The previous post, Juniper UAC Appliance IC4500 Step by Step Configuration (Part 1), described the basic setup needed to get users authenticated by the UAC and how to configure the UAC device to interact with the SRX enforcer.
Here is Part 2. It shows how to set up certificate-based authentication instead of local UAC users, and walks through the steps needed to let the SRX and the UAC work together so that users can reach the protected resources. More related posts in this blog are listed below:
- Juniper UAC Appliance IC4500 Step by Step Configuration (Part 2) – Certificates based Authentication
- Pulse Secure (formerly Juniper Pulse) – UAC Configuration Summary
1. Change the Authentication mode from System Local to Cert Auth
2. Add user Role Mapping rules based on attributes of their certificates
3. Create new Resource Access Policies:
Note: These policies must cover the same resources as the SRX firewall policy rules that invoke the UAC service. The SRX only permits a session through a uac-policy rule when the IC has pushed a matching entry for the source address to the SRX; otherwise the traffic is dropped (or, in test-only-mode, logged and permitted).
4. Configure UAC Service on Juniper SRX
services {
    unified-access-control {
        infranet-controller ic4500 {
            address 10.9.2.14;
            interface reth4.204;
            password "$9$f5F/CA0hSeO1eWx7sYn/9A1R"; ## SECRET-DATA
        }
        inactive: test-only-mode;
        traceoptions {
            file uac-trace size 2m world-readable;
            flag all;
        }
    }
}
Note:
- The UAC device (Infranet Controller) IP address is 10.9.2.14; the SRX reaches it from reth4.204.
- The password is the shared secret configured for this enforcer on the IC; it is stored in obfuscated ($9$) form on the SRX.
- test-only-mode can be activated for testing. While active, the SRX does not drop traffic that the UAC policy would block; it logs the event instead. Deactivate it again before relying on the enforcer.
5. Configure SRX Firewall Policy Rule to Use UAC Service
from-zone UNTrusted to-zone Trusted {
    policy 41 {
        match {
            source-address n-10.0.0.0;
            destination-address h_10.4.2.18_FE_TS;
            application [ RDP junos-icmp-ping ];
        }
        then {
            permit {
                application-services {
                    uac-policy;
                }
            }
        }
    }
}
6. Verify
root@fw-uac1> show services unified-access-control status
Host        Address       Port    Interface    State
ic4500      10.9.2.14     11123   reth4.204    connected
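For reference, here is the complete SRX side of steps 4 to 6 in set form, so it can be pasted into a configuration session and committed as one unit. This is an added example, not configuration from the original post. The address-book entries and the custom RDP application are assumptions: the post names n-10.0.0.0 and h_10.4.2.18_FE_TS without showing their definitions, and the prefixes (10.0.0.0/8, 10.4.2.18/32), the zone-attached address book and RDP on tcp/3389 are my guesses. The shared secret is a placeholder.

```junos
## --- Step 4: UAC service pointing at the Infranet Controller ---
## The shared secret must match the enforcer entry created on the IC4500 (see Part 1).
set services unified-access-control infranet-controller ic4500 address 10.9.2.14
set services unified-access-control infranet-controller ic4500 interface reth4.204
set services unified-access-control infranet-controller ic4500 password "<shared-secret>"

## Activate test-only-mode only while testing: the SRX then logs instead of dropping
## traffic that the IC policy would block. Deactivate before going live.
set services unified-access-control test-only-mode
deactivate services unified-access-control test-only-mode

set services unified-access-control traceoptions file uac-trace size 2m world-readable
set services unified-access-control traceoptions flag all

## --- Objects referenced by the firewall policy (assumed definitions, not from the post) ---
set security zones security-zone UNTrusted address-book address n-10.0.0.0 10.0.0.0/8
set security zones security-zone Trusted address-book address h_10.4.2.18_FE_TS 10.4.2.18/32
set applications application RDP protocol tcp destination-port 3389

## --- Step 5: firewall policy that hands the permit decision to the UAC ---
set security policies from-zone UNTrusted to-zone Trusted policy 41 match source-address n-10.0.0.0
set security policies from-zone UNTrusted to-zone Trusted policy 41 match destination-address h_10.4.2.18_FE_TS
set security policies from-zone UNTrusted to-zone Trusted policy 41 match application RDP
set security policies from-zone UNTrusted to-zone Trusted policy 41 match application junos-icmp-ping
set security policies from-zone UNTrusted to-zone Trusted policy 41 then permit application-services uac-policy

commit check
commit comment "UAC enforcement for FE_TS via IC4500"

## --- Step 6: verify from operational mode ---
## Connection to the IC (expect State "connected" on port 11123):
run show services unified-access-control status
## Entries the IC has pushed for authenticated users (source IP, username, role):
run show services unified-access-control authentication-table
## Resource access policies the IC has pushed to this enforcer:
run show services unified-access-control policies
```

If the status shows connected but the authentication-table stays empty after a user signs in, the IC is reachable but is not pushing entries for this enforcer; check the role mapping and resource access policy on the IC before touching the SRX policy. While test-only-mode is deactivated, a session from a source not present in the authentication table is dropped even though policy 41 says permit, which is the intended enforcement behaviour.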