Beacon Integration Note: Juniper Junos Pulse ACS Revision 2014-06-18

Copyright © 2004-2014 by Great Bay Software Inc. - Portsmouth, New Hampshire 03801, USA - All Rights Reserved. This document is protected under the copyright laws of the United States and other countries as an unpublished work. This document contains information that is proprietary and confidential to Great Bay Software or its technical alliance partners, which shall not be disclosed outside or duplicated, used or disclosed in whole or in part for any purpose other than to evaluate Great Bay Software Inc. solutions. Any use or disclosure in whole or in part without the express written permission of Great Bay Software Inc. is prohibited. All trademarks are property of respective owners.


Great Bay Software

Junos Pulse ACS Integration with Beacon – 2014-06-18 Page 2 of 13

Step #1: Verify the Required Licensing on Junos Pulse ACS

Navigate to Configuration -> Licensing.

A Junos Pulse ACS performing MAC authentication with Beacon via LDAP must have at least one available endpoint license. For example, the following Junos Pulse ACS is licensed to authenticate 3000 simultaneous endpoints. As long as no more than 2999 802.1X endpoints are authenticated by this Junos Pulse ACS, it can provide MAC authentication for non-802.1X-capable endpoints.

Step #2: Verify Authentication Protocol Sets

Navigate to Authentication -> Signing In -> Authentication Protocol Sets.

Verify that the Authentication Protocol Set for 802.1X includes the PAP protocol. By default, the “802.1X” and “802.1X-Phones” Authentication Protocol Sets are defined by the system as shown in the next screen shot.

In order for Junos Pulse ACS to successfully complete MAC Authentication, the PAP Authentication Protocol must be added to the 802.1X Authentication Protocol Set.


Click on the 802.1X link to display the page shown in the next screen shot. Select PAP from the Available Protocols drop down, select the “Add ->” button, then use the arrows to move PAP to place it first on the Selected Protocols list:

Save the changes and verify that PAP now appears in the 802.1X Authentication Protocol Set, so that MAC authentication is enabled on Junos Pulse ACS:

Step #3: Add Required Authentication Servers for Beacon

Navigate to Authentication -> Auth. Servers.

To enable the integration with Beacon, two servers must be added to the Junos Pulse ACS configuration: one of type LDAP and one of type MAC Address Authentication.

Step #3.a: Add LDAP Server

Select LDAP Server from the New: drop-down, then press the “New Server” button as shown in the next screen shot.


When adding the LDAP Server for Beacon, it is essential that the settings shown in the following screen shot are followed exactly, in particular the required credentials for binding to the Beacon LDAP server and the filters for finding user entries and determining group membership.

Note: The Beacon LDAP server will not accept anonymous binds. By default, the LDAP bind password on a Beacon system is (case sensitive): GBSbeacon. Instructions for changing the LDAP bind password on a Beacon All-in-one/Server Only system can be found in the Configuration Guide.

The filter for finding user (endpoint) entries in the Beacon LDAP directory is as follows:

(&(objectClass=ieee802Device)(macAddress=<USER>))

Section: Determining Group Membership. Note: In most cases this section should be left blank. As of Beacon release 3.2.0 it is not relevant to integration with Beacon (for Beacon-profiled endpoints, the group membership is stored as an attribute of the endpoint entry, as outlined later in this document). For the related product SGA, it is also recommended that this section be left blank (the preferred methodology with SGA is described in the "Optional" section at the end of this document).

Caution: The "legacy configuration" (shown below) is sometimes put in place to allow the "Server Catalog" to be queried for the purposes of testing communication with Beacon (i.e. the listing of LDAP groups defined in Beacon). This use is valid, however it is important to take care that group-membership-based role mapping rules are NOT created (use ONLY user-attribute-based rules as directed in this document, Step #5.b.) Failing to follow this advice will result in slower MAC-authentication operations and adversely affect the performance of both systems.

Legacy Configuration

The filter for determining group membership may be entered as follows:

(&(objectClass=groupOfUniqueNames)(cn=<GROUPNAME>))


Save Auth Server Configuration

See the screen shot below for an example of a completed auth server configuration. Click "Save". The Auth Server Configuration screen will reappear with the message "Saved changes successfully."

Note: with some versions of Junos Pulse ACS this message may be preceded with the message "Unable to connect to LDAP server hapair.lab.bspruce.com". This message may be ignored.


Step #3.b: Test LDAP Connectivity

After adding the LDAP Server for Beacon as outlined in the last step, LDAP connectivity between Junos Pulse ACS and the Beacon system can be verified. Use the Server Catalog hyperlink (in the Determine group membership section) to force Junos Pulse ACS to connect to Beacon via LDAP and browse the Beacon directory from the Junos Pulse ACS UI, as shown in the following screenshots.

Select the “Search” button; when this is done Junos Pulse ACS will attempt to set up an authenticated LDAP connection with Beacon. If authentication is successful then a blank search screen will be returned (the search screen itself is not relevant). Click “Back”, and then “Ok”, to dismiss the Server Catalog pop-up window.

If authentication was not successful, an error message will be displayed, similar to the one shown in the screenshot below:


Step #3.c: Add MAC Address Authentication Server for Beacon System

Now add an Authentication Server of type MAC Address Authentication to the Junos Pulse ACS configuration.

Associate the LDAP Server created in the last step with the MAC Address Authentication Server as shown in the next screen shot.

Select Beacon LDAP server (named “BeaconMAB” in the example) from the Available LDAP Servers list and select the “Add ->” button to associate the Beacon LDAP server with the MAC Address Authentication Server just created.


Step #4: Create a User Role for use in the MAC Address Realm

Step #4.a: Create a New Role for endpoints MAC-authenticated via Beacon, and give it a name and description

Navigate to Users -> User Roles and click “New Role...”.

Step #4.b: On Agent tab, ensure “Install Agent for this role” is deselected

Step #4.c: On Agentless tab, ensure “Enable Agentless Access for this role” is selected


Step #5: Add MAC Address Realm / Role Mapping Rule(s)

Step #5.a: Create MAC Authentication Realm

Navigate to UAC -> MAC Address Realms and click “New…”.

Provide a name and description for the New Authentication Realm as illustrated below.

A key part of this aspect of the configuration is tying the Beacon Authentication and LDAP servers together when creating the MAC Address Realm. Note that the Directory/Attribute server defaults to “same as above.” If this is not changed to the LDAP Server added earlier in the configuration, the integration will fail.

Upon saving the new Realm, the UI changes to allow the creation of role mapping rules.

Step #5.b: Add Role-Mapping Rule

Create a new Role Mapping rule using the Role created in the previous step: select the “New Rule…” button, which displays the form shown in the next screen shot. The Role Mapping rule allows the endpoints in the selected Beacon Profiles to be authenticated and assigned the appropriate role based on their memberOfGroup attribute.


Use the drop-down to select "User attribute" via the "Rule based on:" selector and click “Update”. Give the Role Mapping Rule a name such as Beacon-profiled endpoint.

In the Attribute selector, use the drop down to select memberOfGroup as shown below and the ‘is’ logical operator (to indicate that members of selected profile(s) will be assigned the role). Multiple values may be listed in the right-side textbox, one-per-line ("OR"-logic is implied). Each value must be of one of these forms:

Exact match: cn=profile-name,*
Begins-with match: cn=*profile-name-ending,*
Ends-with match: cn=profile-name-start*
Arbitrary wildcard usage: cn=PATTERN,*

For example:

cn=Polycom IP Phone,*
cn=Cisco *Phone,*
cn=*Jetdirect*
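To show what the user filter from Step #3.a and the memberOfGroup rule values above do together during a MAB attempt, here is an added Python example (not from the integration note or from Great Bay Software) that emulates the lookup against a small constructed stand-in for the Beacon directory. The directory entries, the ou=profiles,o=beacon DN suffix, and case-insensitive matching of cn values are assumptions.

```python
import re

# Constructed stand-in for the Beacon LDAP directory: one ieee802Device entry per
# profiled endpoint, with memberOfGroup carrying the Beacon profile's DN.
# Hypothetical values; a real Beacon is queried over LDAP, not from a list.
BEACON_DIRECTORY = [
    {"objectClass": "ieee802Device", "macAddress": "00:04:f2:aa:bb:01",
     "memberOfGroup": ["cn=Polycom IP Phone,ou=profiles,o=beacon"]},
    {"objectClass": "ieee802Device", "macAddress": "00:1b:54:aa:bb:02",
     "memberOfGroup": ["cn=Cisco IP Phone,ou=profiles,o=beacon"]},
    {"objectClass": "ieee802Device", "macAddress": "00:1e:0b:aa:bb:03",
     "memberOfGroup": ["cn=HP Jetdirect Printer,ou=profiles,o=beacon"]},
    {"objectClass": "ieee802Device", "macAddress": "00:1b:54:aa:bb:04",
     "memberOfGroup": ["cn=Cisco Switch,ou=profiles,o=beacon"]},
]

# The three rule values quoted in the note, all mapped to one role (OR logic).
RULE_VALUES = ["cn=Polycom IP Phone,*", "cn=Cisco *Phone,*", "cn=*Jetdirect*"]
ROLE = "Beacon-profiled endpoint"


def find_endpoint(mac):
    """Emulate the user filter (&(objectClass=ieee802Device)(macAddress=<USER>)).

    <USER> is the RADIUS username, i.e. the endpoint MAC. Compared
    case-insensitively, as LDAP's caseIgnoreMatch would (assumption).
    """
    for entry in BEACON_DIRECTORY:
        if (entry["objectClass"] == "ieee802Device"
                and entry["macAddress"].lower() == mac.lower()):
            return entry
    return None


def value_matches(pattern, value):
    """The 'is' operator with '*' wildcards: '*' matches any run of characters,
    everything else is literal, and the whole value must match (anchored)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def map_role(mac):
    """Return the role assigned for a MAB attempt, or None if no rule matched
    (no entry in an LDAP-enabled profile, or a profile outside the rule)."""
    entry = find_endpoint(mac)
    if entry is None:
        return None
    for group in entry["memberOfGroup"]:
        if any(value_matches(p, group) for p in RULE_VALUES):
            return ROLE
    return None
```

Note that the Cisco Switch entry is found by the user filter but gets no role, because "cn=Cisco *Phone,*" requires "Phone," after the wildcard.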


Note: if memberOfGroup does not appear in the drop-down list of attributes then click "Attributes…". The pop-up Server-Catalog window will let you define the attribute. Type "memberOfGroup" in the "Attribute:" text box (to the right) and click "< Add Attribute". Next, click “Ok” to dismiss the Server-Catalog pop-up. On the Role Mapping Rule screen you will now be able to select the newly-added attribute.

Step #6: Network Access Configuration: RADIUS Location Group and RADIUS Client

Configure a Location Group, specifying use of the MAC Address Authentication Realm created in the previous step.

Add RADIUS client(s) for the switches that will connect endpoints authenticated via MAB. Only the IP address(es) of the switch and the RADIUS shared secret are needed.


Verify the results of MAB attempts in the Junos Pulse ACS logs as endpoints discovered and profiled by Beacon into LDAP-enabled profiles attempt to join the network on 802.1X-enabled ports.


Optional: Enabling MAC Authentication for SGA-provisioned devices

If SGA is being used for creating device sponsorships by MAC, an additional Role Mapping rule needs to be present in the MAC Address Realm created in Step #5.a above.

Repeat the process described in Step #5.b for adding a new Role Mapping rule to the "BeaconMAB" MAC Address Realm, with these differences:

1. Match against attribute "l" (add this attribute via the "Attributes…" pop-up if not present)
2. Create rule with this logic: l is "GreatBay SGA"

Note: 'l' above is short for "localityName"