UAC
What is Juniper UAC?
- Unified Access Control (UAC) delivers comprehensive, granular network and application access control.
- UAC can be enabled at Layer 2 using 802.1X, at Layer 3 using an overlay deployment.
- Benefits
Role-based application-level enforcement to control time of day and bandwidth restrictions per application or per role Ensures that users adhere to application usage policies such as IM, P2P,etc Automated patch assessment checks and remediation Dynamic antispyware/antimalware protection Spyware signatures are automatically downloaded and updated Ensures unmanaged and managed Windows devices are not running spyware, keyloggers or other malware before authentication Coordinated Threat Control Captive Portal
Certificate based Authentication between SRX & UAC
Source for Certificate generation: penturalabs.wordpress.com
Here we discuss how to make a secure communication between Juniper SRX firewall & Juniper UAC using Certificates.
- Theory
- Each Device generates its own Private Key which is never shared.
- Generate a Certificate Signing Request (CSR) using this Private Key.
- Certifying Authority (CA) will generate a Certificate from this CSR.
- This Certificate along with CA (Root) Certificate are required for Authentication.
- Sometimes Intermediate Certificate is also required.
- Steps
- The process for creating a CA follows:
Create Certificate Self Sign Install new CA on servers/workstations
- Afterwards, every device that needs a new certificate:
Generate new certificate Generate Certificate Signing Request (CSR) Sign CSR with the new CA Certificate
- Details
Install OpenSSL in any server before proceeding(CentOS 6.6 used here)
1. Creating the Root CA:
- a. Create Private Key
openssl genrsa -out rootCA.key 2048
- b. Sign the Certificate
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
- c. Now install this new root CA on all of your devices.
2. Creating New Device Certificates:
- a. To create a certificate, first you’ll need a private key
openssl genrsa -out device.key 2048
- b. Generate a Certificate Signing Request (CSR)
openssl req -new -key device.key -out device.csr
The most important thing to remember is the common name or cn should match the hostname of the device/server, specifically matching the Fully Qualified Domain Name (FQDN). If it doesn’t match, even a properly signed certificate will not validate correctly.
- c. Sign the CSR with the Root CA
openssl x509 -req -in device.csr -CA root.pem -CAkey root.key -CAcreateserial -out device.crt -days 365
- Generating CSR from SRX
request security pki generate-key-pair certificate-id test size 2048 type rsa request security pki generate-certificate-request certificate-id test digest sha-1 domain-name testuac-srx.com email testuac@test.com subject "CN=testuac-srx.com,OU=IT,O=Test,L=Bangalore,ST=KN" filename ca-cert.csr
- Importing Certificate into SRX(After signing CSR)
start shell cd /cf/var/tmp/ or cd /var/tmp/ % vi ca-cert.cer Save the certificate and exit the shell. cli edit set security pki ca-profile UAC-Root-cert ca-identity "srx-test" commit and-quit request security pki ca-certificate load ca-profile UAC-Root-cert filename cert.cer
- UAC Configuration
Generate CSR from UAC and generate a Certificate from it Browse the path to the generated certificate in "Device Certificates" page. This will import Device Certificate into UAC Now Import the CA Certificate in the "Trusted Server CAs" page Enable Imported Certificate on correct Port Goto Infranet Enforcer and Add a new device Enter IP address, Platform, Password , serial number for the SRX firewall.
- SRX Config for UAC
set services unified-access-control infranet-controller My-UAC address 10.102.82.239 set services unified-access-control infranet-controller My-UAC interface ge-0/0/1.0 set services unified-access-control infranet-controller My-UAC password "test@123" set services unified-access-control infranet-controller My-UAC ca-profile UAC-Root-cert set services unified-access-control timeout 60 set services unified-access-control interval 30 set services unified-access-control timeout-action open set services unified-access-control captive-portal my-captive-portal-policy redirect-traffic unauthenticated set security pki ca-profile UAC-Root-Cert ca-identity Root
If using Intermediate certificate also, create another ca-profile and map both to the IC config in SRX.
set services unified-access-control infranet-controller My-UAC ca-profile UAC-Inter-cert set security pki ca-profile UAC-Inter-Cert ca-identity Intermediate
Load the Root Certificate first & then the Intermediate Certificate or the SRX will give an error.
- Verification
show security pki local-certificate detail show security pki ca-certificate detail show services unified-access-control status
- Troubleshooting
set services unified-access-control traceoptions flag all monitor start uacd monitor stop uacd tail –f /var/log/uacd
- Further troubleshooting
'telnet port 11123 10.102.82.239' on SRX to check if port between SRX & UAC is open Try by removing ca-profile to rule out any Certificate related issue Try tcpdump on UAC 'set security pki ca-profile UAC-Root-Cert revocation-check crl disable' Try to disable CRL checking
- If UAC is not connecting and you are getting following error
2012-06-19 19:02:37 system notif 00535 PKI: Failed to obtain CRL for CA issuing cert with subject name CN=KANA Subordinate Root CA,DC=kana,DC=com,
Disabling the CRL checking option will resolve this issue. To do this, issue the following command:
set pki auth [ID of your CA] cert-status revocation-check none
You can identify the ID of the CA on the firewall by issuing the following command:
get pki x509 list ca-cert
- References
{{#widget:DISQUS
|id=networkm
|uniqid=UAC
|url=https://aman.awiki.org/wiki/UAC
}}