UAC Policies on SRX not Functional After Junos Software Upgrade

arslan.nawaz_
Contributor

UAC Policies on SRX not Functional After Junos Software Upgrade

Hi,

I have an urgent query. I was using UAC 5.0 on MAG and an SRX 1400 in a chassis cluster with Junos 10.4 as the L3 enforcer.

The solution was deployed successfully and everything was working fine until recently, when I upgraded my SRX 1400 Junos software from version 10.4 to 12.1. After the Junos software upgrade, all the UAC policies configured on the SRX 1400 are not working. The device is connected to UAC properly and users are shown in the auth table of the SRX device...

Any help?

Regards

6 REPLIES
tgatewood_
Occasional Contributor

Re: UAC Policies on SRX not Functional After Junos Software Upgrade

I recently saw the same thing, did you go to 12.1x44d40? I removed all the config under services unified-access-control, committed, then pasted the same lines back in and did another commit.
arslan.nawaz_
Contributor

Re: UAC Policies on SRX not Functional After Junos Software Upgrade

Yes, I upgraded the Junos software to 12.1x44d40. I removed all the unified-access-control configuration on the SRX, committed, and then reconfigured the UAC settings, but still no luck.

Here is the UAC configuration on the SRX:

-------------------------------------------------------------------------------------------------------------------------------------------------------

set services unified-access-control infranet-controller MAG-UAC address 10.50.50.100
set services unified-access-control infranet-controller MAG-UAC interface reth1.50
set services unified-access-control infranet-controller MAG-UAC password [email protected]

set security policies from-zone Wifi to-zone Internet policy test-uac match source-address Arslan-1.12
set security policies from-zone Wifi to-zone Internet policy test-uac match destination-address any
set security policies from-zone Wifi to-zone Internet policy test-uac match application any
set security policies from-zone Wifi to-zone Internet policy test-uac then permit application-services uac-policy
set security policies from-zone Wifi to-zone Internet policy test-uac then log session-init

--------------------------------------------------------------------------------------------------------------------------------------------------------

Following is the output of a few show commands.

 

> show services unified-access-control status
node0:
--------------------------------------------------------------------------
Host           Address         Port   Interface     State
MAG-UAC        10.50.50.100    11123  reth1.50      connected

> show services unified-access-control roles
node0:
--------------------------------------------------------------------------
Name                                     Identifier
Trust-User                               0000000001.000005.0
Remediate-User                           1396270434.123514.0
Trust-Agentless                          1395391788.690864.0
GUAM                                     1395991600.414804.0
Guest-Users                              1395992372.36996.0
Corporate-Wifi                           1395994939.110403.0

> show services unified-access-control policies
node0:
--------------------------------------------------------------------------
Id    Resource                Action Apply        Role identifier
1     10.100.111.111:*        allow  selected     1396270434.123514.0
2     *:*                     allow  selected     0000000001.000005.0

> show services unified-access-control counters
node0:
--------------------------------------------------------------------------

(Counter command showing nothing...)


Should I use the source-identity in the security policy?

tgatewood_
Occasional Contributor

Re: UAC Policies on SRX not Functional After Junos Software Upgrade

With 12.1 you can get rid of the permit application-services line and use source-identity with normal SRX policies. I personally don't like the resource access policies that load from the UAC to the SRX.
arslan.nawaz_
Contributor

Re: UAC Policies on SRX not Functional After Junos Software Upgrade

Since we use the captive portal in the SRX UAC policy, if I don't use application-services in the security policies, then how can I redirect the users to UAC (captive portal)?

Second, I can't understand the behavior of the security policy. If I use source-identity with unauthenticated-user and uac-policy with application-services, the policy is bypassed (not matched even though the user is still unauthenticated), and if I do not use source-identity with the application-services uac-policy, the policy is matched but the policy does not allow the user traffic...


tgatewood_
Occasional Contributor

Re: UAC Policies on SRX not Functional After Junos Software Upgrade

You can still use the line for captive portal to force the unauthenticated users to the portal, but I wouldn't use the application services uac-policy to push resource access policies from uac.
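As an added illustration of the approach described in the two replies above (keep the captive-portal redirect for unauthenticated users, but enforce access with source-identity in ordinary SRX policies instead of resource access policies pushed from the UAC), here is a Junos configuration fragment. It is not configuration from this thread or from Juniper; it reuses the zone names (Wifi, Internet), the infranet-controller name MAG-UAC and the role name Corporate-Wifi that appear in the thread, while the captive-portal profile name uac-portal and the redirect URL are assumed placeholders that must be adapted to the actual deployment.

```junos
## Added example, not from the original thread. Assumes zones Wifi/Internet,
## infranet-controller MAG-UAC and UAC role Corporate-Wifi from the thread;
## the profile name uac-portal and the redirect URL are placeholders.

## Captive-portal profile: only unauthenticated traffic is redirected, and the
## redirect points at the UAC (MAG) login page.
set services unified-access-control captive-portal uac-portal redirect-traffic unauthenticated
set services unified-access-control captive-portal uac-portal redirect-url "https://10.50.50.100/"

## Policy 1 (evaluated first): users the SRX has not yet seen in the UAC auth
## table hit this policy and are sent to the portal. The captive-portal
## keyword keeps the redirect without relying on UAC resource access policies.
set security policies from-zone Wifi to-zone Internet policy uac-redirect match source-address any
set security policies from-zone Wifi to-zone Internet policy uac-redirect match destination-address any
set security policies from-zone Wifi to-zone Internet policy uac-redirect match application any
set security policies from-zone Wifi to-zone Internet policy uac-redirect match source-identity unauthenticated-user
set security policies from-zone Wifi to-zone Internet policy uac-redirect then permit application-services uac-policy captive-portal uac-portal
set security policies from-zone Wifi to-zone Internet policy uac-redirect then log session-init

## Policy 2: once the user is authenticated and holds the Corporate-Wifi role,
## policy 1 no longer matches and this plain SRX policy permits the traffic.
## Access control is expressed here, on the SRX, rather than in UAC resource
## access policies.
set security policies from-zone Wifi to-zone Internet policy corp-wifi-allow match source-address any
set security policies from-zone Wifi to-zone Internet policy corp-wifi-allow match destination-address any
set security policies from-zone Wifi to-zone Internet policy corp-wifi-allow match application any
set security policies from-zone Wifi to-zone Internet policy corp-wifi-allow match source-identity "Corporate-Wifi"
set security policies from-zone Wifi to-zone Internet policy corp-wifi-allow then permit
set security policies from-zone Wifi to-zone Internet policy corp-wifi-allow then log session-init session-close

## Anything else from Wifi to Internet (authenticated but without the role,
## or unknown identity) is explicitly denied and logged.
set security policies from-zone Wifi to-zone Internet policy deny-rest match source-address any
set security policies from-zone Wifi to-zone Internet policy deny-rest match destination-address any
set security policies from-zone Wifi to-zone Internet policy deny-rest match application any
set security policies from-zone Wifi to-zone Internet policy deny-rest then deny
set security policies from-zone Wifi to-zone Internet policy deny-rest then log session-init
```

Policy order matters: the unauthenticated-user policy must sit above the role-based permit, because Junos evaluates policies top-down and source-identity is resolved from the UAC authentication table for the client's source IP. After a commit, `show services unified-access-control authentication-table` shows which role the SRX has learned for a given address, and `show security policies policy-name corp-wifi-allow detail` confirms that the source-identity value is attached to the policy; if a user is listed with the expected role but still lands on the deny policy, the role string in the policy does not match the name the UAC pushes.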
tgatewood_
Occasional Contributor

Re: UAC Policies on SRX not Functional After Junos Software Upgrade

Are you still having this problem? It seems to be happening to our firewall again...