Monday, October 1, 2007

Bolting the Back Door with NAC Part 4: Deploying the Juniper Networks UAC 2.0

In this series, we have examined the business needs driving NAC (part 1 and part 2) and compared today's NAC architectures (part 3). Here in part 4, we show NAC in action by taking one TNC standards-based solution for a test drive: Juniper Network's Unified Access Control 2.0.

We implemented our planned scenarios with only minor adjustments, proving that UAC can be successfully deployed in a heterogeneous network without major upgrades. But, as our test progressed, we learned that Juniper is still working to expand client-side options. Customers who want to combine Juniper's IC 4000 with third-party Linux, Mac, or Vista TNC Clients must wait just a bit longer.

Assembling the pieces
Juniper's UAC solution is based on the multi-vendor TNC architecture described in part 3. Thus, our first task was to identify the TNC components already present in our lab network and decide how to combine them with Juniper's UAC products.

We chose Juniper's Infranet Controller (IC) as our TNC Policy Decision Point (PDP). The IC4000 is designed for medium enterprises and remote/branch offices with thousands of users. Big-brother IC6000 delivers additional capacity and high-availability. We tested the IC4000 ($10,000) with a 100-user license ($5,000). That price tag includes an integrated Steel-Belted Radius server and UAC Agent software.

To exercise multi-vendor interoperability, we used a mixture of 802.1X-capable switches (HP, D-Link) and APs (Colubris, Cisco) as TNC Policy Enforcement Points (PEPs). After discussion with Juniper, we mixed in their SSG5 firewall for more granular policy enforcement. Using a Juniper firewall, VPN, or IDP to enforce layer three policies was not strictly required to meet our goals, but let us tap more of UAC's potential.

Our TNC Network Access Requestors (NARs) fell into three categories:

* Staff with Windows XP/2000 laptops and installed UAC Agents
* Guests with agentless devices (including Vista, Linux, Mac, and WinMobile)
* Customers using any device, with or without an agent

Agentless endpoints that were redirected to the IC's login portal could optionally execute Juniper's Host Checker, an endpoint integrity scanner invoked via ActiveX or Java. We required our managed Windows endpoints to auto-install Juniper's UAC Agent, a persistent program that bundles an 802.1X Supplicant and TNC Client with proprietary extras: a personal firewall, IPsec VPN client, and Windows single-sign-on support.

We had hoped to authenticate managed non-Windows endpoints using third-party 802.1X Supplicants/TNC Clients, but found this is not currently possible. In UAC 2.0, the IC4000 expects the 802.1X Supplicant to send EAP-JUAC, Juniper's pre-standard take on EAP-TNC. We therefore had to admit our own Linux and PDA endpoints as agentless devices. According to Juniper, this limitation will be lifted when UAC 2.1 (3Q07) supports additional inner EAP types to be spoken by third-party TNC Clients.


http://www.isp-planet.com/technology/2007/nac_4.html