UAC

= What is Juniper UAC? =


 * Unified Access Control (UAC) delivers comprehensive, granular network and application access control.
 * UAC can be enforced at Layer 2 using 802.1X, or at Layer 3 using an overlay deployment.

 * Benefits:

 * Role-based, application-level enforcement to control time-of-day and bandwidth restrictions per application or per role
 * Ensures that users adhere to application usage policies (IM, P2P, etc.)
 * Automated patch assessment checks and remediation
 * Dynamic antispyware/antimalware protection: spyware signatures are automatically downloaded and updated
 * Ensures that unmanaged and managed Windows devices are not running spyware, keyloggers or other malware before authentication
 * Coordinated Threat Control
 * Captive Portal

= Certificate-based Authentication between SRX & UAC =

Source for Certificate generation: penturalabs.wordpress.com

This section describes how to set up certificate-based secure communication between a Juniper SRX firewall and Juniper UAC.


 * Theory:


 * Each device generates its own private key, which is never shared.
 * A Certificate Signing Request (CSR) is generated using this private key.
 * The Certifying Authority (CA) generates a certificate from this CSR.
 * This certificate, together with the CA (root) certificate, is required for authentication.
 * Sometimes an intermediate certificate is also required.


 * Steps:

The process for creating a CA follows:
 * Create Certificate
 * Self Sign
 * Install new CA on servers/workstations

Afterwards, every device that needs a new certificate:
 * Generate new certificate
 * Generate Certificate Signing Request (CSR)
 * Sign CSR with the new CA Certificate


 * Details:

Install OpenSSL on a server before proceeding (CentOS 6.6 was used here).

1. Creating the Root CA:


 * a. Create Private Key

openssl genrsa -out rootCA.key 2048


 * b. Create the self-signed root certificate

openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem


 * c. Now install this new root CA on all of your devices.

2. Creating New Device Certificates:


 * a. To create a certificate, first you’ll need a private key

openssl genrsa -out device.key 2048


 * b. Generate a Certificate Signing Request (CSR)

openssl req -new -key device.key -out device.csr

The most important thing to remember is that the Common Name (CN) must match the hostname of the device/server, specifically its Fully Qualified Domain Name (FQDN). If it does not match, even a properly signed certificate will not validate correctly.


 * c. Sign the CSR with the Root CA

openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 365
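To carry steps 1 and 2 through end to end, here is an added shell script (not from the original page, nor from Juniper or the cited Pentura Labs post) that builds the root CA, a device key and CSR, and signs the CSR in a scratch directory, then checks the result the way the enforcer will: does the device certificate chain to the root, and is its CN the device FQDN? It goes one step beyond the text by placing an intermediate CA between root and device, which shows why the theory section's point about intermediate certificates matters: trusting only the root fails until the intermediate is supplied as well. The CA subject names, the extension file ca.ext, the inter.* file names and the function names are constructed for this example; the script assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the original page: run the article's OpenSSL steps in
# a scratch directory, with an intermediate CA between root and device, and
# check the result the way an enforcer would (chain validity, CN == FQDN).
# Assumption: openssl is on PATH. All subject names below are constructed.

# Sign a CSR with a CA certificate/key pair; a sixth argument names an
# extension file (needed only when the new certificate is itself a CA).
# Usage: sign_csr DIR CSR CA_CERT CA_KEY OUT [EXTFILE]
sign_csr() {
    if [ -n "$6" ]; then
        openssl x509 -req -in "$1/$2" -CA "$1/$3" -CAkey "$1/$4" -CAcreateserial \
            -extfile "$1/$6" -out "$1/$5" -days 365 2>/dev/null
    else
        openssl x509 -req -in "$1/$2" -CA "$1/$3" -CAkey "$1/$4" -CAcreateserial \
            -out "$1/$5" -days 365 2>/dev/null
    fi
}

# Build root CA -> intermediate CA -> device certificate in DIR.
# Usage: build_pki DIR DEVICE_FQDN
build_pki() {
    dir="$1"; fqdn="$2"
    mkdir -p "$dir"
    # Step 1a/1b: root CA private key and self-signed root certificate
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -days 1024 \
        -subj "/CN=Example Root CA/O=Test" -out "$dir/rootCA.pem"
    # Intermediate CA: without basicConstraints CA:TRUE it cannot sign anything
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl genrsa -out "$dir/inter.key" 2048 2>/dev/null
    openssl req -new -key "$dir/inter.key" \
        -subj "/CN=Example Intermediate CA/O=Test" -out "$dir/inter.csr"
    sign_csr "$dir" inter.csr rootCA.pem rootCA.key inter.pem ca.ext
    # Step 2a/2b: device private key and CSR; the CN must be the device FQDN
    openssl genrsa -out "$dir/device.key" 2048 2>/dev/null
    openssl req -new -key "$dir/device.key" \
        -subj "/CN=$fqdn/OU=IT/O=Test" -out "$dir/device.csr"
    # Step 2c: sign the device CSR (here with the intermediate, not the root)
    sign_csr "$dir" device.csr inter.pem inter.key device.crt ""
}

# Print OK when device.crt chains to rootCA.pem, FAIL otherwise. With no
# second argument only the root is trusted, which is what the SRX sees when
# the intermediate ca-profile is missing; pass inter.pem to supply it.
# Usage: verify_chain DIR [INTERMEDIATE]
verify_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1/rootCA.pem" -untrusted "$1/$2" \
            "$1/device.crt" >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -CAfile "$1/rootCA.pem" \
            "$1/device.crt" >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}

# Print the CN of device.crt; RFC2253 formatting gives a stable "CN=value"
# form across OpenSSL versions.
cert_cn() {
    openssl x509 -in "$1/device.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only when the certificate CN equals the expected FQDN.
cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Demo run in a temporary directory
work=$(mktemp -d)
build_pki "$work" testuac-srx.com
echo "root only:         $(verify_chain "$work")"
echo "root+intermediate: $(verify_chain "$work" inter.pem)"
echo "CN in device.crt:  $(cert_cn "$work")"
rm -rf "$work"
```

The first verify_chain call fails on purpose: it is the situation the later SRX section describes, where only the root ca-profile is loaded and the device certificate was issued by an intermediate. The cn_matches check is the FQDN rule from the note above, applied before the certificate is installed rather than discovered at authentication time.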

 * Generating the CSR from the SRX:

request security pki generate-key-pair certificate-id test size 2048 type rsa
request security pki generate-certificate-request certificate-id test digest sha-1 domain-name testuac-srx.com email testuac@test.com subject "CN=testuac-srx.com,OU=IT,O=Test,L=Bangalore,ST=KN" filename ca-cert.csr

 * Importing the certificate into the SRX (after the CSR has been signed):

start shell
cd /cf/var/tmp/   (or cd /var/tmp/ on newer releases)
% vi ca-cert.cer
Paste the certificate, save it and exit the shell.
cli
edit
set security pki ca-profile UAC-Root-cert ca-identity "srx-test"
commit and-quit
request security pki ca-certificate load ca-profile UAC-Root-cert filename ca-cert.cer

 * UAC Configuration:

 * Generate a CSR from the UAC and obtain a certificate for it from the CA.
 * Browse to the generated certificate on the "Device Certificates" page; this imports the device certificate into the UAC.
 * Import the CA certificate on the "Trusted Server CAs" page.
 * Enable the imported certificate on the correct port.
 * Go to Infranet Enforcer and add a new device; enter the IP address, platform, password and serial number of the SRX firewall.

 * SRX Config for UAC:

set services unified-access-control infranet-controller My-UAC address 10.102.82.239
set services unified-access-control infranet-controller My-UAC interface ge-0/0/1.0
set services unified-access-control infranet-controller My-UAC password "test@123"
set services unified-access-control infranet-controller My-UAC ca-profile UAC-Root-cert
set services unified-access-control timeout 60
set services unified-access-control interval 30
set services unified-access-control timeout-action open
set services unified-access-control captive-portal my-captive-portal-policy redirect-traffic unauthenticated
set security pki ca-profile UAC-Root-cert ca-identity Root

If an intermediate certificate is also used, create another ca-profile and map both to the infranet-controller configuration on the SRX:

set services unified-access-control infranet-controller My-UAC ca-profile UAC-Inter-cert
set security pki ca-profile UAC-Inter-cert ca-identity Intermediate

Load the root certificate first and then the intermediate certificate, otherwise the SRX will give an error.

 * Verification:

show security pki local-certificate detail
show security pki ca-certificate detail
show services unified-access-control status

 * Troubleshooting:

set services unified-access-control traceoptions flag all
monitor start uacd
monitor stop uacd
tail -f /var/log/uacd

 * Further troubleshooting:

 * Run 'telnet port 11123 10.102.82.239' on the SRX to check that the port between SRX and UAC is open.
 * Try removing the ca-profile to rule out any certificate-related issue.
 * Try tcpdump on the UAC.
 * Try disabling CRL checking: 'set security pki ca-profile UAC-Root-cert revocation-check crl disable'

 * If the UAC is not connecting and you are getting the following error:

2012-06-19 19:02:37 system notif 00535 PKI: Failed to obtain CRL for CA issuing cert with subject name CN=KANA Subordinate Root CA,DC=kana,DC=com,

Disabling the CRL checking option will resolve this issue. To do this, issue the following command:

set pki auth [ID of your CA] cert-status revocation-check none

You can identify the ID of the CA on the firewall by issuing the following command:

get pki x509 list ca-cert

