
Junos Pulse Access Control Service, Junos SRX Enforcer Feature Guide (PDF). Author: Juniper Networks. Created: 2014-02-10 18:15:05Z.


Junos Pulse Access Control Service

Junos SRX Enforcer Feature Guide

Release 5.0

Published: 2014-02-10

Copyright © 2014, Juniper Networks, Inc.

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

Copyright © 2014, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Junos Pulse Access Control Service Junos SRX Enforcer Feature Guide, Release 5.0. Copyright © 2014, Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Part 1 Overview

Chapter 1 Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Understanding Deployments with Junos Infranet Enforcers . . . . . . . . . . . . . . . . . . 3

Communication Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Configuration Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Version Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Using Certificate-Based Security with Junos Enforcer Deployments . . . . . . . . . . . . 6

Chapter 2 Infranet Enforcer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Infranet Enforcer Policies Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Using the Infranet Enforcer as a Policy Enforcement Point . . . . . . . . . . . . . . . . . . 10

Understanding Infranet Enforcer Source IP Security Policies . . . . . . . . . . . . . . . . . . 11

Source IP Security Policy Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

ScreenOS Infranet Enforcer Configuration Summary . . . . . . . . . . . . . . . . . . . 12

Junos Infranet Enforcer Configuration Summary . . . . . . . . . . . . . . . . . . . . . . . 13

Chapter 3 Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Understanding the Infranet Enforcer Captive Portal Feature . . . . . . . . . . . . . . . . . 15

Before Configuring Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 4 User-Role-Based Firewall Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

User-Role Firewall Policies Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Terminology for Active Directory SPNEGO Authentication with User Role Policies . . . . . . . . . . . . . . . . . . . . . . . 20

User Authentication Sequence for Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . 21

Active Directory Integration Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Sample Active Directory Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

User Log Messages on the MAG Series Device . . . . . . . . . . . . . . . . . . . . . . . . 24

Supported Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24


Chapter 5 IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

IPsec and the Junos Enforcer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

IPsec Policies on the Junos Enforcer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Using IPsec with the Junos Enforcer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

IPsec Enforcement on the Junos Enforcer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Before Configuring IPsec on the Junos Enforcer . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

IPsec Routing Policies for the Junos Enforcer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Before Configuring IPsec Routing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Using IP Address Pool Policies for IPsec in a NAT Environment . . . . . . . . . . . . . . . 29

Understanding IP Address Pool Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Chapter 6 Resource Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

About Resource Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Using the Juniper Networks EX Series Ethernet Switch as an Enforcer with a Resource Access Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Specifying Resources for User Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Chapter 7 User Role Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

User Role Policies on the Junos Enforcer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Chapter 8 Auth Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Understanding Infranet Enforcer Auth Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Understanding Dynamic Auth Table Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Part 2 Configuration

Chapter 9 Junos Enforcer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Configuring the Junos Enforcer to Communicate with the Access Control Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Setting Up the Junos Enforcer to Work with the Access Control Service . . . . . . . 46

Chapter 10 IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Configuring Junos Enforcer IPsec Routing Policies . . . . . . . . . . . . . . . . . . . . . . . . . 49

Configuration Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Configuring an IPsec Routing Policy for the Junos Enforcer . . . . . . . . . . . . . . . . . . 53

Configuring an IP Address Pool Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Chapter 11 Resource Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Configuring Resource Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Chapter 12 Auth Tables and Mapping Policies . . . . . . . . . . . . . . . . . . .
