Use Cisco ISE for RADIUS Authentication with Juniper Junos Devices

While preparing for some Juniper exams, I wanted to test RADIUS authentication for Junos device access. This way of authenticating is helpful in larger networks. Instead of providing all the devices with several usernames and passwords you can use a centralized RADIUS server for authenticating on all those devices. If that RADIUS server uses the Active Directory as a user database you can login on your network devices using your regular username and password.

The RADIUS server of choice (at the moment of writing this) is Cisco Identity Service Engine (ISE). Overkill for this specific blog post, but fun to do.

Posted on January 22, 2014 by Willem and filed under Junos, Security, Tips'n Tricks and tagged Cisco ISE RADIUS Splunk.

Using EX Firewall Filters With UAC

Network Access Control (NAC) is hot in Enterprise environments. NAC offers an excellent mechanism to (safely) allow various devices network connectivity and staying in control as a network administrator. There are numerous ways to allow iOS devices, BYOD, CYOD, Corporate laptops onto your network without compromising valuable corporate resources.

In my line of work I deal with several vendors / solutions to create these NAC protected environments. The most popular at the moment are;

Identity Service Engine (ISE) from Cisco
Junos Pulse Access Control (UAC) Service from Juniper

Both solutions have their pro's and cons. Juniper has an excellent client for the desktop to safely connect to the network, and an integration with their SRX firewalls to (dynamically) enforce firewall policies on a per user basis. Cisco on the other hand has a more flexible way of creating access policies, and the use of so-called downloadable Access Lists (dACL).

Posted on December 20, 2013 by Willem and filed under Junos, Security, Tips'n Tricks and tagged Junos firewall filter Juniper dot1x RADIUS Pulse UAC NAC Network Access Control.

Weird 802.1x EAP-TLS Behavior with Windows XP SP3

I'm currently busy with several 802.1x implementations in corporate networks, and in one of those environment I get the strangest behavior in regards to the authentication process.

In this particular case I use a Microsoft 2008 Active Directory. Mandatory for distributing the wired network adapter settings in regards to 802.1x. The clients are a mix of Windows XP (SP1 and SP3) clients and some newer and/or exotic operating systems. The authentication mechanism of choice is EAP-TLS with dynamic VLAN assignment. The RADIUS server used is the Cisco Secure ACS v5.x appliance.

During the authentication process of the XP SP3 PC's I saw that the first authentication attempt was made with the PEAP mechanism. Since PEAP isn't allowed, the authentication mechanism failed. About a minute and twenty seconds later the PC started another dot1x authentication sequence. This time using EAP-TLS, and the PC got access to the network.

Posted on January 29, 2011 by Willem and filed under Annoying, Operating Systems, Security and tagged 802.1x ACS Cisco Microsoft RADIUS XP dot1x service pack 3.

802.1x: Machine Access Restriction 'Vulnerability'

Today we ran into a feature of the Machine Authentication Restrictions (MAR) option in the Cisco Secure ACS Radius server. It seems that when you're using the ACS for 802.1x authentication, you have the option of demanding that the authenticating users can only be authenticated when the computer is already authenticated. This way, you make sure that no user can access the network without a legitimate PC.

Posted on January 20, 2011 by Willem and filed under Security, Software, Tips'n Tricks and tagged 802.1x ACS Cisco EAP-TLS MAR PEAP PKI RADIUS.