them if you cannot install anything
on their laptops?
A. Agentless
B. Host Checker
C. Anonymous
D. Junos Pulse

Anonymous does not exist.
Host Checker checks for compliance with the IMV only.
Pulse is a full client you must install.
So Agentless (A) would be the correct choice.

Question.
You want to limit the number of features a ROLE will have in their Junos Pulse client.
What do you use to limit the number of features?
A. Junos Pulse connection type
B. Location awareness
C. Junos Pulse client components
D. Junos preconfiguration installer

"Preconfigured" or "preconfiguration" should ding OAC in your head.
Connection type controls the connection.
Location awareness will determine if the user is on the WAN, LAN or other.

Junos Pulse has client components:
Role >> Junos Pulse Client Components > New Component Set >>
Junos Pulse Client Components.
Here you select one of:
All components
No components
Minimal components, which is just for the features you selected.



Question
Which three sign-in policy components are valid? (Choose 3.)
A. User Role Mapping
B. Host Enforcement
C. Authentication Protocol Set
D. Sign-in URL
E. Authentication Realm

This is what a "New Sign-In Policy" window looks like.

In it you create a SIGN-IN URL where users SIGN IN,
so Sign-in URL should be easy to get.

Every sign-in page leads to some sort of Authentication Realm (LDAP, RADIUS, none).

The last one is the Authentication Protocol Set.
(The top screenshot is for an SA and not an AC; sorry, screenshots are scarce.)

The Authentication Protocol Set is the option to add 802.1X to the sign-in.

So those 3 give you the sign-in policy requirements.
Host Enforcement is on the
Host Checker policy, which is under
>> Authentication >> Endpoint Security

User Role Mapping is done under User Authentication Realms.


Question.
OK, this one looks smart.
You administer the network, which has a NEW realm using the Junos Pulse Access Control Service.
A user complains to you that they can access the network
but they cannot access the accounting server.
What are three explanations for this?
A. The user is being subjected to the Host Enforcer policy.
B. The user is subject to a role restriction.
C. The user is failing the Host Checker policy at the realm level.
D. The user is not mapped to the proper role.
E. The user is entering the incorrect authentication parameters.

So here you use triage, the ITIL word for eliminating what cannot be possible.
E. The user is entering the incorrect password. This cannot be, because then he would not have ANY
access, and we are told he can reach the rest of the network.

C. The user is failing the Host Checker policy at the REALM level. This cannot be, because if he were
failing at the REALM level he would not be allowed in.

So the answers are the rest: A, B, D.



Question
What are the three Secure Access Control Service enforcers?
A. RADIUS enforcing server
B. Host Enforcer
C. Infranet Enforcer
D. 802.1X switch

802.1X switches enforce the 802.1X authentication protocol set.
Infranet Enforcer means the SSG or SRX firewalls, which can enforce by source IP or IPsec or other.
Host Enforcer runs on the client endpoint and enforces some rules of your choice.

RADIUS is not an enforcer, it is an AUTHENTICATION SERVER.



Question
You are creating ROLE mapping rules using your "local database" option.
Which two methods would you choose?
A. Group membership
B. User attributes
C. Certificates
D. Usernames

The catch here is the "local".
If it is LDAP or remote then you would use groups or attributes.
However, since it is local,
just use
USERNAME.

The certificates one is a bit harder, as I simply remembered there was an option for that in the local database.
Yeah,
in the local database your choices when creating a role mapping rule
are:
Username
Certificate
Custom Expressions



Question
Which two parameters do you define for a user role?
A. Type of agent access methods
B. Custom user interface
C. Prohibited application
D. Resource policy

So if you remember defining a user role:
we selected what methods he can use, like Pulse / OAC / Agentless.
The last tab was UI Options, where you can change the background and replace the Juniper image
with your company logo.

We don't have a "prohibited application" on the MAG.
Resource policy is defined on the INFRANET ENFORCER.


Comment
MAC Authentication Server.
MAC Authentication Realm.
Both are unique to the MAC thing, as you can tell by the big MAC in front.

The best EAP methods are:
EAP-TTLS
EAP-JUAC
EAP-MD5
EAP-Generic Token Card

So token card is with tokens.
EAP-MD5 is very old, from Server 2000.
JUAC is the Juniper one and is the default.
TTLS is the best too.


Question.
On the MAG series device a sensor event is configured with the action "replace user role" and made permanent.
The MAG has quarantined a user based on a sensor event from an IDP.
In the MAG device GUI, how do you release him from the quarantine?

I'll save myself typing all the possibilities.
It will NOT be in System >> Status >> Users, simply because that would be the system users and not the
end users.

It will be in Authentication > Auth Servers >> srv >> Users tab: select the user
and click
    ENABLED to release the USER from quarantine.




Question or reference to CAs

You might get some CA questions.
Remember:
o = organization. In this example o=Verisign
c = country
ou = organizational unit. In LDAP this could be a group.

You should also look at expiry times.
"Expires on 01-07-2010" is no good.

FTP = SCP: the only difference is the S for Secure (Secure Copy Protocol).
There might be a few of these. MAG supports both.


Question
set security unified-access-control
set access unified-access-control
set services unified-access-control
set security uac

Which is the correct one?
Very difficult to tell.
From the configs I remembered it was unified-access-control.
Access, I know, is where you define access profiles for users and groups.
Security is where you define the zones and policies.

In the policy we had: then permit application-services uac-policy
so I guess services.


EAP-TLS uses PKI


Wednesday, February 6, 2013

Chapter 12 -logging

Tab called Logs.

Event Logs
System >> Logs/Monitoring
Event Logs: system events.

User Access log.

Admin Access log is for admin items and changes.

Sensor log is for events reported by the IDP.

Levels of logging:
Critical - is when the admin cannot get in or most subsystems fail.
Major - is when you lose some subsystems.
Minor - individual request failures.
Info - when a user request is done or a modification to the device.

Each log has settings you can set as to what to log.
You can also set the size of the log.

In general you can also log externally to
syslog servers.
You can set up filters and the format you want to use:
Standard
WELF
W2C
WELC-2.0 can add queries.

You can create custom log filters and apply them to the data being sent.
A filter can set up the query you want to run on the data.

In the log, if you click an item it will filter to a dynamic presentation.

You can also enable CLIENT logs
on the host checker:
{} host checker.


System Status Dashboard
allows you to get a quick view:
Build
Config
Logging disk
License and how many users are in
Memory and CPU

SNMP tab.
You can download the MIB and install it.
You can set up traps.
You can enter the community.
The traps will be for what you select in the checkboxes, and you can specify to send major or critical events.

Statistics tab
will show you a stat display by day/time.

Troubleshooting
Reachability (ping, trace)
TCP dump
Event log - we talked about that.
Firewall Enforcer logs.

On the Tools tab you will have the reachability items:
ping
traceroute
nslookup for servers
ARP to find out the MAC
RRTS, round trip response times.

In the same place, TCP dump
will capture all the TCP running on a port. Basically sniffing.
You can output it as raw or human readable, which is more like Wireshark.

On the Events > Log
we can see some tips on reasons.

To get Firewall Enforcer data we need to switch to the firewall:
set services unified-access-control traceoptions file ac1_trace.log
set services unified-access-control traceoptions flag all

This will flag all events to the trace log file, which we can then open up and read.



Troubleshooting the USER interactions
You can turn on
{} RADIUS diagnostic logging
and set up the size of it.

In Maintenance > User Sessions > Policy Tracing
you can set up what events to log for the MAG policy;
you record it and then you view the LOG.

To troubleshoot IPsec use
the logs on the Firewall Enforcer:
show log kmd

Archiving files
There is an option to archive your files.
You send them using SCP, which is similar to FTP.
You select what you want to archive and send it to an IP,
either an archiving server or a local backup of the file.
This is all in Maintenance.

From the Web UI you can also export the configuration / users.
You can also import.
You simply select the TARGET.

JTAC tools
Troubleshooting > System Snapshot
Remote Debugging allows JTAC to access the system.
Open a case from the support website.

View user role assignment with the policy trace.
See if you can reach items using Troubleshooting > Tools.
Exporting configuration files is in BINARY mode.



Tuesday, February 5, 2013

Junos Pulse access control administration guide


Great, another 800 pages on a PDF format.
Ain't being an IT person grand.


Overview.
The idea is you can leverage the MAG to control the clients that are allowed on the network.

The enforcement points that you can use are:
SRX/SSG firewalls
802.1X switches
802.1X access points
The end client itself, which can have software called Host Enforcer
IDP devices (optional)

You can also use the MAG to control devices that cannot authenticate, using their MAC addresses.

The solution is made from:
IC device - in this case the MAG, which pushes the policies to the enforcers.
UAC client - this client sits on the end device and works with the MAG.
The types are:
Odyssey client - this client is software on the end device.
Junos Pulse - this is the flagship software on the end device.
Java agent - mainly for Linux support; the Java agent will run the host checker.
Agentless - it installs a temporary agent that will run the host checker.

Pulse itself also supports dynamic VPN and application acceleration.

Enforcers
ScreenOS can do layer 2 and 3.
SRX: layer 3.
802.1X: a wired network runs it.
802.1X: a wireless network will associate you first and then run 802.1X.
IDP will review the traffic and can signal the MAG about bad traffic to close the session.

Ways of deploying the systems are:

The first one is Layer 2.
The device is in the LAN and will connect to the 802.1X authenticator, which will use the MAG
as the authentication server.

The second is Layer 3.
The device is on the WAN and will connect using EAP over HTTP to the 802.1X authenticator.

Both of the above systems will use 802.1X as the first item,
then they will use the firewall as the second enforcer.

The last way is without the firewall.
Just 802.1X authentication.


How this is done.
You create policies.
The policies will control the access to the resources and the applications.
1. Successful client check (Host Checker)
2. Successful client authentication (RADIUS)
3. Successful client authorization (roles)

These are the requirements from the manual.

Let's have a look and understand them.
Install the IC series device. - This is pretty obvious. You will console into the device and set up an IP, a subnet and a gateway. The first step will be to select a personality, either AC or SA.
Basically enough connectivity to switch to the web management.

Upgrade and license - upgrade is using the J-Care support you bought for the device (I hope you did).
Licensing is done using the hardware serial and your authorization code on their portal.

Install certificates - the device, SSL, VPNs; in general most security and compliance requires the use of CA
certificates for the servers and clients to validate each other. So catch up on this theme.

Install the enforcers. - Here you can choose: firewall enforcer, 802.1X or host enforcer.
Connect the MAG to the enforcer using the GUI.

Configure an authentication server - obviously the list of users and passwords must come from somewhere:
local, RADIUS, or LDAP using the RADIUS.

Set up resource policies for what will be protected.

Set up IPsec or IP enforcement - this is for the firewall enforcer.

Configure the sign-in policies - like the host checker check.
Configure the agents: OAC, Juniper Java.

Configure host checker.
Configure host enforcer (optional) - this is the client that can protect the end client by controlling it.

Pretty much those are the items.

Be sure to sync the clocks of all the devices so the authentication won't fail. (5 min)

Task guidance
In the top right corner you have the task guidance wizards to assist you with how to configure the devices.

IC series have pre-configured:
administrator
read-only administrator
users

For each role you create you can specify which clients can use that role.
Then you can configure the settings for the agent or agentless for that role.

Pulse component set.
All components includes EES (Enhanced Endpoint Security) + acceleration.
No components is for only updating Pulse.
Distribute to the users through a ROLE.


Chapter 9 - Configuring Layer 2 Enforcement



Requirements:
  • Authenticator must support dynamic configuration using the RADIUS attributes it will be getting back
  • Authenticator must communicate with the Junos Pulse Access Control Service (RADIUS)
  • 802.1X enabled on the device and the ports
  • Attributes like the VLAN must be configured on the device
  • If assigning VLANs dynamically, a DHCP server must be available for the VLANs

Example
Any employee goes on the employee VLAN,
contractors go on the contractor VLAN,
failure or guest go on the remediation VLAN.

Each device on the route to the supplicant must be configured as an 802.1X layer 2 enforcer.


Adding the RADIUS server to the SRX.
system {
    time-zone America/New_York;
    radius-server {
        172.16.0.101 {
            secret "$9$zFusF9p0ORSlM1Rs4ZjPf1RhcyK"; ## SECRET-DATA
            timeout 4;
            retry 2;
            source-address 1.1.1.12;
        }
    }
}
access {
    profile AC1 {
        authentication-order radius;
        radius {
            authentication-server 172.16.0.101;
        }
    }
}

OK. So the first one sets up the RADIUS server.
The second one creates an access profile: sets the order of authentication to use RADIUS,
then adds the server to use, which is the one we created first.

1.1.1.12 is the SRX.
172.16.0.101 is the MAG RADIUS.

On the 802.1X switch
protocols {                                   # the stanza we will use
    dot1x {                                   # 802.1X
        authenticator {                       # mark the switch as an authenticator
            authentication-profile-name AC1;  # the access profile to use
            interface {
                ge-0/0/2.0 {                  # interface; usually you mark all access ports on the switch
                    supplicant single;        # a single supplicant can apply at a time
                    guest-vlan REMEDIATIONVLAN;      # guest VLAN for clients that did not authenticate
                    server-reject-vlan REMEDIATION;  # VLAN for clients rejected by the RADIUS server
                }
            }
        }
    }
}

That way the REMEDIATION VLAN can only have access to the web,
so they can correct their flaws, like updating the AV or the patches.



Configuring 802.1X on the MAG
All of this will be applied on the initial connection as they connect.

The PROTOCOL SET is in the sign-in policy.
That is where we will configure it.

Steps.
Verify there is a dictionary. - Remember the dictionary of attributes.
Each dictionary is a manufacturer one.
UAC > Network Access > RADIUS Dictionary

extreme.dct
juniper.dct

You can verify the RADIUS vendor list.
This is only if you are not using the default list.

Add the Authentication Protocol Set

First select the authentication protocol; the order matters and it will try EAP-TTLS first.
Then specify the INNER authentication protocol to use.
In this case it will be under the TTLS block.
It will try EAP-JUAC, the Juniper one, first.
Then PAP
then CHAP

Then it will try EAP-PEAP; here you specify the inner authentication too. It will show under the PEAP box.
In this case it is again EAP-JUAC.

The order matters.

Once you have selected the authentication protocol set
you will create or use the current sign-in policy.
In the sign-in policy you will select the authentication protocol set you just created.
You select the authentication protocol set in the REALM ---> Authentication Protocol.
So I guess you apply it to the REALM.

Location Group
You can create a location group for people depending on where they sign in.
You can apply this sign-in policy to that location group.


???


You need to configure EACH 802.1X authenticator as a RADIUS client.
UAC >> Network Access > RADIUS Client: select the make and model and add a location group.

Next you can configure the RADIUS attributes.
These are the ATTRIBUTES that will be sent from the RADIUS server to the authenticator once
you have made it.
UAC >> Network Access > RADIUS Attributes
You create a policy and select the LOCATION group. Then you add the RADIUS attributes you want to add.
Then you can make it more granular by selecting which ROLES this will apply to.

Second example.
You can add an attribute that the device must be with so-and-so IP.

Pulse
Outer: EAP-TTLS
Inner: EAP-JUAC

MAC Authentication Server
Authentication > Auth Servers > New: MAC address authentication
Add the MAC addresses,
or set up an LDAP server for the MAC addresses to be retrieved from.

Then
create a new REALM:
UAC > MAC Address Realm > New
Point to the MAC auth server you created.

Then when the device comes in the user can select that realm,
or you can apply that realm to devices.

Location Group associates devices with a policy.
MAC Auth Server and MAC Auth Realm are only for MAC addresses.





Chapter 5 - user roles

User Roles.



We are looking at the ROLE part.
This is part of the authorization. What is the role authorized to do...

  1. Enable or disable the type of access you can have: Pulse, OAC, clientless.
    1. You can limit the type of access for the role.
      For example, if the role is accounting, then you must use Junos Pulse
      and you do not get that role if you are agentless.
  2. Personalize your user interface.
  3. Set up user session parameters for the role.

A user role does not mean access to resources YET!!

You can create users manually in the local database of the MAG.

You can set a
start time
end time     {these are for access times}

one time use {}   the account will be disabled when he logs out.
enabled/disabled/quarantined  {}
require user to change password {}     must be set so users must change passwords.

Creating ROLES

Users >> User Roles >> New Role.

If you leave the checkbox cleared it will take the default option.

{research this part}

AGENT tab
In the agent tab you specify

  1. Should the MAG install an agent
    1. Junos Pulse
    2. Odyssey
  2. Should you install Java
  3. Should you enable the host enforcer

In the AGENTLESS tab
you can enable Agentless for this role.
You can also disable the AJAX heartbeats.

In the GENERAL tab
you can set up
session options: these are for the session length + timeouts.

Roaming session means they can change IP.

  • enable
  • disable
  • Limit to subnet    This is OK for the LAN only

Persistent session adds a cookie to the HD,
so when you close the browser tab you can still reconnect.
Junos Pulse only disconnects when you log out.

{{All of the above says, for example, the Employee role you can access only with OAC, depending
on what you chose}}


Customize UI.
You can change the Juniper logo to a corporate logo and background, and add a
session counter that tells the user how much time he has left in his Pulse.

Show notification message on the welcome page
Show instructions for the users
Show copyright by Juniper

Role restrictions
You can restrict the role to only IP network X.
You can restrict by browser type.
You can restrict by certificate.
You can restrict based on the result of the host checker.

OK, now you have the role:
the way of signing on,
the UI for him,
and the restrictions of the role.

Verify the roles are set up in the User Roles main window.


Role Mapping rules
Username - we did this above.
Group membership - LDAP.
Certificate attributes - expression.
Custom expressions - you can custom choose.

Role mapping is in the Authentication Realm.

User Realms >> Users >> Role Mapping
You set up rules.
New Rule - When user meets these conditions    assign these roles    rule name    stop
When username is ***** assign role contractor. STOP will stop processing rules,
otherwise move to the next rule.

When you create the Role Mapping Rule, your choices depend on the
server behind the Authentication Realm.
For example, for the local one only username, certificate and custom expressions are available.

For example RULE = if username is ss*
then assign these roles
{available roles    select}
{} stop

When you go back to the screen that shows all the rules you can select what happens
when more than one rule matches.
Then

  • Merge the settings
  • User must select from among the assigned roles

Users that do not meet any of the rules will not be able to sign in to the realm.

Reorder rules using the up/down arrows.


Sign-in policy.
You can create a few policies.
You can create different sign-in pages with images, error messages, help files.

You can create a custom notification for each role.

Creating the actual policy.
URL          Sign-in page     Authentication Realms    Enabled
*/admin/     Admin-page       Admin Users              V
*/           User-sign-in     Users (802.1x)           V

There is a NEW policy screen where the above will be selected from tabs.
Specific rules come before general rules.
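As an added illustration (code written for these notes, not Juniper's), here is a small Python model of the sign-in flow described above: the sign-in URL picks a policy and its realm, then the realm's role mapping rules run top to bottom with STOP, the merge-or-choose option when several rules match, and a denied sign-in when none match; the rule kinds allowed per auth server type follow the local database question earlier. The prefix-glob URL matching, the class names and the sample rules and realms are my assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional, Set, Tuple

# Rule kinds available per authentication server, as the notes list them
# (local database: username, certificate, custom expression; LDAP also has group).
ALLOWED_CONDITIONS = {
    "local": {"username", "certificate", "custom"},
    "ldap": {"username", "certificate", "custom", "group"},
}

@dataclass
class User:
    username: str
    groups: Set[str] = field(default_factory=set)              # LDAP groups, if any
    cert_attrs: Dict[str, str] = field(default_factory=dict)   # e.g. {"ou": "accounting"}

@dataclass
class Rule:
    name: str
    kind: str                  # "username" | "group" | "certificate" | "custom"
    pattern: str               # glob for username/group, "attr=value" for certificate
    roles: Set[str]
    stop: bool = False         # STOP: later rules are not evaluated once this one matches
    custom: Optional[Callable[[User], bool]] = None

    def matches(self, user: User) -> bool:
        if self.kind == "username":
            return fnmatchcase(user.username, self.pattern)
        if self.kind == "group":
            return any(fnmatchcase(g, self.pattern) for g in user.groups)
        if self.kind == "certificate":
            attr, _, value = self.pattern.partition("=")
            return user.cert_attrs.get(attr) == value
        if self.kind == "custom":
            return bool(self.custom and self.custom(user))
        raise ValueError(f"unknown rule kind {self.kind!r}")

class Realm:
    def __init__(self, auth_server: str, rules: List[Rule], merge: bool = True):
        allowed = ALLOWED_CONDITIONS[auth_server]
        for r in rules:   # e.g. a group rule on a local-database realm is a config error
            if r.kind not in allowed:
                raise ValueError(f"rule {r.name!r}: {r.kind} not available with {auth_server}")
        self.rules, self.merge = rules, merge   # merge=False: user must pick one role

    def map_roles(self, user: User) -> Tuple[Set[str], bool]:
        """Return (roles, user_must_choose); no roles means sign-in to the realm is denied."""
        matched: List[Set[str]] = []
        for rule in self.rules:            # top to bottom, in the order set with the arrows
            if rule.matches(user):
                matched.append(rule.roles)
                if rule.stop:
                    break
        roles = set().union(*matched) if matched else set()
        must_choose = (not self.merge) and len(roles) > 1
        return roles, must_choose

# Sign-in policy rows: (URL pattern, sign-in page, realm). Assumption: the pattern is a
# prefix glob and the most specific (longest) matching pattern wins, whatever the row order.
SignInPolicy = Tuple[str, str, str]

def match_sign_in(url: str, policies: List[SignInPolicy]) -> Optional[SignInPolicy]:
    hits = [p for p in policies if fnmatchcase(url, p[0] + "*")]
    return max(hits, key=lambda p: len(p[0])) if hits else None

def sign_in(url: str, user: User, policies: List[SignInPolicy], realms: Dict[str, Realm]):
    """Whole flow: URL -> sign-in policy -> realm -> role mapping. None if no policy matches."""
    policy = match_sign_in(url, policies)
    if policy is None:
        return None
    roles, must_choose = realms[policy[2]].map_roles(user)
    return {"page": policy[1], "realm": policy[2], "roles": roles, "must_choose": must_choose}

# Constructed sample configuration mirroring the table and the "ss*" rule in the notes.
POLICIES: List[SignInPolicy] = [("*/", "User-sign-in", "Users"),
                                ("*/admin/", "Admin-page", "Admin Users")]
REALMS: Dict[str, Realm] = {
    "Admin Users": Realm("local", [Rule("admins", "username", "admin*", {"administrator"})]),
    "Users": Realm("local", [
        Rule("contractors", "username", "ss*", {"contractor"}, stop=True),
        Rule("finance", "certificate", "ou=accounting", {"accounting"}),
        Rule("everyone", "username", "*", {"employee"}),
    ]),
}
```

Run `sign_in("https://mag.example.test/", User("ssmith"), POLICIES, REALMS)` to see the STOP rule give only the contractor role, while a user with an accounting certificate collects both accounting and employee when the realm merges.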