2) For redundant configuration, you need purchase one more hardware and one more license : IC4000-CL. Without this new license, the new hardware cannot be used. 4) You can configure the cluster in Active/Active configuration with an external Load Balancer. I have never configure this type of architecture. In Active/Passive Configuration, you configure one IP for IC4000 and one virtual IP. Stanislas ... View more

UAC Admin Guide, Section "Clustering"! ... View more

Hi, With old Cisco NAC Framework (based on Cisco ACS 4.0, not available on 5.X), you can authenticate users with cisco 802.1X switches and push ACLs in Cisco Routers and PIX. NAC Framework Host checker is based on DLL files which must be added and configured manually on host. This solution is not developped by Cisco since 2006/2007. Juniper permit to authenticate user for: - 802.1X Lan access with OAC Client (including host checker component) - 802.1X Wifi access with OAC Client (including host checker component) - 802.1X Lan access with Microsoft XPSP3, Vista SP1 802.1X supplicant and NAP host checker component - L3 Authentication (through HTTPS connection) with OAC client (including host checker component) - HTTPS authentication and Java / ActiveX hostchecker - Mac Address authentication for printers, IP phones, ... Host Enforcement can be done by: - Any 802.1x compatible switch - Juniper SSG/ISG/SRX Firewall with source based authorization for Clientless users - Juniper SSG/ISG/SRX Firewall with source based authorization for OAC clients - Juniper SSG/ISG/SRX Firewall with dynamic VPN for OAC clients (VPN client included in OAC) - Juniper SSG/ISG Firewall redirect HTTP connections to IC appliance for unauthenticated clients (non implemented in SRX) - Host enforcer (included in OAC) activate local firewall on OAC agent with rules based on Role identified by IC policy Juniper UAC is compatible with TNC components: - IF-TNCCS (NAP compatibility) - IF-MAP (Metadata Access Point) To deploy OAC agent, the procedure is: - Install OAC agent on admin host - Configure connection parameters according with company policy (authentication type, Machine authentication vs user authentication, SSID for wifi usage, ...) - create a MSI file based on this configuration - install MSI files through company solutions (AD GPO, Microsoft SMS, ...) ... View more

Hi, Guest VLAN is not managed by IC or any 802.1X Radius server. It is managed by the switch when no 802.1X supplicant is detected on the switch port. If no supplicant is negociating authentication with the switch after connection, three solutions are available : - Swich port is closed (Default mode) - Guest VLAN (VLAN ID configured in the switch configuration) - Mac Address Authentication which send : - Mac Address as Username - Combination of different values (Mac Address, switch port number, ...) as password (depend of switch capability) - EAP-MD5-Challenge as authentication Method In IC configuration, Mac Address authentication use "Mac Address Realm" to authenticate known non-802.1X hosts (printers, IPphones, ...) ... View more

The next configuration was validated on the version 12.1: C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA6, RELEASE SOFTWARE (fc1) aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius aaa accounting dot1x default start-stop group radius dot1x system-auth-control interface FastEthernet0/48 switchport mode access dot1x port-control auto dot1x timeout reauth-period server dot1x reauthentication spanning-tree portfast radius-server host XXXXXXXXX auth-port 1645 acct-port 1646 key <KEY> radius-server retransmit 3 ... View more

Hi, when you select VLAN in Radius Attribute Policy, it replace the following three attributes: Tunnel-Type : Set this to VLAN (type 13). Tunnel-Medium-Type : Set this to 802 (type 6) Tunnel-Private-Group-ID : Set this to VLAN ID. configuration of switch must contain (validated on 3750) : aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius aaa accounting dot1x default start-stop group radius dot1x system-auth-control radius-server attribute 8 include-in-access-req radius-server host XXXXXX auth-port 1645 acct-port 1646 key <KEY> interface FastEthernet0/48 switchport mode access dot1x pae authenticator dot1x port-control auto dot1x timeout reauth-period server dot1x reauthentication spanning-tree portfast ... View more

To configure UAC/802.1X with remediation VLAN, you need to: - create one role per authentication group with Host Checker restriction - create one role "Authenticated" without any Host Checker restriction - configure Role Mapping to add "Authenticated" role to all users authenticate. - create one "RADIUS Attributes" policy in last position to attribute Remediation VLAN to "Authenticated" role Stanislas ... View more

Hi, Organise You AD Architecture With OU and Move Computers on them. when the Certificate will be created on PC, it wil contain this organisation. After that, you have to create Role Mapping rules based On Certificate. in Attribute, enter OU. in "IS", enter the name of the OU. Regards, Stanislas Message Edited by StanislasP on 10-29-2008 08:05 PM ... View more

Hi, did you add Microsoft CA in Trusted Client CAs? In this CA properties, you need to validate - "Trusted for Client Authentication?" is checked - Verify Trusted Client CA is unchecked - Client certificate status checking is set to None Did you configure */ Sign-in URL to use you new Realm with 802.1X Protocol Set? (and only this one when using Machine authentication) On OAC, you need to configure the profile with these setting: - Logging Name : (erase default one) - on Password Tab, disable "permit login using Password" - on Certificate Tab, enable "permit login using my certificate" and check "use automatic Certificate selection" -on Authentication Tab, choose EAP-TTLS - on TTLS Tab, remove EAP-MS-CHAP-V2 and select : "Use my certificate and perform inner authentication" Validate Machine Certificate is installed on the PC: - open MMC - Add / Remove Snap-in Certificate / Computer Account. - The Certificate must be in personal folder if the Certificate is not installed, reboot the PC to apply Domain Security Policies and install Certificate (connected to the Network without 802.1x) regards, Stanislas Message Edited by StanislasP on 10-29-2008 07:24 PM ... View more

to configure Certificate Authentication, you need to : - add CA certificate (and all CA Chain Certificate) in Configuration / Certificates / Trusted Client Certificates. - Create Certificate Authentication server to authenticate users - Create LDAP Authentication server for Attribute Mapping if you want to attribute roles based on windows Groups. - Create a Realm with the two defined servers for Authentication and Directory. - Create roles Mapping on this Realm based on LDAP or Certificate fields. If you use LDAP for Role Mapping, LDAP server unavailability will cause Authentication Failure. That's why we used Certificates fields such as OU or Title to attribute differents roles for a customer with Certificate Authentication. so we did not use LDAP for Directory search. Regards, Stanislas ... View more

How did you configure authentication Server? AD/NT or LDAP. If you want to authenticate Machine and not User, prefer to use Machine Certificate Authentication. If you authenticate Machine with AD,Renewal of Machine Password (every 3 month) may cause sometimes error in authentication if the password used by Oddyssey is expired by AD. To configure Machine Certificate authentifcation in AD, install Microsoft CA on a server of the domain (Can be AD Server) and configure domaine security Policies to install certificates on each domain machine. This configuration is as simple as AD Authentication. Stanislas ... View more

Patch validation take a long time. (more than 30 second for only Windows Critical and important Patches). try to disable different host checks to identify witch component slow your authentication. ... View more