UAC Users Role and Source IP
Apr 8, 2014 12:04am



I have a query about UAC. I have two roles. One is "Users-Trust" and the second is "Users-Wireless". The Users-Trust role is for users who connect via network cable using Junos Pulse. The Users-Wireless role is for users who connect via Wi-Fi devices, and that role is configured as agentless.


The users with the Users-Trust role have a resource access policy that allows everything, and I control their access on the SRX firewall on the basis of their source IP addresses. However, I configured the resource access policies for Wi-Fi users to deny all corporate network access and allow only direct internet access via the captive portal.


Now the issue is that when a user connects on cable he gets the role "Users-Trust" and starts using network resources. Later on the user disconnects the cable and connects to Wi-Fi, and as his session remains on the UAC he keeps using the same session with the new IP address (the Wi-Fi DHCP IP) and starts using the resources that are allowed only to specific Wi-Fi users. I also configured the role mapping policies for the Users-Wireless role to allow this role only for specific users and not for everyone.


As I understand it, when the user switches to Wi-Fi his source IP changes but his session remains on the device. UAC does not check the user's credentials/roles again, and he keeps using the same session with the new IP address.


I want to prevent the user from using the same session on UAC when his IP address changes.


Arslan Nawaz



Apr 8, 2014 12:39am

Hi  Arslan,


I understand your issue.


I hope you are using one authentication realm with one role mapping rule for each role.


Can you enable Dynamic policy evaluation with a lower value, like 5-10 minutes, under Realms in the IC admin GUI?

Also have "Refresh roles" and "Refresh resource policies" enabled on the realm.


Enabling this will ensure the policies are checked.


    Apr 8, 2014 12:54am

    Listing below a few other quick things to check:

    • Under Role --> Session Options --> Disable Roaming Session
    • If you are using dot1x, enable Accounting on the switches.



    Ashish Paul
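To make the "Disable Roaming Session" point concrete, here is a small model of the session behaviour the thread describes. It is an added example, not Juniper code and not the IC's actual session logic: it assumes a controller that keeps a token-to-session table, optionally records the source IP at sign-in, and on every request either accepts the token from any IP (roaming allowed) or tears the session down when the IP differs from the one recorded (roaming disabled). The user, role and IP address values are constructed for the scenario in the original post.

```python
"""Toy model of an authenticated session that does or does not survive a
change of source IP.  Added illustration only: the class names, fields and
the tear-down-on-mismatch behaviour are assumptions for the example, not the
Infranet Controller's real implementation."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    role: str
    bound_ip: Optional[str]  # None means the session may roam between IPs


class Controller:
    """Minimal session table keyed by a bearer token."""

    def __init__(self, allow_roaming: bool) -> None:
        self.allow_roaming = allow_roaming
        self.sessions: Dict[str, Session] = {}
        self._counter = 0

    def sign_in(self, user: str, role: str, src_ip: str) -> str:
        """Authenticate once and return the session token.  When roaming is
        disabled the source IP seen at sign-in is pinned to the session."""
        self._counter += 1
        token = f"tok{self._counter}"
        bound = None if self.allow_roaming else src_ip
        self.sessions[token] = Session(user, role, bound)
        return token

    def request(self, token: str, src_ip: str) -> str:
        """Return the role the controller attributes to this request, or a
        marker string when the token is rejected."""
        sess = self.sessions.get(token)
        if sess is None:
            return "no-session"
        if sess.bound_ip is not None and sess.bound_ip != src_ip:
            # Source IP changed under a pinned session: drop it so the user
            # must sign in again from the new address (where the realm and
            # role-mapping rules for that access path apply).
            del self.sessions[token]
            return "session-dropped"
        return sess.role


# Constructed scenario from the post: wired sign-in, then a move to Wi-Fi.
WIRED_IP = "10.1.1.50"
WIFI_IP = "10.9.0.77"


def role_seen_after_move(allow_roaming: bool) -> str:
    """Role the controller still grants from the Wi-Fi IP for the token that
    was issued on the wired connection."""
    ic = Controller(allow_roaming=allow_roaming)
    token = ic.sign_in("arslan", "Users-Trust", WIRED_IP)
    assert ic.request(token, WIRED_IP) == "Users-Trust"  # normal wired use
    return ic.request(token, WIFI_IP)


def token_reusable_after_drop() -> bool:
    """After the pinned session is torn down, the old token is dead."""
    ic = Controller(allow_roaming=False)
    token = ic.sign_in("arslan", "Users-Trust", WIRED_IP)
    ic.request(token, WIFI_IP)
    return ic.request(token, WIFI_IP) != "no-session"


if __name__ == "__main__":
    print("roaming allowed :", role_seen_after_move(True))
    print("roaming disabled:", role_seen_after_move(False))
    print("old token reusable after drop:", token_reusable_after_drop())
```

With roaming allowed the wired token keeps answering "Users-Trust" from the Wi-Fi address, which is exactly the situation in the post: the role did not change, only the IP did, so any downstream control keyed on source IP sees a trusted role behind an untrusted address. With roaming disabled the first request from the new IP ends the session, and the next sign-in happens through whatever realm and role mapping apply to the Wi-Fi path.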
    Apr 8, 2014 2:06am

    Thanks Kanann/Ashish Paul



    No... I am using two different realms for the two roles. The reason is that I want to ensure that all the users with the role "Users-Wireless" get an agentless connection with no client installation, and that all the users with the "Users-Trust" role have the option to install the Pulse client via the web. I configured two different realms and sign-in policies for the two roles.


    If I configure the same realm and segregate users on the basis of role mapping, then users with the role "Users-Wireless" will also start the Junos Pulse client installation, whereas we want them connected to UAC directly (meaning no Pulse client installation, only the agentless connection).


    With dynamic policy evaluation the minimum time I can set for role evaluation is 5 minutes, or I need to refresh the roles manually. It means the user can still use his active session with the same role but with a new IP address. And as the end user's IP changes, the user remains connected to UAC (using his previous UAC session with the new IP address) and with the same role. So although his role does not change on UAC, because his IP has changed and he is already authenticated on UAC, he starts using unauthorized access on the basis of his source IP address.



    I disabled the Roaming Session option on all the roles. I am using L3 enforcement, not 802.1X.