Junos Pulse Access Control Service

Transcription

1 Junos Pulse Access Control Service Odyssey Access Client Feature Guide Release 5.0 Published:

2 Juniper Networks, Inc North Mathilda Avenue Sunnyvale, California USA All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785. Junos Pulse Access Control Service Odyssey Access Client Feature Guide Release 5.0 All rights reserved. The information in this document is current as of the date on the title page. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year However, the NTP application is known to have some difficulty in the year END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA. ii

3 Table of Contents About the Documentation vii Documentation and Release Notes vii Supported Platforms vii Documentation Conventions vii Documentation Feedback ix Requesting Technical Support ix Self-Help Online Tools and Resources x Opening a Case with JTAC x Part 1 Overview Chapter 1 Using Odyssey Access Client Specifying the Client that Endpoints Use for Access Chapter 2 Licenses Using OAC Licenses with the IC Series Chapter 3 Windows Endpoints Understanding OAC Configuration Settings for Windows Endpoints Using the Preconfigured Installer for OAC on Windows Endpoints Chapter 4 Host Enforcer Using Host Enforcer Policies Part 2 Configuration Chapter 5 Initial Creating an Initial Configuration of OAC for Windows Endpoints Defining the Initial Configuration for OAC for Windows Preconfiguring OAC Using the Custom Installer Manually Configuring OAC for 802.1X (Windows or Macintosh) Chapter 6 Host Enforcer Use Case: Using a Host Checker Policy with the Host Enforcer Part 3 Administration Chapter 7 Access Control Service Deploying the Access Control Service Solution to Users Validating the IC Series Certificate Chapter 8 Macintosh Endpoints Provisioning Detailed Configuration Profiles for Macintosh OAC Endpoints iii

4 Odyssey Access Client Feature Guide Chapter 9 Manual Installation Manually Installing OAC iv

5 List of Tables About the Documentation vii Table 1: Notice Icons viii Table 2: Text and Syntax Conventions viii Part 1 Overview Chapter 3 Windows Endpoints Table 3: Initial OAC Configuration Settings Chapter 4 Host Enforcer Table 4: Before you Configure a Host Enforcer Policy Table 5: Examples of Specifying Resources in a Host Enforcer Policy v

6 Odyssey Access Client Feature Guide vi

7 About the Documentation Documentation and Release Notes Documentation and Release Notes on page vii Supported Platforms on page vii Documentation Conventions on page vii Documentation Feedback on page ix Requesting Technical Support on page ix Supported Platforms To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes. Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at For the features described in this document, the following platforms are supported: IC4500 IC6500 FIPS IC6500 MAG Series Documentation Conventions Table 1 on page viii defines notice icons used in this guide. vii

8 Odyssey Access Client Feature Guide Table 1: Notice Icons Icon Meaning Description Informational note Indicates important features or instructions. Caution Indicates a situation that might result in loss of data or hardware damage. Warning Alerts you to the risk of personal injury or death. Laser warning Alerts you to the risk of personal injury from a laser. Table 2: Text and Syntax Conventions Table 2 on page viii defines the text and syntax conventions used in this guide. Convention Description Examples Bold text like this Represents text that you type. To enter configuration mode, type the configure command: user@host> configure Fixed-width text like this Italic text like this Represents output that appears on the terminal screen. Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles. user@host> show chassis alarms No alarms currently active A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide RFC 1997, BGP Communities Attribute Italic text like this Text like this Represents variables (options for which you substitute a value) in commands or configuration statements. Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components. Configure the machine s domain name: [edit] root@# set system domain-name domain-name To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE. < > (angle brackets) Encloses optional keywords or variables. stub <default-metric metric>; viii

9 About the Documentation Table 2: Text and Syntax Conventions (continued) Convention Description Examples (pipe symbol) Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. broadcast multicast (string1 string2 string3) # (pound sign) Indicates a comment specified on the same line as the configuration statement to which it applies. rsvp { # Required for dynamic MPLS only [ ] (square brackets) Encloses a variable for which you can substitute one or more values. community name members [ community-ids ] Indention and braces ( { } ) ; (semicolon) Identifies a level in the configuration hierarchy. Identifies a leaf statement at a configuration hierarchy level. [edit] routing-options { static { route default { nexthop address; retain; } } } GUI Conventions Bold text like this Represents graphical user interface (GUI) items you click or select. In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel. > (bold right angle bracket) Separates levels in a hierarchy of menu selections. In the configuration editor hierarchy, select Protocols>Ospf. Documentation Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at If you are using , be sure to include the following information with your comments: Document or topic name URL or page number Software release version (if applicable) Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, ix

10 Odyssey Access Client Feature Guide or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC. JTAC policies For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at Product warranties For product warranty information, visit JTAC hours of operation The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: Search for known bugs: Find product documentation: Find solutions and answer questions using our Knowledge Base: Download the latest versions of software and review release notes: Search technical bulletins for relevant hardware and software notifications: Join and participate in the Juniper Networks Community Forum: Open a case online in the CSC Case Management tool: To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. Use the Case Management tool in the CSC at Call JTAC ( toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, see x

11 PART 1 Overview Using Odyssey Access Client on page 3 Licenses on page 5 Windows Endpoints on page 7 Host Enforcer on page 11 1

12 Odyssey Access Client Feature Guide 2

13 CHAPTER 1 Using Odyssey Access Client Specifying the Client that Endpoints Use for Access on page 3 Specifying the Client that Endpoints Use for Access For each role you create, you specify which client users must employ when they access that role. You can specify the following clients for each role on the Agent > General tab: OAC (for Windows or Macintosh endpoints) Pulse (for Windows or Macintosh endpoints) Agentless Host Checker client (for all platforms) Java agent (for Linux and Solaris endpoints) To provision OAC, select the Odyssey Settings for IC Access and/or Odyssey Settings for Preconfigured Installer check box to allow you to access Odyssey configuration options after you create a role. After you save the role, select Users > User Roles > Select Role > Agent, and then select the Install Agent for this role check box. Then select the Install Odyssey check box. To configure OAC access options select Users > User Roles > Select Role > Agent > Odyssey Settings. To provision Pulse, agentless access, or the Java agent, do not select the Odyssey check boxes when you create the role. To use the agentless access option, you create a role, then you select Users > User Roles > Select Role > Agentless, and select the Enable Agentless Access for this role check box. Then, configure agentless appearance options from the Users > User Roles > Select Role > General > UI Options tab. To specify the Java agent for a role, you create a role, then you select Users > User Roles > Select Role > Agent, and select the Install Java Agent for this role check box. To install Pulse on endpoints, you create a role, then you select Users > User Roles > Select Role > Agent, and select the Install Agent for this role check box. Then, select the Install Pulse check box. 3

14 Odyssey Access Client Feature Guide Then, you configure Odyssey access options from the Users > User Roles > Select Role > Agent > Pulse Settings tab. Related Documentation Creating an Initial Configuration of OAC for Windows Endpoints on page 19 Understanding Deployments with Junos Pulse Clients Configuring Agentless Access to Protected Resources Using the Java Agent Understanding User Roles 4

15 CHAPTER 2 Licenses Using OAC Licenses with the IC Series Using OAC Licenses with the IC Series on page 5 You can configure the Windows version OAC to download by default from the IC Series device. The downloaded edition contains all of the functionality in the Enterprise Edition, including an 802.1X wired and wireless supplicant. The currently installed IC Series device Endpoint License determines the maximum number of concurrent endpoints that can access OAC with the IC Series device. The FIPS Edition of the Windows version OAC can also be used with the IC Series device. All editions support the full OAC feature set and OAC Administrator. The licenses for the FIPS edition and Enterprise Edition must be purchased in addition to the IC Series device Endpoint License. To prevent user sessions generated by these two editions from increasing the concurrent user count against the IC Series device Endpoint License, you can install the OAC-Add-UAC license on the IC Series device. NOTE: You can use the FIPS edition of OAC with the non-fips edition of the IC Series device. In this case, data between OAC and an 802.1X switch is protected by FIPS-validated encryption. If you add a FIPS license to 64-bit OAC, the agent is an Enterprise Edition with no FIPS capability. The only advantage in using a FIPS licensed 64-bit OAC is that the agent can use xsec. FIPS is not supported on the Macintosh version of OAC. The FIPS license is accepted on the Macintosh version, but functionally the agent is equivalent to the Enterprise Edition. Related Documentation Using the Preconfigured Installer for OAC on Windows Endpoints on page 8 5

16 Odyssey Access Client Feature Guide 6

17 CHAPTER 3 Windows Endpoints Understanding OAC Configuration Settings for Windows Endpoints on page 7 Using the Preconfigured Installer for OAC on Windows Endpoints on page 8 Understanding OAC Configuration Settings for Windows Endpoints Table 3 on page 7 lists how initial settings are configured for OAC. Table 3: Initial OAC Configuration Settings The server adds these items to OAC: You use the server to preconfigure these settings: The server automatically configures these settings: Profile Name of profile instance in OAC. Login name. Options for using the user s Windows credentials or prompting user for login name and/or password. Outer authentication protocol Tunneled TLS (TTLS) or Protected EAP (PEAP). Personal certificate usage. Enables OAC to validate the server certificate Access Control Service Name of the Access Control Service in OAC. Server URL is sign-in URL. New profile is associated with the connection Trusted server Server name is common name specified in the server certificate. Trusted root CA certificate is added to OAC certificate properties for new trusted server. 7

18 Odyssey Access Client Feature Guide Table 3: Initial OAC Configuration Settings (continued) The server adds these items to OAC: You use the server to preconfigure these settings: The server automatically configures these settings: Adapter Configure the adapter that is actively being used to access the Access Control Service (wired or wireless adapter connected to an 802.1X-enabled network). Configure a second adapter of the other type. For example, if a wired adapter is used to access the Access Control Service, then automatically configure a wireless adapter. Do not add any adapters. Network If you add a wireless adapter, the network name (SSID), association mode, and encryption method. If you select WEP encryption, keys are generated automatically. Related Documentation Creating an Initial Configuration of OAC for Windows Endpoints on page 19 Defining the Initial Configuration for OAC for Windows on page 20 Specifying the Client that Endpoints Use for Access on page 3 Using the Preconfigured Installer for OAC on Windows Endpoints You can create a preconfigured installer for OAC that is downloaded to Windows endpoints using the Custom Installer in the Odyssey Client Administrator (OCA). The OCA is a utility that allows you to fully configure all of the OAC settings. A preconfigured installer contains the settings you configured using the OCA as well as certificates. The installer might also contain a license key and a flag indicating whether or not GINA is installed on the client. You must include the license key for OAC upgrades if you are upgrading to UAC from an earlier version. After you configure all of the settings with the OCA, you export the preconfigured installer as a.zip file to a directory that is accessible to the Access Control Service. You upload the preconfigured installer file from the Access Control Service admin console interface. The settings available in the OCA allow you to comprehensively control security and accessibility features for users who access the Access Control Service. For example, you can hide or disable the configuration icons on the sidebar of OAC, you can control whether or not endpoints can modify adapter settings, and you can configure settings to prevent endpoints from disabling OAC. The preconfigured installer downloads are role based. When you create new user roles, you can specify a preconfigured installer that you have created specifically for the role. You can configure a different OAC feature set for each role that you create. For example, you can create a client configuration with few restrictions for employee roles and a more 8

19 Chapter 3: Windows Endpoints restrictive configuration for visitor roles. Alternately, you can select the same configuration for different roles. When OAC is installed or upgraded on an endpoint, the preconfigured installer file is downloaded from the Access Control Service. The file that is downloaded depends on the authenticated user s role. If a user is assigned to more than one role, and the roles have different OAC preconfigured installer files, the settings from the first role assigned are retained. Related Documentation Preconfiguring OAC Using the Custom Installer on page 24 Defining the Initial Configuration for OAC for Windows on page 20 9

20 Odyssey Access Client Feature Guide 10

21 CHAPTER 4 Host Enforcer Using Host Enforcer Policies Using Host Enforcer Policies on page 11 Host Enforcer is a stateful packet filter that is built into OAC. You can configure Access Control Service Host Enforcer policies for OAC endpoints. Host Enforcer is not supported on Pulse. Host Enforcer is useful in situations where an Infranet Enforcer is not deployed in front of resources that you want to protect. Host Enforcer is not a replacement for a firewall. To use the Host Enforcer feature, you enable the Host Enforcer option on a role. OAC protects endpoints and resources by allowing only the incoming and outgoing traffic on the endpoints that you specify in the Host Enforcer policies for that role, in addition to the traffic allowed by default. You can configure Host Enforcer policies that allow users access only to the resources you specify. Host Enforcer provides these security functions: Protects endpoints from attacks coming from other endpoints and systems by allowing only the incoming and outgoing traffic you specify in the Host Enforcer policies for a role. Allows access to the resources you specify in the Host Enforcer policies for a role. This feature is useful for protecting resources that are not already protected by the Infranet Enforcer. If you enable the Host Enforcer option on a role and you do not specify any Host Enforcer policies for the role, OAC denies all traffic except for traffic that is explicitly allowed both by default and by rules in the Default Global Policy. The following types of traffic are allowed by default Host Enforcer internal rules. You cannot override these rules. TCP traffic on port 443 to and from the Access Control Service. UDP (IKE) traffic on port 500 to each Infranet Enforcer configured by the Access Control Service. 11

22 Odyssey Access Client Feature Guide UDP traffic on port 4500 to each configured Infranet Enforcer. This traffic is used for NAT traversal. WINS, DNS, and DHCP traffic. ICMP Echo Request (Send) and ICMP Echo Reply (Receive) You can send ping requests from endpoints to other hosts, and you can receive ping replies from other hosts back to endpoints for troubleshooting. Incoming echo requests and outgoing echo replies are blocked on the endpoint. Other hosts cannot ping the endpoint. ICMP Destination Unreachable (Receive only), ICMP Source Quench (Receive only), ICMP Time Exceeded (Receive only), ICMP Traceroute (Send only), ICMP Mobile IP Reg. Request (Send only), and ICMP Mobile IP Reg. Reply (Receive only). NetBios on ports 137/138 If the NetBios name service is used instead of or in addition to DNS, and NetBios datagram and session service for domain logins and file shares, NetBios is allowed by default. The following entries in the Default Global Rules policy can be modified. All ICMP and ESP traffic Outgoing TCP traffic on all ports Outgoing UDP traffic on ports 137 and 138 Since limited traffic is allowed by default, be sure to specify additional traffic you want to allow for a particular role or for all roles. For example, be sure to configure Host Enforcer policies to specify the incoming TCP traffic that you want to allow. You can specify traffic by changing the Default Global Rules policy or creating new Host Enforcer policies for particular roles. If you create a new policy, the system positions it at the top of the policy list in the Host Enforcer Policies page to allow your Host Enforcer policy settings to override the Default Global Rules policy or other policies below it. Use the arrow buttons on the Host Enforcer Policies page to rearrange the Host Enforcer policies in the order of enforcement priority. You can also specify the traffic you want to deny on an endpoint. For example, you can specify a policy that denies outgoing TCP traffic for a particular role, and then use the Default Global Rules policy placed below that policy to allow outgoing TCP traffic on all other roles. All of the Host Enforcer policies that apply to the current user s role(s) are enforced on the endpoint. Table 4: Before you Configure a Host Enforcer Policy Topic Detail Supported Client OAC is required for Host Enforcer. Host Enforcer is not supported on Pulse, Java agent, agentless endpoints, or non-juniper supplicants Default Global Rules If you delete the Default Global Rules policy and do not create any additional policies, Host Enforcer allows the types of traffic specified by the internal rules. 12

23 Chapter 4: Host Enforcer Table 4: Before you Configure a Host Enforcer Policy (continued) Topic Detail Access issues To avoid access problems on the endpoints, we recommend that you configure Host Enforcer policies to allow the specific traffic on endpoints before you enable the Host Enforcer option on a role Host Enforcer policies and resource access policies. Avoid creating Host Enforcer policies and Infranet Enforcer resource access policies that conflict with one another. For example, do not create a Host Enforcer policy that denies access to resources and an Infranet Enforcer policy that allows access. Multiple roles and Host Enforcer policies If a user is assigned multiple roles and each role has different Host Enforcer policies, the system pushes all of the Host Enforcer policies that apply to the user to the endpoint. However, the policies are evaluated in the order specified in the list in the Host Enforcer Policies page, and the allow or deny action is enforced for the first policy in the list that matches the resource and user s role. Updating Host Enforcer policies The Access Control Service downloads the Host Enforcer policies to the endpoint after the user signs in and is authenticated for the first time. If you change the Host Enforcer policies for the role while the user is signed in, the Access Control Service pushes the updated Host Enforcer policies to the endpoint. Updates to the Host Enforcer policies only occur while the user is signed in. Host Enforcer and the Infranet Enforcer Avoid creating rules that block traffic to protected resources behind the Infranet Enforcer. OAC disconnect If the endpoint becomes disconnected from the Access Control Service and OAC is still running, the Host Enforcer policies are no longer enforced on the endpoint. Multiple Access Control Service servers in a network You can enable the Require connection to this option in the Odyssey Configuration page to require an endpoint running OAC to connect to a particular server. This allows you to require enforcement of the Host Enforcer policies. ICMP traffic You can either allow all incoming and outgoing ICMP traffic to all hosts, or use the default ICMP internal rules. That is, the only allowed ICMP configuration is: icmp://*:* and you cannot specify icmp://ip-addr/net-mask:port as you can for the other protocols. UDP traffic If you allow udp_out traffic, Host Enforcer keeps the current state by automatically allowing the corresponding UDP return traffic, even if there is no udp_in rule in the policy. Order of evaluation The resources are evaluated in the order specified in the Resources list box. To configure a Host Enforcer policy: 1. Select UAC > Host Enforcer. 2. Click New Policy. 13

24 Odyssey Access Client Feature Guide 3. On the New Policy page: For Name, enter a name to label this Host Enforcer policy. For Description, optionally enter a description. 4. For Resources, specify the traffic to allow or deny on the endpoints where this Host Enforcer policy applies to roles, one rule per line using the following syntax: [<protocol>://']<host>['/'<net mask>]':'<destinationports>[':'<sourceports>] where: protocol is either <ProtocolNumber> or <ProtocolText> ['_'<Direction>] where: ProtocolNumber is the IP protocol number. For example, the protocol number for UDP is 17. ProtocolText can be any of the following protocols specified as a text string: TCP, ICMP, UDP, or ESP If you do not specify a protocol, the rule applies to all of the allowed protocols. Direction is the direction of the traffic and specified as one of these two text strings: in or out. You can specify the traffic direction for TCP or UDP only. For example: tcp_out. If you do not specify a direction, for example, tcp, the rule applies to both inbound and outbound traffic. host is the IP address of the remote host. If you do not specify an IP address, the rule applies to all IP addresses. You cannot specify a host name in a Host Enforcer policy. You can only specify an IP address. netmask is the net-mask number or address of the remote host. If you do not specify a net-mask, the rule applies to a single IP address. DestinationPorts is a range or comma-delimited list of the destination ports for the outgoing traffic. SourcePorts is a range or comma-delimited list of the source ports of the incoming traffic. If you do not specify the source ports, the rule applies to all ports. Table 5: Examples of Specifying Resources in a Host Enforcer Policy Specify this protocol To allow tcp_out://*:21,80,443 Outgoing TCP traffic on ports 21, 80, and 443 only tcp_in:// / :*:20 Incoming FTP traffic from / on FTP server port 20 to all ports on the endpoint udp_in://*:* Incoming UDP traffic from all IP addresses to all ports on the endpoint icmp://*:* Incoming and outgoing ICMP traffic from all IP addresses to all ports on the endpoint 14

25 Chapter 4: Host Enforcer 5. In the Roles section, specify: Policy applies to ALL roles To apply this Host Enforcer policy to all users. Policy applies to SELECTED roles To apply this Host Enforcer policy only to users who are mapped to roles in the Selected roles list. Be sure to add roles to this list from the Available roles list. Policy applies to all roles OTHER THAN those selected below To apply this Host Enforcer policy to all users except for those who map to the roles in the Selected roles list. Be sure to add roles to this list from the Available roles list. 6. Under Action, specify whether to allow or deny the traffic you specified for Resources. For example, you can create a policy that denies outgoing TCP traffic for a particular role. 7. Click Save Changes. If you have not already done so, enable the Host Enforcer option on a role. To copy a Host Enforcer policy as a starting point for a new policy that you want to create, select the policy in the Host Enforcer Policies page, and then click Duplicate. Related Documentation Specifying Role Access Options 15

26 Odyssey Access Client Feature Guide 16

27 PART 2 Configuration Initial on page 19 Host Enforcer on page 29 17

28 Odyssey Access Client Feature Guide 18

29 CHAPTER 5 Initial Creating an Initial Configuration of OAC for Windows Endpoints on page 19 Defining the Initial Configuration for OAC for Windows on page 20 Preconfiguring OAC Using the Custom Installer on page 24 Manually Configuring OAC for 802.1X (Windows or Macintosh) on page 25 Creating an Initial Configuration of OAC for Windows Endpoints For Windows endpoints, you can preconfigure OAC with the settings required to connect to the Access Control Service. You can configure all of the settings for the client on a per-role basis. When the user first accesses the Access Control Service using a browser, the system automatically installs OAC on the user s computer. Each time the user accesses a protected resource, the OAC configuration settings you specify are used. NOTE: If OAC is already installed when the user signs in, configuration settings you specify except for the login name in the profile, all of the other configuration settings you specify on server overwrite any existing settings on the endpoint. You can create a unique set of configuration settings for each role. For example, you can create a role for users that use wired adapters, and another role for users that use wireless adapters. You determine whether or not OAC is installed at the role level. In the admin console there are two tabs under Odyssey Settings. The IC Access tab allows you to configure authentication and connection settings for OAC. The Preconfigured Installer tab provides an interface that allows you to upload a preconfigured version of OAC that you can deploy to users when they access a role. 19

30 Odyssey Access Client Feature Guide NOTE: OAC is automatically configured to use the authentication protocol settings in the default 802.1x authentication protocol set, which includes Juniper Networks JUAC protocol. If you want to use different protocols for authentication, you must configure a new protocol set, and you must configure matching settings on OAC. If you alter the protocol settings on OAC, the client functions only as a 802.1x supplicant for basic connectivity, and does not have any of the features of OAC such as Host Checker, role and realm restriction enforcement and connection with an Infranet Enforcer. Related Documentation Specifying the Client that Endpoints Use for Access on page 3 Provisioning Detailed Configuration Profiles for Macintosh OAC Endpoints on page 37 Using the Preconfigured Installer for OAC on Windows Endpoints on page 8 Understanding Access Control Service Authentication Protocols Defining the Initial Configuration for OAC for Windows To define the initial configuration of OAC: 1. In the admin console select Users > User Roles > New User Role from the left navigation bar. 2. Enter a name for this role in the Name box. 3. Select the Odyssey Settings for IC Access and Odyssey Settings for Preconfigured Installer check boxes to preconfigure OAC. 4. Click Save Changes. The roles configuration page opens with the name you entered for this role at the top of the page. 5. Click the Agent tab. The Install Agent for this role check box is selected by default. NOTE: You can continue configuring this role, or you can complete the configuration of OAC. 6. Select the Odyssey Settings tab. The IC Access configuration page is displayed. 7. Select an option for naming the profile and Access Control Service host in OAC: Use IC Series device's host name Specifies the name of the profile and the Access Control Service host in OAC. If the Access Control Service does not have a hostname configured, the URL for the Access Control Service or the redirect URL from a captive portal is used instead. Use this name Specifies the name of the profile and the Access Control Service host in OAC. 8. Under IC Series device, select Require connection to this IC Series device to require the enforcement of Host Enforcer policies on the endpoint that apply to the user s role. 20

31 Chapter 5: Initial This option requires OAC to always attempt to connect to this Access Control Service server and prevents the user from disconnecting from this server. The user also cannot delete the properties for this server from the OAC configuration. In effect, this option forces the enforcement of any applicable Host Enforcer policies whenever the endpoint is on the network. If the endpoint is not on the network or is unable to connect to the required Access Control Service server, the Host Enforcer policies are not enforced. 9. Under Profile, specify the settings to configure in the OAC profile: a. Under Login name, specify how you want to configure the Login name setting in the profile: Use qualified Windows login name (domain\user) configures the login name with the user s Windows domain name and username in the format domain name\username. Use this option if you are using an Active Directory authentication server that requires a domain name in addition to a username for authentication. Use unqualified Windows login name configures the login name with the user s Windows username only. Use this option for authentication servers that require a username only for authentication. Prompt for login name using the following prompt displays a dialog box for the user to enter a name during the initial OAC installation only. The login name is then configured and the user is not prompted again. You can also configure the text string used for the prompt in the dialog box. b. Select Permit login using password to enable password authentication, and then select an option for how OAC obtains user credentials to sign in: Use Windows password enables OAC to automatically authenticate the user by using the user s Windows password. During the initial OAC installation, the user must enter a password once. OAC automatically uses the Windows password after that. Prompt for password enables OAC to prompt the user to enter a password when the user is authenticated the first time after startup. OAC reuses the user s credentials for the duration of the Windows session. If you choose this option and if you have configured SSO, OAC does not prompt the user for the password. c. Specify whether to use Tunneled TLS (TTLS) or Protected EAP (PEAP) as the outer authentication protocol for traffic between OAC and the Access Control Service by selecting either Use EAP-TTLS as outer authentication protocol or Use EAP-PEAP as outer authentication protocol. If you select Use EAP-TTLS as outer authentication protocol and you want to use a client certificate as part of the EAP-TTLS authentication, select Use the user s certificate and perform inner authentication. This option uses EAP-TTLS certificate-based authentication and tunnels password credentials with inner authentication. Note that the most typical use of EAP-TTLS authentication is without a client certificate. 21

32 Odyssey Access Client Feature Guide If you select Use EAP-PEAP as outer authentication protocol and you want to use a client certificate as part of the EAP-PEAP authentication, select Inner authentication is required. NOTE: Enter a name in the Anonymous name box to enable users to appear to log in anonymously while passing the user s login name (called the inner identity) through an encrypted tunnel. As a result, the user s credentials are secure from eavesdropping and the user s inner identity is protected. If you enable the personal client certificate option, the Access Control Service automatically selects Permit login using my Certificate and Use automatic certificate selection in the OAC profile. d. Enter a name in the Anonymous name box to enable users to appear to log in anonymously while passing the user s login name (called the inner identity) through an encrypted tunnel. As a result, the user s credentials are secure from eavesdropping and the user s inner identity is protected. As a general rule, enter anonymous in the this box, which is the default value. In some cases, you may need to add additional text. For example, if the outer identity is used to route the user s authentication to the proper server, you might be required to use a format such as anonymous@acme.com. If you leave the Anonymous name box blank, OAC passes the user s login name (inner identity) as the outer identity. 10. (Only if you are using 802.1X enforcement) Under Adapters, specify the type of adapter you want to configure in OAC: Configure wired adapter(s) OAC configures the wired adapter on the user s computer that is actively being used to access the Access Control Service on an 802.1X-enabled network. If the user is accessing the Access Control Service through a wireless adapter during OAC installation, then OAC automatically configures a wired adapter for wired access to the Access Control Service at a later time. Configure wireless adapter(s) OAC configures the wireless adapter on the user s computer that is actively used to access the Access Control Service on an 802.1X-enabled network. If the user is accessing the Access Control Service through a wired adapter during OAC installation, then OAC automatically configures a wireless adapter to use for wireless access to the Access Control Service at a later time. Select this option only if the endpoint is connecting to the Access Control Service by using 802.1X. If you select this option, you must also configure the network name (SSID) under Network. You might also need to configure other Network properties, depending on your environment. 22

33 Chapter 5: Initial NOTE: On Windows systems, if you select Configure wireless adapter(s), Windows Wireless Zero Configuration (WZC) is disabled for the wireless adapter that OAC configures. If the user removes a wireless adapter from the local OAC configuration, the user must enable the adapter again by selecting Control Panel > Network Connections> adapter name > Properties > Wireless Networks and selecting the Use Windows to configure my network settings option. 11. (Only if you selected Configure wireless adapter) Under Network, specify the network settings you want to configure in OAC for wireless adapters: Network name (SSID) Specify the network name or service set identifier (SSID) of the wireless network to which you want OAC to connect. A network name can contain up to 32 alphanumeric characters and is case sensitive. You must enter the name correctly to connect successfully. For example: <MyCorpNet>. Association mode Specify the association mode you want OAC to use when associating to the access point hardware on the network: Open Connects to a network through an access point or switch that implements 802.1X authentication. Select this mode if users are not required to use shared mode or Wi-Fi Protected Access (WPA). WPA Connects to a network through an access point that implements WPA. WPA2 Connects to a network through an access point that implements WPA2, the second generation of WPA that satisfies i. Encryption method Specify the encryption method for OAC to use. The available choices depend on the association mode you select: None Uses 802.1X authentication without WEP keys. This option is available only if you configure access point association in open mode. This is a typical setting to use for wireless hotspots. WEP Uses WEP keys for data encryption. You can select this option if you selected open mode association. Select WEP encryption if the access points in the network require WEP encryption. OAC automatically generates the WEP keys. TKIP Uses the Temporal Key Integrity Protocol. Select TKIP if the access points in the network require WPA or WPA2 association and are configured for TKIP data encryption. AES Uses the advanced encryption standard protocol. Select AES if the access points in the network require WPA or WPA2 association and are configured for AES data encryption. NOTE: If you select WEP encryption, the Access Control Service automatically selects the Keys will be generated automatically for data privacy option in the OAC Network properties for the wireless adapter on OAC. 23

34 Odyssey Access Client Feature Guide 12. Click Save Changes. 13. In the admin console select Roles > user > General > Overview. Then select the Odyssey Settings for IC Access check box. Note that if the Odyssey Settings for Preconfigured Installer check box is selected, the options on the Odyssey Settings for IC Access page overwrite the options from the preconfigured installer. NOTE: Because the configuration settings you specify on the Access Control Service overwrite existing settings on the endpoint (except for login name), you can use the Odyssey Configuration page in the admin console to change settings for users. For example, to remove the requirement to connect to a particular Access Control Service host, clear the Require connection to this IC Series device check box in the sign-in policy. Then instruct users to access the server again using a browser to download OAC with the new setting. The settings you specify on the Odyssey Configuration page do not configure the settings for the OAC installer (called OdysseyAccessClient.msi) that you can manually download from the Installers page. However, after installation, you can instruct users to access the Access Control Service using a Web browser to automatically configure OAC using the configuration settings you specified on the Odyssey Configuration page. For more information see Related Documentation Configuring General Role Options Using Kerberos SSO Downloading Client Installer Files Preconfiguring OAC Using the Custom Installer To preconfigure OAC: 1. Open OAC Manager and select Tools > OAC Administrator from the OAC toolbar. The OCA console opens. 2. Configure all of the OAC settings that you want to apply for a preconfigured installer, including certificates and license. For more information see the Odyssey Access Client Administration Guide. 3. Double-click Custom Installer. 4. Select the Preconfiguration file option button. 5. Enter a name for the destination file. 24

35 Chapter 5: Initial 6. (Optional) Select Export license key and enter any valid license key (Enterprise or FIPS Edition) for the copies of OAC to distribute for a given role. 7. Click Browse to download the file to a selected location. NOTE: The download consists of a.zip file containing a properties.xml file with licenses and GINA settings, a preconfig.xml file, and certificates. 8. Click OK. 9. Select an existing role from the Users > User Roles page, or create a new role. 10. Select the Odyssey Settings for Preconfigured Installer check box. Note that if you also click the Odyssey Settings for IC Access check box, the options on that page will overwrite the options from the preconfigured installer. 11. Click the Edit link. 12. Click the Browse button and locate the file from the selected location. The preconfigured installer downloads the customized OAC version to all users who access the specified role. NOTE: If you do not create and upload an OAC configuration for a role, users who access that role get the factory default OAC version. Related Documentation Using the Preconfigured Installer for OAC on Windows Endpoints on page 8 Manually Configuring OAC for 802.1X (Windows or Macintosh) To manually configure OAC for 802.1X: 1. Double-click the OAC tray icon to display OAC Manager on the Windows version. Select the icon on the Macintosh version. 2. Configure a user profile in OAC: a. In the side pane of the OAC Manager, select Configuration > Profiles > Add. The Add Profile dialog box is displayed. b. Enter a name in the Profile box. c. Enter a name in the Login name box. 25

36 Odyssey Access Client Feature Guide d. Click the Password tab and select a password option. e. Click OK. 3. Configure OAC for 802.1X: a. From the side pane of the OAC Manager, click Configuration > Adapters > Add. The Add Adapter dialog box is displayed. b. Click either the Wireless or Wired 802.1X tab to choose an adapter. c. Select the adapter to use for 802.1X. d. Click OK. NOTE: If you do not see your wireless adapter in the list, select All Adapters. Make sure that the adapters that you select on the Wireless tab is wireless. You cannot configure OAC for wireless connections unless you have a wireless adapter installed. 4. Connect to a 802.1X wireless network: a. In the side pane of the OAC Manager, select Configuration > Networks > Add. The Networks dialog box is displayed. b. Specify the following settings for your wireless 802.1X network: Select the appropriate setting for Association mode. Select the appropriate setting for Encryption method. Select Authenticate using profile, and then select the profile you created earlier from the list box. Select Keys will be generated automatically for data privacy. 5. Connect to the network: a. In the side pane of the OAC Manager, select Configuration > Adapters and select the adapter you just added. b. If you are using a wired network, select the profile you just created from the Profile list on the right. If you are using a wireless network, select the wireless network you just added from the Network list on the right. c. Click Connect to the network. d. When you are prompted for a login name, sign in using the username you configured, and click OK. e. When you are prompted for a password, enter the password you configured, and click OK. 26

37 Chapter 5: Initial Related Documentation Manually Installing OAC on page 39 27

38 Odyssey Access Client Feature Guide 28

39 CHAPTER 6 Host Enforcer Use Case: Using a Host Checker Policy with the Host Enforcer on page 29 Use Case: Using a Host Checker Policy with the Host Enforcer This use case illustrates how to use a Host Checker policy to verify whether a particular third-party firewall is running on the endpoint. If the third-party firewall is not running, you can map the user to a role that enables Host Enforcer on the endpoint. If the third-party firewall is running, you can map the user to a role that does not enable Host Enforcer. To use a Host Checker policy with Host Enforcer: 1. Select Authentication > Endpoint Security > Host Checker. Then create a Host Checker policy that uses a Process Name rule to verify that a particular third-party firewall process is running on the endpoint. Select the Deny option for this policy. 2. Create a role that enables the Host Enforcer for users who do not have the third-party firewall running: a. Select Users > User Roles to create a new role (such as Role-1 ). b. Select Users > User Roles > RoleName > General > Restrictions > Host Checker, and add the Host Checker policy under Selected Policies, and select Allow users whose workstations meet the requirements specified by these Host Checker policies. c. Select Users > User Roles > RoleName > Agent, and select Enable Host Enforcer. 3. Select Users > User Roles, and create a second role (such as Role-2 ) that does not enable the Host Enforcer for users who do have the third-party firewall running. (For this role, do not select the Host Checker policy and do not select Enable Host Enforcer.) 4. Select Users > User Realms > RealmName > Role Mapping > Role Mapping Rule, and add both roles under Selected Policies. If the third-party firewall process is not running, the Host Checker policy is successful. The user is mapped to Role-1, which enables Host Enforcer. In this case, the endpoint is using Host Enforcer. If the third-party firewall process is running, the Host Checker policy fails because it is set to Deny. The user is not qualified for Role-1 because of the Host Checker restriction. 29