From Network Security Wiki

What is Juniper UAC?

  • Unified Access Control (UAC) delivers comprehensive, granular network and application access control.
  • UAC can be enabled at Layer 2 using 802.1X, at Layer 3 using an overlay deployment.
Role-based application-level enforcement to control time of day and bandwidth restrictions per application or per role
Ensures that users adhere to application usage policies such as IM, P2P,etc
Automated patch assessment checks and remediation
Dynamic antispyware/antimalware protection
Spyware signatures are automatically downloaded and updated
Ensures unmanaged and managed Windows devices are not running spyware, keyloggers or other malware before authentication
Coordinated Threat Control
Captive Portal

Certificate based Authentication between SRX & UAC

Source for Certificate generation:

Here we discuss how to make a secure communication between Juniper SRX firewall & Juniper UAC using Certificates.

  • Each Device generates its own Private Key which is never shared.
  • Generate a Certificate Signing Request (CSR) using this Private Key.
  • Certifying Authority (CA) will generate a Certificate from this CSR.
  • This Certificate along with CA (Root) Certificate are required for Authentication.
  • Sometimes Intermediate Certificate is also required.

  • The process for creating a CA follows:
Create Certificate
Self Sign
Install new  CA on servers/workstations
  • Afterwards, every device that needs a new certificate:
Generate new certificate
Generate Certificate Signing Request (CSR)
Sign CSR with the new CA Certificate

Install OpenSSL in any server before proceeding(CentOS 6.6 used here)

1. Creating the Root CA:

a. Create Private Key
openssl genrsa -out rootCA.key 2048
b. Sign the Certificate
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
c. Now install this new root CA on all of your devices.

2. Creating New Device Certificates:

a. To create a certificate, first you’ll need a private key
openssl genrsa -out device.key 2048
b. Generate a Certificate Signing Request (CSR)
openssl req -new -key device.key -out device.csr
The most important thing to remember is the common name or cn should match the hostname of the device/server,
specifically matching the Fully Qualified Domain Name (FQDN).
If it doesn’t match, even a properly signed certificate will not validate correctly.
c. Sign the CSR with the Root CA
openssl x509 -req -in device.csr -CA root.pem -CAkey root.key -CAcreateserial -out device.crt -days 365

Generating CSR from SRX
request security pki generate-key-pair certificate-id test size 2048 type rsa
request security pki generate-certificate-request certificate-id test digest sha-1 domain-name email subject ",OU=IT,O=Test,L=Bangalore,ST=KN" filename ca-cert.csr
Importing Certificate into SRX(After signing CSR)
start shell
cd /cf/var/tmp/   or   cd /var/tmp/
% vi ca-cert.cer
Save the certificate and exit the shell.
set security pki ca-profile UAC-Root-cert ca-identity "srx-test"
commit and-quit
request security pki ca-certificate load ca-profile UAC-Root-cert filename cert.cer

UAC Configuration
Generate CSR from UAC and generate a Certificate from it
Browse the path to the generated certificate in "Device Certificates" page.
This will import Device Certificate into UAC 
Now Import the CA Certificate in the "Trusted Server CAs" page
Enable Imported Certificate on correct Port
Goto Infranet Enforcer and Add a new device 
Enter IP address, Platform, Password , serial number for the SRX firewall.
SRX Config for UAC
set services unified-access-control infranet-controller My-UAC address
set services unified-access-control infranet-controller My-UAC interface ge-0/0/1.0
set services unified-access-control infranet-controller My-UAC password "test@123"
set services unified-access-control infranet-controller My-UAC ca-profile UAC-Root-cert
set services unified-access-control timeout 60
set services unified-access-control interval 30
set services unified-access-control timeout-action open
set services unified-access-control captive-portal my-captive-portal-policy redirect-traffic unauthenticated
set security pki ca-profile UAC-Root-Cert ca-identity Root

If using Intermediate certificate also, create another ca-profile and map both to the IC config in SRX.

set services unified-access-control infranet-controller My-UAC ca-profile UAC-Inter-cert
set security pki ca-profile UAC-Inter-Cert ca-identity Intermediate

Load the Root Certificate first & then the Intermediate Certificate or the SRX will give an error.

show security pki local-certificate detail
show security pki ca-certificate detail 
show services unified-access-control status 
set services unified-access-control traceoptions flag all
monitor start uacd
monitor stop uacd
tail –f /var/log/uacd

Further troubleshooting
'telnet port 11123' on SRX to check if port between SRX & UAC is open
Try by removing ca-profile to rule out any Certificate related issue
Try tcpdump on UAC
'set security pki ca-profile UAC-Root-Cert revocation-check crl disable' Try to disable CRL checking
If UAC is not connecting and you are getting following error
2012-06-19 19:02:37 system notif 00535 PKI: Failed to obtain CRL for CA
issuing cert with subject name CN=KANA Subordinate Root CA,DC=kana,DC=com,

Disabling the CRL checking option will resolve this issue. To do this, issue the following command:

set pki auth [ID of your CA] cert-status revocation-check none

You can identify the ID of the CA on the firewall by issuing the following command:

get pki x509 list ca-cert


{{#widget:DISQUS |id=networkm |uniqid=UAC |url= }}