Application NoteMachine Authentication Using CertificatesA Step-by-Step Guide to Machine Authentication withDigital Certificates Using Juniper Networks Unified AccessControl (UAC) in Conjunction with Odyssey Access ClientEnterprise EditionJuniper Networks, Inc.1194 North Mathilda AvenueSunnyvale, California 94089USA408.745.20001.888 Number: 350115-001 Nov 2007

Machine Authentication Using CertificatesTable of ContentsIntroduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Design Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Microsoft Windows CA Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Infranet Controller Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Request and Install Workstation Authentication Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Odyssey Access Client Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Confirm Proper Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Simultaneous Machine Authentication and User Authentication. . . . . . . . . . . . . . . . . . . . . . . . . 19Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21About Juniper Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212Copyright 2007, Juniper Networks, Inc.

Machine Authentication Using CertificatesIntroductionWhat happens in an 802.1X environment when there is no user around to sign into a PC andauthenticate it onto the network? What happens if routine system maintenance such as automatedbackups, software updates and patches need to be performed at night when everyone has gonehome and logged out of their machines? The answer is “absolutely nothing.” With 802.1X, unlessproper authentication can be performed, the machine won’t be able to get onto the network. Thisis where machine authentication comes in. It permits an unattended machine to authenticateonto the network through the normal 802.1X authentication mechanisms. There are a couple ofdifferent forms of machine authentication, one involving machine credentials similar to a usernameand password, and another using machine certificates. This application note focuses specificallyon machine certificates: how to generate them, how to configure the Juniper Networks InfranetController to accept them, and how to configure Juniper Networks Odyssey Access Client to use them.ScopeThis application note will describe how to configure the Windows Certification Authority, InfranetController and the Odyssey Access Client to provide machine authentication using digital certificates.Design ConsiderationsHardware Requirements Infranet Controller models IC4000 or IC6000 Windows (2000/XP/Vista) PC Network switch configured for 802.1X authenticationSoftware Requirements Infranet Controller version 2.1R1 or greater Odyssey Access Client v4.7 or greater Windows 2003 Enterprise Certification AuthorityDescription and Deployment ScenarioIn order to use machine certificates to perform machine authentication, you need to completeseveral configuration steps, starting with the generation of the proper machine certificate on theMicrosoft Windows 2003 Enterprise Certification Authority (CA). After this step is completed,you need to configure the Infranet Controller (IC) for layer 2 access control and certificateauthentication. In a final step, you will configure the Odyssey Access Client Enterprise Edition(OAC-EE) for machine authentication using certificates.Copyright 2007, Juniper Networks, Inc.3

Machine Authentication Using CertificatesMicrosoft Windows CA ConfigurationIn order to have the Windows CA issue proper machine certificates, you will first have to make amodification to the Workstation Authentication template or, alternatively, you can use a workaroundin the Infranet Controller configuration. This template change or the IC workaround is necessitatedby the fact that the default Workstation Authentication certificate template used on the WindowsCA does not contain a Subject field. This missing Subject field causes authentication to fail on the ICwithout some changes. The following procedure describes how to modify the default WorkstationAuthentication certificate template on the Windows CA. The workaround on the IC configuration isdescribed later in this note.On the Windows CA, sign in as a Domain Administrator and launch the Microsoft ManagementConsole by clicking Start Run , enter mmc in the Run box and click OK.Figure 1: Start Run DialogWithin the MMC, select Add/Remove Snap-in from the File menu.Figure 2: Launch Add/Remove Snap-in4Copyright 2007, Juniper Networks, Inc.

Machine Authentication Using CertificatesClick the Add button. Select the Certificates Templates snap-in and click Add. Then select theCertification Authority snap-in and click Add. After adding both snap-ins, click Close to close theAdd Standalone Snap-in window and then click OK to finish.Figure 3: Add Snap-insIn the Certificate Templates snap-in, right-click on the Workstation Authentication template andselect Duplicate Template from the contextual menu.Figure 4: Create Duplicate Certificate TemplateCopyright 2007, Juniper Networks, Inc.5

Machine Authentication Using CertificatesWhen the Properties of New Template dialog appears, enter a new name for the Template DisplayName on the General Tab.Figure 5: Modify Template NameOn the Subject Name tab, select either Common Name or Fully distinguished name from theSubject name format pull-down menu. Click OK when done.Figure 6: Define Subject Name Format6Copyright 2007, Juniper Networks, Inc.

Machine Authentication Using CertificatesThe new certificate template should now appear in the list of templates.Figure 7: New Certificate Templates ListIn order to make this new template available to users, you must issue the template within thecertificate authority. Click on the plus sign next to the Certification Authority snap-in, then on theplus sign next to your certificate authority. Finally, right-click on the Certificate Templates folderand select New Certificate Template to Issue from the contextual menu.Figure 8: Issue New Certificate TemplateCopyright 2007, Juniper Networks, Inc.7

Machine Authentication Using CertificatesSelect the Workstation Authentication template that you just created and click OK.Figure 9: Select Certificate Template to IssueThat completes the modifications to the Windows CA. Your workstations can now request a machinecertificate that includes a Subject Name and will function properly with the Infranet Controller.Figure 10: Available Certificate TemplatesInfranet Controller ConfigurationThe first step on the IC configuration is to create a Certificate Authentication server. Go toAuthentication Auth Servers, select Certificate Server from the pull-down menu and clickNew Server Supply a Name for the server instance. If you have made the modifications to theWindows CA as described above, leave the User Name Template at its default value. If you chose notto make those modifications, you will need to modify the User Name Template in the auth serverconfiguration. Instead of certDN.CN use certAttr.altName.DNS . The User Name Templateis used by the IC to extract from the certificate the data that will be used to form the username.Using the default User Name Template in conjunction with the default Certificate Template on theWindows CA will result in a non-existent username (since the Subject field in the certificate is blank).8Copyright 2007, Juniper Networks, Inc.

Machine Authentication Using CertificatesFigure 11: Certificate Authentication ServerCreate a new role for the authenticated machine. Go to Users User Roles and click onNew Role You can, of course, use any existing role including those used for users. For this roleyou should require the Agent, but don’t permit Agentless. You also shouldn’t require any HostChecking for this role.Figure 12: Machine Authentication RoleCreate a new realm to handle machine certificate authentication. Go to Users User Realms andclick on New Realm Select the server you created above for the Authentication Server and createa role mapping rule that maps all users to the role you just created.Figure 13: Machine Authentication RealmCopyright 2007, Juniper Networks, Inc.9

Machine Authentication Using CertificatesGo to Authentication Signing In Sign-in Policies and click New URL to define a new sign-inpolicy. Alternatively you can use the default sign-in policy */. In the example below, the sign-in policyis */machinecert. Assign the realm created above to the sign-in policy.Figure 14: Machine Authentication Sign-in PolicyCreate a Location Group (or use an existing one) and assign the Sign-in Policy you just created to theLocation Group.Figure 15: Location Group Using Machine Authentication Sign-in PolicyDefine a RADIUS Client and assign the Location Group that you created above. The configuration is inUAC Network Access RADIUS Client.Figure 16: RADIUS Client Configuration10Copyright 2007, Juniper Networks, Inc.

Machine Authentication Using CertificatesThis completes the chain of configuration within the IC from switch or access point to roleassignment. For example: (1) a RADIUS request is received from a RADIUS Client; (2) the RADIUSClient determines the Location Group; (3) the Location Group determines the Sign-in Policy (URL);(4) the Sign-in Policy determines the Realm; (5) the Realm determines the Authentication Serverand, if authenticated, the Roles.As an option, you can define a RADIUS Attributes policy to perform VLAN assignment for thosemachines that successfully authenticate. For instance, machines that authenticate could be placedinto a System Update VLAN so that software upgrades and patches could be pushed to the machineeven when no user is logged in. Go to UAC Network Access RADIUS Attributes.Request and Install Workstation Authentication CertificateIn order to make any of this work, you need a machine certificate of the proper type installed on thePC that needs access. In order to get the certificate, you need to open the Certificates MMC snap-inon the PC (not on the Windows CA like you did earlier). Go to Start Run and enter mmc in theRun dialog box. Within the MMC, select Add/Remove Snap-in from the File menu. Click the Add button. Select the Certificates snap-in and click Add.Figure 17: Add Certificates Snap-inSelect Computer Account for the certificate type to manage and then click Next . Choose LocalComputer for the computer you want to manage and click Finish. After adding the snap-in, clickClose to close the Add Standalone Snap-in window and then click OK to finish.Figure 18: Complete Adding Certificate Snap-inCopyright 2007, Juniper Networks, Inc.11

Machine Authentication Using CertificatesYou now need to request the machine certificate. In the Certificates MMC, go to Personal Certificates, right-click and select All Tasks Request New Certificate.Figure 19: Request New CertificateNOTE: Should you receive the following error, it typically means that you are not logged into theWindows domain where the CA lives. In order to get the machine certificate, you must have loggedonto the Windows domain and been authenticated by a domain controller. You cannot have usedcached credentials to log into Windows. This usually means that the PC must be able to reach thedomain controller on the network when you log into Windows. You cannot do this operationremotely or in an 802.1 X environment without some special provisions.Figure 20: Certificate Request ErrorComplete the Certificate Request Wizard. Click Next , enter a Friendly Name for your certificateand click Next , then click Finish. When the certificate request process completes, click OK in thefinal dialog box.Figure 21: Completing the Certificate Request12Copyright 2007, Juniper Networks, Inc.

Machine Authentication Using CertificatesAfter completion of the wizard, you should have a new machine certificate shown in theCertificates MMC. You can tell this is a machine certificate in a couple of different ways. First,it’s in your personal certificate store for the Local Computer, not the Current User (which iswhere user certificates would be stored). Second, it’s Issued To your machine name, not yourusername. Finally, its Intended Purpose is only Client Authentication (user certificates will haveother purposes such as Secure Email).Figure 22: Installed Machine CertificateOdyssey Access Client ConfigurationNow it’s time to turn to the configuration of Odyssey Access Client. Before you begin, make surethat your version of Odyssey has been licensed as an Enterprise Edition. In the Odyssey AccessClient Manager, go to Help About and look for the words Enterprise Edition. If instead you seethe words UAC Edition, you will need to obtain an Enterprise Edition license key.Figure 23: Verify OAC VersionCopyright 2007, Juniper Networks, Inc.13

Machine Authentication Using CertificatesOpen the Odyssey Access Client Administrator by selecting Odyssey Access Client Administratorfrom the Tools menu.Figure 24: Opening OAC AdministratorWithin the Odyssey Access Client Administrator, double-click on the Connection Settings icon.Figure 25: Connection SettingsGo to the Machine Account tab and check the box to enable connections using machine account.Click OK.Figure 26: Enable Machine Account14Copyright 2007, Juniper Networks, Inc.

Machine Authentication Using CertificatesNext you need to configure the machine account settings. Double-click on the Machine Account icon.Figure 27: Machine Account SettingsOpen the Configuration section and click Profiles. Click Add to create a new machineaccount profile.Figure 28: Add Machine Account ProfileFirst, supply a Profile Name. Next check the Use machine credentials box and uncheck thePermit login using password box.Figure 29: User Info/Password TabCopyright 2007, Juniper Networks, Inc.15

Machine Authentication Using CertificatesOn the Certificate tab, check the Use machine credentials box. Check the Permit login using mycertificate checkbox and select the Use the following certificate radio button. Click the Browse button and select the machine certificate that you added in the previous section.Figure 30: User Info/Certificate TabOn the Authentication tab, make sure that EAP-TTLS is the only Authentication Protocol. You canuncheck the Validate server certificate if you’re using a private CA and this is a testing environment,however in a production environment you should leave the Validate server certificate box checked.In that case, you must add the CA root certificate into one of the Local Computer’s Trusted CA stores,and add the CA to the list of Trusted Servers within the Odyssey Access Client.Figure 31: Authentication Tab16Copyright 2007, Juniper Networks, Inc.

Machine Authentication Using CertificatesOn the TTLS tab, remove EAP-MS-CHAP-V2 from the Inner Protocol list. Click the Use mycertificate and perform inner authentication radio button under Personal certificate usage.This last setting is easy to miss and will render all of your other work useless if you forget it.Click OK when you’re finished.Figure 32: TTLS TabYou now need to add an adapter to the configuration. This adapter will be used by the machineto connect to the network. Under Configuration Adapters click Add and then select either aWireless or, more typically, a Wired adapter that will be used for 802.1X authentication.Figure 33: Add AdapterCopyright 2007, Juniper Networks, Inc.17

Machine Authentication Using CertificatesFinally, in the Adapters [ADAPTER] section, select the Profile that you created earlier and checkthe Connect to the network checkbox. You can now close the Machine Account window and theOdyssey Access Client Administrator window. This will save your client configuration.Figure 34: Completing the OAC ConfigurationConfirm Proper OperationReboot your PC and wait for the Windows logon dialog box to appear. At this point your PC shouldhave been authenticated onto the network using the machine certificate. On the Infranet Controller,go to System Status Active Users and observe the list of users. You should see an entry foryour PC in the list (note the entry for RFILER-LAP2 below).Figure 35: Active Users18Copyright 2007, Juniper Networks, Inc.

Machine Authentication Using CertificatesYou can also take a look at the user access log. On the IC go to System Log/Monitoring UserAccess Log. You should see log entries similar to those shown in the following figure.Figure 36: User LogSimultaneous Machine Authentication and User AuthenticationThe entire configuration up to this point has been geared to permit an unattended machine toauthenticate into an 802.1X network. If you want to also permit a user to authenticate from the samemachine, there are a couple of simple configuration changes that must be made, both to the InfranetController and the Odyssey Access Client.On the IC, it’s assumed that you have a working user authentication setup. The details of settingthat up are not included here. To permit a user to authenticate as well as the machine, add the UserAuthentication Realm to the existing Sign-in policy you used for machine authentication. In theexample below, the realm Agent is used for User Authentication. Simply add it to the list of realmsused for authentication for the given Sign-in Policy.Figure 37: Multiple RealmsIn addition to the change to the IC, you need to make two changes to the Odyssey Access Clientconfiguration. The first change is to the machine authentication profile. Open the Odyssey AccessClient Manager and select Odyssey Access Client Administrator from the Tools menu. Double-clickon Machine Account, then go to Configuration Profiles. Select the machine account profile youcreated earlier and click Properties Go to the JUAC tab and enter the Realm name that you usedon the IC for machine authentication. In this example, the realm name is MachineCert. Click OK,then close both the OAC Administrator windows.Figure 38: Machine Authentication ProfileCopyright 2007, Juniper Networks, Inc.19

Machine Authentication Using CertificatesIn addition to modifying the machine authentication profile, you need to modify the userauthentication profile as well. On the JUAC tab, enter the Realm name that is used for userauthentication. This should be the same Realm name that you added to theSign-in Policy above.Figure 39: User Authentication ProfileFollowing these changes, you should be able to use both machine authentication and userauthentication with the same Odyssey Access Client on the same 802.1X port, authenticatingwith the same Infranet Controller. Using the configuration described in this application note, whenthe PC boots it will attempt to authenticate with the IC using a machine certificate. Once the userpresses CTRL-ALT-DEL and logs into Windows, the machine connection is dropped and the userauthentication is attempted. Your active user list should no longer show the machine asauthenticated but should now show the user as authenticated.Figure 40: Active Users20Copyright 2007, Juniper Networks, Inc.

Machine Authentication Using CertificatesSummaryUsing the Infranet Controller in conjunction with Odyssey Access Client Enterprise Editionenables the use of machine certificates for machine authentication in an 802.1X environment.This permits unattended machine access to an 802.1X-secured network.About Juniper NetworksJuniper Networks, Inc. is the leader in high-performance networking. Juniper offers ahigh-performance network infrastructure that creates a responsive and trusted environmentfor accelerating the deployment of services and applications over a single network. This fuelshigh-performance businesses. Additional information can be found at 2007, Juniper Networks, Inc.21

Machine Authentication Using CertificatesCORPORATE HEADQUARTERSAND SALES HEADQUARTERS FORNORTH AND SOUTH AMERICAJuniper Networks, Inc.1194 North Mathilda AvenueSunnyvale, CA 94089 USAPhone: 888.JUNIPER (888.586.4737)or 408.745.2000Fax:, MIDDLE EAST, AFRICAREGIONAL SALES HEADQUARTERSJuniper Networks (UK) LimitedBuilding 1Aviator ParkStation RoadAddlestoneSurrey, KT15 2PG, U.K.Phone: 44.(0).1372.385500Fax: 44.(0).1372.385501Copyright 2007 Juniper Networks, Inc. All rights reserved. Juniper Networks,the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarksof Juniper Networks, Inc. in the United States and other countries. JUNOS andJUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, servicemarks, registered trademarks, or registered service marks are the property oftheir respective owners. Juniper Networks assumes no responsibility for anyinaccuracies in this document. Juniper Networks reserves the right to change,modify, transfer, or otherwise revise this publication without notice.22EAST COAST OFFICEJuniper Networks, Inc.10 Technology Park DriveWestford, MA 01886-3146 USAPhone: 978.589.5800Fax: 978.589.0800ASIA PACIFIC REGIONAL SALES HEADQUARTERSJuniper Networks (Hong Kong) Ltd.26/F, Cityplaza One1111 King’s RoadTaikoo Shing, Hong KongPhone: 852.2332.3636Fax: 852.2574.7803To purchase Juniper Networks solutions, pleasecontact your Juniper Networks sales representativeat 1-866-298-6428 or authorized reseller.

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408.745.2000 1.888 JUNIPER Machine Authentication Using Certificates A Step-by-Step Guide to Machine Authentication with Digital Certificates Using Juniper Networks Unified Access Control (UAC)