Solved: Re: UAC Users Role and Source IP

arslan.nawaz_ · ‎04-08-2014

Hi

I have a query about UAC. I have two roles. One is the "Users-Trust" and Second is the "Users-Wireless". Users-Trust role is for users who connected via network cable using Junos Pulse. User-Wireless role is for users who connected via wifi devices and the role is configured as Agentless.

The users with Users-Trust role have resource access policy with allow everything and I control thier accesses on SRX firewall on the basis of thier source ip addresses. However I configure the resource access policies for Wifi users as deny all the corporate network access and allow only direct internet access with cap portal.

Now the issue is as user connect on Cable he get the role "Users-Trust" and start using network resources. Later on user disconnect the cable and connect to wifi and as his session remains on UAC he starting using his same session with the new ip address (wifi dhcp ip). and start using the resources allow only to specific wifi users. I also configure role mapping policies for User-Wireless role allow this role only for specific users and not allow everyone.

As I understand when user switched to wifi his source ip is changed but his session was remain exist on device. UAC will not check user credientials/roles and start using the same session with new ip address.

I want to not allow user to use same session on UAC when his ip address is change.

Can any one help me......

Regards

Arslan Nawaz

arslan.nawaz_ · ‎04-08-2014

Hi

Now the problem is solved.

I notice that once user connected to UAC and assign a role (e.g. "Users-Trust") and then he disconnect the network cable and connect to Wifi start using his previous connection on UAC with the same role (i.e, "Users-Trust" instead of "Users-Wireless" ).

The problem is solved by adding the source ip restriction on role level. So if user changes his source IP he canÍt use the same role which he was already connected on the device and lost the connection. He needs to provide the credentials of "Users-Wireless" role in order to connect this new role.

Yes I can also restrict user on firewall policies via security policy source identity command. But this feature is available on Junos 12.1 while I am using Junos 11.4 (for high end srx devices still junos 11.4 is recommended by juniper. )

Thanks for the help

Regards

Arslan

View solution in original post

kalagesan_ · ‎04-08-2014

Hi Arslan,

I understand your issue.

I hope you are using one Authentication realm with one rolemapping rule for each role.

Can you have the Dynamic policy evaluation enabled with lesser value like 5- 10 minutes under Realms in IC admin GUI

Also have Refresh roles & Refresh resource policies enabled on the Realm.

Enabling this will ensure the policies are checked

Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks!

Regards,
Kannan

apaul_ · ‎04-08-2014

Listing below few other quick things to check

Under Role --> Session Option --> Disbale Roaming Session
If you are using dot1.x Enable Accounting on the switches.

Thanks

Ashish Paul

arslan.nawaz_ · ‎04-08-2014

Thanks Kanann/Ashish Paul

@Kanan

No... I am using the two different realms for both roles. Reason is because I want to ensure that all the users with role "Users-Wireless" will get agent less connection with no client installation. and the all the users with "Users-Trust" role will have option to install the pulse client via web. I configure two different realms and sign in policies for both roles.

If i configure the same realm and segregate users on the basis of role mapping, then users with role "Users-Wireless" will also start junos pulse client installation whereas we want to get them connected to UAC directly (means no pulse client installation - only the agent less connection).

With dynamic policy evaluation the minimum time I can set for role evaluation is 5 minute. Or I need to manually refresh the role. It means users still can use his active session with the same role but with new IP address. And as the end user IP is change the user remain connected to UAC (using his previious UAC session with new IP address) and with same role. It means however his role is not change on UAC but as his IP is change and he is already authenticated on UAC he start using unauthorized accesses on the basis of his sourece IP address.

@Ashish

I disable the Roaming Session option on all the roles. I am using L3 enforcement no 802.1x.

arslan.nawaz_ · ‎04-08-2014

Hi

Now the problem is solved.

I notice that once user connected to UAC and assign a role (e.g. "Users-Trust") and then he disconnect the network cable and connect to Wifi start using his previous connection on UAC with the same role (i.e, "Users-Trust" instead of "Users-Wireless" ).

The problem is solved by adding the source ip restriction on role level. So if user changes his source IP he canÍt use the same role which he was already connected on the device and lost the connection. He needs to provide the credentials of "Users-Wireless" role in order to connect this new role.

Yes I can also restrict user on firewall policies via security policy source identity command. But this feature is available on Junos 12.1 while I am using Junos 11.4 (for high end srx devices still junos 11.4 is recommended by juniper. )

Thanks for the help

Regards

Arslan

kalagesan_ · ‎04-08-2014

Hi Arslan,

I am glad that you resolved the issue by using source ip restriction

Regards,

Kannan