
Clear Choice Test

Network access control


Juniper NAC: Powerful, complex

By , Network World
June 21, 2010 12:01 AM ET

Vendor: Juniper
Product: UAC v3.1
Pricing (1,000 users): $42,400
Strengths: Many deployment options, integration with SSL-VPN, powerful feature set
Weaknesses: Complexity, works best in Juniper-based network

Review: Trying to describe Juniper's UAC is difficult, because Juniper's NAC strategy has its tendrils in virtually every security product the company makes, from firewalls to switches to SSL VPNs.

Juniper UAC centers around its Infranet Controller, a hardware appliance that serves as a RADIUS proxy and server, an endpoint security checker, and an access control policy manager. Once you’ve put in the appropriately sized Infranet Controller, though, Juniper stuns you with piles of options and flexibility.

Since NAC usually starts with authentication of some sort, Infranet Controller supports three different models: 802.1X or MAC-based authentication at the edge device, a captive portal for guest or staff authentication, and authentication using the UAC client. One nice feature of UAC is the ability to mix and match all three, although doing so will likely result in an unmanageably complex configuration.

Authentication can be mixed with endpoint security checks, using either the UAC client for Mac and Windows, or Microsoft's NAP client. UAC builds on Juniper’s existing SSL VPN endpoint security base, so both installed clients and Web-based clients are supported for endpoint security checks.

Once users have passed authentication and endpoint security, access controls can be applied. Because Juniper encourages you to use 802.1X, it is able to push access control information down to switches at the edge. But Juniper has added hooks into its own ScreenOS and JunOS operating systems so that UAC can simultaneously push access controls into in-line devices including firewalls and many of its routing platforms.

One of the nice things about this approach is that you get many of the benefits of an in-line enforcement without the performance problems. UAC is also agnostic about the location of enforcement: you can use 802.1X controls, in-line controls, or both.

And, finally, UAC can push host-based access controls into network devices that are using the UAC client.

Juniper's endpoint security checking doesn't end at the moment of authentication. Both continuous endpoint checking and external links to intrusion detection/prevention systems are supported, either using the TCG/TNC IF-MAP standard or a direct link if you’ve got Juniper’s own IDS/IPS.
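The pipeline the review has described so far (authenticate by 802.1X, MAC, portal or agent; check endpoint posture; push enforcement to the edge switch and the in-line firewall at the same time; keep re-evaluating as new posture reports or IDS alerts arrive) is easier to reason about as a small policy engine. The following is an added illustration written for this page, not Juniper UAC code and not taken from the review. The role names, VLAN numbers, firewall zone names and event shapes are constructed assumptions; the RADIUS attribute names and values used for the edge switch are the standard RFC 3580 dynamic-VLAN attributes that any 802.1X-capable switch understands, which is the generic mechanism behind "pushing access control down to switches at the edge".

```python
"""Toy NAC policy engine: authenticate -> posture check -> enforce -> re-evaluate.
Added example, not Juniper UAC code. Roles, VLAN ids, zones and event shapes are
constructed for illustration; RADIUS attribute numbers follow RFC 3580."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class AuthMethod(Enum):
    DOT1X = "802.1x"           # supplicant on the endpoint, enforced at the edge switch
    MAC = "mac-auth"           # MAC address only: printers, phones, other agentless devices
    PORTAL = "captive-portal"  # browser login for guests or staff
    AGENT = "agent"            # installed NAC client, richest posture data


@dataclass
class Posture:
    av_running: bool
    patched: bool
    checked_by_agent: bool     # False when only a browser-based check was possible


@dataclass
class Session:
    user: str
    method: AuthMethod
    posture: Optional[Posture]
    flagged: bool = False      # set when an IDS/IPS reports this endpoint (IF-MAP style)
    role: str = "unknown"
    # one entry per enforcement point: "edge" (switch, via RADIUS) and "inline" (firewall)
    enforcement: dict = field(default_factory=dict)


# Constructed VLAN plan and zone plan for this example.
VLAN = {"staff": "10", "guest": "20", "device": "30", "quarantine": "99"}
ZONES = {
    "staff": ["internal", "internet"],
    "guest": ["internet"],
    "device": ["print-voice"],
    "quarantine": ["remediation"],
}


def rfc3580_vlan_attrs(vlan_id: str) -> dict:
    """Attributes a RADIUS server returns in Access-Accept so that an 802.1X or
    MAC-auth edge switch places the port in a VLAN (RFC 3580 section 3.31)."""
    return {
        "Tunnel-Type": 13,               # VLAN
        "Tunnel-Medium-Type": 6,         # IEEE-802
        "Tunnel-Private-Group-ID": vlan_id,
    }


def decide_role(s: Session) -> str:
    """Map authentication method plus posture onto an access role."""
    if s.flagged:
        return "quarantine"              # an IDS/IPS verdict overrides everything else
    if s.method is AuthMethod.MAC:
        return "device"                  # MAC auth proves nothing about a user: least privilege
    if s.posture is None or not (s.posture.av_running and s.posture.patched):
        return "quarantine"              # failed or absent posture check -> remediation only
    if s.method is AuthMethod.PORTAL and not s.posture.checked_by_agent:
        return "guest"                   # portal users without an agent get guest access at most
    return "staff"


def enforce(s: Session) -> Session:
    """Recompute enforcement for both enforcement points at once."""
    s.role = decide_role(s)
    s.enforcement["edge"] = rfc3580_vlan_attrs(VLAN[s.role])
    s.enforcement["inline"] = {"src": s.user, "allow_zones": ZONES[s.role]}
    return s


def on_event(s: Session, event: dict) -> Session:
    """Continuous checking: a live session is re-evaluated whenever the agent
    sends a fresh posture report or an IDS/IPS publishes an alert about it."""
    if event["type"] == "posture":
        s.posture = event["posture"]
    elif event["type"] == "ids-alert":
        s.flagged = True                 # sticky until an operator clears it
    return enforce(s)


if __name__ == "__main__":
    alice = enforce(Session("alice", AuthMethod.DOT1X, Posture(True, True, True)))
    print(alice.role, alice.enforcement)
    alice = on_event(alice, {"type": "ids-alert", "source": "ips-01"})
    print(alice.role, alice.enforcement["edge"]["Tunnel-Private-Group-ID"])
```

The point of keeping a separate entry per enforcement point is that the decision is made once and rendered twice: the edge switch only understands a VLAN, while the in-line firewall can express per-zone rules, so the same role produces both. The `on_event` path is what turns a one-time admission check into the continuous model the review describes; note that an IDS verdict is kept sticky rather than being overwritten by the next clean posture report.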

UAC is the only product we tested that fully integrates a NAC product line with an SSL VPN product line — although the mechanism is fairly complex. Unfortunately, SSL VPNs don't inherently mix well with the mechanisms that vendors have chosen for NAC, so putting NAC and SSL VPN together seems to imply a single-vendor solution.

All this adds up to a difficult-to-master system. To Juniper's credit, though, I spent less time debugging problems with UAC than with any of the other NAC devices, because by the time I figured out how to configure it, things just worked.
