


UAC Policies on SRX not Functional After Junos Software Upgrade


arslan.nawaz@iacgrp.com
Contributor (11)
Oct 18, 2014 9:45am

 

Hi,

 

I have an urgent query. I was using UAC 5.0 on a MAG and an SRX 1400 in a chassis cluster, running Junos 10.4, as the L3 enforcer.

 

The solution was deployed successfully and everything was working fine until recently, when I upgraded the Junos software on my SRX 1400 from version 10.4 to 12.1. Since the Junos upgrade, none of the UAC policies configured on the SRX 1400 are working. The device is connected to the UAC properly and users are shown in the auth table of the SRX device...

 

Any help?

 

Regards




tgatewood
Contributor (11)
Oct 18, 2014 2:25pm
I recently saw the same thing, did you go to 12.1x44d40? I removed all the config under services unified-access-control, committed, then pasted the same lines back in and did another commit.
    arslan.nawaz@iacgrp.com
    Contributor (11)
    Oct 18, 2014 11:33pm

     

    Yes, I upgraded the Junos software to 12.1x44d40. I removed all the unified-access-control configuration on the SRX, committed, and then reconfigured the UAC settings, but still no luck.

     

    Here is the UAC configuration on the SRX:

    -------------------------------------------------------------------------------------------------------------------------------------------------------

    set services unified-access-control infranet-controller MAG-UAC address 10.50.50.100
    set services unified-access-control infranet-controller MAG-UAC interface reth1.50
    set services unified-access-control infranet-controller MAG-UAC password uac@mag

     

    set security policies from-zone Wifi to-zone Internet policy test-uac match source-address Arslan-1.12
    set security policies from-zone Wifi to-zone Internet policy test-uac match destination-address any
    set security policies from-zone Wifi to-zone Internet policy test-uac match application any
    set security policies from-zone Wifi to-zone Internet policy test-uac then permit application-services uac-policy
    set security policies from-zone Wifi to-zone Internet policy test-uac then log session-init

    --------------------------------------------------------------------------------------------------------------------------------------------------------

     

    Following is the output of a few show commands.

     

    > show services unified-access-control status                                                           
    node0:
    --------------------------------------------------------------------------
    Host           Address         Port   Interface     State
    MAG-UAC        10.50.50.100   11123  reth1.50     connected

     

    > show services unified-access-control roles     
    node0:
    --------------------------------------------------------------------------
    Name                 Identifier
    Trust-User           0000000001.000005.0
    Remediate-User       1396270434.123514.0
    Trust-Agentless      1395391788.690864.0
    GUAM                 1395991600.414804.0
    Guest-Users          1395992372.36996.0
    Corporate-Wifi       1395994939.110403.0

     

    > show services unified-access-control policies
    node0:
    --------------------------------------------------------------------------
    Id    Resource                Action Apply        Role identifier
    1     10.100.111.111:*          allow  selected     1396270434.123514.0
    2     *:*                     allow  selected     0000000001.000005.0

     

    > show services unified-access-control counters                   
    node0:
    --------------------------------------------------------------------------

     

     

    (The counters command shows nothing.)

     

    Should I use source-identity in the security policy?

tgatewood
Contributor (11)
Oct 19, 2014 7:50am
With 12.1 you can get rid of the permit application-services line and use source-identity with normal SRX policies. I personally don't like the resource access policies that load from the UAC to the SRX.
    arslan.nawaz@iacgrp.com
    Contributor (11)
    Oct 19, 2014 10:18pm

    Since we use a captive portal in the SRX UAC policy, if I don't use application-services in the security policies, then how can I redirect users to the UAC (captive portal)?

     

    Second, I can't understand the behavior of the security policy. If I use source-identity with unauthenticated-user and application-services uac-policy, the policy is bypassed (not matched even though the user is still unauthenticated), and if I do not use source-identity with application-services uac-policy, the policy is matched but it does not allow the user's traffic...

     

     

tgatewood
Contributor (11)
Oct 21, 2014 3:37am
You can still use the line for the captive portal to force unauthenticated users to the portal, but I wouldn't use application-services uac-policy to push resource access policies from the UAC.
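As an added illustration of the two suggestions above (keep the captive-portal redirect for unauthenticated hosts, but match the UAC role as a source-identity in ordinary SRX policies instead of pulling resource access policies from the MAG), here is a Junos 12.1-style policy set built around the names already in this thread (zones Wifi/Internet, address Arslan-1.12, controller MAG-UAC, role Corporate-Wifi). It is example configuration written for this page, not either poster's running config. The captive-portal object name uac-cp, the policy names and the redirect URL are assumptions; the %...% tokens in the redirect URL are the placeholders the SRX substitutes at redirect time. The ## lines are explanatory comments and are not part of the set commands.

```junos
## Added example configuration, not the thread's own config. Names marked
## ASSUMED are illustrative; adjust them to your deployment.

## Infranet controller, as in the poster's config (default port 11123).
set services unified-access-control infranet-controller MAG-UAC address 10.50.50.100
set services unified-access-control infranet-controller MAG-UAC interface reth1.50
set services unified-access-control infranet-controller MAG-UAC password uac@mag

## Captive-portal object (name uac-cp is ASSUMED). "redirect-traffic unauthenticated"
## sends only hosts with no auth-table entry to the MAG; the %...% tokens are
## filled in by the SRX so the MAG can send the user back to the original target.
set services unified-access-control captive-portal uac-cp redirect-traffic unauthenticated
set services unified-access-control captive-portal uac-cp redirect-url "https://10.50.50.100/?target=%dest-url%&enforcer=%enforcer-id%&policy=%policy-id%"

## 1) Hosts not yet authenticated: allow HTTP only and push it to the portal.
##    "unauthenticated-user" is the reserved source-identity keyword for this case.
set security policies from-zone Wifi to-zone Internet policy uac-redirect match source-address Arslan-1.12
set security policies from-zone Wifi to-zone Internet policy uac-redirect match destination-address any
set security policies from-zone Wifi to-zone Internet policy uac-redirect match application junos-http
set security policies from-zone Wifi to-zone Internet policy uac-redirect match source-identity unauthenticated-user
set security policies from-zone Wifi to-zone Internet policy uac-redirect then permit application-services uac-policy captive-portal uac-cp

## 2) Hosts whose auth-table entry carries the Corporate-Wifi role: plain permit.
##    No uac-policy here, so nothing depends on the MAG's resource access policies.
set security policies from-zone Wifi to-zone Internet policy corp-wifi match source-address Arslan-1.12
set security policies from-zone Wifi to-zone Internet policy corp-wifi match destination-address any
set security policies from-zone Wifi to-zone Internet policy corp-wifi match application any
set security policies from-zone Wifi to-zone Internet policy corp-wifi match source-identity Corporate-Wifi
set security policies from-zone Wifi to-zone Internet policy corp-wifi then permit
set security policies from-zone Wifi to-zone Internet policy corp-wifi then log session-init

## 3) Anything else from that host is denied and logged, so a role mismatch
##    (e.g. the user landed in Remediate-User) is visible instead of silently
##    falling through to some later, broader policy.
set security policies from-zone Wifi to-zone Internet policy wifi-deny match source-address Arslan-1.12
set security policies from-zone Wifi to-zone Internet policy wifi-deny match destination-address any
set security policies from-zone Wifi to-zone Internet policy wifi-deny match application any
set security policies from-zone Wifi to-zone Internet policy wifi-deny then deny
set security policies from-zone Wifi to-zone Internet policy wifi-deny then log session-init

## Policies are evaluated top-down, so make sure the redirect sits first.
insert security policies from-zone Wifi to-zone Internet policy uac-redirect before policy corp-wifi
insert security policies from-zone Wifi to-zone Internet policy corp-wifi before policy wifi-deny
```

After the commit, check that the source-identity the SRX has learned actually matches the role name used in the policy: `show services unified-access-control authentication-table` lists each authenticated host with its roles, and `show security policies policy-name corp-wifi detail` shows the source-identity the policy is matching on. If a host shows up in the auth table but keeps hitting wifi-deny, the role string (including case) differs from what the policy expects, which is the kind of mismatch that is invisible when the resource access policies are pushed from the MAG instead.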
    tgatewood
    Contributor (11)
    Oct 31, 2014 11:28am
    Are you still having this problem? It seems to be happening to our firewall again...