Machine Authentication Using Certificates

Application Note

Machine Authentication Using Certificates
A Step-by-Step Guide to Machine Authentication with Digital Certificates Using Juniper Networks Unified Access Control (UAC) in Conjunction with Odyssey Access Client Enterprise Edition

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089 USA
408.745.2000
1.888 JUNIPER
www.juniper.net

Part Number: 350115-001
Nov 2007

Table of Contents

Introduction
Scope
Design Considerations
Microsoft Windows CA Configuration
Infranet Controller Configuration
Request and Install Workstation Authentication Certificate
Odyssey Access Client Configuration
Confirm Proper Operation
Simultaneous Machine Authentication and User Authentication
Summary
About Juniper Networks

Copyright 2007, Juniper Networks, Inc.

Introduction

What happens in an 802.1X environment when there is no user around to sign into a PC and authenticate it onto the network? What happens if routine system maintenance such as automated backups, software updates and patches needs to be performed at night when everyone has gone home and logged out of their machines? The answer is absolutely nothing. With 802.1X, unless proper authentication can be performed, the machine won't be able to get onto the network.

This is where machine authentication comes in. It permits an unattended machine to authenticate onto the network through the normal 802.1X authentication mechanisms. There are a couple of different forms of machine authentication, one involving machine credentials similar to a username and password, and another using machine certificates. This application note focuses specifically on machine certificates: how to generate them, how to configure the Juniper Networks Infranet Controller to accept them, and how to configure Juniper Networks Odyssey Access Client to use them.

Scope

This application note describes how to configure the Windows Certification Authority, the Infranet Controller and the Odyssey Access Client to provide machine authentication using digital certificates.

Design Considerations

Hardware Requirements
  Infranet Controller models IC4000 or IC6000
  Windows (2000/XP/Vista) PC
  Network switch configured for 802.1X authentication

Software Requirements
  Infranet Controller version 2.1R1 or greater
  Odyssey Access Client v4.7 or greater
  Windows 2003 Enterprise Certification Authority

Description and Deployment Scenario

In order to use machine certificates to perform machine authentication, you need to complete several configuration steps, starting with the generation of the proper machine certificate on the Microsoft Windows 2003 Enterprise Certification Authority (CA). After this step is completed, you need to configure the Infranet Controller (IC) for layer 2 access control and certificate authentication. In a final step, you will configure the Odyssey Access Client Enterprise Edition (OAC-EE) for machine authentication using certificates.

Microsoft Windows CA Configuration

In order to have the Windows CA issue proper machine certificates, you will first have to make a modification to the Workstation Authentication template or, alternatively, you can use a workaround in the Infranet Controller configuration. This template change or the IC workaround is necessitated by the fact that the default Workstation Authentication certificate template used on the Windows CA does not contain a Subject field. This missing Subject field causes authentication to fail on the IC without some changes. The following procedure describes how to modify the default Workstation Authentication certificate template on the Windows CA. The workaround on the IC configuration is described later in this note.

On the Windows CA, sign in as a Domain Administrator and launch the Microsoft Management Console by clicking Start > Run, enter mmc in the Run box and click OK.

Figure 1: Start > Run Dialog

Within the MMC, select Add/Remove Snap-in from the File menu.

Figure 2: Launch Add/Remove Snap-in

Click the Add button. Select the Certificate Templates snap-in and click Add. Then select the Certification Authority snap-in and click Add. After adding both snap-ins, click Close to close the Add Standalone Snap-in window and then click OK to finish.

Figure 3: Add Snap-ins

In the Certificate Templates snap-in, right-click on the Workstation Authentication template and select Duplicate Template from the contextual menu.

Figure 4: Create Duplicate Certificate Template

When the Properties of New Template dialog appears, enter a new name for the Template Display Name on the General tab.

Figure 5: Modify Template Name

On the Subject Name tab, select either Common Name or Fully distinguished name from the Subject name format pull-down menu. Click OK when done.

Figure 6: Define Subject Name Format

The new certificate template should now appear in the list of templates.

Figure 7: New Certificate Templates List

In order to make this new template available to users, you must issue the template within the certificate authority. Click on the plus sign next to the Certification Authority snap-in, then on the plus sign next to your certificate authority. Finally, right-click on the Certificate Templates folder and select New > Certificate Template to Issue from the contextual menu.

Figure 8: Issue New Certificate Template

Select the Workstation Authentication template that you just created and click OK.

Figure 9: Select Certificate Template to Issue

That completes the modifications to the Windows CA. Your workstations can now request a machine certificate that includes a Subject Name and will function properly with the Infranet Controller.

Figure 10: Available Certificate Templates

Infranet Controller Configuration

The first step in the IC configuration is to create a Certificate Authentication server. Go to Authentication > Auth Servers, select Certificate Server from the pull-down menu and click New Server. Supply a Name for the server instance.

If you have made the modifications to the Windows CA as described above, leave the User Name Template at its default value. If you chose not to make those modifications, you will need to modify the User Name Template in the auth server configuration: instead of <certdn.cn>, use <certattr.altname.dns>. The User Name Template is used by the IC to extract from the certificate the data that will be used to form the username. Using the default User Name Template in conjunction with the default Certificate Template on the Windows CA will result in a non-existent username (since the Subject field in the certificate is blank).

Figure 11: Certificate Authentication Server

Create a new role for the authenticated machine. Go to Users > User Roles and click on New Role. You can, of course, use any existing role, including those used for users. For this role you should require the Agent, but don't permit Agentless. You also shouldn't require any Host Checking for this role.

Figure 12: Machine Authentication Role

Create a new realm to handle machine certificate authentication. Go to Users > User Realms and click on New Realm. Select the server you created above for the Authentication Server and create a role mapping rule that maps all users to the role you just created.

Figure 13: Machine Authentication Realm

Go to Authentication > Signing In > Sign-in Policies and click New URL to define a new sign-in policy. Alternatively, you can use the default sign-in policy */. In the example below, the sign-in policy is */machinecert. Assign the realm created above to the sign-in policy.

Figure 14: Machine Authentication Sign-in Policy

Create a Location Group (or use an existing one) and assign the Sign-in Policy you just created to the Location Group.

Figure 15: Location Group Using Machine Authentication Sign-in Policy

Define a RADIUS Client and assign the Location Group that you created above. The configuration is in UAC > Network Access > RADIUS Client.

Figure 16: RADIUS Client Configuration

This completes the chain of configuration within the IC from switch or access point to role assignment. For example:

  (1) a RADIUS request is received from a RADIUS Client;
  (2) the RADIUS Client determines the Location Group;
  (3) the Location Group determines the Sign-in Policy (URL);
  (4) the Sign-in Policy determines the Realm;
  (5) the Realm determines the Authentication Server and, if authenticated, the Roles.

As an option, you can define a RADIUS Attributes policy to perform VLAN assignment for those machines that successfully authenticate. For instance, machines that authenticate could be placed into a System Update VLAN so that software upgrades and patches can be pushed to the machine even when no user is logged in. Go to UAC > Network Access > RADIUS Attributes.

Request and Install Workstation Authentication Certificate

In order to make any of this work, you need a machine certificate of the proper type installed on the PC that needs access. In order to get the certificate, you need to open the Certificates MMC snap-in on the PC (not on the Windows CA as you did earlier). Go to Start > Run and enter mmc in the Run dialog box. Within the MMC, select Add/Remove Snap-in from the File menu. Click the Add button. Select the Certificates snap-in and click Add.

Figure 17: Add Certificates Snap-in

Select Computer Account for the certificate type to manage and then click Next>. Choose Local Computer for the computer you want to manage and click Finish. After adding the snap-in, click Close to close the Add Standalone Snap-in window and then click OK to finish.

Figure 18: Complete Adding Certificate Snap-in

You now need to request the machine certificate. In the Certificates MMC, go to Personal > Certificates, right-click and select All Tasks > Request New Certificate.

Figure 19: Request New Certificate

NOTE: Should you receive the following error, it typically means that you are not logged into the Windows domain where the CA lives. In order to get the machine certificate, you must have logged onto the Windows domain and been authenticated by a domain controller. You cannot have used cached credentials to log into Windows. This usually means that the PC must be able to reach the domain controller on the network when you log into Windows. You cannot do this operation remotely or in an 802.1X environment without some special provisions.

Figure 20: Certificate Request Error

Complete the Certificate Request Wizard. Click Next>, enter a Friendly Name for your certificate and click Next>, then click Finish. When the certificate request process completes, click OK in the final dialog box.

Figure 21: Completing the Certificate Request
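The enrollment step above can also be scripted, which makes the precondition behind the NOTE explicit: the machine account must be authenticated by a domain controller, not running on cached credentials, or the request fails. The following PowerShell is an added example and is not part of the Juniper application note; it assumes the PKI module (Windows 8 / Server 2012 or later), an elevated prompt, and a template name of your own (the Template name field on the General tab of the duplicated template, which can differ from its display name).

```powershell
# Added example, not part of the Juniper application note: enroll the machine
# certificate from the command line instead of the MMC wizard, after checking
# the precondition the note's error message points at (the PC must be
# authenticated by a domain controller, not running on cached credentials).
# Requires the PKI module (Windows 8 / Server 2012 or later) and an elevated
# prompt. The template name is an assumption: use the Template name (not the
# display name) you gave the duplicated Workstation Authentication template.

$templateName = 'WorkstationAuthWithSubject'   # assumed: your duplicated template's Template name

function Test-DomainReachable {
    # Test-ComputerSecureChannel returns $false when the machine account cannot
    # talk to a domain controller, which is the state that makes enrollment fail.
    try   { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { return $false }
}

function Request-MachineCertificate {
    param([string] $Template)

    if (-not (Test-DomainReachable)) {
        throw 'No secure channel to a domain controller; log on while the PC can reach the domain before enrolling.'
    }

    # Enterprise templates are resolved through Active Directory, and the
    # certificate lands in the Local Computer personal store
    # (Cert:\LocalMachine\My), the store OAC's Machine Account profile browses.
    $result = Get-Certificate -Template $Template -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Stop

    if ($result.Status -ne 'Issued') {
        # 'Pending' means the CA is holding the request for manager approval;
        # 'Denied' usually means the template's Enroll permission excludes this computer.
        throw "Enrollment did not complete: status is $($result.Status)"
    }
    return $result.Certificate
}

$cert = Request-MachineCertificate -Template $templateName
"Issued to : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"Thumbprint: $($cert.Thumbprint)"
"Valid to  : $($cert.NotAfter)"
```

If the secure channel test fails on a machine that is already behind an 802.1X port, that is the situation the NOTE describes: the PC has no network path to a domain controller until it authenticates, so enroll it on an open port or through whatever provisioning path your site uses before relying on machine authentication.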

After completion of the wizard, you should have a new machine certificate shown in the Certificates MMC. You can tell this is a machine certificate in a couple of different ways. First, it's in your personal certificate store for the Local Computer, not the Current User (which is where user certificates would be stored). Second, it's Issued To your machine name, not your username. Finally, its Intended Purpose is only Client Authentication (user certificates will have other purposes such as Secure Email).

Figure 22: Installed Machine Certificate

Odyssey Access Client Configuration

Now it's time to turn to the configuration of Odyssey Access Client. Before you begin, make sure that your version of Odyssey has been licensed as an Enterprise Edition. In the Odyssey Access Client Manager, go to Help > About and look for the words Enterprise Edition. If instead you see the words UAC Edition, you will need to obtain an Enterprise Edition license key.

Figure 23: Verify OAC Version
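The three tells listed above (Local Computer store, Issued To the machine name, Client Authentication as the only purpose) can be checked from the command line, and the same inspection shows why the default template breaks the IC's default User Name Template: the script below derives the username the IC would form under `<certdn.cn>` and under `<certattr.altname.dns>` for every client authentication certificate in the Local Computer personal store. This is an added PowerShell example, not code from the Juniper application note; the function name and the output field names are this example's own, and the SAN parsing relies on the English "DNS Name=" label that Windows uses when formatting the extension.

```powershell
# Added example, not part of the Juniper application note: list the client
# authentication certificates in the Local Computer personal store and show
# which username the Infranet Controller would derive from each one under the
# two User Name Templates discussed in the note. Run in an elevated PowerShell
# on the PC that holds the machine certificate.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication extended key usage
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Get-MachineCertIdentity {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    # <certdn.cn>: the CN attribute of the Subject DN. The default Workstation
    # Authentication template issues a blank Subject, so this comes back empty.
    $cn = ''
    if ($Cert.Subject -match '(?:^|,)\s*CN=([^,]+)') { $cn = $Matches[1].Trim() }

    # <certattr.altname.dns>: the DNS entry of the Subject Alternative Name,
    # which the default template does populate with the machine's FQDN.
    $dns = ''
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if ($san) {
        # Format() yields display text such as "DNS Name=host.example.com";
        # the label is locale dependent, so adjust the pattern on non-English systems.
        if ($san.Format($false) -match 'DNS Name=([^,\s]+)') { $dns = $Matches[1] }
    }

    [pscustomobject]@{
        Thumbprint             = $Cert.Thumbprint
        IssuedTo               = $Cert.GetNameInfo('SimpleName', $false)   # machine name, not a username
        Issuer                 = $Cert.Issuer
        NotAfter               = $Cert.NotAfter
        UsernameFromCertdnCn   = $cn    # what the default <certdn.cn> template yields
        UsernameFromAltnameDns = $dns   # what <certattr.altname.dns> yields
        DefaultTemplateUsable  = [bool]$cn   # blank CN means a non-existent username on the IC
    }
}

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $eku = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $purposes = @()
    if ($eku) { $purposes = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Only certificates usable for client authentication are candidates; a
    # machine certificate from the Workstation Authentication template has
    # Client Authentication as its sole purpose.
    if ($purposes -contains $clientAuthOid) { Get-MachineCertIdentity -Cert $_ }
} | Format-List
```

A certificate that shows an empty UsernameFromCertdnCn but a populated UsernameFromAltnameDns was issued from the unmodified template: either re-enroll it from the duplicated template or switch the IC's User Name Template to `<certattr.altname.dns>` as described in the Infranet Controller Configuration section.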

Open the Odyssey Access Client Administrator by selecting Odyssey Access Client Administrator from the Tools menu.

Figure 24: Opening OAC Administrator

Within the Odyssey Access Client Administrator, double-click on the Connection Settings icon.

Figure 25: Connection Settings

Go to the Machine Account tab and check the box to enable connections using the machine account. Click OK.

Figure 26: Enable Machine Account

Next you need to configure the machine account settings. Double-click on the Machine Account icon.

Figure 27: Machine Account Settings

Open the Configuration section and click Profiles. Click Add to create a new machine account profile.

Figure 28: Add Machine Account Profile

First, supply a Profile Name. Next, check the Use machine credentials box and uncheck the Permit login using password box.

Figure 29: User Info/Password Tab

On the Certificate tab, check the Use machine credentials box. Check the Permit login using my certificate checkbox and select the Use the following certificate radio button. Click the Browse button and select the machine certificate that you added in the previous section.

Figure 30: User Info/Certificate Tab

On the Authentication tab, make sure that EAP-TTLS is the only Authentication Protocol. You can uncheck Validate server certificate if you're using a private CA and this is a testing environment; however, in a production environment you should leave the Validate server certificate box checked. In that case, you must add the CA root certificate into one of the Local Computer's Trusted CA stores, and add the CA to the list of Trusted Servers within the Odyssey Access Client.

Figure 31: Authentication Tab
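Keeping Validate server certificate enabled depends on the private CA's root being in a Local Computer store (the machine account authenticates before any user logs on, so Current User stores are never consulted). The following PowerShell, an added example and not part of the Juniper application note, installs the exported root into Cert:\LocalMachine\Root only after its thumbprint matches a value obtained out of band, then confirms the store contains it; the file path and the expected thumbprint are placeholders you must replace.

```powershell
# Added example, not part of the Juniper application note: install the private
# CA's root certificate into the Local Computer Trusted Root store so that
# "Validate server certificate" can stay enabled, and confirm the store now
# contains it. The file path and the expected thumbprint are placeholders.

$rootCerPath        = 'C:\pki\corp-root-ca.cer'               # assumed: the CA root exported from the Windows CA
$expectedThumbprint = 'REPLACE-WITH-THE-CA-ROOT-THUMBPRINT'   # placeholder: obtain it from the CA administrator, not from the file

# Load the file first so the thumbprint can be checked before anything is trusted.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCerPath
if ($root.Thumbprint -ne $expectedThumbprint.Replace(' ', '').ToUpper()) {
    throw "Thumbprint mismatch for $rootCerPath ($($root.Thumbprint)); refusing to trust it."
}
if ($root.Subject -ne $root.Issuer) {
    throw 'Not a self-signed root; an intermediate belongs in Cert:\LocalMachine\CA instead.'
}

# Import into the Local Computer (not Current User) root store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($root)
$store.Close()

# Confirm the root is now present in the store OAC's machine account will consult.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $installed) { throw 'Import appeared to succeed but the root is not in Cert:\LocalMachine\Root.' }
"Trusted root installed: $($installed.Subject) (expires $($installed.NotAfter))"
```

Adding the root here covers only the chain check; the Trusted Servers list inside the Odyssey Access Client still has to name the CA (or the IC's server certificate name) as the note says, otherwise the client rejects the server even though Windows trusts the chain.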

On the TTLS tab, remove EAP-MS-CHAP-V2 from the Inner Protocol list. Click the Use my certificate and perform inner authentication radio button under Personal certificate usage. This last setting is easy to miss and will render all of your other work useless if you forget it. Click OK when you're finished.

Figure 32: TTLS Tab

You now need to add an adapter to the configuration. This adapter will be used by the machine to connect to the network. Under Configuration > Adapters, click Add and then select either a Wireless or, more typically, a Wired adapter that will be used for 802.1X authentication.

Figure 33: Add Adapter

Finally, in the Adapters > [ADAPTER] section, select the Profile that you created earlier and check the Connect to the network checkbox. You can now close the Machine Account window and the Odyssey Access Client Administrator window. This will save your client configuration.

Figure 34: Completing the OAC Configuration

Confirm Proper Operation

Reboot your PC and wait for the Windows logon dialog box to appear. At this point your PC should have been authenticated onto the network using the machine certificate. On the Infranet Controller, go to System > Status > Active Users and observe the list of users. You should see an entry for your PC in the list (note the entry for RFILER-LAP2 below).

Figure 35: Active Users

You can also take a look at the user access log. On the IC, go to System > Log/Monitoring > User Access > Log. You should see log entries similar to those shown in the following figure.

Figure 36: User Log

Simultaneous Machine Authentication and User Authentication

The entire configuration up to this point has been geared to permit an unattended machine to authenticate into an 802.1X network. If you want to also permit a user to authenticate from the same machine, there are a couple of simple configuration changes that must be made, both to the Infranet Controller and the Odyssey Access Client.

On the IC, it's assumed that you have a working user authentication setup. The details of setting that up are not included here. To permit a user to authenticate as well as the machine, add the User Authentication Realm to the existing Sign-in Policy you used for machine authentication. In the example below, the realm Agent is used for User Authentication. Simply add it to the list of realms used for authentication for the given Sign-in Policy.

Figure 37: Multiple Realms

In addition to the change to the IC, you need to make two changes to the Odyssey Access Client configuration. The first change is to the machine authentication profile. Open the Odyssey Access Client Manager and select Odyssey Access Client Administrator from the Tools menu. Double-click on Machine Account, then go to Configuration > Profiles. Select the machine account profile you created earlier and click Properties. Go to the JUAC tab and enter the Realm name that you used on the IC for machine authentication. In this example, the realm name is MachineCert. Click OK, then close both of the OAC Administrator windows.

Figure 38: Machine Authentication Profile

In addition to modifying the machine authentication profile, you need to modify the user authentication profile as well. On the JUAC tab, enter the Realm name that is used for user authentication. This should be the same Realm name that you added to the Sign-in Policy above.

Figure 39: User Authentication Profile

Following these changes, you should be able to use both machine authentication and user authentication with the same Odyssey Access Client on the same 802.1X port, authenticating with the same Infranet Controller. Using the configuration described in this application note, when the PC boots it will attempt to authenticate with the IC using a machine certificate. Once the user presses CTRL-ALT-DEL and logs into Windows, the machine connection is dropped and user authentication is attempted. Your active user list should no longer show the machine as authenticated but should now show the user as authenticated.

Figure 40: Active Users

Summary

Using the Infranet Controller in conjunction with Odyssey Access Client Enterprise Edition enables the use of machine certificates for machine authentication in an 802.1X environment. This permits unattended machine access to an 802.1X-secured network.

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.

CORPORATE HEADQUARTERS AND SALES HEADQUARTERS FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net

EUROPE, MIDDLE EAST, AFRICA REGIONAL SALES HEADQUARTERS
Juniper Networks (UK) Limited
Building 1 Aviator Park
Station Road
Addlestone
Surrey, KT15 2PG, U.K.
Phone: 44.(0).1372.385500
Fax: 44.(0).1372.385501

EAST COAST OFFICE
Juniper Networks, Inc.
10 Technology Park Drive
Westford, MA 01886-3146 USA
Phone: 978.589.5800
Fax: 978.589.0800

ASIA PACIFIC REGIONAL SALES HEADQUARTERS
Juniper Networks (Hong Kong) Ltd.
26/F, Cityplaza One
1111 King's Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

Copyright 2007 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

To purchase Juniper Networks solutions, please contact your Juniper Networks sales representative at 1-866-298-6428 or authorized reseller.