MAG 2600 UAC/SRX Infranet Enforcer/Active Directory - Issue with Multiple Users on a single Laptop

SOLVED
zilou_
New Contributor

Hello all,

I set up a MAG with SRX Enforcer linked to an Active Directory and I still have questions or issues.

The users are authenticated for Internet access using their Active Directory account by opening their browser.

1. Is it possible to make the authentication completely seamless from the user's perspective? (just using the AD authentication entered at boot)

2. The user needs to enter login/password once, until the laptop reboots (is this the normal behavior?)

3. We are using Citrix for some users, and when one user on Citrix is authenticated, all others benefit from this authentication. Is this normal? Is there a way to bypass this behaviour?

Thanks for your help

SRX Release: 12.1R2.9

UAC Release: 4.2R2

ACCEPTED SOLUTION
kalagesan_
Super Contributor

Re: MAG 2600 UAC/SRX Infranet Enforcer/Active Directory - Issue with Multiple Users on a single Laptop

Hi,

Your requirement can be achieved through the "User Role Access with the SRX Series" feature introduced in IC 4.2R1, i.e. the SPNEGO SSO feature.

Using this feature, a user role firewall policy that does not require an agent on endpoints provides user role support on the SRX Series device for specific applications.

Active Directory support allows authenticated users with Kerberos single sign-on (SSO) to access different resources without passing through the Junos Pulse Access Control Service for reauthentication.

UAC Solution Guide for SRX Series Services Gateways:

http://www.juniper.net/techpubs/software/uac/4.2xguides/j-ic-uac-4.2-srxsolution.pdf

IC 4.2 admin guide, refer to "User Role Access with the SRX Series Firewall", chapter 8, page 219 for more information:

http://www.juniper.net/techpubs/software/uac/4.2xguides/j-ic-uac-4.2-adminguide.pdf

Hope this clarifies your query.

Regards,

Kannan


4 REPLIES
zilou_
New Contributor

Re: MAG 2600 UAC/SRX Infranet Enforcer/Active Directory - Issue with Multiple Users on a single Laptop

Hello

Thanks for your reply. I've implemented this solution, which works well.

Except that when using Citrix, it seems that once a user is authenticated from the Citrix server (IP address), all other users are authenticated too and benefit from the rights of the first authenticated user.

Any idea?

Regards

rrosiak_
Occasional Contributor

Re: MAG 2600 UAC/SRX Infranet Enforcer/Active Directory - Issue with Multiple Users on a single Laptop

Hi,

The SRX is an L3 auth enforcer. L3 auth means that the MAG pushes an auth entry, based on the role-mapped resource, to the SRX. The SRX uses the IP of the end-user station to create a proper source-IP UAC rule. When the first user authenticates, all other users will share the same resource access, because the SRX is simply not able to distinguish those users. For the SRX, that particular IP address (the Citrix server) is already authenticated.

zilou_
New Contributor

Re: MAG 2600 UAC/SRX Infranet Enforcer/Active Directory - Issue with Multiple Users on a single Laptop

Thanks a lot for your answer.

The setup is fine and works well except for Citrix, but a workaround exists: dedicating one IP per Citrix session.

Regards
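The two points made in this thread, that a source-IP keyed (L3) enforcer cannot tell users behind a shared-IP host apart, and that giving each Citrix session its own IP restores per-user enforcement, can be shown with a small model. The following is an added example written for this page; it is not Junos, UAC or Citrix code, and the enforcer class, role policy, IP addresses, usernames and log lines are all constructed. It also adds a simple detector, run over constructed logon records that pair a username with a source IP, which flags IPs seen with more than one distinct username, the signature of a shared host (Citrix, terminal server, NAT) where IP-based enforcement collapses users.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample policy: role -> resources that role may reach.
ROLE_POLICY: Dict[str, Set[str]] = {
    "finance": {"finance-app", "intranet"},
    "staff": {"intranet"},
}


class L3Enforcer:
    """Model of an auth table keyed on source IP, as described in the thread.

    Hypothetical class, not the SRX implementation: it only captures the
    behaviour that one auth entry per IP governs every flow from that IP.
    """

    def __init__(self) -> None:
        self.auth_table: Dict[str, Dict[str, str]] = {}

    def push_auth(self, src_ip: str, user: str, role: str) -> bool:
        """Install an auth entry for src_ip; return True if a new entry was created."""
        if src_ip in self.auth_table:
            # The IP is already considered authenticated, so a later user on the
            # same IP is never challenged and never gets an entry of their own.
            return False
        self.auth_table[src_ip] = {"user": user, "role": role}
        return True

    def effective_user(self, src_ip: str) -> Optional[str]:
        """Which user the enforcer believes is behind src_ip."""
        entry = self.auth_table.get(src_ip)
        return entry["user"] if entry else None

    def allows(self, src_ip: str, resource: str) -> bool:
        """Policy decision: the role of the entry for src_ip decides, nothing else."""
        entry = self.auth_table.get(src_ip)
        if entry is None:
            return False  # unauthenticated IP: would be redirected to the captive portal
        return resource in ROLE_POLICY.get(entry["role"], set())


def simulate_shared_ip() -> Dict[str, object]:
    """All Citrix sessions egress from one IP (the problem reported in the thread)."""
    enforcer = L3Enforcer()
    citrix_server = "10.0.0.5"  # constructed address
    enforcer.push_auth(citrix_server, "alice", "finance")
    # bob's session on the same Citrix server never authenticates: the SRX
    # already treats 10.0.0.5 as authenticated, so he inherits alice's role.
    return {
        "alice_finance_app": enforcer.allows(citrix_server, "finance-app"),
        "bob_finance_app": enforcer.allows(citrix_server, "finance-app"),
        "bob_seen_as": enforcer.effective_user(citrix_server),
    }


def simulate_dedicated_ip() -> Dict[str, object]:
    """Workaround from the thread: one IP per Citrix session, so each user gets an entry."""
    enforcer = L3Enforcer()
    enforcer.push_auth("10.0.1.11", "alice", "finance")  # constructed per-session IPs
    enforcer.push_auth("10.0.1.12", "bob", "staff")
    return {
        "alice_finance_app": enforcer.allows("10.0.1.11", "finance-app"),
        "bob_finance_app": enforcer.allows("10.0.1.12", "finance-app"),
        "bob_intranet": enforcer.allows("10.0.1.12", "intranet"),
    }


# Constructed logon records (not real MAG/IC output): username paired with source IP.
SAMPLE_LOGON_LOG: List[str] = [
    "2013-05-06T09:00:01 logon user=alice src=10.0.0.5 role=finance",
    "2013-05-06T09:02:14 logon user=bob src=10.0.0.5 role=staff",
    "2013-05-06T09:05:30 logon user=carol src=10.0.2.20 role=staff",
]

LOGON_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<src>\d+\.\d+\.\d+\.\d+)")


def shared_ip_report(lines: List[str]) -> Dict[str, Set[str]]:
    """Return IPs that appear with more than one distinct username.

    Such IPs are candidates for shared hosts where a source-IP keyed enforcer
    would grant every user the first user's access; they need per-session IPs
    or an agent-based (per-user) enforcement mode instead.
    """
    users_by_ip: Dict[str, Set[str]] = {}
    for line in lines:
        match = LOGON_RE.search(line)
        if match:
            users_by_ip.setdefault(match["src"], set()).add(match["user"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    print("shared IP:   ", simulate_shared_ip())
    print("dedicated IP:", simulate_dedicated_ip())
    print("shared hosts:", shared_ip_report(SAMPLE_LOGON_LOG))
```

In the shared-IP run, bob reaches `finance-app` and the enforcer reports alice as the user behind the Citrix address; in the dedicated-IP run he is limited to his own role. The report function is the check worth scheduling against whatever logon source carries username and source IP, since a source-IP enforcer alone will not log the second user at all.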