IF-MAP FEDERATION WITH JUNIPER NETWORKS UNIFIED ACCESS CONTROL

Transcription

1 IF-MAP FEDERATION WITH JUNIPER NETWORKS UNIFIED ACCESS CONTROL An illustrated Guide to Configuring a Simple IF-MAP Federated Network Juniper Networks, Inc. 1

2 Table of Contents Introduction...3 Scope...3 Design Considerations...3 Protocol Operation...3 Summary...10 About Juniper Networks...10 Table of Figures Figure 1: Basic setup...3 Figure 2: Connectivity...4 Figure 3: Collaboration Figure 4: Collaboration Figure 5: User roles...5 Figure 6: Role mapping rule on IC Series Figure 7: Assigning resources...6 Figure 8: Creating resource access policies...6 Figure 9: Resource access policy on IC Series Figure 10: Matching requirements with resources...7 Figure 11: Session-Export policy on IC Series Figure 12: Session-Import policy on IC Series Figure 13: User successfully accesses resources...9 Figure 14: IF-MAP Federation information in the Unified Access Control Administration Guide Copyright 2009, Juniper Networks, Inc.

3 Introduction Scope This document is intended to provide a visual overview for configuring a simple IF-MAP Federated network. The example procedure in this document is the next step after configuring the most basic IF-MAP Federated network as outlined in the Unified Access Control Administration Guide. Using this example will give you a better understanding of the way IF-MAP Federation on the Juniper Networks IC Series Unified Access Control Appliances (or Juniper Networks SA Series SSL VPN Appliances) works. In this example, a user (Bthomas) authenticates to an IC Series UAC Appliance in one division of the company and is permitted to access resources on a different IC Series without authenticating to the second IC Series appliance. This example demonstrates how to set up simple Session-Import and Session-Export policies. You can use this example to extrapolate configuration details for more complex IF-MAP Federation scenarios. Design Considerations Protocol Operation With IF-MAP Federation, you can extend your network and provide the optimal user experience by allowing users to authenticate once for access to resources that reside behind multiple IC Series appliances. For further details of the IF-MAP protocol, refer to TNC IF-MAP Binding for SOAP at computinggroup.com. IC Series 1 IF-MAP Federation Client IC Series 3 IF-MAP Federation Client IC Series 2 IF-MAP Federation Server Figure 1: Basic setup In this example, protected resources reside behind IC Series 3, and users authenticate through IC Series 1. IC Series 2 is a dedicated IF-MAP Federation server. Copyright 2009, Juniper Networks, Inc. 3

4 IC Series 1 IF-MAP Federation Client IC Series 3 IF-MAP Federation Client IC Series 2 IF-MAP Federation Server Figure 2: Connectivity Before beginning with this sample deployment, ensure that the IF-MAP Federation server can communicate with the IF-MAP Federation clients. See the Unified Access Control Administrator Guide for details on setting up the client and server to communicate. IC Series 1 Administrator IC Series 3 Administrator Figure 3: Collaboration 1 Administrators for IC Series 1 and IC Series 3 collaborate to determine what resources on IC Series 3 should be accessible. 4 Copyright 2009, Juniper Networks, Inc.

5 IC Series 1 Administrator IC Series 3 Administrator Figure 4: Collaboration 2 Administrators for IC Series 1 and IC Series 3 determine which users on IC Series 1 should be allowed to access what resources on IC Series 3. This planning is critical for configuring Session-Export and Session-Import polices on the devices. User roles, resource access policies, and Session-Export/Import policies must be coordinated between the administrators and then configured on the respective devices. Engineer Role Finance Role ith, Pstewart,... HR Role kn, Phoward,... Bthomas, Lwilson, Gmadison,... Figure 5: User roles We recommend that you devise a worksheet to properly allocate resources and the users who can access them. In this example, administrators group users on IC Series 1 into appropriate roles through role mapping rules. Copyright 2009, Juniper Networks, Inc. 5

6 Figure 6: Role mapping rule on IC Series 1 In this example, users (including Bthomas) are assigned the HR role through a role mapping rule. Human Resources Server Finance Server Engineering Server Mapping Role Coder Role Employee Role Figure 7: Assigning resources The administrators assign specific resources to separate network addresses on IC Series 3. Next, the administrators create roles that can be used in resource access policies that can be provisioned with permission to access these resources. 6 Copyright 2009, Juniper Networks, Inc.

7 Human Resources server IP Address IC Series 3 Figure 8: Creating resource access policies On IC Series 3, administrators create the resource access polices. For this example, administrators create a resource access policy named Personnel with IP address (the Human Resources server) specified as the resource, and the policy is applied to the Employee role. The policy is shown on the following page. Figure 9: Resource access policy on IC Series 3 In this resource access policy, the Human Resource server ( ) is added as a resource, and the Employee role is permitted access. Copyright 2009, Juniper Networks, Inc. 7

8 Members of the HR role on IC Series 1... Session-Export Policy IF-MAP Federation Server... need to access the Human Resources server that is protected by an Enforcer connected to IC Series 3 Session-Import Policy Figure 10: Matching requirements with resources Administrators configure an IF-MAP Session-Export policy on IC Series 1. The policy is called Employee-Business. The policy is applied to the HR role, with the page defaults preserved for the other values on the page. Then, administrators configure a Session-Import policy on IC Series 3. The policy is called Employment. The Match IF-MAP Capabilities check box is selected, and HR is entered. The Use these roles check box is selected, and the Employee role is selected. In this scenario, all of the sessions for users who are authenticated that belong to the HR role on IC Series 1 are published to the IF-MAP Federation server as capabilities (similar to roles). User Bthomas belongs to the HR role, therefore when Bthomas logs in to IC Series 1; his session information is published to the IF-MAP Federation Server. The session information is linked with the capability HR. User Bthomas attempts to access the HR server on IC Series 3. The Session-Export policy for IC Series 1 and the Session-Import policy for IC Series 2 are shown in Figure 11 and Figure Copyright 2009, Juniper Networks, Inc.

9 Figure 11: Session-Export policy on IC Series 1 In this Session-Export policy on IC Series 1, the administrator sets IF-MAP capabilities to copy the HR role as a capability on the IF-MAP server. Copyright 2009, Juniper Networks, Inc. 9

10 Figure 12: Session-Import policy on IC Series 3 In this Session-Import policy, the administrator configures a policy that allows sessions associated with the HR capability on the IF-MAP server to be assigned to the Employee role on IC Series Copyright 2009, Juniper Networks, Inc.

11 Figure 13: User successfully accesses resources 1. User Bthomas authenticates through IC Series IC Series 1 sends Bthomas session information to the IF-MAP Federation Server database. 3. Bthomas attempts to access the Human Resources server that is behind the firewall. IC Series 3 queries the IF-MAP Federation Server to see if there is session information for Bthomas. 4. Bthomas is a member of the HR role on IC Series 1. The Session-Import policy uses this information to assign the Employee role to Bthomas. The Employee role on IC Series 3 can access the Human Resources server. To more fully understand IF-MAP Federation.. Read the IF-MAP Federation documentation in the Unified Access Control Administration Guide Figure 14: IF-MAP Federation information in the Unified Access Control Administration Guide Summary This is a basic guide to configuring IF-MAP Federation with the Unified Access Control solution. Further reading is recommended to fully understand the protocol and the implementation with UAC. An understanding of concepts and configuration of basic UAC networking is assumed. Copyright 2009, Juniper Networks, Inc. 11

12 About Juniper Networks Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at Corporate and Sales Headquarters Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA Phone: 888.JUNIPER ( ) or Fax: APAC Headquarters Juniper Networks (Hong Kong) 26/F, Cityplaza One 1111 King s Road Taikoo Shing, Hong Kong Phone: Fax: To purchase Juniper Networks solutions, please contact your Juniper Networks representative at or authorized reseller. EMEA Headquarters Juniper Networks Ireland Airside Business Park Swords, County Dublin, Ireland Phone: Fax: Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice EN Apr 2009 Printed on recycled paper. 12