So on the last box.
Access Control Service Policy.
Firewall Enforcement
Host Enforcement.
802.1x (comes later on)
MAG Secure Access can send items to:
Firewall: set up the IPsec VPN.
Firewall: set up a resource access policy.
Client (Host Enforcer): set up a rule on the host, like blocking certain incoming TCP.
Enforcement
Source IP - control access based on source and destination IP, protocol and ports
{no encryption}
Does not support third party ??
IPSEC
The firewall uses IKE and can use XAUTH to validate the user credentials (Pulse client).
ESP or AH {AH does not do encryption}
So let's see a sample configuration on the SRX.
set security policies from-zone WAN to-zone LAN policy access_ac match source-address any
set security policies from-zone WAN to-zone LAN policy access_ac match destination-address ac1
set security policies from-zone WAN to-zone LAN policy access_ac match application any
set security policies from-zone WAN to-zone LAN policy access_ac then permit
set security policies from-zone WAN to-zone LAN policy any_resource match source-address any
set security policies from-zone WAN to-zone LAN policy any_resource match destination-address any
set security policies from-zone WAN to-zone LAN policy any_resource match application any
set security policies from-zone WAN to-zone LAN policy any_resource then permit application-services uac-policy
First rule: fine, get in, go to ac1 and log in.
Second rule: nah, you can't come in unless you already went to ac1.
They recommend ordering the policies like this:
Junos Pulse AC service IPSEC first
General VPN second
Source IP third.
Associating a given user with a policy occurs during role mapping.
Junos Pulse builds a table that matches the user to the policy rules.
It is merely creating the rules, not enforcing them.
It evaluates the policies only:
when the user signs in at the sign-in page,
after the user authenticates,
when the user requests a resource and the enforcer checks,
when the host checker state changes.
So when you make any changes on the MAG, users keep the same access until one of the above happens.
Pulse OAC
At the start the enforcer does not know if you are allowed; it only knows to consult the MAG appliance.
There is an AUTH table where the data is cached.
This is called dynamic authentication table allocation.
Resource Access
Auth tables on the enforcers match the user role with the resource access required.
The policies are distributed by the MAG to the enforcers.
The endpoint tries, is dropped, and the SRX tells the MAG about this.
The MAG sends a policy entry to the auth table.
On the next retry the endpoint is allowed in.
{{If the DNS is behind the enforcer it might create DNS timeout issues.}}
So basically the SRX is set up as normal.
set security policies from-zone wan to-zone lan policy access_resource match source-address any
set security policies from-zone wan to-zone lan policy access_resource match destination-address any
set security policies from-zone wan to-zone lan policy access_resource match application any
set security policies from-zone wan to-zone lan policy access_resource then permit application-services uac-policy
Which shows in the configuration as:
then {
    permit {
        application-services {
            uac-policy;
        }
    }
}
So the uac-policy is the AUTH table.
It basically tells traffic that matches the policy to then be matched against the AUTH table.
The AUTH table holds the permit to the resource and the user role allowed.
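The behaviour described above (first packet dropped, enforcer consults the MAG, entry cached in the AUTH table, retry allowed, and a change on the MAG not taking effect until the entry is re-evaluated) as a small model. This is an added example written for these notes, not Juniper code; the class names, the data shapes and the allow/deny semantics of the role-to-resource match are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourcePolicy:
    """One resource access policy as the MAG distributes it (assumed shape)."""
    name: str
    resource: str            # destination prefix, e.g. "10.1.1.0/24"
    roles: frozenset         # user roles the policy applies to
    action: str = "allow"    # "allow" or "deny"


class Mag:
    """Access Control Service: tracks signed-in endpoints and their roles."""
    def __init__(self, policies):
        self.policies = list(policies)
        self.sessions = {}   # source IP -> set of roles (result of role mapping)

    def sign_in(self, src_ip, roles):
        self.sessions[src_ip] = set(roles)

    def sign_out(self, src_ip):
        self.sessions.pop(src_ip, None)

    def consult(self, src_ip):
        """The enforcer asks about an unknown source; roles or None if not signed in."""
        roles = self.sessions.get(src_ip)
        return frozenset(roles) if roles else None


class Enforcer:
    """SRX with uac-policy: caches AUTH table entries and matches roles to resources."""
    def __init__(self, mag):
        self.mag = mag
        self.policies = list(mag.policies)   # distributed by the MAG when configured
        self.auth_table = {}                 # source IP -> roles (the cached AUTH table)
        self.log = []

    def evaluate(self, src_ip, dst_ip):
        roles = self.auth_table.get(src_ip)
        if roles is None:
            # No entry yet: the first packet is dropped and the MAG is consulted.
            self.log.append(f"drop {src_ip}->{dst_ip}: no auth table entry, asking MAG")
            roles = self.mag.consult(src_ip)
            if roles is not None:
                self.auth_table[src_ip] = roles   # dynamic auth table allocation
            return "drop"
        dst = ipaddress.ip_address(dst_ip)
        for pol in self.policies:
            if dst in ipaddress.ip_network(pol.resource) and roles & pol.roles:
                self.log.append(f"{pol.action} {src_ip}->{dst_ip} by {pol.name}")
                return pol.action
        self.log.append(f"deny {src_ip}->{dst_ip}: no resource policy for {set(roles)}")
        return "deny"

    def clear_entry(self, src_ip):
        """Re-evaluation trigger (sign-in, auth, resource request, host check change)."""
        self.auth_table.pop(src_ip, None)


def demo():
    # Constructed sample policies and addresses.
    policies = [
        ResourcePolicy("intranet", "10.1.1.0/24", frozenset({"Employees"})),
        ResourcePolicy("guest-web", "203.0.113.0/24", frozenset({"Employees", "Guests"})),
    ]
    mag = Mag(policies)
    srx = Enforcer(mag)
    mag.sign_in("192.0.2.10", {"Employees"})
    results = [
        srx.evaluate("192.0.2.10", "10.1.1.5"),   # drop: first try, entry gets cached
        srx.evaluate("192.0.2.10", "10.1.1.5"),   # allow: retry hits the cached entry
        srx.evaluate("192.0.2.99", "10.1.1.5"),   # drop: never signed in, nothing to cache
    ]
    mag.sign_in("192.0.2.20", {"Guests"})
    results += [
        srx.evaluate("192.0.2.20", "203.0.113.7"),  # drop, then allow on retry
        srx.evaluate("192.0.2.20", "203.0.113.7"),
        srx.evaluate("192.0.2.20", "10.1.1.5"),     # deny: Guests have no intranet policy
    ]
    # A change on the MAG does not take effect until the enforcer re-evaluates.
    mag.sign_out("192.0.2.10")
    results.append(srx.evaluate("192.0.2.10", "10.1.1.5"))  # still allow (cached entry)
    srx.clear_entry("192.0.2.10")
    results.append(srx.evaluate("192.0.2.10", "10.1.1.5"))  # drop: MAG has no session now
    return results


if __name__ == "__main__":
    print(demo())
```

The last two calls are the point of the "users will still have the same access" note: the sign-out on the MAG changes nothing at the SRX until the cached entry is cleared by one of the re-evaluation events.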
IPsec to resource.
You must have both an IPsec policy and the resource access policy for it to work.
Host Enforcer is on the MAG;
when you connect with OAC it pushes the rules to you.
Auth Policy
Either dynamic, which applies to all roles,
or you can set up the enforcer to support only certain roles so you can limit the table size.
If the enforcer and the client have NAT between them you can use the NAT IP address pools.
Firewall Enforcer Configuration
Basically the usual first part.
set security policies from-zone wan to-zone lan policy access_resource match source-address any
set security policies from-zone wan to-zone lan policy access_resource match destination-address any
set security policies from-zone wan to-zone lan policy access_resource match application any
set security policies from-zone wan to-zone lan policy access_resource then permit application-services uac-policy
Set up the MAG as the RADIUS server
set access profile Employees authentication-order radius
set access profile Employees radius-server 172.16.15.1 secret password
Set up the IKE phase 1 parameters (XAUTH hands the user credentials to the Employees access profile, i.e. the MAG) and the IPsec phase 2 parameters. The gateway also needs an external-interface, which these notes leave out.
set security ike proposal Employee authentication-method pre-shared-keys
set security ike policy Employee mode aggressive
set security ike policy Employee proposals Employee
set security ike policy Employee pre-shared-key ascii-text passwordIPSEC
set security ike gateway Employee ike-policy Employee
set security ike gateway Employee dynamic hostname endpoint.pulse.local
set security ike gateway Employee xauth access-profile Employees
set security ipsec proposal Employee protocol esp
set security ipsec policy Employee proposals Employee
set security ipsec vpn pulse ike gateway Employee
set security ipsec vpn pulse ike ipsec-policy Employee
set security ipsec vpn pulse establish-tunnels immediately
Now the policy: basically the usual first part, but this time it leads to the tunnel.
set security policies from-zone wan to-zone lan policy TUNNEL match source-address any
set security policies from-zone wan to-zone lan policy TUNNEL match destination-address any
set security policies from-zone wan to-zone lan policy TUNNEL match application any
set security policies from-zone wan to-zone lan policy TUNNEL then permit tunnel ipsec-vpn pulse
set security policies from-zone wan to-zone lan policy TUNNEL then permit application-services uac-policy
The above was on the enforcer; pretty easy to tell, as it is Junos.
Now on the MAG.
You need to configure this too.
UAC --> Infranet Enforcer {this is where most of the SRX firewall items are} --> Resource Access
Resource Access --> New Policy
name
description
resources
Infranet Enforcers -- map out which Infranet Enforcers will be enforcing this.
Which roles this policy applies to.
Allow/Deny
You can add additional enforcer options {web/anti-spam/av/logging/idp}
Next tab is IPsec.
Here you set up the IPsec tunnel, which will be created when you want to access that resource.
Specify the enforcer.
Specify the roles this applies to.
AUTH table mapping allows you to map specific items to specific user roles; this way you can keep the table nice and short.
IP address pools.
For the above settings you can also force the enforcer to use an IP from the NAT pool.
Then again add that to the relevant enforcers,
then add it to the relevant roles.
Host Enforcer.
UAC >> Host Enforcer
You set it up,
you select the resources
{{on this you set up the rules you want the enforcer to run, in the form
<protocol>:<host>:<netmask>:<destination ports>:<source ports>:}}
You apply it to the roles.
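A parser and matcher for the host enforcer rule format quoted above, as an added example for these notes (not Juniper or Pulse code). The page only gives the field order; the accepted port syntax ("any", single ports, comma lists, lo-hi ranges), the dotted-or-prefix netmask handling, the trailing colon, and the first-match allow/deny evaluation are assumptions made here so the rules can be checked offline before they are pushed to the roles.

```python
import ipaddress


def parse_ports(spec):
    """Port field: 'any', a single port, a comma list, or lo-hi ranges (assumed syntax)."""
    if spec.strip().lower() in ("", "any", "*"):
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {part!r}")
        ranges.append((lo, hi))
    return ranges


def parse_rule(text):
    """Parse '<protocol>:<host>:<netmask>:<destination ports>:<source ports>:'."""
    parts = text.split(":")
    if len(parts) == 6 and parts[5] == "":
        parts.pop()                     # tolerate the trailing colon shown in the notes
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields, got {len(parts)}: {text!r}")
    protocol, host, netmask, dst_ports, src_ports = (p.strip() for p in parts)
    protocol = protocol.lower()
    if protocol not in ("tcp", "udp", "icmp", "any"):
        raise ValueError(f"unknown protocol {protocol!r}")
    # Netmask may be dotted (255.255.255.0) or a prefix length (24); strict=False
    # lets the host be any address inside the subnet, not only the network address.
    network = ipaddress.ip_network(f"{host}/{netmask or '32'}", strict=False)
    return {
        "protocol": protocol,
        "network": network,
        "dst_ports": parse_ports(dst_ports),
        "src_ports": parse_ports(src_ports),
    }


def _port_in(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def rule_matches(rule, protocol, peer_ip, dst_port, src_port):
    """True if a flow (protocol, remote host, local port, remote port) hits the rule."""
    return (
        rule["protocol"] in ("any", protocol.lower())
        and ipaddress.ip_address(peer_ip) in rule["network"]
        and _port_in(dst_port, rule["dst_ports"])
        and _port_in(src_port, rule["src_ports"])
    )


def evaluate(policy, protocol, peer_ip, dst_port, src_port, default="allow"):
    """policy: ordered list of (action, rule_text); first match wins (assumed semantics)."""
    for action, text in policy:
        if rule_matches(parse_rule(text), protocol, peer_ip, dst_port, src_port):
            return action
    return default


# Constructed sample policy: SSH only from one subnet, block inbound SMB/RDP and NetBIOS.
SAMPLE_POLICY = [
    ("allow", "tcp:10.1.1.0:255.255.255.0:22:any:"),
    ("deny",  "tcp:0.0.0.0:0.0.0.0:445,3389:any:"),
    ("deny",  "udp:0.0.0.0:0:137-138:any:"),
]

if __name__ == "__main__":
    for action, text in SAMPLE_POLICY:
        print(action, parse_rule(text))
    print(evaluate(SAMPLE_POLICY, "tcp", "192.0.2.5", 445, 51000))
```

Because every rule string is parsed before it is matched, a malformed entry (wrong field count, a port range like 90-80, a bad protocol) raises at once rather than silently matching nothing once it is on the host.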
Verify
show services unified-access-control authentication-table
show security ipsec statistics
show security ike security-associations
User access logs.
Pulse diagnostic viewer (pdv.exe).
From the OAC you can run diagnostics.
Captive portal is only for HTTP.
set services unified-access-control captive-portal guests redirect-traffic unauthenticated
set services unified-access-control captive-portal guests redirect-url https://x..xx.x./guest
Then in the security policy (policy name as used above):
set security policies from-zone wan to-zone lan policy <policy-name> then permit application-services uac-policy captive-portal guests