Infranet Enforcer Auth. Table

SOLVED
andre_
Contributor

Infranet Enforcer Auth. Table

Hi Guys,

 

I have a question about the Auth. Table in Infranet Enforcer SSG:

When an SSG is connected to the IC and a user behind the SSG authenticates to the IC, the user shows up in the Auth. table in the SSG.

Let's say I have 10 SSGs connected to the IC. When a user authenticates to the IC, all 10 SSGs will share the auth. table entry (in one SSG's auth table, entries from all SSGs appear).

I want that if a user behind SSG-A authenticates to the IC, it will only be in SSG-A's auth. table (not in all SSGs).

Has anyone experienced this, and do you have any suggestions?

 

Thanks Guys


14 REPLIES
apaul_
Regular Contributor

Re: Infranet Enforcer Auth. Table

Hi Andre,

 

You could achieve this while configuring Infranet Enforcer Auth Table Mapping Policies.

You have the option to specify the Infranet Enforcer devices to which you want to apply that specific auth table mapping policy.

 

Thanks

andre_
Contributor

Re: Infranet Enforcer Auth. Table

Hi Paul,

 

With the Auth. Table mapping policy in the IC, can we define that each authenticated user behind its own SSG firewall only appears in its own SSG's auth table, not in all SSGs that are connected to the IC?

 

Thanks 

apaul_
Regular Contributor

Re: Infranet Enforcer Auth. Table

I am not sure whether I understand your question fully.

Can you elaborate using an example?

andre_
Contributor

Re: Infranet Enforcer Auth. Table

Hi Paul,

 

Sorry for confusing you.

This is the example:

 

 

SSG20 site A & SSG20 site B   ------------connected-------------------> IC Cluster A/P

 

Let's say user 1 & user 2 are behind SSG site A and user 3 & user 4 are behind SSG site B.

When users 1 & 2 authenticate to the IC, in the auth. table in SSG site A we can see user 3 and user 4 also, even though users 3 and 4 are behind a different SSG (SSG site B).

What I want is: in SSG site A only users 1 and 2 are in the auth table, and users 3 & 4 are only in the auth. table of SSG site B.

Because there are more than 200 SSG20s that will be connected to the IC and there are many users behind each site's SSG, I am concerned that if all users authenticated to the IC appear in each SSG's auth. table, it will increase the resource usage of the SSG and maybe decrease SSG performance. I don't want this.

 

Any idea?

 

Thanks

apaul_
Regular Contributor

Re: Infranet Enforcer Auth. Table

Hi Andre,

 

One way of doing this:

  • Group users 1 & 2 in Role A and users 3 & 4 in Role B.
  • Create an Auth Table Mapping Policy "SSG Site A", select the SSG at site A as the available Enforcer, and select Role A for the "Policy applies to SELECTED roles" option.
  • Create another Auth Table Mapping Policy "SSG Site B", select the SSG at site B as the available Enforcer, and select Role B for the "Policy applies to SELECTED roles" option.

This should take care of your requirement.

Additionally, you have the option to Provision Auth Table as Needed. By selecting this, the IC provisions auth table entries only when a user with a chosen role attempts to access a resource behind the specified Infranet Enforcer.

 

Hope this helps.

If I have answered your question correctly, you could mark this post as the accepted solution; that way it will help others as well. A Kudo would be a bonus, thanks!

andre_
Contributor

Re: Infranet Enforcer Auth. Table

 

Hi Paul,

 

If we do it like that, we have to configure more roles per site and define more groups in AD (because the auth server uses AD, and right now users at all sites use one group in AD), right?

If so, there are many things to configure. Is there any other way that is simpler?

apaul_
Regular Contributor

Re: Infranet Enforcer Auth. Table

Hi Andre,

 

Use Dynamic Auth table provisioning.

Prior to ScreenOS Release 6.1, you manually created auth table mapping policies to use Source IP enforcement. Each authenticated user had an auth table entry on the Infranet Enforcer, whether they were accessing resources or not. With the Junos Enforcer and ScreenOS 6.1 or greater on the ScreenOS Enforcer you can dynamically create auth table entries when a user attempts to access a protected resource, eliminating the need to always provision Auth Table Mapping Policies.

Dynamic auth table allocation reduces auth table entries to only those that are needed, enabling you to deploy smaller firewalls with a larger user population. After the user disconnects, the Infranet Enforcer automatically expires the auth table entry.

 

Hope this helps


andre_
Contributor

Re: Infranet Enforcer Auth. Table

Hi Paul,

 

About dynamic auth. table provisioning, I have already read about it in the knowledge base.

One more question about dynamic auth. table provisioning:

If using this feature, let's say user A authenticates to the IC; will this user's information be added to all SSGs' auth table entries?

Because what I understand is that if using a manual auth. table mapping policy we can define which user and role connect to which SSG, and if using dynamic auth table provisioning each authenticated user's information will be added to the auth table entry in all SSGs but will be removed automatically after the user disconnects. Am I right?

And if using dynamic auth table provisioning, we just delete the auth table configuration in the IC, right?

How many auth table entries can an SSG20 support?

apaul_
Regular Contributor

Re: Infranet Enforcer Auth. Table

Hi Andre,

 

While using Dynamic Auth table provisioning, the IC is not going to push an Auth Table entry as soon as user A is authenticated with the IC. The auth table entry will be pushed only when user A tries to access the protected resource.

When user A tries to access the protected resource, the Infranet Enforcer is going to send a drop notification to the IC, which in turn is followed up with auth table provisioning by the IC.
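A small simulation of the three provisioning modes discussed in this thread (an added example written for this page, not Juniper's code and not from any of the posts): one mapping policy applied to every enforcer, mapping policies scoped per site role, and dynamic provisioning triggered by an enforcer's drop notification and expired on disconnect. The topology, user and role names and the policy structures are constructed assumptions; the model only tracks which enforcer holds an auth table entry for which user.

```python
from collections import defaultdict
# Constructed topology (assumption): user -> (role, SSG the user sits behind).
USERS = {"user1": ("roleA", "SSG-A"), "user2": ("roleA", "SSG-A"),
         "user3": ("roleB", "SSG-B"), "user4": ("roleB", "SSG-B")}
# Auth table mapping policies: role -> enforcers the policy applies to (None = all enforcers).
GLOBAL_POLICY = {"roleA": None, "roleB": None}            # one policy for every SSG (thread's starting point)
SCOPED_POLICY = {"roleA": {"SSG-A"}, "roleB": {"SSG-B"}}  # one policy per site (first suggestion)

class InfranetController:
    def __init__(self, enforcers, policy, dynamic=False):
        self.enforcers, self.policy, self.dynamic = set(enforcers), policy, dynamic
        self.sessions = {}              # user -> role, for users currently signed in to the IC
        self.tables = defaultdict(set)  # enforcer -> users that have an auth table entry there

    def targets(self, role):
        allowed = self.policy.get(role)
        return self.enforcers if allowed is None else allowed & self.enforcers

    def authenticate(self, user, role):
        self.sessions[user] = role
        if not self.dynamic:  # static mode: push the entry to every enforcer the policy names, at sign-in
            for enforcer in self.targets(role):
                self.tables[enforcer].add(user)

    def drop_notification(self, enforcer, user):
        """Dynamic mode: the enforcer dropped traffic from an unknown source and asks the IC for an entry."""
        role = self.sessions.get(user)
        if not self.dynamic or role is None or enforcer not in self.targets(role):
            return False  # not signed in, or no policy covers this enforcer: nothing is provisioned
        self.tables[enforcer].add(user)  # only the enforcer that sent the notification gets the entry
        return True

    def disconnect(self, user):
        self.sessions.pop(user, None)
        for table in self.tables.values():  # the entry expires everywhere once the session ends
            table.discard(user)

    def entry_counts(self):
        return {e: len(self.tables[e]) for e in sorted(self.enforcers)}

def simulate(policy, dynamic):
    """All four users sign in, only user1 sends traffic (through its own SSG), then user1 disconnects."""
    ic = InfranetController({"SSG-A", "SSG-B"}, policy, dynamic)
    for user, (role, _) in USERS.items():
        ic.authenticate(user, role)
    ic.drop_notification("SSG-A", "user1")
    while_connected = ic.entry_counts()
    ic.disconnect("user1")
    return while_connected, ic.entry_counts()
```

Running `simulate` with the global static policy gives every SSG an entry for every signed-in user, the per-site policy confines each user to its own SSG, and dynamic mode only ever places an entry on the SSG that actually saw traffic and removes it at disconnect.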