
UAC and SPNEGO

SOLVED
Valued Contributor

UAC and SPNEGO

Has anyone implemented this? If so, any comments on exactly how it should work? I find the Juniper documentation to be totally useless. Multiple errors in it. Really no good explanation of how to use it, etc.

Sounds like an interesting concept. If only I could figure it out.

4 REPLIES
Super Contributor

Re: UAC and SPNEGO

Hi Mutt,

I have tested the SPNEGO solution with UAC with SRX as enforcer. It works as expected.

You should have SRX as enforcer connected to IC, and you should have the Windows AD Domain authentication server enabled in IC with Kerberos.

This is mainly used for agentless access and captive portal redirection; you need to have Integrated Authentication for Windows enabled in your browser.

The Juniper KBs below will give you more information with respect to troubleshooting.

KB24183-Troubleshooting SPNEGO SSO issues in IC 4.2Rx or later

KB25351-Can we add IC's machine account in back end AD for SPNEGO SSO

KB24435-Enforcer (SRX) integration with Source-Identity

Regards,

Kannan

Valued Contributor

Re: UAC and SPNEGO

Kannan - thanks for the reply. Appreciate the KBs and will check them out. A couple of comments:

1. My statement about the documentation stands - it has errors in it. I mentioned this to JTAC and they had no comment.

2. One question for you - from what I can tell, SPNEGO authorization is only initiated / functions under the following conditions: A - user is already logged into an AD Domain. B - user attempts to access a resource through a browser (80 / 443).

So if the user attempted to access a resource via another protocol (say ftp), SPNEGO would not trigger an authorization attempt through the UAC box. Am I correct in that assumption? I.e., is it like a "hidden" captive portal from a functionality perspective?

If I am right, then a follow-up question. User attempts to access a resource through the browser. Authorization occurs, access is granted. They then attempt an ftp - will that ftp be successful? Assumptions are that in the UAC the resource policy is defined to allow access to both the http and the ftp traffic.

Just trying to gain an understanding of how this works and when to use it. Again, I am coming to think of it as a captive portal solution with no credential entry.

Super Contributor

Re: UAC and SPNEGO

Hi Kevin,

Yes, your comment #2 & the understanding is correct.

User attempts to access a resource through the browser. Authorization occurs, access is granted. They then attempt an ftp?

Yes, FTP will be successful.

Hope this helps.

Regards,

Kannan

Valued Contributor

Re: UAC and SPNEGO

Thanks!