UAC deployment

pras_2903_
Occasional Contributor

UAC deployment

I am to deploy an IC4500 at a customer site. The deployment plan is 802.1X. I have only the IC4500 (no Infranet Controller).

I have 4 user VLANs. I have created another VLAN on the core for remediation, so in total I have five VLANs.

1) Should the IC controller internal interface connected to the core be trunk or access? Switches are all Juniper.

2) Since the remediation VLAN is an L3 interface on the core, if the user is placed on this VLAN because he does not fulfil the policy, wouldn't the user still be able to reach all the subnets?

3) Is a certificate necessary in my scenario?

4) Cisco IP phones are deployed in the network. How can I bypass the IP phones from UAC?

5) Can anyone provide step-by-step configuration on deploying the UAC for 802.1x? I went through documents from Juniper; unfortunately everything involves the Infranet Controller.


Regards

Prasanth George

Kashif_
Occasional Contributor

Re: UAC deployment

Hi Prasanth

IC4500 is the Infranet Controller, also known as the Unified Access Controller (UAC).

How many users do you have, and how are they spread across the access switches?

1) Should the IC controller internal interface connected to the core be trunk or access? Switches are all Juniper.

It can be access or trunk, or Layer 3 as well; it depends on how many users and VLANs you have.

2) Since the remediation VLAN is an L3 interface on the core, if the user is placed on this VLAN because he does not fulfil the policy, wouldn't the user still be able to reach all the subnets?

You can configure your remediation VLAN with an access list on its interface, or you can use host enforcement when assigning a role to the user to limit the host's traffic.

3) Is a certificate necessary in my scenario?

A certificate is used to encrypt credential information from the endpoint to the IC. You can use the IPsec option too.. Not so sure about this.

4) Cisco IP phones are deployed in the network. How can I bypass the IP phones from UAC?

You can build an auth server of MACs in the IC for these, or use third-party software like Great Bay.

5) Can anyone provide step-by-step configuration on deploying the UAC for 802.1x? I went through documents from Juniper; unfortunately everything involves the Infranet Controller.

You can refer to the Quick Start guide on the Juniper website.

Regards

Kashif
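As an added illustration of the access-list option Kashif gives for question 2 (this is example configuration written for this thread, not the original poster's setup, Kashif's, or Juniper's documentation): on a Junos EX core switch the remediation VLAN keeps its Layer 3 interface, so quarantined hosts still obtain an address and can reach the remediation servers, but a stateless firewall filter on that interface discards everything else. Being on a routed VLAN therefore does not by itself mean reaching every subnet. VLAN 210 is taken from Prasanth's later post; the addresses (10.210.0.1/24 for the routed VLAN interface, 10.10.0.50 for the remediation server, 10.10.0.53 for DNS, 10.10.0.20 for the IC) and the filter and term names are assumed placeholders. Lines starting with # are comments for the reader.

```junos
# Assumed placeholders (not from the thread): remediation VLAN 210 with
# RVI 10.210.0.1/24; remediation/patch server 10.10.0.50; DNS 10.10.0.53;
# IC internal interface 10.10.0.20. Adjust to your own addressing.
set vlans remediation vlan-id 210
set vlans remediation l3-interface vlan.210
set interfaces vlan unit 210 family inet address 10.210.0.1/24

# Stateless filter evaluated on packets arriving FROM the remediation VLAN.
# Terms are matched top to bottom; the last term discards whatever is left.
# 1. DHCP, so quarantined hosts can still obtain an address via the relay.
set firewall family inet filter remediation-only term allow-dhcp from protocol udp
set firewall family inet filter remediation-only term allow-dhcp from destination-port 67
set firewall family inet filter remediation-only term allow-dhcp then accept
# 2. DNS to the internal resolver only.
set firewall family inet filter remediation-only term allow-dns from destination-address 10.10.0.53/32
set firewall family inet filter remediation-only term allow-dns from protocol udp
set firewall family inet filter remediation-only term allow-dns from destination-port 53
set firewall family inet filter remediation-only term allow-dns then accept
# 3. The remediation server (patches, AV updates) and the IC itself, which the
#    agent still needs to reach to re-check the host and report compliance.
set firewall family inet filter remediation-only term allow-remediation from destination-address 10.10.0.50/32
set firewall family inet filter remediation-only term allow-remediation from destination-address 10.10.0.20/32
set firewall family inet filter remediation-only term allow-remediation then accept
# 4. Everything else, including the four user VLANs, is counted and dropped, so
#    "show firewall filter remediation-only" shows what quarantined hosts tried.
set firewall family inet filter remediation-only term deny-rest then count remediation-drops
set firewall family inet filter remediation-only term deny-rest then discard

# Apply it inbound on the remediation VLAN's routed interface.
set interfaces vlan unit 210 family inet filter input remediation-only
```

The filter is inbound on the routed interface, which is the direction that matters here: it governs what a quarantined host can reach, not what can reach it. Two destination addresses in one term are matched as alternatives, which is why the remediation server and the IC share a term. If the agent on the endpoint also needs other services (for example an internal update proxy), add them as explicit accept terms before deny-rest rather than widening the existing ones.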

pras_2903_
Occasional Contributor

Re: UAC deployment

I did a trial test today with one user VLAN and the remediation VLAN. If the policies are fulfilled, I am placed on the correct VLAN. If I do not have the required policy, I lose my network connectivity, with the agent replying that my security policies are not compliant.

I already have both VLANs mapped under the RADIUS attributes: user profile on VLAN 10 and remediation profile on VLAN 210. Any help in this regard?

Regards

Prasanth George

Kashif_
Occasional Contributor

Re: UAC deployment

Are you using a Layer 3 or Layer 2 topology?

How are you mapping non-compliant users to the quarantine role?

harry.voip_
Occasional Contributor

UAC deployment

Hi

I'm new to UAC.

I would like to achieve a few things in my deployment:

  1. What is the difference between Realm & Group (Admin Realm & Admin Group)?
  2. I'm trying to perform Auth & Host Check; only successful users will reach the LAN, else others will reach the Remedial VLAN.
  3. I'm going with Agentless (hence the endpoint PC will not have a UAC agent).
  4. I will ask the user to access the URL - https://ic4500.com/user1 >>>>> user1 is a group & the URL will point to the Internal Interface.
  5. Initially, should the PC have an IP to reach the IC? If so, that means I'm allowing a PC to get into the LAN to reach the IC!
  6. I don't want to do that; is there any other way to achieve it? The PC should reach the IC without being part of the trusted LAN.
  7. What will be the typical deployment setup?

I could have used 802.1x if the IC acted as a RADIUS server, but I have a dedicated LDAP server.

Please assist

Regards

Harry

kalagesan_
Super Contributor

Re: UAC deployment

Hi Harry,

Please find my response to your queries:

1. What is the difference between Realm & Group (Admin Realm & Admin Group)?

Admin realms in the IC are used for managing the IC, where a realm is mapped to an admin sign-in page of the IC admin UI. An admin realm maps admin roles and the corresponding admin authentication servers to manage admin user authentication to the IC.

Groups are used in backend authentication servers like LDAP and AD, where the domain admin, user and computer groups come into the picture.

Please refer to Chapter 12 on realms in the IC admin guide for more information. You can access the admin guide from the URL below:

http://www.juniper.net/techpubs/en_US/uac4.3/information-products/topic-collections/Junos-Pulse-Acce...

UAC deployment information is also documented in the above guide; I have the page numbers for reference.

Understanding Access Control Service Deployment Options, page #10
Deploying the Access Control Service Solution to Users, page #16
Junos Pulse Access Control Service Deployment Summary, page #18

2. I am trying to perform Auth & Host Check; only successful users will reach the LAN, else others will reach the Remedial VLAN.

Yes, this is possible through the IC solution.

3. I am going with Agentless (hence the endpoint PC will not have a UAC agent). I will ask the user to access the URL - https://ic4500.com/user1 >>>>> user1 is a group & the URL will point to the Internal Interface. Initially, should the PC have an IP to reach the IC? If so, that means I'm allowing a PC to get into the LAN to reach the IC! I don't want to do that; is there any other way to achieve it? The PC should reach the IC without being part of the trusted LAN. What will be the typical deployment setup?

A. With agentless access, host checking options are easily possible.

B. With agent-based access, both host checking and VLAN mapping are possible.

The above requirement can be easily achieved using the Layer 2 authentication method with 802.1x enabled on the RADIUS client (switch), and you can also optionally enable the RADIUS VLAN attribute policies on the IC. For this you can use either the agent-based (OAC) or the Windows native supplicant at the endpoints.

4. I could have used 802.1x if the IC acted as a RADIUS server, but I have a dedicated LDAP server.

You can integrate your LDAP server in the IC, and 802.1x authentication is possible through the IC with LDAP server integration.

NOTE: Please mark this post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks!!

Regards,
Kannan
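As an added worked example of the Layer 2 method Kannan describes (802.1x on the switch as RADIUS client, VLAN assignment by RADIUS attribute from the IC) combined with the MAC authentication for phones that Kashif suggested in his answer 4, here is what the access-switch side looks like on a Junos EX switch. This is example configuration written for this thread, not Juniper's documentation and not either poster's configuration. The IC address 10.10.0.20, the shared-secret placeholder, voice VLAN 100, port ge-0/0/1 and the profile and VLAN names are assumptions; VLAN 10 and 210 are the values from Prasanth's post. The IC side is not shown: its RADIUS attribute policy for a role returns the standard RFC 3580 attributes Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID=<VLAN id or name>, which is what the switch acts on. Lines starting with # are comments for the reader.

```junos
# Assumed placeholders (not from the thread): IC internal interface 10.10.0.20
# acting as RADIUS server; shared secret REPLACE-ME; user VLAN 10;
# remediation VLAN 210; voice VLAN 100; a PC daisy-chained behind a Cisco
# phone on ge-0/0/1.

# To the switch the IC is simply a RADIUS server, so this entry and the
# RADIUS client entry for this switch on the IC must use the same secret.
set access radius-server 10.10.0.20 secret "REPLACE-ME"
set access profile ic-dot1x authentication-order radius
set access profile ic-dot1x radius authentication-server 10.10.0.20
set protocols dot1x authenticator authentication-profile-name ic-dot1x

set vlans users vlan-id 10
set vlans remediation vlan-id 210
set vlans voice vlan-id 100

# Phone and PC share the port, so each MAC address is authenticated on its own.
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
# The phone has no 802.1X supplicant: when EAP times out the switch falls back
# to MAC RADIUS and sends the phone's MAC as username and password to the IC,
# where a MAC address authentication server decides. Without "restrict" the PC
# on the same port still authenticates with EAP.
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius
# Hosts normally get VLAN 10 or 210 from the IC's RADIUS VLAN attribute policy.
# If the IC answers Access-Reject instead (the lost-connectivity symptom earlier
# in the thread, e.g. when the non-compliant role is not mapped to a VLAN), put
# the host in remediation rather than leaving the port dead; VLAN 10 is never
# reached this way.
set protocols dot1x authenticator interface ge-0/0/1.0 server-reject-vlan remediation
# If the IC is unreachable, fail closed into remediation, never open into VLAN 10.
set protocols dot1x authenticator interface ge-0/0/1.0 server-fail vlan-name remediation
# Re-run authentication, and with it the host check, every hour.
set protocols dot1x authenticator interface ge-0/0/1.0 reauthentication 3600

# Access port; the static data VLAN is only the default, RADIUS overrides it.
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members users
# Tag the phone's traffic onto the voice VLAN, advertised to the phone by LLDP-MED.
set ethernet-switching-options voip interface ge-0/0/1.0 vlan voice
set protocols lldp-med interface ge-0/0/1.0
```

The syntax above is the pre-ELS EX form; on ELS software the port configuration uses interface-mode instead of port-mode and the voice VLAN is configured under switch-options, but the dot1x and access statements are the same. server-reject-vlan and server-fail are safety nets for the two failure modes a NAC deployment has to decide on in advance (server says no, server does not answer); they do not replace mapping the non-compliant role to VLAN 210 on the IC, which is the question Kashif asked Prasanth earlier in the thread. Answers to question 1 of the original post follow from this too: the switch only needs IP reachability to the IC's internal interface for RADIUS, so whether that interface sits on an access or trunk port is purely a matter of how many VLANs the IC itself must be present in.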

kalagesan_
Super Contributor

Re: UAC deployment

Hi Harry,

To add a further note to my previous update: since this is a new deployment, I would also recommend that you work with your local Juniper account team, who can explain the UAC solution with a POC if needed, based on your requirements.

You can also open a case with JTAC Support for any configuration assistance.

Regards,
Kannan

harry.voip_
Occasional Contributor

Re: UAC deployment

Thanks for the reply.