Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INFRANET CONTROLLER GUIDE REV 01 User Manual

Download

Page 1

Network and Security Manager

Configuring Infranet Controllers Guide

Release

2010.4

Published: 2010-11-17

Revision 01

Page 2

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

This product includes the EnvoySNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Network and Security Manager Infranet Controller Configuration Guide

Revision History 18 November 2010—01

The information in this document is current as of the date listed in the revision history.

Page 3

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.

BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’sprincipal office is locatedoutside the Americas)(such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer’s use of the Software. Such limits may restrict use to a maximum number of seats,registeredendpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software,in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’or key-restricted feature,function, service, application, operation,or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the

Page 4

Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associateddocumentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statementthat accompanies the Software(the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligationto support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTSOR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,OR FOR ANY SPECIAL, INDIRECT,OR CONSEQUENTIALDAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE,OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE.IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.

Page 5

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS

227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL

at http://www.gnu.org/licenses/lgpl.html .

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Page 6

Page 7

Table of Contents

About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

List of Technical Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Part 1 Getting Started

Chapter 1 Understanding an Infranet Controller Configuration . . . . . . . . . . . . . . . . . . . . 3

NSM and Device Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Communication Between an Infranet Controller and NSM Overview . . . . . . . . . . . 3

Infranet Controller Services and Device Configurations Supported in NSM . . . . . . 5

Chapter 2 Infranet Controller and NSM Installation Overview . . . . . . . . . . . . . . . . . . . . . 7

UAC Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

NSM Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Part 2 Integrating Infranet Controllers

Chapter 3 Adding Infranet Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Importing an Infranet Controller Device Through Not Reachable Workflow . . . . . . 11

Installing and Configuring the Infranet Controller Device . . . . . . . . . . . . . . . . . 12

Adding the Infranet Controller Device Through NSM . . . . . . . . . . . . . . . . . . . . 12

Configuring and Enabling the DMI Agent on the Infranet Controller

Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Confirming Connectivity and Importing the Infranet Controller Device

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Requirementsfor Importing an Infranet Controllerinto NSM Througha Reachable

Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Importing an Infranet Controller Through Reachable Workflow . . . . . . . . . . . . . . . 15

Importing Multiple Infranet Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Creating the CSV File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Validating the CSV File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Adding and Importing Multiple Infranet Controllers . . . . . . . . . . . . . . . . . . . . . 18

Verifying Imported Device Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Using Device Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Using Device Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Using Job Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Page 8

NSM Infranet Controller Configuration Guide

Chapter 4 Adding Infranet Controller Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Infranet Controllers Clusters in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Adding an Infranet Controller Cluster with Imported Cluster Members . . . . . . . . . 24

Chapter 5 Using Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Creating and Applying an Infranet Controller Template . . . . . . . . . . . . . . . . . . . . . 29

Promoting an Infranet Controller Configuration to a Template . . . . . . . . . . . . . . . . 31

Reverting an Infranet Controller Configuration to Default Values of a

Using Configuration Summaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Installing and Configuring the Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Adding the Cluster in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Adding the Cluster Members in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Configuring and Enabling the DMI Agent on the Cluster . . . . . . . . . . . . . . . . . 27

Importing Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Creating the Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Applying the Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Part 3 Configuring an Infranet Controller

Chapter 6 Configuring User Roles and Administrator Roles . . . . . . . . . . . . . . . . . . . . . . 35

Configuring Infranet Controller User Roles (NSM Procedure) . . . . . . . . . . . . . . . . 35

Configuring Access Options on an Infranet Controller User Role (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Configuring OAC Settings for a User Role (NSM Procedure) . . . . . . . . . . . . . . . . . 42

Creating and Configuring Infranet Controller Administrator Roles (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Delegating Management Tasks to Infranet Controller Administrator Roles (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Chapter 7 Configuring Security Requirements for Administrators and Users . . . . . . . . 61

Configuring Infranet Controller Source IP Access Restrictions (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Configuring Infranet Controller Browser Access Restrictions (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Configuring Infranet Controller Certificate Access Restrictions (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Configuring Infranet Controller Password Access Restrictions (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Configuring Infranet Controller Host Checker Access Restrictions (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Configuring Infranet Controller RADIUS Request Attribute Restrictions for User

Realms (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Configuring the Number of Concurrent Sessions and Concurrent Users for Infranet

Controller Users (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Page 9

Table of Contents

Chapter 8 Configuring the Infranet Controller RADIUS Server and Layer 2 Access . . . 73

Configuring the Infranet Controller as a RADIUS Server (NSM Procedure) . . . . . . 73

Configuring Authentication Protocol Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Using RADIUS Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Using the Infranet Controller for 802.1X Network Access (NSM Procedure) . . . . . 75

Configuring Location Groups (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Configuring RADIUS Clients (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Uploading a New RADIUS Client Dictionary . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Creating a RADIUS Dictionary Based on an Existing Model . . . . . . . . . . . . . . 78

Configuring a New RADIUS Vendor (NSM Procedure) . . . . . . . . . . . . . . . . . . 78

Creating a RADIUS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Configuring RADIUS Return Attributes Policies (NSM Procedure) . . . . . . . . . . . . 80

Configuring RADIUS Request Attributes Policies (NSM Procedure) . . . . . . . . . . . 83

Configuring an Infranet Enforcer as a RADIUS Client of the Infranet Controller

(NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Non-Juniper 802.1X Supplicant Configuration Overview . . . . . . . . . . . . . . . . . . . . 85

Chapter 9 Configuring Authentication Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Creating an Authentication Realm (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 87

Configuring Role Mapping Rules (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 90

Configuring Infranet Controller Authentication Policies (NSM Procedure) . . . . . . 92

Chapter 10 Configuring Infranet Enforcer Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Configuring Infranet Enforcer Resource Access Policies (NSM Procedure) . . . . . . 93

Configuring Infranet Controller IPsec Routing Policies (NSM Procedure) . . . . . . . 95

Configuring Infranet Controller IP Address Pool Policies (NSM Procedure) . . . . . 98

Configuring Infranet Controller Source Interface Policies (NSM Procedure) . . . . 99

Configuring an Infranet Controller to Connect to a ScreenOS Enforcer (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Configuring an Infranet Controller to Connect to a JUNOS Enforcer (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Chapter 11 Configuring Host Enforcer Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Configuring Infranet Controller Host Enforcer Policies (NSM Procedure) . . . . . . 105

Chapter 12 Configuring IF-MAP Federation Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Configuring IF-MAP Server Settings on the Infranet Controller (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Configuring IF-MAP Client Settings on the Infranet Controller (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Configuring IF-MAP Session Export Policy on the Infranet Controller (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Configuring IF-MAP Session Import Policy on the Infranet Controller (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Configuring IF-MAP Server Replicas (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 114

Chapter 13 Configuring Authentication Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Configuring an Infranet Controller Anonymous Server Instance (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Creating a Custom Expression for an Authentication Server (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Page 10

NSM Infranet Controller Configuration Guide

Configuring an Infranet Controller RSA ACE/Server Instance (NSM

Configuring an Infranet ControllerActiveDirectory or NT Domain Server Instance

Configuring an Infranet Controller Certificate Server Instance (NSM

Configuring an Infranet Controller LDAP Server Instance (NSM Procedure) . . . . 125

Configuring an Infranet Controller Local Authentication Server Instance (NSM

Configuring an Infranet Controller NIS Server Instance (NSM Procedure) . . . . . . 133

Configuring an Infranet Controller RADIUS Server Instance (NSM Procedure) . . 134 Configuring an Infranet Controller eTrust SiteMinder Server Instance (NSM

Configuring an Infranet Controller MAC Address Authentication Server for

Chapter 14 Configuring Sign-In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Configuring Infranet Controller Sign-in Policies (NSM Procedure) . . . . . . . . . . . 149

Configuring Infranet Controller Standard Sign-in Pages (NSM Procedure) . . . . . 153

Chapter 15 Configuring Host Checker Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Creating Infranet Controller Global Host Checker Policies Overview . . . . . . . . . . 155

Configuring Advanced Endpoint Defense Policy (NSM Procedure) . . . . . . . . . . . 157

Configuring New Client-Side Policies (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 157

Configuring Virus Signature Version Monitoring and Patch Assessment (NSM

Specifying Customized Requirements Using Custom Rules (NSM Procedure) . . 161

Configuring a Patch Assessment Custom Rule (NSM Procedure) . . . . . . . . . . . . 165

Configuring the Remote IMV Server (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 167

Enabling Customized Server-Side Policies (NSM Procedure) . . . . . . . . . . . . . . . 168

Executing Host Checker Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Implementing Infranet Controller Host Checker Policies (NSM Procedure) . . . . . 172

Remediating Infranet Controller Host Checker Policies . . . . . . . . . . . . . . . . . . . . 174

Configuring Infranet Controller General Host Checker Options (NSM

Configuring Host Checker Automatic Installation (NSM Procedure) . . . . . . . . . . 176

Configuring Infranet Controller Host Checker Logs (NSM Procedure) . . . . . . . . . 177

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

(NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Unmanageable Devices (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Configuring Administrator Sign-In Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Configuring User Sign-in Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Restricting Infranet Controller and Resource Access Through Host

Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Configuring Host Checker Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Page 11

Table of Contents

Part 4 Managing an Infranet Controller

Chapter 16 Unified Access Control Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

UAC Manager in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Associating Enforcement Points with an Infranet Controller Using the UAC

Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Disassociatingthe Configuration Betweenan EnforcementPoint and an Infranet

Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Enabling Dot1x Ports on the Enforcement Points Using the UAC Manager . . . . . 184

Disabling the Dot1x Ports on an Enforcement Point Using the UAC Manager . . . 185

Chapter 17 Using System Management Features in an Infranet Controller . . . . . . . . . 187

Managing Large Binary Data Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Configuring Infranet Controller System Options (NSM Procedure) . . . . . . . . . . . 188

Removing an Infranet Controller from NSM Management (NSM Procedure) . . . 190

Deactivating a DMI Agent in an Infranet Controller (NSM Procedure) . . . . . . . . . 190

Chapter 18 Configuring the Infranet Controller to Interoperate with IDP . . . . . . . . . . . 193

Configuring ISG-IDP as a Sensor on the Infranet Controller (NSM Procedure) . . 193 Configuring Infranet Controller Sensor Settings for Connecting to a Standalone

IDP Device (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Creating an IDP Device Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Enabling or Disabling the Connection to an Existing IDP Device . . . . . . . . . . 195

Configuring Sensor Event Policies (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 196

Creating a Custom Expression for Sensor Settings (NSM Procedure) . . . . . . . . . 198

Chapter 19 Troubleshooting an Infranet Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Troubleshooting the IF-MAP Federation Network (NSM Procedure) . . . . . . . . . . 201

Part 5 Monitoring and Configuring Logs in an Infranet Controller

Chapter 20 Monitoring an Infranet Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Realtime Monitor Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Viewing Device Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Viewing Device Monitor Alarm Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Chapter 21 Configuring Logs in an Infranet Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Configuring RADIUS Attribute Logs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 211

Configuring Event Logs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Configuring User Access Logs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Configuring Administrator Access Logs (NSM Procedure) . . . . . . . . . . . . . . . . . . 214

Configuring Client-Side Logs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Configuring the Infranet Controller as an SNMP Agent (NSM Procedure) . . . . . . 216

Configuring Custom Log Filters (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 218

Part 6 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Page 12

NSM Infranet Controller Configuration Guide

Page 13

About this Guide

•

Objectives on page xiii

•

Audience on page xiii

•

Conventions on page xiii

•

List of Technical Publications on page xv

•

Requesting Technical Support on page xvi

Objectives

Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all security devices.

Unified Access Control (UAC) solution is an IP-based enterprise infrastructure that coordinates network, application, and endpoint security compliance and provides the control required to support network applications, manage network use, and reduce threats.

This guide provides the information you need to understand, configure, and maintain an Infranet Controller device using NSM. This guide explains how to use basic and advanced NSM functionality, including adding new devices, deploying new device configurations, updating device firmware, viewing log information, and monitoring the status of your Infranet Controller device.

Audience

This guide is intended for the systemadministratorresponsible for configuring the Infranet Controller device.

Conventions

Table 1 on page xiv defines notice icons used in this guide.

Page 14

NSM Infranet Controller Configuration Guide

Table 1: Notice Icons

Table 2 on page xiv defines text conventions used in this guide.

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates a situation that might result in loss of data or hardware damage.Caution

Alerts you to the risk of personal injury or death.Warning

Alerts you to the risk of personal injury from a laser.Laser warning

Table 2: Text Conventions

Bold typeface like this

fixed-width font

Keynames linked with a plus (+) sign

Italics

The angle bracket (>)

•

Represents commands and keywords in text.

•

Represents keywords

•

Represents UI elements

Represents information as displayed on the terminal screen.

keys simultaneously.

•

Emphasizes words

•

Identifies variables

Indicates navigation paths through the UI by clicking menu options and links.

ExamplesDescriptionConvention

•

Issue the clock source command.

•

Specify the keyword exp-msg.

•

Click User Objects

user inputRepresents text that the user must type.Bold typeface like this

host1#

show ip ospf

Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an area Border Router (ABR)

Ctrl + dIndicates that you must press two or more

•

The product supports two levels of access, user and privileged.

•

clusterID, ipAddress.

Object Manager > User Objects > Local Objects

Table 3 on page xv defines syntax conventions used in this guide.

Page 15

Table 3: Syntax Conventions

About this Guide

ExamplesDescriptionConvention

terminal lengthRepresent keywordsWords in plain text

mask, accessListNameRepresent variablesWords in italics

Words separated by the pipe ( | ) symbol

Words enclosed in brackets followed by and asterisk ( [ ]*)

variable to the left or right of this symbol. The keywordor variable can be optional or required.

can be entered more than once.

Represent required keywords or variables.Words enclosed in braces ( { } )

diagnostic | lineRepresent a choice to select one keyword or

[ internal | external ]Represent optional keywords or variables.Words enclosed in brackets ( [ ] )

[ level1 | level2 | 11 ]*Represent optional keywords or variables that

{ permit | deny } { in | out } { clusterId | ipAddress }

List of Technical Publications

Table 4: Network and Security Manager and Unified Access Control Solutions Publications

Network and Security Manager Installation Guide

Network and Security Manager Administration Guide

Details the steps to install the NSM management system on a single server or on separate servers. It also includes information on how to install and run the NSM user interface. This guide is intended for IT administrators responsible for the installationand/orupgrade of NSM.

Describes how to use and configure key management features in the NSM. It provides conceptual information, suggested workflows, and examples where applicable. This guide is best used in conjunction with the NSM Online Help, which provides step-by-step instructions for performing management tasks in the NSM UI.

Network and Security Manager Configuring Firewall/VPN Devices Guide

Network and Security Manager Online Help

Unified Access Control Administration Guide

Unified Access Control Quick Start Guide

This guide is intended for application administrators or those individuals responsible for owning the server and security infrastructure and configuring the product for multi-user systems. It is also intended for device configuration administrators, firewall and VPN administrators, and network security operation center administrators.

Describes NSM features that relate to device configuration and management. It also explains how to configure basic and advanced NSM functionality, including deploying new device configurations, managing Security Policies and VPNs, and general device administration.

Provides task-oriented procedures describing how to perform basic tasks in the NSM user interface. It also includes a brief overview of the NSM system and a description of the GUI elements.

Provides comprehensive information about configuring the Unified Access Control solution and the Infranet Controller 4500 and 6500 appliances.

Provides an example of configuring the Unified Access Control solution for a front-end server deployment scenario.

Page 16

NSM Infranet Controller Configuration Guide

Table 4: Network and Security Manager and Unified Access Control Solutions Publications (continued)

Unified Access Control Installation Guide

Details the steps to install the Infranet Controller and Infranet Enforcer Appliances. This guide is intended for IT administrators responsible for the installation and/or upgrade of Infranet Controller.

Requesting Technical Support

Technicalproduct support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

•

JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

•

Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/ .

•

JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

•

Find CSC offerings: http://www.juniper.net/customers/support/

•

Search for known bugs: http://www2.juniper.net/kb/

•

Find product documentation: http://www.juniper.net/techpubs/

•

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

•

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

•

Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

•

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

•

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number,use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

Page 17

About this Guide

•

Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

•

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see

http://www.juniper.net/support/requesting-support.html .

Page 18

NSM Infranet Controller Configuration Guide

Page 19

PART 1

Getting Started

•

Understanding an Infranet Controller Configuration on page 3

•

Infranet Controller and NSM Installation Overview on page 7

Page 20

NSM Infranet Controller Configuration Guide

Page 21

CHAPTER 1

Understanding an Infranet Controller Configuration

•

NSM and Device Management Overview on page 3

•

Communication Between an Infranet Controller and NSM Overview on page 3

•

Infranet Controller Services and Device Configurations Supported in NSM on page 5

NSM and Device Management Overview

NSM is the Juniper Networks network management tool that allows distributed administration of network appliances. You can use the NSM application to centralize status monitoring, logging, and reporting, and to administer Infranet Controller configurations.

With NSM you can manage the Infranet Enforcer and Intrusion Detection and Prevention (IDP) devices,and you can administer the completeUnified AccessControl (UAC) solution from a single management interface.

In addition, NSM lets you manage most of the parameters that you can configure through the Infranet Controller admin console. The configuration screens rendered through NSM are similar to the screens in the Infranet Controller admin console.

NSM incorporates a broad configuration management framework that allows co-management using other methods. To manage the Infranet Controller configuration, you can also use the XML files import and export feature, or you can manage from the Infranet Controller admin console.

Documentation

Communication Between an Infranet Controller and NSM Overview on page 3•

• Infranet Controller Services and Device Configurations Supported in NSM on page 5

Communication Between an Infranet Controller and NSM Overview

The Infranet Controller and the NSM application communicate through the Device Management Interface (DMI). DMI is a collection of schema-driven protocols that run on a common transport (that is, TCP). DMI is designed to work with Juniper Networks platforms to make device management consistent across all administrative realms.

Page 22

NSM Infranet Controller Configuration Guide

Supported DMI protocols include:

•

NetConf (for inventory management, XML-based configuration, text-based configuration, alarm monitoring, and device specific commands)

•

Structured syslog

•

Threat flow for network profiling

DMI supports third-party network management systems that incorporate the DMI standard; however, only one DMI-based agent per device is supported.

The Infranet Controller’s configuration is represented as a hierarchical tree of configuration items. This structure is expressed in XML and can be manipulated with NetConf. NetConf is a network management protocol that uses XML. DMI uses NetConf’s generic configuration management capability to allow remote configuration of the device.

To allow NSM to manage the Infranet Controller using the DMI protocol, NSM must import the schema and metadatafiles from the Juniper NetworksSchema Repository, a publicly accessible resource that is updated with each device release. In addition to downloading the Infranet Controller’s current schema, NSM may also download upgraded software.

The Schema Repository enables access to XSD and XML files defined for each device, model, and software version.

Before attempting to communicate with NSM, you must first complete the initial configuration of the Infranet Controller. Initial configuration includes network interface settings, DNS settings, licensing, and password administration.

If you have severalInfranet Controllers that will be configured in a clustering environment, the cluster abstraction must first be created in the NSM Cluster Manager. Then you can add individual nodes.

After you have completed the initial network configuration, you can configure the Infranet Controller to communicate with NSM using the appropriate network information. Once the Infranet Controller has been configured to communicate with NSM, the Infranet Controllercontacts NSM and establishes a DMI session through an initial TCP handshake.

All communications between the Infranet Controller and NSM occur over SSH to ensure data integrity.

After the Infranet Controller initially contacts NSM and a TCP session is established, interaction between the Infranet Controller and NSM is driven from NSM, which issues commands to get hardware, software, and license details of the Infranet Controller. NSM connectsto the Schema Repository to download the configuration schema that is specific to the Infranet Controller.

NSM then issues a command to retrieve configuration information from the Infranet Controller. If NSM is contacted by more than one Infranet Controller as a member of a cluster, information from only one of the cluster devices is gathered. NSM attempts to validate the configuration received from the Infranet Controller against the schema from Juniper Networks.

Page 23

Chapter 1: Understanding an Infranet Controller Configuration

Once the Infranet Controller and NSM are communicating,the InfranetController delivers syslog and event information to NSM.

After NSM and the Infranet Controller are connected, you can make any configuration changes directly on the Infranet Controller, bypassing NSM. NSM automatically detects these changes and imports the new configuration data. Changes to Infranet Controller cluster members will similarly be detected by NSM.

When you make changes to the Infranet Controller configuration through NSM you must push the changes to the device by performing an Update Device operation.

When you double-click the Infranet Controller device icon in the Device Manager and select the Configuration tab, the configuration tree appears in the main display area in the same orientation as items appear on the Infranet Controller admin console.

Documentation

NSM and Device Management Overview on page 3•

• Infranet Controller Services and Device Configurations Supported in NSM on page 5

Infranet Controller Services and Device Configurations Supported in NSM

The Infranet Controller supports the following services in NSM:

•

Inventory management service—Enables management of the Infranet Controllers software, hardware, and licensing details. Adding or deleting licenses and upgrading or downgrading software are not supported.

•

Status monitoring service—Allows the Infranet Controller’s status to be obtained, including name, domain, OS version, synchronization status, connection details, and current alarms.

•

Logging service—Allowsthe Infranet Controller’s logs to be obtained in a time-generated order. Logging configuration details that are set on the Infranet Controller will apply to NSM.

•

XML-based configuration management service—Enables NSM to manage the configurationof the Infranet Controller. NSM uses the same XML schema as the Infranet Controller, so you can troubleshoot NSM using XML files downloaded from the Infranet Controller.

The following device configurations are not supported:

•

Editing licensing information, although licenses can be viewed

•

Packaging log files or debug files for remote analysis

Documentation

• NSM and Device Management Overview on page 3

• Communication Between an Infranet Controller and NSM Overview on page 3

Page 24

NSM Infranet Controller Configuration Guide

Page 25

CHAPTER 2

Infranet Controller and NSM Installation Overview

•

UAC Installation Overview on page 7

•

NSM Installation Overview on page 8

UAC Installation Overview

NOTE: For important safety information, read Juniper Networks Security Products Safety Guide.

The UAC components to be installed are the following:

1. Install Infranet Enforcer and/or 802.1X hardware and perform the basic setup. See

the documentation that shipped with the system or visit the Juniper Networks Web site at http://www.juniper.net/techpubs/ to download the appropriate documentation.

Documentation

2. Install Infranet Controller hardware and perform the basic setup using the serial

console. See the Juniper Networks Unified Access Control Installation Guide.

3. License the Infranet Controller and verify user accessibility. Follow the initial

configurationTask Guide instructions embedded in the Infranet ControllerWebconsole.

4. Configure an SSL connection between the Infranet Controller appliance and your

Infranet Enforcer appliances and/or 802.1X switches. See the Juniper Networks Unified

Access Control Quick Start Guide or Part 1, “Getting Started,” of the Juniper Networks Unified Access Control Administration Guide.

NSM Installation Overview on page 8•

• NSM and Device Management Overview on page 3

• Communication Between an Infranet Controller and NSM Overview on page 3

Page 26

NSM Infranet Controller Configuration Guide

NSM Installation Overview

NSM is a software application that enables you to integrate and centralize management of your Juniper Networks environment. Youneed to install two main software components to run NSM: the NSM management system and the NSM user interface (UI).

See the Network Security Manager Installation Guide for the steps to install the NSM management system on a single server or on separateservers. It also includes information on how to install and run the NSM user interface. The Network Security Manager Installation Guide is intended for IT administrators responsible for installing or upgrading NSM.

Documentation

• UAC Installation Overview on page 7

• NSM and Device Management Overview on page 3

Page 27

PART 2

Integrating Infranet Controllers

•

Adding Infranet Controllers on page 11

•

Adding Infranet Controller Clusters on page 23

•

Using Templates on page 29

Page 28

NSM Infranet Controller Configuration Guide

Page 29

CHAPTER 3

Adding Infranet Controllers

•

Importing an Infranet Controller Device Through Not Reachable Workflow on page 11

•

Requirements for Importing an Infranet Controller into NSM Through a Reachable Workflow on page 15

•

Importing an Infranet Controller Through Reachable Workflow on page 15

•

Importing Multiple Infranet Controllers on page 16

•

Verifying Imported Device Configurations on page 19

Importing an Infranet Controller Device Through Not Reachable Workflow

You can add an Infranet Controller to your existing network using NSM and import its configurations. Using the Add Device Wizard, you can configure a connection between the management system and the physical device, and then import all device parameters, policies, objects, VPNs, and so on.

Import an Infranet Controller through Not Reachable workflow into NSM by following these procedures:

Installing and Configuring the Infranet Controller Device on page 12

Adding the Infranet Controller Device Through NSM on page 12

Configuring and Enabling the DMI Agent on the Infranet Controller Device on page 13

Confirming Connectivity and Importing the Infranet Controller Device Configuration on page 14

Page 30

NSM Infranet Controller Configuration Guide

Installing and Configuring the Infranet Controller Device

Before you can add the Infranet Controller to NSM, you must install and configure the Infranet Controller device to have logon credentials for an NSM administrator.

To install and configure the Infranet Controller:

1. Select System > Network > Overview on the device’s admin console and ensure that

basic connection information such as the following are configured on the Infranet Controller.

•

Network interface settings

•

DNS settings

•

Password

2. Select Authentication > Auth Servers and enter the username and password of the

NSM administrator in the applicable authentication server.

NOTE: Only password-based authentication servers can be used. One-time

password authentication is not supported.

3. Select Administrators > Admin Roles and create a DMI agent role.

4. Select Administrators > Admin Realms and create a DMI agent administrator realm

for the DMI agent on the device and use role mapping to associate the DMI agent role and realm.

NOTE: Ensure that the Host Checker, browser, and certificate restrictions

are not applied for the DMI agent role or realms.

For complete details on installing and configuring Infranet Controller devices, see the Juniper Networks Unified Access Control Administration Guide.

Adding the Infranet Controller Device Through NSM

To add the Infranet Controller device through the NSM UI:

1. From the left pane of the NSM UI, click Configure.

2. Expand Device Manager and select Devices. The Devices workspace appears on the

right side of the screen.

3. Click the Device Tree tab, click the New button, and select Device. The New-Device

dialog box appears.

4. Select Device is Not Reachable and click Next.

5. Enter the device name, and select the required color, OS name (IC), platform, and

managed OS version from the drop-down lists.

Page 31

Chapter 3: Adding Infranet Controllers

6. From the Choose Device Server Connections Parameter area, select:

•

Use Default Device Server IP Address and Port—Connects the device to the NSM device server IP address and port.

•

Use Device ServerThrough MIP—Connects the NSM device server through a mapped IP address and port.

7. Click Next, and a unique external ID gets generated automatically. This ID represents

the device within the management system.

8. Enter an admin username for the device admin.

9. Set the Admin User Password and the First Connection One-Time Password:

a. Select Set Password and enter a new password.

b. Confirm your new password and click OK.

NOTE:

•

Make a note of the unique external ID. The device administrator will need it to configure connectivity with NSM. The wizard automatically enters this value for the device. This ID number represents the device within the management system.

•

Specify the administrator username and password for the SSH connection. This name and password must match the name and password already configured on the device.

•

Specify the First Connection One Time Password (OTP) that authenticates the device. Make a note of this password. The device administrator will need it to configure the connectivity with NSM.

10. Click Finish to add the device to the NSM UI. The Infranet Controller appears in the

Devices workspace.

Configuring and Enabling the DMI Agent on the Infranet Controller Device

You must configure and activate the DMI agent on the Infranet Controller device. It helps to establish SSH communications with the NSM application and to control the Infranet Controller from the NSM application.

To configure and enable the DMI agent:

1. Select System> Configuration> DMI Agent to add the NSM management application.

2. Under DMI settings for outbound connections, enter the device server's IP address in

the Primary Server box..

3. Enter 7804 in the Primary Port box.

4. Fill in the Backup Server and Backup Port boxes, if a device server is configured for

high availability.

Page 32

NSM Infranet Controller Configuration Guide

5. Enter the unique external ID provided by the NSM administrator in the Device ID box.

6. Enter the first connection one-time password provided by the NSM administrator in

the HMAC Key box.

7. Click Enable to activate the DMI agent.

8. Click Save Changes, and the device attempts to establish a session with the NSM

application.

The device software initiates the TCP connection to NSM and identifies itself using the specified device ID and HMAC. Both sides then engage in SSH TransportLayer interactions to set up an encrypted tunnel. The NSM application authenticates itself to the Infranet Controller based on the username and password.

Confirming Connectivity and Importing the Infranet Controller Device Configuration

In NSM, validate connectivity with the device, and then import the device configuration:

1. From the Devices workspace, select the Device List tab.

2. Check the newly added device in the Connection Status column. The connection

status must change from Never Connected to Up.

Documentation

If the connection status appears as Device Platform Mismatch or Device Firmware Mismatch, delete the device from the application and add it back using the correct device platform and managed OS, respectively.

To import the device configuration:

1. From the Devices workspace, select the Device List tab.

2. Right-click the newly added Infranet Controller device and select Import Device. The

Save Changes dialog box appears.

3. If you are prompted to savepolicy or VPN changes, click Yes. The DeviceImport Option

dialog box appears.

4. Select Run Summarize Delta Config, and click OK and Yes. The Job Information dialog

box displays the progress of the delta config summary. You can also monitor the progress in Job Manager.

The next step is to verify the imported configuration using either the Device Monitor or the Device Manager in NSM. See “Verifying Imported Device Configurations (NSM Procedure)” for details.

Importing an Infranet Controller Through Reachable Workflow on page 15•

• Creating and Applying an Infranet Controller Template on page 29

• Verifying Imported Device Configurations on page 19

Page 33

Chapter 3: Adding Infranet Controllers

Requirements for Importing an Infranet Controller into NSM Through a Reachable Workflow

Adhere to the requirements to import an Infranet Controllerinto NSM through a reachable workflow:

•

The inbound DMI connection must be enabled in the Infranet Controller.

•

The SSH port must be configured in the Infranet Controller. The default SSH port is

22.

•

The DMI agent admin realms must be configured and an admin user must be mapped to a role with full admin privileges.

Documentation

Importing an Infranet Controller Through Reachable Workflow on page 15•

• Importing an Infranet Controller Device Through Not Reachable Workflow on page 11

• Verifying Imported Device Configurations on page 19

Importing an Infranet Controller Through Reachable Workflow

To import an Infranet Controller through a reachable workflow into NSM:

1. From the left pane of the NSM UI, click Configure.

2. Expand Device Manager and select Devices. The Devices workspace appears on the

right side of the screen.

3. Click the Device Tree tab, click the New button, and select Device. The New Device

dialog box appears.

4. Select Device is Reachable and click Next.

5. Enter the following connection information:

•

Enter the IP address of the device.

•

Enter the username of the device administrator.

•

Enter the password for the device administrator.

•

Select SSH V2 as the connection method.

•

Ensure that the TCP port number is 22 .

6. Click Next. The Verify Device Authenticity dialog box appears. The Add Device wizard

displays the RSA Key FingerPrint information. To prevent man-in-the-middle attacks, you should verify the fingerprint using an out-of-band method.

7. Click Next to accept the fingerprint. The Detecting Device dialog box opens.

8. After the wizard displays the autodetected device information, verify that the device

type, OS version, and the device serial number are correct. The wizard also detects

Page 34

NSM Infranet Controller Configuration Guide

the hostname configured on the device. You can either use the hostname as the NSM device name or you can enter a new name in the text box provided.

9. Click Next after verifying the auto detected device information.

10. Click Finish to add the device to the NSM UI. The Infranet Controller appears in the

Devices workspace.

Documentation

Importing an Infranet Controller Device Through Not Reachable Workflow on page 11•

• Requirements for Importing an Infranet Controller into NSM Through a Reachable

Workflow on page 15

• Verifying Imported Device Configurations on page 19

Importing Multiple Infranet Controllers

If your network includes a large number of devices, you can save time by adding multiple devices in a single workflow.Youcan add up to 4000 devices at a time to a single domain (but you cannot add multiple devices to different domains at one time).

Add multiple Infranet Controllers by following these procedures:

Creating the CSV File on page 16

Validating the CSV File on page 18

Adding and Importing Multiple Infranet Controllers on page 18

Creating the CSV File

The CSV file defines all the required and optional values for each Infranet Controller device. Within a .csv file, you define the Infranet Controller configuration values that you want to add. The required and optional values depend not only on how the Infranet Controllers are deployed on your network but also on the device family.

Juniper Networks provides CSV templates in Microsoft Excel format for each type of CSV file. These templates are located in the utils subdirectory where you have stored the program files for the UI client. For example:

C:\Program Files\Network and Security Manager\utils

For each CSV file, each row defines a single Infranet Controller’s values for each parameter. For text files, columns are separated by commas.

Creating Infranet Controller Parameters in CSV File

For an Infranet Controller, Table 5 on page 16 lists the parameters to be set in the CSV file.

Table 5: CSV File Information for Infranet Controllers

Acceptable ValuesRequiredTypeField

ic-6500, ic-4500yesStringName

Page 35

Chapter 3: Adding Infranet Controllers

Table 5: CSV File Information for Infranet Controllers (continued)

Acceptable ValuesRequiredTypeField

yesStringColor

yesStringDevice Admin Password

blue, red, green, yellow, cyan, magenta, orange, pink.

ICyesStringOS Name

IC-4500, IC-6500yesStringPlatform

Set to “none”yesStringDevice Subtype

2.2yesStringManaged OS Version

<administrator>yesStringDevice Admin Name

Must be a minimum of nine characters.

Using an Excel File to Add Multiple Infranet Controllers

To edit the Excel file to add multiple Infranet Controllers:

1. Copy and open either the bulkadd_nonreachable-sample.csv file or the

bulkadd_nonreachable-DMI-sample.csv file located in C:/Program Files/Network and Security Manager/utils.

2. Using one row for each Infranet Controller you want to add, enter the required values

for each parameter that you wish to set for them. You can also provide optional values, if desired.

3. Save the file to a location on your local drive.

Using a Text File to Add Multiple Infranet Controllers

To add multiple Infranet Controllers using a text file, create a text file with the following text:

1. Open a text file and add the Infranet Controllers and its parameters as follows:

Ic-6000, blue, ic, IC-6000, none, root, 2.2, netscreen

Ic-6500, pink, ic, IC-6500, none, root, 2.2, netscreen

Ic-4000, cyan, ic, IC-4000, none, root, 2.2, netscreen

Ic-4500, pink, ic, IC-4500, none, root, 2.2, netscreen

2. Save the file as a .csv file.

Page 36

NSM Infranet Controller Configuration Guide

Validating the CSV File

When you add the Infranet Controllers, NSM validates the configuration information in the .csv file and creates a validation report. The report lists any incorrect or duplicate configurations, and indicates the exact line that contains invalid data.

Select Cancel to quit adding multiple Infranet Controllers, or select Add Valid Devices to begin adding the Infranet Controllers for which you have provided valid device configurations.

If the validation report listed incorrect configurations, you can still select Add Valid Devices; however, only the devices with correct configurations are added. If the .csv file contains duplicate configurations, NSM ignores the duplicates.

NOTE: The validation report displays only the first error in the line. If the line

contains additional errors, those errors do not appear in the validation report.

After you have added multiple Infranet Controllers, you cannot roll back or undo your changes. To edit or delete Infranet Controllers, select the Infranet Controller in the NSM UI and make the necessary changes.

Adding and Importing Multiple Infranet Controllers

To add and import multiple Infranet Controllers in the NSM UI:

1. From the left pane of the NSM UI, click Configure.

2. Expand Device Manager and select Devices. The Devices workspace appears on the

right side of the screen.

3. Click the Device Tree tab, click the New button, and select Many Devices. The

New-Device dialog box appears.

4. In the New-Device dialog box:

•

Select Device is Not Reachable.

•

Specify the location of the CSV file.

•

Specify the output directory for the .cli file. For each valid device configuration that uses a dynamic IP address, NSM creates a .cli output file. By default, the .cli file is saved to the following GUI server directory:

/usr/netscreen/GuiSvr/var/ManyDevicesOutput/<inputFile_YYYYMMDDHHMM>/

Before the Infranet Controllers can be managed by NSM, you must enter the CLI commands in the .cli file on the physical security device.

5. Click Next. The Add Device wizard validates the CSV file and provides a validation

report.

•

Select Cancel to quit the Add Many Devices process.

Page 37

Chapter 3: Adding Infranet Controllers

•

Select Add Valid Devices to begin adding the devices for which you have provided valid device configurations.

6. From the Choose Device Server Connections Parameter area select:

•

Use Default Device Server IP Address and Port—Connects the device to the NSM device server IP address and port.

•

Use Device ServerThrough MIP—Connects the NSM device server through a mapped IP address and port.

7. Click Finish to add the Infranet Controllers.

The time it takes for NSM to activate and import the Infranet Controllers depends on the number of Infranet Controllers and the management system configuration.

Documentation

Importing an Infranet Controller Device Through Not Reachable Workflow on page 11•

• Adding an Infranet Controller Cluster with Imported Cluster Members on page 24

• Creating and Applying an Infranet Controller Template on page 29

• Verifying Imported Device Configurations on page 19

Verifying Imported Device Configurations

After importing an Infranet Controller, you should verify whether all device information has been imported.

The imported device configurations can be verified in any of the following ways:

•

Using Device Monitor on page 19

•

Using Device Manager on page 20

•

Using Job Manager on page 20

•

Using Configuration Summaries on page 20

Using Device Monitor

The Device Monitor in NSM tracks the status of individual devices, systems, and their processes. To check the status of the imported device in the Device Monitor, from the left pane click Investigate, expand Realtime Monitor, and select Device Monitor. From the Device Monitor workspace, check the following parameters for your imported device:

•

The Configured Status column says “Managed In Sync”.

•

The Connection Status column says “Up”.

Page 38

NSM Infranet Controller Configuration Guide

Using Device Manager

Using the Device Manager in NSM, you can verify the configuration settings of the imported device. To verify the configuration settings, click Configure, expand Device Manager, select Devices and click the Device List tab.

Ensure that the following parameters are indicated:

•

Imported device serial number matches the serial number on the physical device

•

Imported device IP address matches the IP address for the physical device

Using Job Manager

Job Manager tracks the status of major administrativetasks, such as importing or updating a device. After you import a device, view the report for the import task to ensure that the management system imported the device configuration as you expected. To track the status of the imported Infranet Controllers in NSM, from the left pane click Administer and select Job Manager.

Job Manager also tracks the status of configuration summaries, described in “Using Configuration Summaries.”

Using Configuration Summaries

NSM provides three configuration summaries to help you manage device configurations and preventaccidental misconfigurations. Use configuration summaries afteryou import a device to ensure that the management system imported the physical device configuration as you expected.

Configurationsummaries help with ongoing device maintenance, particularly for devices on which a local device administrator has been troubleshooting using CLI commands or the Web UI. Because the device object configuration in the NSM UI can overwrite the physical device configuration, you should always confirm the commands that are sent to the device.

The three configuration summaries that help you to manage device configurations are:

•

Configuration Summary

•

Delta Configuration Summary

•

Running Configuration Summary

Configuration Summary

A configuration summary shows you the exact CLI commands that will be sent to the managed device during the next device update. To get a configuration summary in NSM, from the Devices menu, click Configuration and select Summarize Config. The Summarize Config dialog box appears. You see a list of security devices to which you have access. Select the device you just imported and click OK. NSM analyzes the UI device object configuration and generates a summary report that lists the CLI commands or XML messages to send to the physical device during the next device update.

Page 39

Chapter 3: Adding Infranet Controllers

For a just-imported device, the configuration summary report displays the device configuration that matches the configuration currently running on the physical device.

Delta Configuration Summary

A delta configuration summary shows you the differences between the configuration you see in the NSM UI and the configuration on the physical device. To get a delta configuration summary in NSM, from the Devices menu click Configuration and select Get Summarize Delta Config. The Get Delta Config Summary dialog box appears with a list of devices to which you have access. Select the device you just imported and click OK. NSM queries the physical device to obtain a list of all CLI commands or XML messages used in the device configuration, compares that list with the UI device configuration, and generates a summary report of all differences, or deltas, discovered.

Get Running Configuration

A running configuration summary shows you the exact CLI commands or XML messages that were used to create the current device configuration on the physical device. To get the running config summary in the NSM application, from the Devices menu click Configurationand selectGet Running Config. The Get Running Config dialog box appears. You see a list of devices to which you have access. Select the device you just imported and click OK.

Documentation

NSM queries the physical device to obtain a list of all CLI commands used in the device configuration and generates a summary report that lists those commands. For a just-imported device, the get running config summary report displays the device configuration currently running on the physical device.

• Importing an Infranet Controller Device Through Not Reachable Workflow on page 11

• Importing an Infranet Controller Through Reachable Workflow on page 15

Page 40

NSM Infranet Controller Configuration Guide

Page 41

CHAPTER 4

Adding Infranet Controller Clusters

•

Infranet Controllers Clusters in NSM Overview on page 23

•

Adding an Infranet Controller Cluster with Imported Cluster Members on page 24

Infranet Controllers Clusters in NSM Overview

When you add an Infranet Controller cluster in NSM, you first add the cluster object and then add each member. Adding a member is similar to adding a standalone device.

Infranet Controller clusters can be configured by the device administrator to operate in active/passive mode or in active/active mode. Clusters in active/passive mode are made up of a primary member and a secondary member. All authentication requests are handled by the primary member. If a primary member fails, then the secondary member takes over.

In active/active mode, authentication requests are load-balanced across all cluster members. If one member fails, then load balancing takes place among the surviving members.

The number of members permitted in a cluster depends on the Infranet Controllerplatform and whether the cluster is configured in active/active mode or in active/passive mode. You can have no more than two cluster members in active/passive mode. In active/active mode you can have up to four members.

Beforeyou can add a cluster member in NSM, the device administrator must have already created the cluster and added, configured, and enabled the physical cluster member. See the Juniper Networks Unified Access Control AdministrationGuide for details on creating and configuring clusters.

Infranet Controller devices configuredin a cluster must have a cluster object and member objects defined in the NSM before the Infranet Controller Cluster nodes can be recognized by NSM. Nodes from this cluster that subsequently contact NSM will be represented by fully functional member icons in the Cluster Manager.Cluster members whose DMI agents do not contact NSM will be displayedin the NSM Device Monitor as unconnected devices.

InfranetController devices use member IDs to identify each clustermember object. When importing cluster members, the member ID is imported as part of the cluster, so the Add Cluster Member wizard does not prompt for the member ID.

Page 42

NSM Infranet Controller Configuration Guide

To add an Infranet Controller cluster to NSM, first add the cluster object, and then add its members. You add cluster members one at a time, in a similar manner to adding standalone devices.

Once an Infranet Controller cluster is managed by NSM, subsequent changes applied to the cluster by NSM will be synchronized by the cluster across all cluster members. Similarly, changes to an Infranet Controller cluster membership that occur through administrator action on the native device UI will be reflected back to NSM, and NSM will display the modified cluster after the cluster configuration is imported to NSM.

You can add an Infranet Controller cluster from your existing network into NSM and import their configurations. Using the Add Device Wizard, you configure a connection between the management system and the physical device, and then import all device parameters.

Documentation

Infranet Controller Services and Device Configurations Supported in NSM on page 5•

• Adding an Infranet Controller Cluster with Imported Cluster Members on page 24

Adding an Infranet Controller Cluster with Imported Cluster Members

To add an Infranet Controller cluster to NSM, first add the cluster object, and then add its members. You add cluster members one at a time, in a similar manner to adding standalone devices.

Add and import an Infranet Controller cluster in NSM by following these procedures:

Installing and Configuring the Cluster on page 24

Adding the Cluster in NSM on page 24

Adding the Cluster Members in NSM on page 25

Configuring and Enabling the DMI Agent on the Cluster on page 27

Importing Cluster Configuration on page 27

Installing and Configuring the Cluster

You must install and configure the cluster to have logon credentials for an NSM administrator before you can add the cluster to NSM.

Adding the Cluster in NSM

Before you can add an Infranet Controller cluster to NSM, you must first add the cluster object, and then add its members.

To add a new cluster to NSM:

1. From the left pane of the NSM UI, click Configure.

2. Expand Device Manager and select Devices. The Devices workspace appears on the

right side of the screen.

3. Click the Device Tree tab, click the New button, and select Cluster. The New - Cluster

dialog box appears.

Page 43

4. Enter the cluster name and select the required color, OS name (IC), platform, and

managed OS version from the drop-down lists.

5. Click OK. The new cluster appears in the Device Manager.

Adding the Cluster Members in NSM

You add cluster members one at a time in a similar manner to adding standalone devices.

Adding Cluster Members through Not Reachable Workflow

To add a cluster member through the non-reachable workflow:

1. From the left pane of the NSM UI, click Configure.

2. Expand Device Manager and select Devices. The Devices workspace appears on the

right side of the screen.

3. Click the Device Tree tab, and select the cluster to which you want to add the members.

4. Click the New button and select Cluster Member. The New–Cluster Member dialog

box appears.

Chapter 4: Adding Infranet Controller Clusters

5. Enter the cluster member name, select Device Is Not Reachable and click Next.

6. From the Choose Device Server Connections Parameter area, select:

•

Use Default Device Server IP Address and Port—Connects the device to the NSM device server IP address and port.

•

Use Device ServerThrough MIP—Connects the NSM device server through a mapped IP address and port.

7. Click Next, and a unique external ID gets generated automatically. This ID represents

the device within the management system.

8. Enter a admin user name for the device admin.

9. Set the admin user password and the first connection one-time password:

a. Select the corresponding Set Password box and enter a new password.

b. Confirm the new password and click OK.

Page 44

NSM Infranet Controller Configuration Guide

10. Click Finish to add the cluster member to the NSM GUI. The cluster member as a child

of the Infranet Controller cluster in the Devices workspace.

Adding Cluster Members through Reachable Workflow

NOTE:

•

Specify the administrator username and password for the SSH connection. This name and password must match the name and password already configured on the device.

•

Specify the first connection one time password(OTP)that authenticates the device. Make a note of this password. The device administrator will need it to configure the connectivity with NSM.

To add a cluster member:

1. From the left pane of the NSM UI, click Configure.

2. Expand Device Manager and select Devices. The Devices workspace appears on the

right side of the screen.

3. Click the Device Tree tab, and select the cluster to which you want to add the members.

4. Click the New button and select Cluster Member. The New–Cluster Member dialog

box appears.

5. Enter the cluster member name, select Device Is Reachable and click Next.

6. Specify the device connection settings:

•

IP Address—IP address of the Infranet Controller.

•

Admin User Name—Administrator user name created for the Infranet Controller.

•

Password—Administrator password created for the Infranet Controller.

NOTE: The ssh port number for cluster member is 22 by default and the

port number cannot be modified.

7. Click Next, The Infranet Controllerdevice is detected and the Infranet Controller details

are displayed.

Page 45

8. Enter a new name for the Infranet Controller device in Device Name to change the

host name of the Infranet Controller device. An error message is displayedif the device name is not unique.

9. Click Finish to add the cluster member to the NSM GUI. The cluster member as a child

of the Infranet Controller cluster in the Devices workspace.

Configuring and Enabling the DMI Agent on the Cluster

On each cluster member device, configure and activate the DMI agent and establish an SSH session with NSM.

Importing Cluster Configuration

After adding the cluster members, you must import the cluster configurations. You do this only once and for the entire cluster because the configurationis identical for all cluster members.

To import the cluster configuration:

1. From the left pane of the NSM UI, click Configure.

Chapter 4: Adding Infranet Controller Clusters

Documentation

2. Expand Device Manager and select Devices. The Devices workspace appears on the

right side of the screen.

3. Click the Device Tree tab. Right-click the cluster to which you want to import the

configurations, and select Import Device.

NSM starts to import the configuration and a job window reports the progress of the job. When the job finishes, the configuration status for each cluster member in the Device List tab changes from Import Needed to Managed.

After importing, the configuration appears at the cluster level in NSM. To edit the configuration, open the cluster icon, not the individual cluster members.

• Importing an Infranet Controller Device Through Not Reachable Workflow on page 11

• Importing an Infranet Controller Through Reachable Workflow on page 15

• Creating and Applying an Infranet Controller Template on page 29

• Verifying Imported Device Configurations on page 19

• Infranet Controllers Clusters in NSM Overview on page 23

Page 46

NSM Infranet Controller Configuration Guide

Page 47

CHAPTER 5

Using Templates

•

Creating and Applying an Infranet Controller Template on page 29

•

Promoting an Infranet Controller Configuration to a Template on page 31

•

Reverting an Infranet Controller Configuration to Default Values of a Template on page 31

Creating and Applying an Infranet Controller Template

You can create and apply configuration templates for setting up new Infranet Controller devices through NSM.

Create and apply templates by following these procedures:

Creating the Template on page 29

Applying the Template on page 30

Creating the Template

To create an Infranet Controller template:

1. From the left pane of the NSM UI, click Configure.

2. Expand Device Manager and select Device Templates. The Device Templates

workspace appears on the right side of the screen.

3. Click the Device Template Tree tab, click the New button, and select IC Template.

The New Device Template dialog box appears.

4. Name the Infranet Controller template, and select a color for the template.

5. Enter the following basic information:

•

Device description

•

IP address

•

Admin user name

•

Admin user password

6. Click OK to save the template. The newly created templates will appear under the

Device Template Tree.

Page 48

NSM Infranet Controller Configuration Guide

7. Double-click the newly created template, to enter the configuration information. The

Device Template screen appears.

8. Click the Configuration tab; select the required parameters on the left pane and

specify the appropriate values.

9. Click OK to create an Infranet Controller template.

You can now use this template when configuring Infranet Controllers.

NOTE: In the new template, default values for the configuration parameters

are displayed based on the default values from the schema. Default values are not displayed for configuration parameters that are based on match conditions such as device platform or release version.

NOTE: You can create a custom expression in a device template, but you cannot validate the custom expression. The Validate button is not enabled in the Custom Expressions editor for device templates.

Applying the Template

Documentation

To apply a template to an Infranet Controller:

1. From the left pane of the NSM UI, click Configure.

2. Expand Device Manager and select Devices. The Devices workspace appears on the

right side of the screen.

3. Double-click the Infranet Controller to open the device editor.

4. From the Device Info tab, select Templates. The templates configuration screen

appears.

5. Click the Edit icon. The Edit Templates dialog box appears.

6. Select the required template from the list, and click OK in the Edit Templates dialog

box.

7. In the templates configuration screen, select Retain template values on removal to

retain template values if a template is removed from the device.

8. Click Apply to save your changes to the device configuration.

To apply the settings to the device itself, run the Update Device directive to push the configuration to the device.

Promoting an Infranet Controller Configuration to a Template on page 31•

• Verifying Imported Device Configurations on page 19

Page 49

Promoting an Infranet Controller Configuration to a Template

NSM allows you to import an Infranet Controller configuration and then convert, or promote,it to a template. You can then use that template to make identical configurations on other Infranet Controllers.

To promote an Infranet Controller configuration to a template:

1. From the Devices workspace in NSM, double-click the Infranet Controller whose

configuration settings you want to promote to a template. The Infranet Controller Device dialog box appears.

2. Select the Configuration tab. The Device configuration tree appears.

3. From the Device configuration tree, select the configuration node that you want to

promote to a template, and select Promote Template. The Select templates dialog box appears.

4. Select the template to which you want to apply the configuration settings and click

OK. The Infranet Controller configuration is promoted to the selected template.

Chapter 5: Using Templates

Documentation

Creating and Applying an Infranet Controller Template on page 29•

• Adding an Infranet Controller Cluster with Imported Cluster Members on page 24

Reverting an Infranet Controller Configuration to Default Values of a Template

NSM allows you to revert the device configuration values to that of the template default values. The default value is inherited from the template based on the order of priority in which the templates are applied to the device.

To revert an Infranet Controller configuration to the default values in a template:

1. From the Devices workspace in NSM, double-click the Infranet Controller whose

configuration settings you want to revert. The Infranet Controller Device dialog box appears.

2. Select the Configuration tab. The Device configuration tree appears.

3. From the Device configuration tree, right-click the configuration node that you want

to revert and select Revert to template/default value.

4. Click OK. The Infranet Controller configuration reverts to the template default values.

Documentation

• Creating and Applying an Infranet Controller Template on page 29

• Promoting an Infranet Controller Configuration to a Template on page 31

Page 50

NSM Infranet Controller Configuration Guide

Page 51

PART 3

Configuring an Infranet Controller

•

Configuring User Roles and Administrator Roles on page 35

•

Configuring Security Requirements for Administrators and Users on page 61

•

Configuring the Infranet Controller RADIUS Server and Layer 2 Access on page 73

•

Configuring Authentication Realms on page 87

•

Configuring Infranet Enforcer Policies on page 93

•

Configuring Host Enforcer Policies on page 105

•

Configuring IF-MAP Federation Settings on page 107

•

Configuring Authentication Servers on page 117

•

Configuring Sign-In Policies on page 149

•

Configuring Host Checker Policies on page 155

Page 52

NSM Infranet Controller Configuration Guide

Page 53

CHAPTER 6

Configuring User Roles and Administrator Roles

•

Configuring Infranet Controller User Roles (NSM Procedure) on page 35

•

Configuring Access Options on an Infranet Controller User Role (NSM Procedure) on page 40

•

Configuring OAC Settings for a User Role (NSM Procedure) on page 42

•

Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on page 48

•

Delegating Management Tasks to Infranet Controller Administrator Roles (NSM Procedure) on page 55

Configuring Infranet Controller User Roles (NSM Procedure)

A user role defines user session parameters and personalization settings. You can customizea user role by specifying access restrictions, enabling Host Enforcer (Windows) or agentless or Java agent access, and configuring session settings. You can create and configure user roles through the User Roles page from the Infranet Controller device configuration tree.

To configure a user role:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the Infranet Controller device for

which you want to configure the user roles.

3. Click the Configuration tab. In the configuration tree, select Users > User Roles. The

corresponding workspace appears.

4. Click the New button, the New dialog box appears.

5. Add or modify settings on the General tab as specified in Table 6 on page 36.

6. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Page 54

NSM Infranet Controller Configuration Guide

Table 6: User Role Configuration Details

General > Overview tab

Name

Your ActionFunctionOption

Enter a name.Specifies a unique name for the user

role.

Describes the user role.Description

Session Options

UI Options

Odyssey Settings for IC Access

Odyssey Settings for Preconfigured Installer

Specifies the maximum session length, roaming capabilities, and session persistence.

Specifies customized settings for the Infranet Controller welcome page for Odyssey Access Client users mapped to this role.

Specifies the Odyssey Access Client settings for InfranetController access.

Specifies the Odyssey Access Client settings for the preconfigured installer.

General > Restrictions tab

Specifies source IP restrictions.Source IP

Restrictions

Enter a brief description for the user role.

Select General > Session Options to apply the settings to the role.

Select General > UI Options to apply the settings to the role.

Select this option to apply the Odyssey Access Client initial configuration settings.

Select this option to apply the Odyssey Access Client settings for the preconfigured installer.

See "Configuring Infranet Controller Source IP Access Restrictions (NSM Procedure)."

Specifies browser restrictions.Browser

Restrictions

Specifies certificate restrictions.Certificate

Restrictions

Specifies Host Checker restrictions.Host Checker

Restrictions

General > Session Options tab

See "Configuring Infranet Controller Browser Access Restrictions (NSM Procedure)."

See "Configuring Infranet Controller Certificate Access Restrictions (NSM Procedure)."

See "Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure)."

Page 55

Chapter 6: Configuring User Roles and Administrator Roles

Table 6: User Role Configuration Details (continued)

Your ActionFunctionOption

Max. Session Length (minutes)

Heartbeat Interval (seconds)

Heartbeat Timeout (seconds)

Specifies the number of minutes an active nonadministrative user session may remain open before ending. During an end-user session, prior to the expiration of the maximum session length, the Infranet Controller prompts the user to reenter authentication credentials, which avoids the problem of terminating the user session without warning.

Specifies the frequency at which the endpoint should send out a heartbeat to the Infranet Controller to keep the session alive. For agentless access, the browser refreshes the page with every heartbeat.

Specifies the amount of time that the Infranet Controller should “wait” beforeterminating a session when the endpoint does not send a heartbeat response.

Enter the session length in minutes. The default is five minutes, and the minimum is six minutes.

Enter the heartbeat interval in seconds.

Users should not navigateaway from the browser, as this interrupts the heartbeat and ends the session. The Odyssey Access Client and the Java agent respectively provide the heartbeat.Youshould ensure that the heartbeat interval of the agent is greater than the Host Checker interval,otherwise performancecould be affected.

Enter the heartbeat timeout in seconds.

Page 56

NSM Infranet Controller Configuration Guide

Table 6: User Role Configuration Details (continued)

Your ActionFunctionOption

Roaming session

•

Enabled—Enables roaming user sessions for users mapped to this role. A roaming user session works across source IP addresses, which allows mobile users (laptop users) with dynamic IP addresses to sign in to the Infranet Controller from one location and continue working from another. Disable this feature to prevent users from accessing a previouslyestablished session from a new source IP address. This helps protect against an attack spoofing a user’s session, providedthe hacker was able to obtain a valid user's session cookie.

•

Limit to subnet—Limits the roaming session to the local subnet specified in the Netmask field. Users may sign in from one IP address and continue using their sessions with another IP address as long as the new IP address is within the same subnet.

•

Disabled—Disables roaming user sessions for users mapped to this role. Users who sign in from one IP address may not continue an active Infranet Controller session from another IP address; user sessions are tied to the initial source IP address.

Select this option to enable, limit, or disable the roaming session.

Roaming netmask

Enable Session Extension

Displays the netmask for the local subnet.

Allows users with a Layer 2 or Layer 3 connection to continue a session beyond the maximum session length.

General > UI Options tab

Headers > Logo image

Headers > Background color

Controller welcome page.

Displays the background color for the header area of the Infranet Controller welcome page.

Select this option to view the netmask for the local subnet.

Select this option to allow users with Odyssey Access Client and agentless access to reauthenticate and extend their current session without interruption.

Browse to your custom image file.Displays the logo in the Infranet

Typethe hexadecimal number for the background color, or click the Color Palette icon and pick the desired color.

Page 57

Chapter 6: Configuring User Roles and Administrator Roles

Table 6: User Role Configuration Details (continued)

Your ActionFunctionOption

Show notification message

Greeting > Notification Message

Enables the notification text box.Greeting >

Displays the notification message at the top of the Infranet Controller welcome page.

Select the Show notification message check box (optional).

Enter the message that you want to display.

You may format text and add links using the following HTML tags: <i>, <b>, <br>, <font>, and <a href>. However, the Infranet Controller does not rewrite links on the sign-in page (because the user has not yet authenticated), so you should only point to external sites. Links to sites behind a firewall will fail. You may also use Infranet Controller system variables and attributes in this field.

NOTE:

•

The length of the personalized greeting cannot exceed 12K or 12288 characters.

•

If you use unsupported HTML tags in your custom message, the Infranet Controller may displaythe end user’s Infranet Controller home page incorrectly.

Documentation

Other > Show copyright notice and

Displaysthe copyright notice and label in the footer.

Select the Show copyright notice

and ’Secured by Juniper Networks’ label in footers check box (optional).

’Secured by Juniper Networks’label in footer

This setting applies only to those users whose license permits disabling the copyright notice. For more information about this feature, call Juniper Networks Support.

Configuring Access Options on an Infranet Controller User Role (NSM Procedure) on

•

page 40

• Configuring OAC Settings for a User Role (NSM Procedure) on page 42

• Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on

page 48

• Delegating Management Tasks to Infranet Controller Administrator Roles (NSM

Procedure) on page 55

• Verifying Imported Device Configurations on page 19

Page 58

NSM Infranet Controller Configuration Guide

Configuring Access Options on an Infranet Controller User Role (NSM Procedure)

To provide users access to protected resources, you can configure agent and agentless access for a user role.

To configure access options on a user role:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the Infranet Controller device for

which you want to configure the user- role access option.

3. Click the Configuration tab. In the configuration tree, select Users > User Roles. The

corresponding workspace appears.

4. Add or open a user role.Click either the Agent or Agentless tab. Add or modify settings

as specified in Table 7 on page 40.

5. Click one:

•

OK — Saves the changes.

•

Cancel — Cancels the modifications.

Table 7: User Role Access Configuration Details

Your ActionFunctionOption

Agent tab

Install Agent for this role

Install Java Agent for this role

install the agent for this role.

download and install the lightweight Java agent for Macintosh or Linux platforms.

Select this option to install the agent for this role.Allows the user to

Select this option to install Java agent for this role.Allows the user to

Page 59

Chapter 6: Configuring User Roles and Administrator Roles

Table 7: User Role Access Configuration Details (continued)

Your ActionFunctionOption

Enable Host Enforcer

Session start script / Session stop script

Enables Host Enforcer on the endpoint and sends Host Enforcer policies to Odyssey Access Client for this role (Windows only).

Executes the script after the start or stop of the OAC session.

Select this option to enable the Host Enforcer for this role.

NOTE:

•

By default, after you enable the Host Enforcer option on a role, Odyssey Access Client denies all traffic on the endpoint except for the following allowed types: traffic to and from the Infranet Controller and Infranet Enforcer, WINS, DNS, IPsec, DHCP, ESP, IKE, outgoing TCP traffic, and some ICMP messages (for example, PING from the endpoint to other devices is allowed). Therefore, it’s important that you configure Host Enforcer policies to specify the additional types of traffic you want to allow on each endpoint. For example, you must configure Host Enforcer policies to allow any incoming TCP traffic. See “Configuring Infranet Enforcer Resource Access Policies (NSM Procedure)”.

•

To avoid blocking all traffic on endpoints and preventing users from accessing all network and Internet resources, we recommend that you configure Host Enforcer policies to allow the specific types of traffic on endpoints before you enable the Host Enforcer option on a role.

Specify the location of the session start scripts / session stop script you want to run on Windows endpoints after Odyssey Access Client connects or disconnects with the Infranet Controller. You can specify a fully qualified path. Scripts can be accessed locally or remotely by means of file share or other permanently available local network resource. You can also use environment variables, such as %USERNAME% in the script path name. For example:

odyssey-settings

Agentless tab

Specifies the IC Access and Preconfigured Installer settings

\\abc\users\%USERNAME%\myscript.bat

Click the odyssey-settings button. See “Configuring OAC Settings for a User Role (NSM Procedure)”.

Page 60

NSM Infranet Controller Configuration Guide

Table 7: User Role Access Configuration Details (continued)

Your ActionFunctionOption

Select this option to allow access to endpoints in addition to using Odyssey AccessClient on Windows machines. If you don’t select the agentless option, the Infranet Controller allows access to protected resources by means of Odyssey Access Client only.

NOTE: To configure agentless access, you must also configure a permit infranet auth policy on the Infranet Enforcer to allow access for agentless endpoint platforms. For configuration instructions, see “Configuring Infranet Controller Source IP Access Restrictions (NSM Procedure)”.

Select this option to disable use of AJAX for heartbeats.

Documentation

EnableAgentless Access for this role

Disable use of AJAX for heartbeats

Delegating Management Tasks to Infranet Controller Administrator Roles (NSM

•

Allows users to use agentless access to access protected resources.

Disables use of AJAX for heartbeats.

Procedure) on page 55

• Configuring Infranet Controller User Roles (NSM Procedure) on page 35

• Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on

page 48

Configuring OAC Settings for a User Role (NSM Procedure)

Each time the user accesses a resource that is protected by the Infranet Controller, the Odyssey Access Client configuration settings you specify will be used.

NOTE: Except for the login name in the profile, all of the other configuration

settings you specify on the Infranet Controller overwrite any existing settings on the endpoint if Odyssey Access Client is already installed when the user accesses the Infranet Controller.

To configure odyssey settings:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the Infranet Controller device for

which you want to configure the user-role access option.

3. Click the Configuration tab. In the configuration tree, select Users > User Roles.

4. Add or open a user role and click the Agent tab.

5. Click the odyssey–settings button and configure the settings as specified in Table 8

on page 43.

Page 61

Chapter 6: Configuring User Roles and Administrator Roles

There are two tabs under Odyssey Settings. The first tab, IC Access, allows you to configure authentication and connection settings for the Odyssey Access Client. The second tab, Preconfigured Installer, provides an interface that allows you to upload a preconfigured version of Odyssey Access Client that you can deploy to users when they access a role.

6. Click one:

•

OK — Saves the changes.

•

Cancel — Cancels the modifications.

Table 8: OAC Configuration Details

Your ActionFunctionOption

IC Access tab

Name of Profile and Infranet Controller

Displays the hostname or the Infranet Controller URL.

Select the profile name.

•

Use Infranet Controller's host name—Specifies the name of the profile and

the Infranet Controller instance in Odyssey Access Client. If the Infranet Controller does not have a hostname configured, the URL for the Infranet Controller or the redirect URL from a captive portal is used instead.

•

Use this name:—Specifies the name of the profile and the Infranet Controller instance in Odyssey Access Client.

Profile name

Require connection to this Infranet Controller

Specifies the profile name. The field is enabled only if the Use this name option is selected in Name of Profile and Infranet Controller box.

Requires Odyssey Access Client to always attempt to connect to this Infranet Controller and prevents the user from disconnecting from this Infranet Controller. The user also cannot delete the properties of this Infranet Controller from the Odyssey Access Client configuration.

Enter the name for the profile and the Infranet Controller instance in Odyssey Access Client.

Select this option to require connection to the Infranet Controller.

Page 62

NSM Infranet Controller Configuration Guide

Table 8: OAC Configuration Details (continued)

Your ActionFunctionOption

Specifies the settings that you want to configure in the Odyssey Access Client profile.

Specifies the login prompt to be displayed.

Select the login name.

•

Use qualified Windows login name (domain name).— Configures the login name with the

user’s Windows domain name and username in the format domain name\username. Use this option if you are using an Active Directory authentication server that requires a domain name in addition to a username for authentication.

•

Use unqualified Windows login name— Configures the login name with the user’s Windows user name only. Use this option for authentication servers that require a user name only for authentication.

•

Prompt for login name using the following Prompt:— Displays a dialog box for the user

to enter a name during the initial Odyssey AccessClient installation only. The login name is then configured and the user is not prompted again. You can also configure the text string used for the prompt in the dialog box.

Enter the login prompt if you have selected the

Prompt for login name using the following Prompt: in the Login name box.

Permit login using password

Select password type to use

authentication for how you want Odyssey Access Client to obtain the user’s credentials to sign into the Infranet Controller.

Specifies the password type to use. This field appears only if you select

Permit login using password field.

Select to enable password authentication.Enables password

Select the option for how you want Odyssey Access Client to obtain the user’s credentials.

•

Use Windows password — Enables Odyssey Access Client to automatically authenticate the user to the Infranet Controllerby using the user’s Windows password. During the initial Odyssey Access Client installation, the user must enter a password once, but then the Odyssey Access Client automaticallyuses the Windows password after that.

•

Prompt for password— Enables Odyssey Access Client to prompt the user to enter a password when the user is authenticated the first time after startup. Odyssey Access Client reuses the user’s credentials for the duration of the Windows session. If you choose this option and if you have configured single sign-on, Odyssey Access Client does not prompt the user for the password.

Page 63

Chapter 6: Configuring User Roles and Administrator Roles

Table 8: OAC Configuration Details (continued)

Your ActionFunctionOption

Select protocol for outer authentication

Specifies whether the outer authentication protocol for traffic between Odyssey Access Client and the Infranet Controller are Tunneled TLS (TTLS) or Protected EAP (PEAP).

Select the protocol for outer authentication:

•

If you select Use EAP-TTLS as outer authentication protocol and you want to use

a client certificate as part of the EAP-TTLS authentication, click the eap-ttls button and select Use the user's certificate and perform inner authentication. This option uses EAP-TTLS certificate-based authentication and tunnels password credentials with inner authentication.Note that the most typical use of EAP-TTLS authentication is without a client certificate.

•

If you select Use EAP-PEAP as outer authentication protocol and you want to use

a client certificate as part of the EAP-PEAP authentication,click the eap-peap button and select Inner authentication is required.

NOTE:

•

Only enable the personal client certificate option for either EAP-TTLS or EAPPEAP to use a client certificate if you also configure a realm or role to require a client certificate on the endpoint. If you enable the personal client certificate option and do not configure the realm or role certificate restriction, you will cause unnecessary restrictions on the use of this Odyssey Access Client profile.

•

If you enable the personal client certificate option, the Infranet Controller automatically selectsPermit login using my Certificate and Use automatic certificate selection in the Odyssey Access Client profile.

Anonymous name

Enables users to appear to log in anonymously while passing the user’s login name (called the inner identity) through an encrypted tunnel. As a result, the user’s credentials are secure from eavesdropping and the user’s inner identity is protected.

As a general rule enter anonymous in the Anonymous name box, which is the default value. In some cases, you may need to add additional text. For example, if the outer identity is used to route the user’s authentication to the proper server, you may be required to use a format such as anonymous@acme.com. If you leavethe Anonymous name box blank, Odyssey AccessClient passes the user’s login name (inner identity) as the outer identity.

Page 64

NSM Infranet Controller Configuration Guide

Table 8: OAC Configuration Details (continued)

Your ActionFunctionOption

Configure wired adapter

Configure wireless adapter

Network name (SSID)

Association mode

adapter to use for wired access to the Infranet Controller at a later time, if the user is accessing the Infranet Controller through a wireless adapter during Odyssey Access Client installation.

Specifies the network settings you want to configure in Odyssey Access Client for wireless adapters.

Specifies the network name.

Specifies the association mode you want Odyssey AccessClient to use when associating to the access point hardware on your network.

Select the option.Configures a wired

Selectthe wireless adapter option. The Network name (SSID) option, Association mode option and Encryption method option are enabled only if the wireless adapter option is selected.

Enter the network name, which can use up to 32 alphanumeric characters and is case-sensitive. You must enter the name correctly to connect successfully. For example: <MyCorpNet>.

Select the association mode:

•

open—Connects to a network through an access point or switch that implements

802.1X authentication. Select this mode if users are not required to use shared mode or Wi-Fi Protected Access (WPA).

•

WPA—Connects to a network through an access point that implements WPA.

•

WPA2—Connects to a network through an access point that implements WPA2, the second generation of WPA that satisfies

802.11i.

Page 65

Chapter 6: Configuring User Roles and Administrator Roles

Table 8: OAC Configuration Details (continued)

Your ActionFunctionOption

Encryption method

Specifies the encryption method you want Odyssey Access Client to use. The available choices depend on the association mode you selected.

Select the encryption mode:

•

none—Uses 802.1X authentication without WEP keys. This option is available only if you configure access point association in open mode. This is a typical setting to use for wireless hotspots.

•

WEP—Uses WEP keys for data encryption. You can select this option if you selectedopen mode association. Select WEP encryption if the access points in your network require WEP encryption. Odyssey Access Client automatically generates the WEP keys.

•

AES—Uses the advancedencryption standard protocol. Select AES if the access points in your network require WPA or WPA2 association and are configured for AES data encryption.

•

TKIP—Uses the temporal key integrity protocol. Select TKIP if the access points in your network require WPA or WPA2 association and are configured for TKIP data encryption.

NOTE: If you select WEP encryption, the Infranet Controller automatically selects the Keys will

be generated automatically for data privacy

option in the Odyssey Access Client Network properties for the wireless adapter on Odyssey Access Client.

Documentation

Preconfigured Installer tab

Current Preconfiguration file

Preconfiguration file

zip containing the preconfiguredinstaller file.

containing the

Enter the filename.Specifies the name of the

Browse to locate the preconfigured installer file.Specifies the location

preconfiguredinstaller file.

Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on

•

page 48

• Configuring Infranet Controller User Roles (NSM Procedure) on page 35

• Configuring Access Options on an Infranet Controller User Role (NSM Procedure) on

page 40

• Delegating Management Tasks to Infranet Controller Administrator Roles (NSM

Procedure) on page 55

Page 66

NSM Infranet Controller Configuration Guide

Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure)

An administrator role defines administrator session and personalization settings. You can create and configure an administrator role from the Infranet Controller configuration tree.

To create an administrator role:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the Infranet Controller device for

which you want to configure administrator role.

3. Click the Configuration tab. In the configuration tree, select Administrators > Admin

Roles.

4. Add or modify settings on the Admin Role tab as specified in Table 9 on page 48.

5. Click one:

•

OK — Saves the changes.

•

Cancel — Cancels the modifications.

NOTE: To create individual administrator accounts, you must add the users

through the appropriate authentication server (not the role). For example, to create an individual administrator account, select Authentication > Auth.

Servers > Administrators > Users from the NSM UI.

Table 9: Administrator Role Configuration Details

Your ActionFunctionOption

Admin Role > General tab

Name

the administrator role.

Admin Role > General > Overview tab

Description

Session Options

Describes the administrator role.

Specifies the maximum session length, roaming capabilities, and session persistence.

Enter a name.Specifies a unique name for

Enter a brief description for the administrator role.

Select General > Session Options to apply the settings to the role.

UI Options

Specifies the logo, color, navigation menus and the copyright notice.

Select General > UI Options to apply the settings to the role.

Page 67

Chapter 6: Configuring User Roles and Administrator Roles

Table 9: Administrator Role Configuration Details (continued)

Your ActionFunctionOption

Admin Role > General > Restrictions > Source IP Restrictions tab

•

Allow

Specifies from which IP addresses users can access an Infranet Controller sign-in page, be mapped to a role, or access a resource.

Select Users from any IP address to enable users to sign into the Infranet Controller from any IP address in order to satisfy the access management requirement.

•

Select Users from IP addresses which pass the specifies matching policies to allow you

to specify user access to the listed IP addresses.

Source IP Address

addresses.

Enter the IP address.Specifies the source IP

Enter the IP netmask.Specifies the IP netmask.Source IP

Netmask

•

Access

Specifies whether to allow or deny access.

Select Allow to allow the user to use the IP.

•

Select Deny to prevent users from using the IP.

Admin Role > General > Restrictions > Browser Restrictions tab

•

Allow

Specifies from which web browsers users can access an Infranet Controller sign-in page or be mapped to a role.

Select Browsers with any user-agent to allow users to access the Infranet Controller or resourcesusing any of the supported Web browsers.

•

SelectBrowserswhose user-agent pass the matching policies defined below to allow

you to define browser access control rules.

Specifies the format.User agent

Enter a string in the format

pattern

*<browser_string>*

where start (*) is an optional character used to match any character and <browser_string>is a case-sensitive pattern that must match a substring in the user-agent header sent by the browser.

Action

Admin Role > General > Restrictions >Certificate Restrictions tab

Specifies whether to allow or deny access.

NOTE: You cannot include escape characters (\) in browser restrictions.

•

Select Allow access to allow users to use a browser that has a user-agent header containing the<browser_string> substring.

•

Select Deny access to prevent users from using a browser that has a user-agent header containing the <browser_string> substring.

Page 68

NSM Infranet Controller Configuration Guide

Table 9: Administrator Role Configuration Details (continued)

Allow

Field

Value

Admin Role > General > Restrictions >Host Checker Restrictions tab

Restricts Infranet Controller and resource access by requiring client-side certificates

Your ActionFunctionOption

•

Select All users to allow users to access the Infranet Controller or resources from any machine.

•

SelectUsers with a trusted client certificate to allow users to access the Infranet Controller from a machine with a trusted client certificate.

Enter the certificate field.Specifies the certificatefield.Certificate

Enter the expected value.Specifies the expectedvalue.Expected

Enforce

Specifies the Host Checker policy at the role level.

•

Select Allow all users to restrict Host Checker to be installed in order for the user to meet the access requirement.

•

Select Allow users whose workstations meet the requirements specified by the Host Checker policies to requires that Host

Checker is running the specified Host Checker policies in order for the user to meet the access requirement.

Host Checker policies

to the role if

policies.

Specifies access to the roleAllow access

Select the required Host Checker policies.Specifies the Host Checker

•

Select All of the selected policies pass to allow access only if all the policy requirements are met.

•

SelectAny ONE of the selectedpolicies pass to allow access even if one policy requirement is met.

Admin Role > General > Users > Roles > Delegate User Roles

Administrators can manage ALL roles

Specifies whether the administratorcan manage all roles

Select the user roles. If you only want to allow the administrator role to manage selected user roles, select those roles in the Non-members list and click Add to move it to the Members list.

Access

Specifies which user role pages the delegated administrator can manage.

•

Select Write All to specify that members of the administrator role can modify all user role pages.

•

Select Custom Settings to allow you to pick and choose administrator privileges (Deny, Read, or Write) for the individual user role pages.

Page 69

Chapter 6: Configuring User Roles and Administrator Roles

Table 9: Administrator Role Configuration Details (continued)

Your ActionFunctionOption

Admin Role > General > Users > Role > Delegate As Read-Only Role

Administrator can view (but not modify) ALL roles

Allows the administrator to view the user roles, but not manage.

Admin Role > General > Users > Realms > Delegate User Realms

Administrators can manage ALL realms

Specifies whether the administratorcan manage all user authentication realms

Select the user role that you want to allow the administrator to view.

NOTE: If you specify both write access and read-only access for a feature, the Infranet Controller grants the most permissive access. For example, if you select the Administrators can manage ALL roles check box under Delegate User Roles, and then select the Users role on the Delegate As Read-Only Roles page, then the Infranet Controller allows the delegated administrator role full management privileges to the Users role.

Select the user realm. If you only want to allow the administrator role to manage selected realms, select those realms from theNon—members list and add to the Members list.

•

Access

Specifies which user authentication realms pages that the delegated administrator can manage.

Select Write All to specify that members of the administrator role can modify all user authentication realm pages.

•

Select Custom Settings to allow you to pick and choose administrator privileges (Deny, Read, or Write) for the individual user authentication realm pages.

Admin Role > General > Users > Realms > Delegate As Read-Only Realms

Administrator can view (but not modify) ALL realms

Allows the administrator to view the user authentication realms, but not modify.

Select the user authentication realms that you want to allow the administrator to view.

NOTE: If you specify both write access and read-only access for an authentication realm page, the Infranet Controller grants the most permissive access. For example, if you select the Administrators can manage ALL realms check box under Delegate User Realms, and then select the Users role on the Delegate As Read-Only Realms page, then the Infranet Controller allows the delegated administrator role full management privileges to the Users realm.

Admin Role > General > DelegatedAdministratorSettings > Management of Admin roles

Select to manage all the admin roles.Manages all admin roles.Manage ALL

admin roles

Page 70

NSM Infranet Controller Configuration Guide

Table 9: Administrator Role Configuration Details (continued)

Your ActionFunctionOption

Allow Add/Delete admin roles

Allows the security administrator the ability to create administrator roles,

Select to allow the security administrator to add and delete admin roles.

even if the security administrator is not part of the Administrators role.

•

Access

Indicates the level of access that you want to allow the security administrator role to set for system administrators.

Select Deny All to specify that members of the security administrator role cannot see or modify any settings in the category.

•

Select Read All to specify that members of the security administrator role can view, but not modify, all settings in the category.

•

Select Write All to specify that members of the security administrator role can modify all settings in the category.

•

Select Custom Settings to allow you to pick and choose security administrator privileges (Deny, Read, or Write) for the individual features within the category.

Admin Role > General > Delegated Administrator Settings > Management of Admin realms

Select to manage all the admin realms.Manages all admin realms.Manage ALL

admin realms

Allow Add/Delete admin realms

Allows the security administrator to create and delete administrator realms,

Select to allow the security administrator to add and delete admin realms.

even if the security administrator is not part of the administrators role.

Access

Indicates the level of realm access that you want to allow the security administrator role to set for system administrators for each major set of admin console pages.

•

Select Deny All to specify that members of the security administrator role cannot see or modify any settings in the category.

•

Select Read All to specify that members of the security administrator role can view, but not modify, all settings in the category.

•

Select Write All to specify that members of the security administrator role can modify all settings in the category.

•

Select Custom Settings to allow you to pick and choose security administrator privileges (Deny, Read, or Write) for the individual features within the category.

NOTE: All administrators that can manage admin roles and realms have at least read-only access to the admin role’s Name and Description and to the realm's Name and Description, as displayed on the General page.

Page 71

Chapter 6: Configuring User Roles and Administrator Roles

Table 9: Administrator Role Configuration Details (continued)

Your ActionFunctionOption

Admin Role > General > Delegated Resource Policies > All tab

•

Access

Indicates the level of access that you want to allow the administrator role for each Resource Policies submenu.

Admin Role > General > Delegated Resource Policies > Custom Settings

Additional AccessPolicies

Sets custom access levelsfor an individual policy

Select Deny All to specify that members of the administrator role cannot see or modify any resource policies.

•

Select Read All to specify that members of the administrator role can view, but not modify, all resource policies.

•

Select Write All to specify that members of the administrator role can modify all resource policies.

•

Select Custom Settings to allow you to pick and choose administrator privileges (Deny, Read, or Write) for each type of resource policy or for individual resource policies.

Select the access level for the policy (Deny, Read, or Write).

Policies

Provides custom access level.

Select the resource policy for which you want to provide a custom accesslevel, and click Add.

Default Options for Delegated Admins > Session Options tab

Idle Timeout (minutes)

minutes an administrator

Enter the idle timeout duration in minutes.Specifies the number of

session may remain idle before ending. The minimum is 5 minutes. The default idle session limit is ten minutes, which means that if an administrator’s session is inactive for ten minutes, the Infranet Controller ends the session and logs the event in the system log (unless you enable session timeout warnings described below).

Max. Session Length (minutes)

Specifies the number of minutes an active administrator session may

Enter the session length in minutes. The default is 300 seconds, and the minimum is six minutes.

remain open before ending. The minimum is 6 minutes. The default time limit for an administrator session is sixty minutes, after which the Infranet Controller ends the session and logs the event in the system log.

Page 72

NSM Infranet Controller Configuration Guide

Table 9: Administrator Role Configuration Details (continued)

Roaming session

Roaming sessions allow users to work across source IP addresses. This is useful for mobile users with dynamically assigned IP addresses, as it allows them to sign in from their desk and continue working.

Your ActionFunctionOption

•

Select Enabled to enable roaming user sessions for users mapped to this group. A roaming user session works across source IP addresses, which allows mobile administrators (laptop users) with dynamic IP addresses to sign in to the Infranet Controller from one location and continue working from another. Disable this feature to prevent users from accessing a previously established session from a new source IP address. This helps protect against an attack spoofing a user’s session, provided the hacker was able to obtain a valid user's session cookie.

•

Select Limit to subnet to limit the roaming session to the local subnet specified in the Netmask field. Administrators may sign in from one IP address and continue using their sessions with another IP address as long as the new IP address is within the same subnet.

•

Select Disabled to disable roaming sessions for administrators mapped to this role. Administrators who sign in from one IP address may not continue an active Infranet Controller session from another IP address; administrator sessions are tied to the initial source IP address.

Default Options for Delegated Admins >UI Options tab

Logo image

Displays the logo in the Current appearance box only

Click the Browse button and locate your custom image file.

after you save your changes.

Background color

Updates the current appearance of the box.

Type the hexadecimal number for the background color or click the Color Paletteicon and pick the desired color.

•

Navigation Menus

Displays hierarchical navigation menus.

Select Auto-enabled to determine whether the administrator is signed in from a supported platform and enables or disables the hierarchical menus accordingly.

•

SelectEnabled to enable hierarchical menus, regardless of your platform. If the administrator is signed in from an unsupported platform, they may not be able to use the hierarchical menus, even though they are enabled.

•

Select Disabled to disable hierarchical menus for all members of the role.

Page 73

Chapter 6: Configuring User Roles and Administrator Roles

Table 9: Administrator Role Configuration Details (continued)

Your ActionFunctionOption

Select or clear the check box (optional).

NOTE: If you do not want user roles to see the copyright notice, you can also deselect the option in the Default Settings for user roles, in general. That way, all subsequent roles you create do not allow the notice to appear on the end-user UI.

Documentation

Show copyright notice in footer

Delegating Management Tasks to Infranet Controller Administrator Roles (NSM

•

Specifies the copyright notice and label in the footer.

Procedure) on page 55

• Configuring Infranet Controller User Roles (NSM Procedure) on page 35

• Configuring Access Options on an Infranet Controller User Role (NSM Procedure) on

page 40

• Configuring OAC Settings for a User Role (NSM Procedure) on page 42

Delegating Management Tasks to Infranet Controller Administrator Roles (NSM Procedure)

You can delegate management tasks to various delegated administrator roles.

To delegate management tasks to administrator roles:

1. In the navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the Infranet Controller device for

which you want to configure administrator role.

3. Click the Configuration tab. In the configuration tree, select Administrators > Admin

Roles.

4. Add or modify settings under Admin Role as specified in Table 10 on page 55.

5. Click one:

•

OK — Saves the changes.

•

Cancel — Cancels the modifications.

Table 10: Administrator Role Configuration for Delegation

Your ActionFunctionOption

Users > Roles > Delegate User Roles

Administrators can manage ALL roles

Specifies whether the administrator can manage all roles

Select the user roles. If you only want to allow the administrator role to manage selecteduser roles, select those roles in the Non-members list and click Add to move it to the Members list.

Page 74

NSM Infranet Controller Configuration Guide

Table 10: Administrator Role Configuration for Delegation (continued)

Access

Users > Role > Delegate As Read-Only Role

Administrator can view (but not modify) ALL roles

Specifies which user role pages the delegated administrator can manage.

Allows the administrator to view the user roles, but not manage.

Your ActionFunctionOption

•

Select Write All to specify that members of the administrator role can modify all user role pages.

•

Select Custom Settings to allow you to pick and choose administrator privileges (Deny, Read, or Write) for the individual user role pages.

Selectthe user roles that you want to allow the administrator to view.

NOTE: If you specify both write access and read-only access for a feature, the Infranet Controller grants the most permissive access. For example, if you select the Administrators can manage ALL roles check box under Delegate User Roles, and then select the Users role on the Delegate As Read-Only Roles page then the Infranet Controller allows the delegated administrator role full management privileges to the Users role.

Users > Realms > Delegate User Realms

Administrators can manage ALL realms

Specifies whether the administrator can manage all user authentication realms

Select the user realm. If you only want to allow the administrator role to manage selected realms, select those realms in the Non-members list and click Add to move it to the Members list.

Access

Specifies which user

•

authenticationrealms pages that the delegated administrator can manage.

•

Users > Realms > Delegate As Read-Only Realms

Administrator can view (but not modify) ALL realms

Allows the administrator to view the user authentication realms, but not modify.

Select the user authentication realms that you want to allow the administrator to view.

Select Write All to specify that members of the administrator role can modify all user authentication realm pages.

Select Custom Settings to allow you to pick and choose administrator privileges (Deny, Read, or Write) for the individual user authentication realm pages.

Page 75

Chapter 6: Configuring User Roles and Administrator Roles

Table 10: Administrator Role Configuration for Delegation (continued)

Your ActionFunctionOption

Delegated System Settings tab

•

System Tasks

Log/Monitoring

Authentication

Maintenance Tasks

Indicates the level of access that you want to allow for system tasks.

Indicates the level of access that you want to allow for log/monitoring.

Indicates the level of access that you want to allow for authentication.

Indicates the level of access that you want to allow for maintenance tasks.

Select Deny All to specify that members of the administrator role cannot view or modify any settings.

•

Select Read All to specify that members of the administrator role can view, but not modify settings.

•

Select Write All to specify that members of the administrator role can modify all settings.

•

Select Custom Settings to allow you to pick and choose privileges (Deny, Read, or Write) for System, Archiving and Troubleshooting pages.

Delegated Administrator Settings > Management of Admin roles

Select to manage all the admin roles.Manages all admin roles.Manage ALL

admin roles

Allow Add/Delete admin roles

Allows the security administrator to create administrator roles, even if

Select to allow the security administrator to add and delete admin roles.

the security administrator is not part of the administrators role.

•

Access

Indicates the level of access that you want to allow the security administrator role to set for system administrators.

Select Deny All to specify that members of the security administrator role cannot see or modify any settings in the category.

•

Select Read All to specify that members of the security administrator role can view, but not modify, all settings in the category.

•

Select Write All to specify that members of the security administrator role can modify all settings in the category.

•

Select Custom Settings to allow you to pick and choose security administratorprivileges (Deny, Read, or Write) for the individual features within the category.

Delegated Administrator Settings > Management of Admin realms

Select to manage all the admin realms.Manages all admin realms.Manage ALL

admin realms

Page 76

NSM Infranet Controller Configuration Guide

Table 10: Administrator Role Configuration for Delegation (continued)

Your ActionFunctionOption

Allow Add/Delete admin realms

Allows the security administrator to create and delete administrator realms, even if the security administrator is not part of the administrators role.

Access

Indicates the level of realm access that you want to allow the security administrator role to set for system administrators for each major set of admin console pages (General, Authentication Policy, and Role Mapping.)

Delegated Resource Policies > All tab

Access

Indicates the level of access that you want to allow the administrator role for each Resource Policies sub-menu

Select to allow the security administrator to add and delete admin realms.

•

Select Deny All to specify that members of the security administrator role cannot see or modify any settings in the category.

•

Select Read All to specify that members of the security administrator role can view, but not modify, all settings in the category.

•

Select Write All to specify that members of the security administrator role can modify all settings in the category.

•

Select Custom Settings to allow you to pick and choose security administratorprivileges (Deny, Read, or Write) for the individual features within the category.

•

Select Deny All to specify that members of the administrator role cannot see or modify any resource policies.

•

Select Read All to specify that members of the administrator role can view, but not modify, all resource policies.

•

Select Write All to specify that members of the administrator role can modify all resource policies.

•

Select Custom Settings to allow you to pick and choose administrator privileges (Deny, Read, or Write) for each type of resource policy or for individual resource policies.

Delegated Resource Policies > All (Custom Settings for Infranet Enforcer, Network Access, and Host Enforcer)

Additional Access Policies

Policies

Sets custom access levels for an individual policy

Provides custom access level.

Select the access level for the policy (Deny, Read, or Write.)

Select the resource policy for which you want to provide a custom accesslevel, and click Add.

Page 77

Chapter 6: Configuring User Roles and Administrator Roles

Documentation

• Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on

page 48

• Configuring Infranet Controller User Roles (NSM Procedure) on page 35

• Configuring OAC Settings for a User Role (NSM Procedure) on page 42

• Configuring Access Options on an Infranet Controller User Role (NSM Procedure) on

page 40

Page 78

NSM Infranet Controller Configuration Guide

Page 79

CHAPTER 7

Configuring Security Requirements for Administrators and Users

•

Configuring Infranet Controller Source IP Access Restrictions (NSM Procedure) on page 61

•

Configuring Infranet Controller Browser Access Restrictions (NSM Procedure) on page 63

•

Configuring Infranet Controller Certificate Access Restrictions (NSM Procedure) on page 64

•

Configuring Infranet Controller Password Access Restrictions (NSM Procedure) on page 66

•

Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure) on page 67

•

Configuring Infranet Controller RADIUS Request Attribute Restrictions for User Realms (NSM Procedure) on page 69

•

Configuring the Number of Concurrent Sessions and Concurrent Users for Infranet Controller Users (NSM Procedure) on page 70

Configuring Infranet Controller Source IP Access Restrictions (NSM Procedure)

SourceIP access restrictions control from which IP addresses users can access an Infranet Controller sign-in page, be mapped to a role, or access a resource.

To configure Infranet Controller source IP access restrictions:

1. In the navigation tree, select Device Manager> Devices.

2. Click the Device Tree tab, and then double-click the Infranet Controller device for

which you want to configure source IP access restrictions.

3. Click the Configuration tab. In the Configuration tree, select:

•

Administrators > Admin Roles > Select Role > General > Restrictions > Source IP Restrictions to configure source IP access restrictions for admin roles.

•

Administrators > Admin Realms > Select Realm > AuthenticationPolicies > Source IP to configure source IP access restrictions for admin realms.

Page 80

NSM Infranet Controller Configuration Guide

•

Users > User Roles > Select Role > General > Restrictions > Source IP Restrictions to configure source IP access restrictions for user roles.

•

Users > User Realms > Authentication Policies > Source IP to configure source IP access restrictions for user realms.

4. Add or modify settings as specified in Table 11 on page 62.

5. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 11: Source IP Access Restrictions Configuration Details

Allow

Specifies from which IP addresses users can access an Infranet Controller sign-in page, be mapped to a role, or access a resource.

Your ActionFunctionOption

•

Select Users from any IP address to enable users to sign into the Infranet Controller from any IP address.

•

SelectUsers from IP addresses which pass the specified matching policies

to allow access only to the listed IP addresses.

Documentation

Enter the IP address.Specifies the source IP address.Source IP Address

Enter the IP netmask.Specifies the IP netmask.Source IP Netmask

•

Access

Specifies whether to allow or deny access.

Select Allow to allow the user to use the IP address.

•

Select Deny to prevent users from using the IP address.

Enable Administrators to sign in on the

Specifies whether or not administrators can sign in from the external port

Select this option to enable administrators to sign in on the external port..

External Port

NOTE: This setting can be configured only for admin realms.

Enable Administrators to sign in on the

Specifies whether or not administrators can sign in from the internal port.

Internal Port

Configuring Infranet Controller Browser Access Restrictions (NSM Procedure) on

•

Select this option.

NOTE: This setting can be configured only for admin realms.

page 63

• Configuring Infranet Controller Certificate Access Restrictions (NSM Procedure) on

page 64

• Configuring Infranet Controller Password Access Restrictions (NSM Procedure) on

page 66

Page 81

Chapter 7: Configuring Security Requirements for Administrators and Users

• Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure) on

page 67

• Configuring the Number of Concurrent Sessions and Concurrent Users for Infranet

Controller Users (NSM Procedure) on page 70

• Configuring Infranet Controller User Roles (NSM Procedure) on page 35

Configuring Infranet Controller Browser Access Restrictions (NSM Procedure)

Browser restrictions control from which Web browsers users can access an Infranet Controller sign-in page or be mapped to a role. If a user tries to sign into the Infranet Controllerusing an unsupported browser,the sign-in attempt fails and a messagedisplays stating that an unsupported browser is being used. This feature also ensures that users sign into the Infranet Controller from browsers that are compatible with corporate applications or are approved by corporate security policies.

To configure Infranet Controller browser access restrictions:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device tree tab, and then double-click the Infranet Controller device for

which you want to configure browser access restrictions.

3. Click the Configuration tab. In the configuration tree, select the level at which you

want to implement browser access restrictions:

•

Realm level—Select:

•

Administrators > Admin Realms >Select Realm > Authentication Policies > Browser to configure browser access restrictions for admin realms.

•

Users > User Realms > Select Realm > Authentication Policies > Browser to configure browser access restrictions for user realms.

•

Role level—Select:

•

Administrators > Admin Roles > Select Role > General > Restrictions > Browser Restrictions to configure browser access restrictions for admin roles.

•

Users > User Roles> SelectRole > General > Restrictions > Browser Restrictions to configure browser access restrictions for user roles.

4. Add or modify settings as specified in Table 12 on page 64.

5. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Page 82

NSM Infranet Controller Configuration Guide

Table 12: Browser Access Restrictions Configuring Details

Allow

Specifies from which Web browsers users can access an Infranet Controllersign-in pageor be mapped to a role.

Your ActionFunctionOption

•

SelectBrowserswith any user-agent to allow users to access the Infranet Controller or resources using any of the supported Web browsers.

•

Select Browsers whose user-agent pass the matching policies defined below to allow you to

define browser access control rules.

Documentation

User—Agent pattern

Action

Configuring Infranet Controller Source IP Access Restrictions (NSM Procedure) on

•

Specifies the user agent string pattern.

Specifies whether to allow or deny browser access.

Enter a string in the format

*<browser_string>*

where start (*) is an optional characterused to match any character and <browser_string>is a case-sensitive patternthat must matcha substring in the user-agent header sent by the browser.

NOTE: You cannot include escape characters (\) in browser restrictions.

•

SelectAllowaccess to allow users to use a browser that has a user-agent header containing the<browser_string> substring.

•

Select Deny access to prevent users from using a browser that has a user-agent header containing the <browser_string> substring.

page 61

• Configuring Infranet Controller Certificate Access Restrictions (NSM Procedure) on

page 64

• Configuring Infranet Controller Password Access Restrictions (NSM Procedure) on

page 66

• Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure) on

page 67

• Configuring the Number of Concurrent Sessions and Concurrent Users for Infranet

Controller Users (NSM Procedure) on page 70

• Configuring Infranet Controller User Roles (NSM Procedure) on page 35

• Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on

page 48

Configuring Infranet Controller Certificate Access Restrictions (NSM Procedure)

Certificate accessrestrictions restrictInfranet Controllerand resource access by requiring client side certificates.

Page 83

Chapter 7: Configuring Security Requirements for Administrators and Users

To configure Infranet Controller certificate access restrictions:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device tree tab, and then double-click the Infranet Controller device for

which you want to configure certificate access restrictions.

3. Click the Configuration tab. In the configuration tree, select the level at which you

want to implement certificate access restrictions:

•

Realm level—Select:

•

Administrators > Admin Realms >Select Realm > Authentication Policies > Certificate to configure certificate access restrictions for admin realms.

•

Users > User Realms >Select Realm > Authentication Policies > Certificate to configure certificate access restrictions for user realms.

•

Role level—Select:

•

Administrators > Admin Roles > Select Role > General > Restrictions > Certificate Restrictions to configure certificate access restrictions for admin

roles.

•

Users > User Roles > Select Role > General > Restrictions > Certificate Restrictions to configure certificate access restrictions for user roles.

4. Add or modify settings as specified in Table 13 on page 65.

5. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 13: Certificate Access Restrictions Configuring Details

Your ActionFunctionOption

•

Allow

Restricts Infranet Controller and resource access by requiring client-side certificates.

Select All users to allow users to access the Infranet Controller or resources from any machine.

•

Select Users with a trusted client certificate to allow users to accessthe Infranet Controller from a machine with a trusted client certificate.

•

Select All users, remember certificate while user is signed in to remember all the users’

certificate while they are signed in.

NOTE: This option is applicable for admin and user realms.

Certificate Field

Enter the certificate field information.Specifies the certificate field information for the field/value pair.

Page 84

NSM Infranet Controller Configuration Guide

Table 13: Certificate Access Restrictions Configuring Details (continued)

Your ActionFunctionOption

Enter the expected value information.Specifies the expected value

Documentation

Expected Value

Configuring Infranet Controller Source IP Access Restrictions (NSM Procedure) on

•

information for the field/value pair.

page 61

• Configuring Infranet Controller Browser Access Restrictions (NSM Procedure) on

page 63

• Configuring Infranet Controller Password Access Restrictions (NSM Procedure) on

page 66

• Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure) on

page 67

• Configuring the Number of Concurrent Sessions and Concurrent Users for Infranet

Controller Users (NSM Procedure) on page 70

• Configuring Infranet Controller User Roles (NSM Procedure) on page 35

• Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on

page 48

Configuring Infranet Controller Password Access Restrictions (NSM Procedure)

You can restrict Infranet Controller and resource access by password-length when administrators or users try to sign in to an Infranet Controller. The user must enter a password whose length meets the minimum password-length requirement specified for the realm.

To configure Infranet Controller password access restrictions:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device tree tab, and then double-click the Infranet Controller device for

which you want to configure password access restrictions.

3. Click the Configuration tab. In the configuration tree, select the level at which you

want to implement password access restrictions. Then select:

•

Administrators > Admin Realms >Select Realm > Authentication Policies > Password to configure password access restrictions for admin realms.

•

Users > User Realms >Select Realm > Authentication Policies > Password to configure password access restrictions for user realms.

4. Add or modify settings as specified in Table 14 on page 67.

5. Click one:

•

OK—Saves the changes.

Page 85

Chapter 7: Configuring Security Requirements for Administrators and Users

•

Cancel—Cancels the modifications.

Table 14: Password Access Restrictions Configuration Details

Your ActionFunctionOption

Documentation

Options for primary authenticationserver

Primary password minimum length

Configuring Infranet Controller Source IP Access Restrictions (NSM Procedure) on

•

Specifies the options for the primary authentication server.

Specifies the minimum number of characters a password must have.

•

Select Only allow users that have passwords of a minimum length to

restrict user access to only those who meet the Primary password minimum length requirement.

•

Select Allow all users to permit access to all the users.

Select or enter the minimum number of characters that a password must have.

page 61

• Configuring Infranet Controller Browser Access Restrictions (NSM Procedure) on

page 63

• Configuring Infranet Controller Certificate Access Restrictions (NSM Procedure) on

page 64

• Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure) on

page 67

• Configuring the Number of Concurrent Sessions and Concurrent Users for Infranet

Controller Users (NSM Procedure) on page 70

• Configuring Infranet Controller User Roles (NSM Procedure) on page 35

• Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on

page 48

Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure)

A Host Checker restricts user’s access to the Infranet Controller, a role, or a resource based on his Host Checker status.

To configure Infranet Controller Host Checker access restrictions:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device tree tab, and then double-click the Infranet Controller device for

which you want to configure Host Checker access restrictions.

3. Click the Configuration tab. In the configuration tree, select the level at which you

want to implement Host Checker access restrictions:

•

Realm level—Select:

Page 86

NSM Infranet Controller Configuration Guide

•

Administrators > Admin Realms >Select Realm > Authentication Policies > Host Checker to configure Host Checker access restrictions for admin realms.

•

Users > User Realms >Select Realm > Authentication Policies > Host Checker to configure Host Checker access restrictions for user realms.

•

Role level—Select:

•

Administrators > Admin Roles > Select Role > General > Restrictions > Host Checker Restrictions to configure Host Checker access restrictions for admin

roles.

•

Users > User Roles > Select Role > General > Restrictions > Host Checker Restrictions to configure Host Checker access restrictions for user roles.

4. Add or modify settings as specified in

•

Table 15 on page 68 to configure role level restrictions.

•

Table 16 on page 68 to configure realm level restrictions.

5. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 15: Host Checker Access Restrictions for Role Level Configuration Details

Your ActionFunctionOption

Enforce/Allow

Host Checker policies

Allow access to the role if

Specifies the Host Checker policy at the role level.

Checker policies.

Specifies access to the role.

•

Select Allow all users to permit access to all users.

•

Select Allow users whose workstations meet the requirements specified by the Host Checker policies to require that Host Checker is running

the specified Host Checker policies for the user to meet the access requirement.

Select the required Host Checker policies.Specifies the Host

•

Select All of the selected policies pass to allow accessonly if all the policy requirements are met.

•

Select Any ONE of the selected policies pass to allow access even if one policy requirement is met.

Table 16: Host Checker Access Restrictions for Realm Level Configuration Details

Evaluate ALL policies

Your ActionFunctionField

Select to evaluate all policies.Specifies if all policies must

be evaluated.

Page 87

Chapter 7: Configuring Security Requirements for Administrators and Users

Table 16: Host Checker Access Restrictions for Realm Level Configuration Details (continued)

Your ActionFunctionField

Documentation

Evaluate selected policies

Enforce ALL policies

Enforce selected policies

realm if

Configuring Infranet Controller Source IP Access Restrictions (NSM Procedure) on

•

Specifies that the selected policies are to be evaluated.

be enforced.

Specifies that the selected policies are to be enforced.

Specifies access to the realm.Allow access to the

Selectthe policies that must be evaluated and add them to the Members list.

Select to enforce all policies.Specifies if all policies must

Select the policies that must be enforced and add them to the Members list.

•

SelectAll of the enforcedpolicies pass to allow access only if all the enforced policy requirements are met.

•

Select Any ONE of the enforced policies pass to allow access even if

one enforced policy requirement is met.

page 61

• Configuring Infranet Controller Browser Access Restrictions (NSM Procedure) on

page 63

• Configuring Infranet Controller Certificate Access Restrictions (NSM Procedure) on

page 64

• Configuring Infranet Controller Password Access Restrictions (NSM Procedure) on

page 66

• Configuring the Number of Concurrent Sessions and Concurrent Users for Infranet

Controller Users (NSM Procedure) on page 70

• Configuring Infranet Controller User Roles (NSM Procedure) on page 35

• Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on

page 48

Configuring InfranetController RADIUS Request AttributeRestrictions for User Realms (NSM Procedure)

You can create RADIUS request attribute policies to require authentication requests to contain specific RADIUS attribute values. If an endpoint attempts to access a realm with a RADIUS request attribute policy, the endpoint must meet the conditions specified in the policy.

Page 88

NSM Infranet Controller Configuration Guide

To add a RADIUS request attribute policy to a realm:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device tree tab, and then double-click the Infranet Controller device for

which you want to configure RADIUS request attribute restrictions for user realms.

3. From the Configuration tab, select Users > User Realms >Select Realm >

Authentication Policies > RADIUS Request Attributes Policies to configure RADIUS request attribute restrictions for user realms.

4. Select the RADIUS request attribute policies, which the endpoint must meet, from

the Non-members area and click Add to move it to the Members area.

5. Select Allow access to realm if any ONE of the selected policies are passed.

6. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Documentation

Configuring RADIUS Request Attributes Policies (NSM Procedure) on page 83•

• Configuring Infranet Controller Source IP Access Restrictions (NSM Procedure) on

page 61

• Configuring Infranet Controller Browser Access Restrictions (NSM Procedure) on

page 63

• Configuring Infranet Controller Password Access Restrictions (NSM Procedure) on

page 66

• Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure) on

page 67

• Configuring the Number of Concurrent Sessions and Concurrent Users for Infranet

Controller Users (NSM Procedure) on page 70

• Configuring Infranet Controller User Roles (NSM Procedure) on page 35

• Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on

page 48

Configuring the Number of Concurrent Sessions and Concurrent Users for Infranet Controller Users (NSM Procedure)

You can limit the number of concurrent sessions and concurrent users for Infranet Controller users. A user who enters a URL to one of this realm’s sign-in pages must meet any access management and concurrent user requirements specified for the authentication policy before the Infranet Controller presents the sign-in page to the user.

Page 89

Chapter 7: Configuring Security Requirements for Administrators and Users

To configure the number of concurrent sessions and concurrent users for Infranet Controller users:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device tree tab, and then double-click the Infranet Controller device for

which you want to configure the number of concurrent sessions and concurrent users.

3. Click the Configuration tab. In the configuration tree, select the level at which you

want to implement concurrent session restrictions. Then select:

•

Administrators > Admin Realms >SelectRealm > Authentication Policies > Limits to configure the number of concurrent sessions for admin realms.

•

Users > User Realms >SelectRealm > Authentication Policies > Limits to configure the number of concurrent sessions for user realms.

NOTE: The number of concurrent users can be configured only for user

realms.

4. Add or modify settings as specified in Table 17 on page 71.

5. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 17: Number of Concurrent Sessions and Concurrent Users for Infranet Controller User Configuration Details

Your ActionFunctionOption

Limit number of concurrentusers

Guaranteed minimum

Limit the number of concurrent sessions per user

Limits the number of concurrent users on the realm.

Specifies the number of users between zero (0) and the maximum number of concurrent users defined for the realm, or you can set the number to the maximum allowed by your license if there is no realm maximum.

Specifies whether the number of concurrent sessions per user is limited.

Select this option to limit the number of concurrent users.

Select or enter the number of users between zero (0) and the maximum number of concurrent users defined for the realm.

Select this option to limit the number of concurrent sessions per user.

Page 90

NSM Infranet Controller Configuration Guide

Table 17: Number of Concurrent Sessions and Concurrent Users for Infranet Controller User Configuration Details (continued)

Your ActionFunctionOption

Documentation

Session limit

Maximum

• Configuring Infranet Controller Source IP Access Restrictions (NSM Procedure) on

Specifies the number of sessions permissible.

NOTE: You can configure this option only for user realms.

Specifies the maximum number of concurrent users.

NOTE: You can configure this option only for user realms.

Specify the number of sessions permitted. By default, the number is 1 if the realm maximum is greater than 0; otherwise, the default is 0. The maximum number must be no greater than the maximum number of concurrent users for the realm.

Selector enter the maximum number of concurrent users permissible.

page 61

• Configuring Infranet Controller Browser Access Restrictions (NSM Procedure) on

page 63

• Configuring Infranet Controller Certificate Access Restrictions (NSM Procedure) on

page 64

• Configuring Infranet Controller Host Checker Access Restrictions (NSM Procedure) on

page 67

• Configuring Infranet Controller User Roles (NSM Procedure) on page 35

• Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure) on

page 48

Page 91

CHAPTER 8

Configuring the Infranet Controller RADIUS Server and Layer 2 Access

•

Configuring the Infranet Controller as a RADIUS Server (NSM Procedure) on page 73

•

Using the Infranet Controller for 802.1X Network Access (NSM Procedure) on page 75

•

Configuring Location Groups (NSM Procedure) on page 76

•

Configuring RADIUS Clients (NSM Procedure) on page 77

•

Configuring RADIUS Return Attributes Policies (NSM Procedure) on page 80

•

Configuring RADIUS Request Attributes Policies (NSM Procedure) on page 83

•

Configuring an Infranet Enforcer as a RADIUS Client of the Infranet Controller (NSM Procedure) on page 84

•

Non-Juniper 802.1X Supplicant Configuration Overview on page 85

Configuring the Infranet Controller as a RADIUS Server (NSM Procedure)

The Infranet Controller contains an internal RADIUS server that can be configured to perform Extensible Authentication Protocol (EAP) inner and outer authentication, non-tunneled Web authentication without EAP, and MAC address authentication.

To configure the Infranet Controller as a RADIUS server, the following configurations must be performed:

Configuring Authentication Protocol Sets on page 73

Using RADIUS Proxy on page 75

Configuring Authentication Protocol Sets

To configure an authentication protocol set:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the Infranet Controller device for

which you want to configure authentication protocol sets.

3. Click the Configuration tab. In the configurationtree, select Authentication > Signing

In > Authentication Protocols.

Page 92

NSM Infranet Controller Configuration Guide

4. Add or modify settings on the authentication protocol sets as specified in Table 18 on

page 74.

5. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 18: Authentication Protocol Sets Configuration Details

NOTE: The default 802.1X protocol set is configured to work with either EAP-TTLS or EAP-PEAP as the primary outer authentication protocol, and EAP-JUAC or EAP-MSCHAP- V2 for inner authentication (if EAP-PEAP is used) and EAP-JUAC, PAP, MSCHAP- V2, EAP-MS-CHAP-V2, or EAP-GenericTokenCard (if EAP-TTLS is used).

Your ActionFunctionOption

Authentication Protocol

Name

Description

for the authentication protocol.

Describes the authentication protocol.

Enter a name for the authentication protocol.Specifies a unique name

Enter a brief description for the authentication

protocol.

Authentication Protocol > Authentication Protocol

New Authentication Protocol

Specifies the main authentication protocol.

Select the authentication protocol from the list.

NOTE: If you are using inner RADIUS proxy, do

not select an inner protocol with EAP-PEAP or

EAP-TTLS. See “Using RADIUS Proxy.”

Authentication Protocol > PEAP

New PEAP

Specifies the inner authentication protocol.

If you select EAP-PEAP as the main

authentication protocol, under PEAP click Add

and select an inner authentication protocol from

the New PEAP list.

NOTE: If you are configuring a protocol set to

work with the Windows client and a Host

Checker Statement of Health policy, you must

choose the EAP-SOH protocol as the inner

authentication method within a PEAP tunnel.

Authentication Protocol > TTLS

New TTLS

Specifies the inner authentication protocol.

If you select EAP-TTLS as the main

authentication protocol, under TTLS click Add

and select an inner authentication protocol from

the New TTLS list.

Page 93

Using RADIUS Proxy

Chapter 8: Configuring the Infranet Controller RADIUS Server and Layer 2 Access

You can configure the Infranet Controller to proxy RADIUS inner or outer authentication to an external RADIUS server.

With RADIUS proxy, the Infranet Controller RADIUS server can forward authentication requests from a network access device to an external RADIUS server. The proxy target receives the request, performs the authentication, and returns the results. The Infranet Controller RADIUS server then passes the results to the network access device.

NOTE: When RADIUS proxy is used, realm or role restrictions cannot be

enforced. Host Checker policies, source IP restrictions, and any other limits that have been assigned are bypassed. RADIUS proxy should be used only if no restrictions have been applied. The exception is that session limitations can be enforced for inner proxy. With outer proxy, no session is established.

You configure RADIUS proxy at the realm level. If the authentication server for the realm is a RADIUS server, option buttons on the page allow you to select inner proxy, outer proxy, or do not proxy. Do not proxy is selected by default. If the authentication server is not a RADIUS server, the proxy option buttons are hidden.

If the authentication server selected for a realm is a RADIUS server, the Proxy Outer Authentication option button controls whether outer authentication is proxied, and the ProxyInner Authentication option button controls whether inner authentication is proxied.

You can also choose the Do not proxy option button if you do not want inner or outer authentication to be proxied. In this case, the Infranet Controller handles both inner and outer authentication. You must enable the JUAC protocol for this option.

Documentation

Configuring Role Mapping Rules (NSM Procedure) on page 90•

• Configuring RADIUS Clients (NSM Procedure) on page 77

• Using the Infranet Controller for 802.1X Network Access (NSM Procedure) on page 75

Using the Infranet Controller for 802.1X Network Access (NSM Procedure)

The IEEE 802.1X protocol provides authenticatedaccess to a LAN. The Infranet Controller RADIUS server can fulfill RADIUS authentication requests from RADIUS clients that support 802.1X. (If you are using an external RADIUS server for authentication, you can use the Infranet Controller RADIUS proxy feature.)

To configure the Infranet Controller as a RADIUS server for an 802.1X network access device, perform these tasks:

•

Configuring Location Groups (NSM Procedure)

•

Configuring RADIUS Clients (NSM Procedure)

•

Configuring a New RADIUS Vendor (NSM Procedure)

Page 94

NSM Infranet Controller Configuration Guide

•

Configuring RADIUS Attributes Policies (NSM Procedure)

•

Configuring an Infranet Enforcer as a RADIUS Client of the Infranet Controller (NSM Procedure)

•

Non-Juniper 802.1X Supplicant Configuration Overview

Documentation

Configuring Location Groups (NSM Procedure) on page 76•

• Configuring RADIUS Clients (NSM Procedure) on page 77

• Configuring a New RADIUS Vendor (NSM Procedure) on page 78

Configuring Location Groups (NSM Procedure)

You can use location groups to organize or logically group network access devices by associating the devices with specific sign-in policies. Location groups associate sign-in policies with network access devices.

To configure location groups:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the Infranet Controller device for

which you want to configure location groups.

3. Click the Configuration tab. In the configuration tree, select UAC > Network Access

> Location Groups.

4. Add or modify Location Groups tab as specified in Table 19 on page 76.

5. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 19: Location Groups Configuration Details

Specifies the location group name.Name

Describes the location group.Description

Sign-in Policy

to associate with the location group.

MAC Authentication Realm

Specifies the MAC authentication realm.

Your ActionFunctionOption

Enter a name for the location group.

Enter a brief description for the location group.

Select the sign-in policy.Specifies the sign-in policy you want

Select the MAC authentication realm.

Page 95

Chapter 8: Configuring the Infranet Controller RADIUS Server and Layer 2 Access

Documentation

Configuring RADIUS Clients (NSM Procedure) on page 77•

• Configuring a New RADIUS Vendor (NSM Procedure) on page 78

• Configuring RADIUS Return Attributes Policies (NSM Procedure) on page 80

Configuring RADIUS Clients (NSM Procedure)

To enable the Infranet Controller to respond to a network access device, you must configure a RADIUS client in the Infranet Controller.

Configure RADIUS clients by following these procedures:

Uploading a New RADIUS Client Dictionary on page 77

Creating a RADIUS Dictionary Based on an Existing Model on page 78

Configuring a New RADIUS Vendor (NSM Procedure) on page 78

Creating a RADIUS Client on page 79

Uploading a New RADIUS Client Dictionary

To upload a new RADIUS client dictionary to the Infranet Controller:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the Infranet Controller device for

which you want to upload the RADIUS client dictionary.

3. Click the Configuration tab. In the configuration tree, select UAC > Network Access

> RADIUS Dictionary.

4. Add or modify settings on the RADIUS Dictionary tab as specified in Table 20 on

page 77.

5. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

NOTE:

•

You can only remove dictionaries that are not associated with a vendor.

•

You can download any dictionary from the list, including preinstalled dictionaries. You can modify the downloaded dictionary, and then upload it as a new make or model.

Table 20: RADIUS Dictionary Configuration Details

Your ActionFunctionOption

Specifies the RADIUS dictionary name.Name

Enter a name for the RADIUS dictionary.

Page 96

NSM Infranet Controller Configuration Guide

Table 20: RADIUS Dictionary Configuration Details (continued)

Your ActionFunctionOption

Describes the RADIUS dictionary.Description

Dictionary

on a local or connected drive.

Creating a RADIUS Dictionary Based on an Existing Model

To create a RADIUS dictionary based on an existing manufacturer’s model:

1. Modify the existing dictionary.

a. Select the existing dictionary that you would like to copy. See “Uploading a New

RADIUS Client Dictionary” on page 77.

b. Download the file, make the required modifications, and then rename and save

the .dct file.

2. Browse for the file you have modified, and enter a new name and description for the

new dictionary. See “Uploading a New RADIUS Client Dictionary” on page 77.

NOTE: There is no vendor associated with the new dictionary.

Enter a brief description for the RADIUS dictionary.

Select the dictionary file.Specifiesthe dictionary file (.dct) path

Enter the filename.Specifies the dictionary filename.Dictionary filename

3. Associate the dictionary to a new RADIUS vendor. See “Configuring a New RADIUS

Vendor (NSM Procedure)” on page 78.

Configuring a New RADIUS Vendor (NSM Procedure)

To configure a new RADIUS vendor:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the Infranet Controller device for

which you want to configure a new RADIUS vendor.

3. Click the Configuration tab. In the configuration tree, select UAC > Network Access

> RADIUS Vendors.

4. Add or modify RADIUS vendors on the RADIUS Vendors tab as specified in Table 21

on page 79.

5. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Page 97

Chapter 8: Configuring the Infranet Controller RADIUS Server and Layer 2 Access

Table 21: RADIUS Vendors Configuration Details

Your ActionFunctionOption

Name

Dictionary

Creating a RADIUS Client

To create a RADIUS client:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the Infranet Controller device for

3. Click the Configuration tab. In the configuration tree, select UAC > Network Access

4. Add or modify RADIUS clients on the RADIUS Clients tab as specified in Table 22 on

5. Click one:

Specifies a name for the RADIUS vendor.

Describes the RADIUS vendors.Description

associated with the RADIUS vendor.

which you want to create a RADIUS client.

> RADIUS Clients.

page 79.

•

OK—Saves the changes.

Enter a name for the RADIUS vendor.

Enter a brief description for the RADIUS vendor.

Select the dictionary.Specifies the dictionary to be

•

Cancel—Cancels the modifications.

Table 22: RADIUS Clients Configuration Details

Specifies the RADIUS client’s name.Name

Describes the RADIUS clients.Description

IP Address

access device.

IP Address Range

Specifies the number of IP addresses in the IP address range for the network access devices, starting with the address specified for IP address.

Your ActionFunctionOption

Enter a name for the RADIUS clients.

Enter a brief description for the RADIUS clients.

Enter the IP address.Specifies the IP address of the network

Enter the IP address range.

You can specify a range up to a maximum of 32,768 addresses.

Page 98

NSM Infranet Controller Configuration Guide

Table 22: RADIUS Clients Configuration Details (continued)

Your ActionFunctionOption

Shared Secret

Make/Model

Location Group

Support Disconnect Messages

Validates communications between the Infranet Controller and network access device.

attributes to be used by the Infranet Controllerwhen communicating with this client.

this network access device.

Allows the Infranet Controller to send unsolicited disconnect requests to the network access device. When a user session is deleted on the Infranet Controller, the disconnect messages cause the user’s session to be terminated immediately, and all session information is removed.

Enables the RADIUS clients.Enabled

Enter the shared secret.

The Infranet Controller supports shared secrets of up to 127 alphanumeric characters, including spaces and the following special characters:

~!@#$%^&*()_+|\=-‘{}[]:”’;<>?/.,

Select the make or model.Specifies the dictionary of RADIUS

Select the location group.Specifies the location group to use with

Selectthis option to send terminate session requests to network access devices that support RFC 3576.

Selectthis option to enable RADIUS clients.

Documentation

Configuring Location Groups (NSM Procedure) on page 76•

• Configuring RADIUS Return Attributes Policies (NSM Procedure) on page 80

• Configuring RADIUS Request Attributes Policies (NSM Procedure) on page 83

Configuring RADIUS Return Attributes Policies (NSM Procedure)

You can configure RADIUS attributes policies on the Infranet Controller to send return list attributes to an 802.1X network access device. You can also configure other functions on a network access device's port based on the role assigned to the user who is currently using that port.

To configure RADIUS attributes policies:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the Infranet Controller device for

which you want to configure RADIUS return attributes policies.

Page 99

Chapter 8: Configuring the Infranet Controller RADIUS Server and Layer 2 Access

3. Click the Configuration tab. In the configuration tree, select UAC > Network Access

> RADIUS Attributes > RADIUS Return Attributes Policies.

4. Add or modify RADIUS return attributes policies as specified in Table 23 on page 81.

5. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 23: RADIUS Return Attributes Policies Configuration Details

Your ActionFunctionOption

Name

Description

Location Group

Enable Open port

Enable VLAN

Specifies a name for the RADIUS return attributepolicy.

Describes the RADIUS return attribute policy.

Specifies the location groups for the RADIUS attributes policies.

Disables assigning endpoints to a VLAN or returning any RADIUS attributes.

Enables VLAN assignment according to RFC 3580 by returning the RADIUS tunnel attributes to the network access device.

Enter a name for the RADIUS return attribute policy.

Enter a brief description for the RADIUS return attributepolicy.

Selectthe locationgroup from the Non-member list and click Add to move them to the Members list.

NOTE: To apply the policy to all locationgroups, do not add any location groups and leave the default setting (all) listed in the Selected Location Groups list.

Selectthis option to disable all other RADIUS attributes options.

Select this option to configure VLAN assignment.

NOTE: Selecting this option is equivalent to manually specifying the three RFC 3580 RADIUS tunnel attributes in the Enable Return Attribute section.

VLAN

Enable Return Attribute

on the network infrastructure that you want to use for the role(s) to which this policy applies.

Enables the return-attribute option.

Specify the existing VLAN ID.Specifies the existing VLAN ID

Select this option to enable return attributes.

Page 100

NSM Infranet Controller Configuration Guide

Table 23: RADIUS Return Attributes Policies Configuration Details (continued)

Your ActionFunctionOption

return-attribute

Enable addition of Session-Timeout attribute with value equal to the Session Lifetime

Interface

Specifies the return attributes to be sent to the network access device.

Sends the Infranet Controller a session timeout value equal to the timeout value of the configured session length on all RADIUS accepts.

Specifies the Infranet Controller network interface for use by endpoints using RADIUS attributes policies to connect to the Infranet Controller.

Click return-attribute and add the return attribute.

1. From the Attribute drop-down list, select the return attribute you want to send.

2. For Value, enter the value for the selected attribute, and then click OK.

Clearthis check box to prevent the Infranet Controller from sending a session timeout value equal to the timeout value of the configured session length on all RADIUS accepts. This allows you to set the reauthentication timer statically on the switch port, if required

•

Select Automatic to use VLAN tagging . You must also connect the Infranet Controller internal interface to the trunk port on a VLAN-enabled switch that sees all of the VLAN traffic.

•

Select Internal if the endpoints using RADIUS attributes policies should use the IP address of the Infranet Controller's internal interface.

•

Select External if the endpoints on the configured VLAN should use the IP address of the Infranet Controller's external interface.

Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INFRANET CONTROLLER GUIDE REV 01 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual