Network Access Control (NAC) is hot in Enterprise environments. NAC offers an excellent mechanism to (safely) allow various devices network connectivity and staying in control as a network administrator. There are numerous ways to allow iOS devices, BYOD, CYOD, Corporate laptops onto your network without compromising valuable corporate resources.
In my line of work I deal with several vendors / solutions to create these NAC protected environments. The most popular at the moment are;
- Identity Service Engine (ISE) from Cisco
- Junos Pulse Access Control (UAC) Service from Juniper
Both solutions have their pro's and cons. Juniper has an excellent client for the desktop to safely connect to the network, and an integration with their SRX firewalls to (dynamically) enforce firewall policies on a per user basis. Cisco on the other hand has a more flexible way of creating access policies, and the use of so-called downloadable Access Lists (dACL).
A dACL is a Cisco Access List which can be downloaded by a switch and be assigned to a switch port. This removes the possible need for layer 2 authentication since the (layer 3) access is controlled on the switch port itself, and has several other advantages. Also, the information and documentation on Cisco ACL's is extensive.
Juniper also has the option to apply access lists on a switch port. The call them 'firewall filters', which is a basic feature in their Junos OS. These firewall filters gives you the same (if not more) functionality as the dACL's of Cisco.... with two big differences;
- try finding some decent documentation/examples on applying these filters ni combination with Access Control. It's out there... somewhere.
- The firewall filters are local to the switch. They are not downloaded or stored on a central device. So if you change 1 filter, you have to change that filter on all your devices. So, unlike Cisco, it's not very scalable.
The rest of this blog post will be an example on how to use a Junos firewall filter on an EX switch which will be assigned to a switch port (or NAS) by the Juniper NAC solution (Junos Pulse Access Control Service - UAC).
The following example will authenticate a user based on its Active Directory credentials. Based on security group membership, the user will be assigned a 'User Role' in the UAC. The 'User Role' will determine the assigned VLAN and the assigned firewall filter. The dot1x authentication configured n the UAC is EAP-TTLS (JUAC).
Creating a firewall filter
I created a very basic firewall filter. It does one thing and that is block access to the Google DNS server with the IP address of 8.8.8.8. All other traffic is allowed in this filter.
Since my switch interfaces are configured as 'family ethernet-switching' I have to use the 'family ethernet-switching' as well in the firewall filter.
root@ex2200> show configuration firewall
family ethernet-switching {
filter block-google-dns {
term 1 {
from {
destination-address {
8.8.8.8/32;
}
}
then
discard;
syslog;
}
term 2 {
from {
source-address {
0.0.0.0/0;
}
}
then accept;
}
}
}That's all that's needed. There's no need to assign it to an interface, since this will be done automatically by the 'RADIUS Return Attributes' of the UAC.
The syslog statement in the deny branch makes sure that the 'violation' is logged to syslog. Just make sure that you log the firewall messages (of the switch) to syslog.
The actual syslog messages have the following layout:
Dec 20 14:49:06 192.168.1.51 Dec 20 14:49:02 ex2200 fpc0 PFE_FW_SYSLOG_IP: FW: ge-0/0/4.0 D icmp 192.168.1.106 8.8.8.8 8 0 (1 packets) Dec 20 14:48:57 192.168.1.51 Dec 20 14:48:57 ex2200 fpc0 PFE_FW_SYSLOG_IP: FW: ge-0/0/4.0 D icmp 192.168.1.106 8.8.8.8 8 0 (1 packets)
Switch Port Configuration
The switchport used is ge-0/0/0 on my Juniper EX2200-C switch. The configuration of that port (and the dot1x settings are listed below):
root@ex2200> show configuration interfaces ge-0/0/0
unit 0 {
family ethernet-switching;
}
root@ex2200> show configuration protocols dot1x
authenticator {
authentication-profile-name UAC;
no-mac-table-binding;
interface {
ge-0/0/0.0 {
supplicant multiple;
retries 6;
transmit-period 20;
reauthentication 180;
supplicant-timeout 20;
server-timeout 15;
maximum-requests 6;
guest-vlan vlan-quarantine;
server-reject-vlan vlan-quarantine eapol-block;
server-fail use-cache;
}
}
}
UAC Configuration
The 'RADIUS Return Attributes' are set in the UAC.
So if a user logs in, and gets on of the roles assign that are attached to the Production VLAN RADIUS Return Attributes, he/she will be placed in VLAN 100 and won't be able to access the IP address 8.8.8.8.
The Result
The following screenshot and logging output demonstrate the behaviour of the filter. First the logging of the UAC itself.
EAM24805 2013-12-20 12:25:27 - ic - [127.0.0.1] administrator(TESTDOMAIN PULSE)[] - RADIUS authentication accepted for administrator (realm 'TESTDOMAIN PULSE') from location-group 'Default' and attributes are: NAS-IP-Address = 192.168.1.51,NAS-Port = 70,NAS-Port-Type = 15
EAM24638 2013-12-20 12:25:27 - ic - [127.0.0.1] TESTDOMAIN\administrator(TESTDOMAIN PULSE)[PULSE Domain User, PULSE Quarantine] - User assigned RADIUS attribute(s) (Filter-Id='block-google-dns')
EAM24459 2013-12-20 12:25:27 - ic - [127.0.0.1] TESTDOMAIN\administrator(TESTDOMAIN PULSE)[PULSE Domain User, PULSE Quarantine] - User assigned to vlan (VLAN='100')
AUT24414 2013-12-20 12:25:27 - ic - [127.0.0.1] TESTDOMAIN\administrator(TESTDOMAIN PULSE)[PULSE Domain User, PULSE Quarantine] - Agent login succeeded for TESTDOMAIN\administrator/TESTDOMAIN PULSE from 00-11-6b-66-3d-22.
AUT24803 2013-12-20 12:25:27 - ic - [127.0.0.1] administrator(TESTDOMAIN PULSE)[] - Host Checker policy 'Corp Policy' passed on host '' address '00-11-6b-66-3d-22' for user 'administrator'.
AUT24326 2013-12-20 12:25:27 - ic - [127.0.0.1] TESTDOMAIN\administrator(TESTDOMAIN PULSE)[] - Primary authentication successful for TESTDOMAIN\administrator/testdomain from 00-11-6b-66-3d-22
And to verify this on the switch itself:
root@ex2200> show ethernet-switching interfaces ge-0/0/0
Interface State VLAN members Tag Tagging Blocking
ge-0/0/0.0 up __pvlan_vlan-production_ge-0/0/0.0__ untagged unblocked
default 1 untagged unblocked
vlan-production 100 untagged unblocked
root@ex2200> show dot1x interface detail
ge-0/0/0.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 6
Quiet period: 60 seconds
Transmit period: 20 seconds
Mac Radius: Disabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 180 seconds
Supplicant timeout: 20 seconds
Server timeout: 15 seconds
Maximum EAPOL requests: 6
Guest VLAN member: vlan-quarantine
Number of connected supplicants: 1
Supplicant: anonymous, 00:11:6B:66:3D:22
Operational state: Authenticated
Backend Authentication state: Idle
Authentcation method: Radius
Authenticated VLAN: vlan-production
Dynamic Filter: block-google-dns
Session Reauth interval: 43279 seconds
Reauthentication due in 40194 seconds
Removing the Filter-ID in the RADIUS Return Attributes on the UAC results in an immediate removal of the firewall filter on the switch port. No need to flip the switch port, or to re-authenticate.
Final Thoughts
The main problem with the Juniper version is that the filters are local to the switch. Typos can cause strange behaviour on one switch, while the rest functions just fine. I do know that Juniper want to use the SRX Firewall as an L3 enforcer in the network, but that could mean an expensive redesign of a network. ACL's/Firewall filters can be a nice transition scenario to that, but not if it means being more vulnerable to configuration mistakes.
When I have my Juniper wireless network up-and-running, I'll add that one as well, because it works a bit differently on a wireless environment.