With UAC firewall gives access based on combination of resource and ROLE ( not just resource). IC pushes ROLE information to the firewall along with resource subnet. So if user is in remediation vlan and for that role if access is deined , user wont be able to access resource. So firewall doesn't need to know the VLAN id or subnet of remediation VLAN. Decision is done on basis of ROLE. Thats why it is so independent of network subent or source IP .

Hi Friend,

Thanks for reply. Can you please explain your sentence : "IC pushes ROLE information to the firewall along with resource subnet" I am not getting if firewall does not know the source IP then how it can dinguish trusted/untrusted users?

Thanks

When the User connects the machine to the Switch; EAP negotiations starts - authenticating against a Realm which will maps to a Role finally - When a Role is assigned.

Paralley Based on the Role Radius Return Attribute Policy will assign the VLAN.

Similarly basedo n the Role Layer-3 Enforcement policy will be triggered and pushed to the Firewall.

You have to configure the policy with the following details

protocol: tcp or udp

destination ip address

desintation port nos;

Note: The source-ip address it will know when the machine gets the ip address.

So it creates a specefic policy for that user with that source-ip address and destination ip /port details .

Regards

LPW

Thanks for the reply and good explaination. I still didnot get depending upon the role when IC push the resource policies to firewall and that user (already authenticated and compliant with security policy and got the right VLAN) crosses the firewall to access the protected resources behind the firewall, then what happened please correct me if am wrong:

The firewall has the knowledge of user identity and role for that user, pushed by IC to firewall. So user traffic comes to firewall then firewall ask the IC giving the username, role and soruce IP to IC that this user is allowed or not? Then how IC knows this the authenticated user already with IC???? because IC doesnot know the source IP of that user. Should user need to athenticate again to IC???

Kindly explain it. I would highly appreciate your help

Hi,

I am not sure if you are talking about Layer-3 or Layer-2. I assume you are taking about both Layer-2 and Layer-3 combined. I also assuem the end user has an agent installed in the machine.

When the agent is installed, it will first authenticate itself against the IC. So IC will be Server who will be aware of the end users Machine IP Address.

NAC is implemented at this point itself. Additional If I want to protect my servers then i should place the server behind the Juniper Firewall.

In such scenario the IC which is already aware of the authenticated user machine ip address pushes the respective policy to the firewall;

The user need not get authenticated again.

Advantages:

If the user logs off the policy is dynamically removed from the firewall, which means any other user cannot spoof the ip address and get access to the resources; which will be possible if it was a static rule based policy in the firewall.

regards

LPW

Dear

Thanks you very much for your response. Let me clear my question. Actually I want both layer 2 and 3 enforcement for my employee users.

1- Users have OAC installed on thier pc and through OAC they autheticate with IC via 802.1x and got the right VLAN.

2- Now user got the IP from DHCP server

3- But at this point IC doest not know the IP of user bcs user got the IP after authenticaton from IC

So my question is that how IC wil push the policy to the firewall when the user access the servers behind the firewall bcs IC does not know the IP of user. So its means that user have to again authenticate to the IC for the l3 enforcement?

thanks

Thanks Dear

Hello Experts,

I am running a PoC on UAC for a client and ran into this challenge. The switchport refuses to change to the newly assigned VLAN returned by the MAG after successful Remediation.

When a user connects his endsystem to the network, he is being authenticaticated against either the System Local Radius server on the MAG or against AD. After successful authentication of the user, the user endpoint device is checked for posture assessment e.g. updated Anti-Virus patch. The user Role is dependent on the compliance to Host Checker security policy. If user complies, he is assigned to Employee Role(VLAN 10); should user fail posuture test, he is placed in Quarantine Role(VLAN 655). However, i noticed that all users are placed in the Quarantine Role initially, after the Host Checker runs on user PC, a the user role is either upgraded or left in Quarantine Role.

I am the Agent-less mode and i have Cisco devices configured with 802.1x for port-based authentication.

Observation:

From my observation, the MAG or IC series device initially assigns users to Quarantine VLAN(VLAN 655).

When users open the URL page, Host checker is ran and the MAG then assigns a new role to compliant systems, this is the Employee Role(VLAN 10).

Now, even though the user role has changed on the MAG, the switchport still remains in auth-fail/guest vlan, which is the Quarantine VLAN(655).

Switch Sample Config:

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

!

aaa authentication dot1x default group radius

dot1x system-auth-control

!

interface FastEthernet0/1

switchport access vlan 10

switchport mode access

dot1x mac-auth-bypass

dot1x pae authenticator

dot1x port-control auto

dot1x timeout tx-period 10

dot1x max-reauth-req 1

dot1x reauthentication

dot1x guest-vlan 655

dot1x auth-fail vlan 655

spanning-tree portfast

spanning-tree bpduguard enable

Please what could be wrong? I want to have the switchport change from VALN 655 to VLAN 10 after successful Host Checker test is ran. Please Help...

Thanks!

Id.