Beacon Integration Note: Juniper Junos Pulse ACS

Revision 2014-06-18
Copyright © 2004-2014 by Great Bay Software Inc. - Portsmouth, New Hampshire 03801, USA - All Rights Reserved
This document is protected under the copyright laws of the United States and other countries as an unpublished work. This
document contains information that is proprietary and confidential to Great Bay Software or its technical alliance partners,
which shall not be disclosed outside or duplicated, used or disclosed in whole or in part for any purpose other than to evaluate
Great Bay Software Inc. solutions. Any use or disclosure in whole or in part without the express written permission of Great Bay
Software Inc. is prohibited.
All trademarks are property of respective owners.
Great Bay Software
Step #1: Verify the Required Licensing on Junos Pulse ACS
Navigate to Configuration -> Licensing.
Junos Pulse ACS performing MAC authentication with Beacon via LDAP must have at least one
available endpoint license. For example, the Junos Pulse ACS shown in the screen shot is licensed to
authenticate 3000 simultaneous endpoints. As long as no more than 2999 802.1X endpoints were
authenticated by this Junos Pulse ACS, it would be capable of providing MAC authentication for
non-802.1X capable endpoints.
Step #2: Verify Authentication Protocol Sets
Navigate to Authentication -> Signing In -> Authentication Protocol Sets.
Verify that the Authentication Protocol Set for 802.1X includes the PAP protocol. By default, the
“802.1X” and “802.1X-Phones” Authentication Protocol Sets are defined by the system, as shown in
the next screen shot.
In order for Junos Pulse ACS to successfully complete MAC Authentication, the PAP Authentication
Protocol must be added to the 802.1X Authentication Protocol Set.
Junos Pulse ACS Integration with Beacon – 2014-06-18
Page 2 of 13
Click on the 802.1X link to display the page shown in the next screen shot. Select PAP from the
Available Protocols drop-down, select the “Add ->” button, then use the arrows to move PAP so
that it is first on the Selected Protocols list:
Save the changes and verify that PAP has been added to the 802.1X Authentication Protocol Set,
so that MAC authentication is enabled on Junos Pulse ACS:
Step #3: Add Required Authentication Servers for Beacon
Navigate to Authentication -> Auth. Servers.
To enable the integration with Beacon, two authentication servers for Beacon must be added to the
Junos Pulse ACS configuration: one of type LDAP and one of type MAC Address Authentication.
Step #3.a: Add LDAP Server
Select LDAP Server from the New: drop-down, then press the “New Server” button as shown in the
next screen shot.
When adding the LDAP Server for Beacon, it is essential that the settings shown in the following
screen shot are followed exactly, in particular the required credentials for binding to the Beacon
LDAP server and the filters for finding user entries and determining group membership.
Note: The Beacon LDAP server will not accept anonymous binds. By default, the LDAP bind password
on a Beacon system is (case sensitive): GBSbeacon. Instructions for changing the LDAP bind
password on a Beacon All-in-one/Server Only system can be found in the Configuration Guide.
The filter for finding user (endpoint) entries in the Beacon LDAP directory is as follows:
(&(objectClass=ieee802Device)(macAddress=<USER>))
Section: Determining Group Membership
Note: In most cases this section should be left blank. As of Beacon release 3.2.0 it is not relevant
to integration with Beacon (for Beacon-profiled endpoints, group membership is stored as an
attribute of the endpoint entry, as outlined later in this document). For the related product SGA it
is also recommended that this section be left blank (the preferred methodology with SGA is
described in the "Optional" section at the end of this document).
Caution: The "legacy configuration" (shown below) is sometimes put in place to allow the "Server
Catalog" to be queried for the purpose of testing communication with Beacon (i.e. listing the
LDAP groups defined in Beacon). This use is valid; however, take care that group-membership-based
role mapping rules are NOT created (use ONLY user-attribute-based rules, as directed in this
document, Step #5.b). Failing to follow this advice will result in slower MAC authentication
operations and adversely affect the performance of both systems.
Legacy Configuration
The filter for determining group membership may be entered as follows:
(&(objectClass=groupOfUniqueNames)(cn=<GROUPNAME>))
Save Auth Server Configuration
See the screen shot below for an example of a completed auth server configuration. Click "Save". The
Auth Server Configuration screen will reappear with the message "Saved changes successfully."
Note: with some versions of Junos Pulse ACS this message may be preceded by the message
"Unable to connect to LDAP server hapair.lab.bspruce.com". This message may be ignored.
Step #3.b: Test LDAP Connectivity
After adding the LDAP Server for Beacon as outlined in the last step, LDAP connectivity between
Junos Pulse ACS and the Beacon system can be verified. Use the Server Catalog hyperlink (in the
Determine group membership section) to force Junos Pulse ACS to connect to Beacon via LDAP and
browse the Beacon directory from the Junos Pulse ACS UI, as shown in the following screen shots.
Select the “Search” button; Junos Pulse ACS will then attempt to set up an authenticated LDAP
connection with Beacon. If authentication is successful, a blank search screen is returned (the
search screen itself is not relevant). Click “Back”, then “Ok”, to dismiss the Server Catalog pop-up
window.
If authentication was not successful, an error message will be displayed similar to the one shown
in the screen shot below:
Step #3.c: Add MAC Address Authentication Server for Beacon System
Now add an Authentication Server of type MAC Address Authentication to the Junos Pulse ACS
configuration.
Associate the LDAP Server created in the last step with the MAC Address Authentication Server as
shown in the next screen shot.
Select Beacon LDAP server (named “BeaconMAB” in the example) from the Available LDAP Servers
list and select the “Add ->” button to associate the Beacon LDAP server with the MAC Address
Authentication Server just created.
Step #4: Create a User Role for use in the MAC Address Realm
Step #4.a: Create a New Role for endpoints MAC-authenticated via Beacon, and give it a name and description
Navigate to Users -> User Roles and click “New Role...”.
Step #4.b: On Agent tab, ensure “Install Agent for this role” is deselected
Step #4.c: On Agentless tab, ensure “Enable Agentless Access for this role” is selected
Step #5: Add MAC Address Realm / Role Mapping Rule(s)
Step #5.a: Create MAC Authentication Realm
Navigate to UAC -> MAC Address Realms and click “New…”.
Provide a name and description for the New Authentication Realm as illustrated below.
The key part of this aspect of the configuration is tying the Beacon Authentication and LDAP
servers together when creating the MAC Address Realm. Note that the Directory/Attribute server
defaults to “same as above.” If this is not changed to the LDAP Server added earlier in the
configuration, the integration will fail.
Upon saving the new Realm, the UI changes to allow the creation of role mapping rules.
Step #5.b: Add Role-Mapping Rule
Create a new Role Mapping rule using the Role created in the previous step: select the
“New Rule…” button, which displays the form shown in the next screen shot. The Role Mapping rule
allows the endpoints in the selected Beacon Profiles to be authenticated and assigned the
appropriate role based on their memberOfGroup attribute.
Use the "Rule based on:" drop-down to select "User attribute" and click “Update”.
Give the Role Mapping Rule a name such as Beacon-profiled endpoint.
In the Attribute selector, use the drop-down to select memberOfGroup as shown below, with the ‘is’
logical operator (to indicate that members of the selected profile(s) will be assigned the role).
Multiple values may be listed in the right-side textbox, one per line ("OR" logic is implied). Each
value must be of one of these forms:
Exact match: cn=profile-name,*
Begins-with match: cn=profile-name-start*
Ends-with match: cn=*profile-name-ending,*
Arbitrary wildcard usage: cn=PATTERN,*
Examples:
cn=Polycom IP Phone,*
cn=Cisco *Phone,*
cn=*Jetdirect*
Note: if memberOfGroup does not appear in the drop-down list of attributes then click
"Attributes…". The pop-up Server-Catalog window will let you define the attribute. Type
"memberOfGroup" in the "Attribute:" text box (to the right) and click "< Add Attribute". Next, click
“Ok” to dismiss the Server-Catalog pop-up. On the Role Mapping Rule screen you will now be able
to select the newly-added attribute.
Step #6: Network Access Configuration: RADIUS Location Group and RADIUS Client
Configure a Location Group, specifying use of the MAC Address Authentication Realm created in the
previous step.
Add RADIUS client(s) for the switches that will connect endpoints authenticated via MAB. Only the
IP address(es) of the switch and the RADIUS shared secret are needed.
Verify the results of MAB attempts in the Junos Pulse ACS logs as endpoints discovered/profiled by
Beacon into LDAP-enabled profiles attempt to join the network on 802.1X-enabled ports.
Optional: Enabling MAC Authentication for SGA-provisioned devices
If SGA is being used for creating device sponsorships by MAC, an additional Role Mapping rule needs
to be present in the MAC Address Realm created in Step #5.a above.
Repeat the process described in Step #5.b to add a new Role Mapping rule to the "BeaconMAB"
MAC Address Realm, with these differences:
1. Match against attribute "l" (add this attribute via the "Attributes…" pop-up if not present)
2. Create rule with this logic: l is "GreatBay SGA"
Note: 'l' above is short for "localityName"
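As an added illustration (not code from this note, from Great Bay Software or from Juniper), the following Python model builds the Step #3.a user-lookup filter for a given MAC address and then evaluates the Step #5.b memberOfGroup rule and the Optional-section rule (l is "GreatBay SGA") against constructed endpoint entries. The DN suffix, MAC address format, case-insensitive matching and RFC 4515 filter escaping are assumptions; the note does not state how Junos Pulse ACS implements any of them.

```python
import re

# Step #3.a user filter from the note; <USER> is replaced with the endpoint MAC.
USER_FILTER = "(&(objectClass=ieee802Device)(macAddress=<USER>))"

def escape_filter_value(value):
    # RFC 4515 escaping of a value placed inside an LDAP filter (assumption:
    # the note does not say how Junos Pulse ACS builds the filter).
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_user_filter(mac):
    return USER_FILTER.replace("<USER>", escape_filter_value(mac))

def value_matches(value, pattern):
    # '*' is the only wildcard and matches any run of characters, commas in a
    # DN included; case-insensitive comparison is an assumption.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def rule_matches(entry, attribute, patterns):
    # An 'is' rule: true if any value of the attribute matches any listed
    # pattern (one per line in the ACS textbox, OR logic implied).
    return any(value_matches(v, p) for v in entry.get(attribute, []) for p in patterns)

def map_roles(entry, rules):
    # Roles whose rule matches the entry, in rule order.
    return [role for role, attr, pats in rules if rule_matches(entry, attr, pats)]

# Constructed sample endpoint entries; DN suffix and MAC format are made up.
DIRECTORY = {
    "00:11:22:33:44:55": {"memberOfGroup": ["cn=Cisco IP Phone,ou=Profiles,dc=beacon,dc=example"]},
    "00:11:22:33:44:66": {"memberOfGroup": ["cn=HP Jetdirect Printer,ou=Profiles,dc=beacon,dc=example"]},
    "00:11:22:33:44:77": {"l": ["GreatBay SGA"]},
    "00:11:22:33:44:88": {"memberOfGroup": ["cn=Unknown Device,ou=Profiles,dc=beacon,dc=example"]},
}

# Step #5.b rule on memberOfGroup and the Optional-section rule l is "GreatBay SGA".
RULES = [
    ("Beacon-profiled endpoint", "memberOfGroup",
     ["cn=Polycom IP Phone,*", "cn=Cisco *Phone,*", "cn=*Jetdirect*"]),
    ("SGA-provisioned endpoint", "l", ["GreatBay SGA"]),
]

def roles_for_mac(mac):
    # Look up the endpoint by MAC (the <USER> value) and apply the realm's rules.
    entry = DIRECTORY.get(mac.lower())
    return map_roles(entry, RULES) if entry is not None else []
```

An endpoint whose memberOfGroup value matches none of the listed patterns and that carries no l attribute receives no role, which is the outcome to look for in the Junos Pulse ACS logs when a MAB attempt is rejected.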