UAC Policies on SRX not Functional After Junos Software Upgrade
Contributor (11)
Oct 18, 2014 9:45am




I have an urgent query. I was using UAC 5.0 on MAG and SRX 1400 in Chassis cluster with Junos 10.4 as the L3 enforcer. 


The solution was deployed successfully and everything was working fine until I recently upgraded my SRX 1400 Junos software from version 10.4 to 12.1. After the Junos software upgrade, all the UAC policies configured on the SRX 1400 are not working. The device is connected to UAC properly and users are shown in the auth table of the SRX device...


Any help



Contributor (11)
Oct 18, 2014 2:25pm
I recently saw the same thing, did you go to 12.1x44d40? I removed all the config under services unified-access-control, committed, then pasted the same lines back in and did another commit.
    Contributor (11)
    Oct 18, 2014 11:33pm


    Yes, I upgraded the Junos software to 12.1x44d40. I removed all the unified-access-control configuration on the SRX, then committed and reconfigured the UAC settings, but still no luck.


    Here is the UAC configuration on the SRX:


    set services unified-access-control infranet-controller MAG-UAC address
    set services unified-access-control infranet-controller MAG-UAC interface reth1.50
    set services unified-access-control infranet-controller MAG-UAC password uac@mag


    set security policies from-zone Wifi to-zone Internet policy test-uac match source-address Arslan-1.12
    set security policies from-zone Wifi to-zone Internet policy test-uac match destination-address any
    set security policies from-zone Wifi to-zone Internet policy test-uac match application any
    set security policies from-zone Wifi to-zone Internet policy test-uac then permit application-services uac-policy
    set security policies from-zone Wifi to-zone Internet policy test-uac then log session-init



    Following is the output of a few show commands.


    > show services unified-access-control status                                                           
    Host           Address         Port   Interface     State
    MAG-UAC   11123  reth1.50     connected


    > show services unified-access-control roles     
    Name                 Identifier
    Trust-User           0000000001.000005.0
    Remediate-User       1396270434.123514.0
    Trust-Agentless      1395391788.690864.0
    GUAM                 1395991600.414804.0
    Guest-Users          1395992372.36996.0
    Corporate-Wifi       1395994939.110403.0


    > show services unified-access-control policies
    Id    Resource                Action Apply        Role identifier
    1*          allow  selected     1396270434.123514.0
    2     *:*                     allow  selected     0000000001.000005.0


    > show services unified-access-control counters                   



    (Counter command showing nothing...............)


    Should I use source-identity in the security policy?

Contributor (11)
Oct 19, 2014 7:50am
With 12.1 you can get rid of the permit application services line and use source-identity with normal SRX policies. I personally don't like the resource access policies that load from the UAC to SRX.
    Contributor (11)
    Oct 19, 2014 10:18pm

    Since we use the captive portal in the SRX UAC policy, if I don't use application-services in the security policies, then how can I redirect the users towards the UAC (captive portal)?


    Second, I can't understand the behavior of the security policy. If I use source-identity with unauthenticated user and uac-policy with application-services, the policy is bypassed (not matched even though the user is still unauthenticated), and if I do not use source-identity with application-services uac-policy, the policy is matched but the policy does not allow the user traffic...



Contributor (11)
Oct 21, 2014 3:37am
You can still use the line for captive portal to force the unauthenticated users to the portal, but I wouldn't use the application services uac-policy to push resource access policies from uac.
    Contributor (11)
    Oct 31, 2014 11:28am
    Are you still having this problem? It seems to be happening to our firewall again...
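
The policy layout suggested in the Oct 19 and Oct 21 replies (source-identity with normal SRX policies, keeping the uac-policy line only for the captive portal), written out as an added example that is not from any poster in this thread and is not confirmed by the thread to resolve the problem. The captive portal name CP-WIFI and the two policy names are hypothetical; the zones and the Trust-User role are taken from the configuration and output posted above.

```junos
# Added example (not from the thread). CP-WIFI, allow-trust-user and
# portal-unauth are hypothetical names chosen for illustration.

# Captive portal profile: only traffic from users with no auth table
# entry is redirected to the Infranet Controller.
set services unified-access-control captive-portal CP-WIFI redirect-traffic unauthenticated

# 1. Users the UAC has placed in the Trust-User role are matched by an
#    ordinary policy. No "application-services uac-policy" here, so no
#    resource access policies pushed from the UAC are evaluated.
set security policies from-zone Wifi to-zone Internet policy allow-trust-user match source-address any
set security policies from-zone Wifi to-zone Internet policy allow-trust-user match destination-address any
set security policies from-zone Wifi to-zone Internet policy allow-trust-user match application any
set security policies from-zone Wifi to-zone Internet policy allow-trust-user match source-identity Trust-User
set security policies from-zone Wifi to-zone Internet policy allow-trust-user then permit
set security policies from-zone Wifi to-zone Internet policy allow-trust-user then log session-init

# 2. Users with no auth table entry match on the built-in
#    unauthenticated-user identity and are sent to the captive portal.
#    This is the only policy that keeps the uac-policy line.
set security policies from-zone Wifi to-zone Internet policy portal-unauth match source-address any
set security policies from-zone Wifi to-zone Internet policy portal-unauth match destination-address any
set security policies from-zone Wifi to-zone Internet policy portal-unauth match application any
set security policies from-zone Wifi to-zone Internet policy portal-unauth match source-identity unauthenticated-user
set security policies from-zone Wifi to-zone Internet policy portal-unauth then permit application-services uac-policy captive-portal CP-WIFI
set security policies from-zone Wifi to-zone Internet policy portal-unauth then log session-init
```

With this split, the session log shows which of the two policies a flow matched, which separates a role-matching problem from a captive portal redirect problem.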