Junos Pulse Access Control Service

Transcription

1 Junos Pulse Access Control Service RADIUS Server Management Guide Release 4.4 Published: Part Number:

2 Juniper Networks, Inc rth Mathilda Avenue Sunnyvale, California USA This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright , Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain. This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto. This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, The Regents of the University of California. All rights reserved. GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton s EGP, UC Berkeley s routing daemon (routed), and DCN s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates. This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent s. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785. Junos Pulse Access Control Service RADIUS Server Management Guide Revision History February 2013 Release revision only, no new information The information in this document is current as of the date on the title page. END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA. ii

3 Table of Contents Chapter 1 Features of the RADIUS Appliance RADIUS Appliance Overview RADIUS Features Added with a RADIUS License Supported EAP Types UAC Features t Available with a RADIUS License Chapter 2 Configuring the RADIUS Server RADIUS Server Configuration Overview Configuring the RADIUS Server Chapter 3 Upgrading from the RADIUS Server to UAC Upgrading from a RADIUS-Only System Chapter 4 RADIUS License FAQ FAQ Chapter 5 Feature Comparison IC RADIUS Server and Steel-Belted RADIUS Feature Comparison Chapter 6 Index Index iii

4 Junos Pulse Access Control Service RADIUS Server Management Guide iv

5 CHAPTER 1 Features of the RADIUS Appliance RADIUS Appliance Overview RADIUS Appliance Overview on page 5 RADIUS Features Added with a RADIUS License on page 7 Supported EAP Types on page 8 UAC Features t Available with a RADIUS License on page 8 A RADIUS license allows you to use the IC Series device as a RADIUS appliance with all other unrelated UAC features disabled on the system. NOTE: The term IC Series Device replaces the term Infranet Controller. Both terms refer to the same device. To apply your initial license or to upgrade your license, select System > Configuration > Licensing in the left navigation pane. You can upgrade to a fully functional UAC at any time with the addition of an endpoint user license. As a RADIUS appliance, the IC Series device receives the endpoint connection request, authenticates the user, and then returns the configuration parameters required to provision the connection using RADIUS attributes. The IC Series device can also serve as a proxy client to external RADIUS servers to offload authentication requests. RADIUS is an industry-standard protocol for providing authentication, authorization, and accounting services. Authentication is the process of verifying a user s identity and associating additional information (attributes) to the user s login session. Authorization is the process of determining whether the user is allowed on the network and of controlling network access values based on a defined security policy. Accounting is the process of generating log files that record session statistics to be used for billing, system diagnosis, and usage planning. A RADIUS-based remote access environment typically involves the following four types of components: 5

6 Junos Pulse Access Control Service RADIUS Server Management Guide An access client is a user who initiates a network connection. An access client might be a user dialing in to a service provider network, a router at a small office or home office connecting to an enterprise network to provide network access, or a wireless client connecting to an 802.1X access point. Supported supplicant access clients include Odyssey Access Client, Junos Pulse, and non-juniper supplicants. A network access device (NAD), also called a RADIUS client, is a device that recognizes and processes connection requests from outside the network edge. A NAD can be a wireless access point, a modem pool, a network firewall, or any other device that authenticates users. When the NAD receives a user s connection request, it might perform an initial access negotiation with the user to obtain identity/password information. The NAD then passes this information to the RADIUS server as part of an authentication and authorization request. The RADIUS server (in this case, the IC Series device ) matches data from the authentication and authorization request with information in a trusted database. If a match is found and the user s credentials are correct, the RADIUS server sends an Access-Accept message to the NAD. If a match is not found or if a problem is found with the user s credentials, the server returns an Access-Reject message. The NAD then establishes or terminates the user s connection. The NAD might also forward accounting information to the RADIUS server to document the transaction, and the RADIUS server might store or forward this information as needed to support billing for the services provided. In some networks, a back-end authentication server, such as RSA or SecurID (an LDAP database) stores the information against which the authentication request is compared. In some cases, the back-end server passes information to the RADIUS server, which determines whether a match exists. In other cases, the matching is performed on the back-end server, which then passes an accept or reject result to the RADIUS server. Figure 1 on page 7 illustrates a simple RADIUS environment. 6

7 Chapter 1: Features of the RADIUS Appliance Figure 1: IC Series Device as a RADIUS Appliance RADIUS Features Added with a RADIUS License When you apply your RADIUS appliance license, the applicable IC Series Device screens become available. You access most of the RADIUS configuration pages from the Network Access menu item available from the UAC category. Table 1 on page 7 describes the features on the main RADIUS configuration pages: Table 1: Main RADIUS Configuration Pages Feature Description RADIUS Dictionary The RADIUS server uses dictionary files to store lists of RADIUS attributes, and to parse authentication and accounting requests and generate responses. RADIUS Vendor Vendor-specific dictionary files often help complete connections. The RADIUS server supports a large number of NADs that use vendor-specific dictionary files. Location Group RADIUS location groups allow you to assign a sign-in policy to a user based on the NAD through which the user is connecting. RADIUS Client A RADIUS client is a network device or software application that contacts the RADIUS server in order to authenticate a user or to record accounting information about a network connection. 7

8 Junos Pulse Access Control Service RADIUS Server Management Guide Table 1: Main RADIUS Configuration Pages (continued) Feature Description RADIUS Attributes Return Attributes: RADIUS return attributes specify the return list attributes to an 802.1X NAD. Request Attributes: RADIUS request attributes enforce the ability to process authentication requests based on information in the RADIUS packet before a connection can be authenticated. You assign RADIUS request attribute policies as a realm restriction. Attribute Logging: RADIUS attribute logging allows you to enable or disable authentication reporting for RADIUS authentication events. Some RADIUS configuration options are available only when the RADIUS license is applied and are not available in the main UAC RADIUS functionality. These configuration options are in addition to the RADIUS features that are included in the main UAC product but not documented in Junos Pulse Access Control Service. Table 2 on page 8describes these RADIUS license-only configuration options: Table 2: RADIUS License Only Features Feature Description Host Checker Custom: Statement of Health policy When you apply both a RADIUS license and an MS-NAP license, you can configure an Endpoint Security policy by way of the Host Checker policy. If you have only a RADIUS license, the Endpoint Security menu is not available. RADIUS User Count This feature allows you to create RADIUS users. To view the number of RADIUS users, select System > Status. The number of RADIUS users does not count against the concurrent user license if you have both a RADIUS license and a user license installed. Supported EAP Types RADIUS features that are not described in Table 2 on page 8 are part of the main UAC product and appear in RADIUS Server. The RADIUS appliance supports all EAP types and supplicants supported by the full-feature UAC product except EAP-JUAC. EAP-JUAC is the proprietary Juniper protocol used by Juniper clients. For a list of supported authentication protocols, see RADIUS Server. UAC Features t Available with a RADIUS License In the Junos Pulse Access Control Service, disregard sections that refer to unavailable UAC features. Instead, see Table 3 on page 9 for features that are not available if you have only a RADIUS license. 8

9 Chapter 1: Features of the RADIUS Appliance Table 3: UAC Features t Available with Only a RADIUS License Unavailable Feature Description IF-MAP Federation The Interface for the Metadata Access Point client and the server for sharing session information between connected devices are unavailable. Infranet Enforcer The part of UAC that enforces access policies is unavailable. Host Enforcer The part of UAC that specifies the types of traffic the Odyssey Access Client allows or denies on endpoints is unavailable. UAC Agent The UAC Agent download link is unavailable, along with all corresponding agent functionality. Sensors System > Configuration > Sensors is unavailable. Agent and Agentless User Roles (Users>User Roles><user role name> > General > Overview) Agent and Agentless tabs do not appear on the Overview page. Also unavailable are the following check boxes: UI options, Odyssey Settings for IC Access, Odyssey Settings for Preconfigured Installer, Enable Guest User Account Management Rights. Browser (Users>User Roles><user role name>>general>restrictions) The Browser tab does not appear on the Restrictions page. Session Options (Users>User Roles><user role name>>general>session Options) Heartbeat Interval, Heartbeat Timeout, Enable Session Extension check box, and the Roaming session section are removed from the Session Options screen. Session Migration (Users>User Realms><user realm name>>users>general) The Session Migration check box does not appear on the General tab. Browser (Users>User Realms>Users>Authentication Policy) The Browser tab does to appear on the Authentication Policy page. 9

10 Junos Pulse Access Control Service RADIUS Server Management Guide 10

11 CHAPTER 2 Configuring the RADIUS Server RADIUS Server Configuration Overview on page 11 Configuring the RADIUS Server on page 11 RADIUS Server Configuration Overview This topic describes the features that are enabled when you apply the RADIUS license. It does not provide configuration or setup instructions. Because the RADIUS license enables a subset of features that are part of the larger UAC product, RADIUS server instructions are documented in RADIUS Server. You can also refer to Task Guidance in the UAC admin console which directs you through the basic steps of configuring the device. Table 4 on page 11 outlines the general steps to configure the Infranet Controller as a RADIUS server. Refer to RADIUS Server for full configuration instructions. Table 4: Summary of Actions for Configuring the RADIUS Server Action Configure authentication servers (or use the local server) Configure sign-in pages Configure roles and realms Configure sign-in policies, add realms and authentication protocols Configure RADIUS policies Configuring the RADIUS Server To configure the RADIUS Server: 1. If you have not already done so, install the IC Series Device. For installation instructions, see Deployment Scenario. 2. If you have not already done so, apply a RADIUS license to the IC Series Devicer. 11

12 Junos Pulse Access Control Service RADIUS Server Management Guide 3. Configure user authentication and authorization on the IC Series Device by setting up roles, authentication and authorization servers, and authentication realms. a. Define user and administrator roles. Roles define user session parameters or agent options. The IC Series Device is preconfigured with one user role (Users) and two administrator roles (Administrators and Read-Only). b. Define authentication and authorization servers. Authentication and authorization servers authenticate user credentials and determine user privileges within the system. The IC Series Device is preconfigured with one local authentication server (System Local) to authenticate users and one local authentication server (Administrators) to authenticate administrators. You must add users either to the local authentication server or to external authentication servers. c. Define authentication realms. Authentication realms contain policies specifying conditions the user or administrator must meet to sign in to the IC Series Device. When configuring an authentication realm, you must create rules to map users to roles and specify which server (or servers) the IC Series Device must use to authenticate and authorize realm members. The IC Series Device is preconfigured with one realm (Users) that maps all users authenticated through the System Local server to the Users role. The IC Series Device is also preconfigured with one realm (Admin Users) that maps all users authenticated through the Administrators server to the Administrators role. NOTE: The IC Series Device modifies user names that contain spaces or characters that are not valid for UAC. For example, user names with spaces appear in auth table entries as one word, and user names with quotation marks appear without the quotes. 4. Configure policies to allow the IC Series Device RADIUS server to work with your NAD. If you have not already done so, install and configure the 802.1X NADs on your network. To determine compatible devices, see 4.2R1 Supported Platforms. 12

13 CHAPTER 3 Upgrading from the RADIUS Server to UAC Upgrading from a RADIUS-Only System on page 13 Upgrading from a RADIUS-Only System Upgrading from a RADIUS-only appliance to a full-featured UAC system requires only that you add a valid UAC user license to the system. After you add the license, all UAC features become available. After you upgrade to UAC, be sure to review your system configuration. For example, for realms and roles, you now have many more features available. Default settings are automatically assigned to those features after the upgrade, and you must ensure that those defaults are appropriate for your system. Also, authentication protocol sets can support EAP-JUAC after you add the UAC license. Therefore, consider updating your configured authentication protocols sets to include EAP-JUAC for concurrent user sessions. 13

14 Junos Pulse Access Control Service RADIUS Server Management Guide 14

15 CHAPTER 4 RADIUS License FAQ FAQ FAQ on page 15 Can OAC EE, OAC FE and OAC UE licenses all work with the RADIUS license?, with only standards-based protocols (no JUAC). Do any of the clients named in the previous question require OAC-ADD-UAC licenses?, OAC-ADD-UAC licenses only add features needed by UAC. Does the RADIUS license support all EAP types including JUAC? It supports all protocols except JUAC. Since JUAC is not supported, does the RADIUS license require a protocol change if there is an existing OAC running EAP JUAC over TTLS?, but only if JUAC is the only configured inner protocol. The server will NAK any attempt to do JUAC. 15

16 Junos Pulse Access Control Service RADIUS Server Management Guide 16

17 CHAPTER 5 Feature Comparison IC RADIUS Server and Steel-Belted RADIUS Feature Comparison on page 17 IC RADIUS Server and Steel-Belted RADIUS Feature Comparison Feature Fully Licensed Infranet Controller UAC 4.1 RADIUS Server Licensed Infranet Controller UAC 4.1 Steel-Belted Radius/EE Version 6.1 Steel-Belted Radius/GEE version 6.1 Authentication Methods RSA Authentication Manager Windows Active Directory or Domains Windows Machine Authentication AD generated Credentials Windows Machine Authentication Certificate based User certificates UNIX users: Solaris and Linux SQL LDAP LDAP Java Scripting Optional add-on Proxy RADIUS Authentication vell edirectory RADIUS authentication* Native MAC Authentication 17

18 Junos Pulse Access Control Service RADIUS Server Management Guide Authentication Protocols PAP CHAP, MS-CHAP, MS-CHAP-V2 EAP-TTLS (EAP-JUAC, PAP, CHAP, MS-CHAP, MSCHAP- V2 as inner methods) (PAP, CHAP, MS-CHAP, MSCHAP- V2 as inner methods) (PAP, CHAP, MS-CHAP, MSCHAP- V2 as inner methods) (PAP, CHAP, MS-CHAP, MSCHAP- V2 as inner methods) EAP-PEAP (EAP-JUAC, GTC, MS-CHAPV2 as inner methods) (MD5, GTC, MS-CHAPV2 as inner methods) (MD5, GTC, MS-CHAPV2 as inner methods) (MD5, GTC, MS-CHAPV2 as inner methods) EAP-POTP (32) EAP-FAST EAP-MD5 EAP-LEAP EAP-TLS Host Checking Layer 2 Optional via SOH Feature License Layer 3 Session Management RADIUS Disconnect Message support Session Extension Mechanism Administration Tools Administration Client Centralized Configuration Management (NSM Based) (NSM Based) LDAP Configuration Interface (LCI) Optional add-on SNMP-based management 18

19 Chapter 5: Feature Comparison Dynamic Delivery of OAC/Pulse requires user license Server Statistics Server Statistics Via the Administration GUI Server Statistics Via LCI, if LCI is purchased Reporting Reports including User and administrator access logs. L2 User logs include Configurable Reject, Accept and Accounting Log messages including User and administrator access logs. User logs include Configurable Reject, Accept and Accounting Log messages including Current Sessions, Successful/Failed Authentication Requests, Unknown Client Requests, Invalid Shared Secret Requests including Current Sessions, Successful/Failed Authentication Requests, Unknown Client Requests, Invalid Shared Secret Requests, Locked Accounts Sys Log reporting Attribute Support Multi-vendor RADIUS client support Authentication Realm Selection using RADIUS Request Attributes Address Management IP address pools IPX address pools DHCP Logging Configurable local accounting Configurable debug logging, to a local text file SQL accounting Report logs RADIUS accounting Using Proxy RADIUS Using Proxy RADIUS 19

20 Junos Pulse Access Control Service RADIUS Server Management Guide Reliability Round robin authentication and accounting across SQL and LDAP databases, and directed realms, for redundancy and load balancing Failover to backup RADIUS/NAC server with session continuity * The IC will generate a RADIUS request using PAP as an authentication protocol, using RADIUS as another authentication method. This is different to forwarding a RADIUS request to another RADIUS server, which is known as RADIUS proxy. 20

21 CHAPTER 6 Index Index on page 23 21

22 Junos Pulse Access Control Service RADIUS Server Management Guide 22

23 Index E EAP types, supported...8 F FAQ...15 Features added by the RADIUS license...7 removed by the RADIUS license...8 R RADIUS appliance configuration requirements...11 RADIUS Server summary of steps for configuring...11 U upgrading

24 Junos Pulse Access Control Service RADIUS Server Management Guide 24