Juniper Enterprise Guest Access
DATASHEET
ENTERPRISE GUEST ACCESS
Product Overview

Whether large or small, companies have guests. Guests can be virtually anyone who conducts business with the company but is not an employee. Many of these guests require some form of network access in order to be productive. Providing a guest user secure Internet access, let alone access to files on your network or extranet, is anything but simple. You can’t afford to let your guest users access your sensitive corporate network resources.

For companies of all sizes, Juniper Networks Enterprise Guest Access supports secure, authorized network resource access, manages guest network usage, and reduces the threats that come with unauthorized guest users and their compromised devices.

Product Description

Juniper Networks® Enterprise Guest Access is a license option for Juniper Networks MAG Series Junos Pulse Gateways that addresses all of your guest user network access requirements. Enterprise Guest Access is based on the award winning Juniper Networks Unified Access Control (UAC) solution. With the Enterprise Guest Access option, you can easily provision guests and contractors, authenticate them securely, assess the health state of their devices, control their access to your network and its sensitive resources, and coordinate your network access policies, security, and regulatory compliance across even the most distributed of network environments.

Enterprise Guest Access is quick and easy to deploy and use, employing a simplified guest user administration interface that allows even the most nontechnical of users to create guest user access credentials and rights. It takes the burden of setting up guest user network access off the shoulders of your already overburdened IT staff, and it enables your administrative and support teams to take on this somewhat mundane yet crucially important task.

For small to medium sized businesses (SMBs) as well as enterprises and agencies with many guests or visitors, the Enterprise Guest Access license option delivers wired and wireless guest network access control (NAC) seamlessly through MAG Series Junos Pulse Gateways, without any agents to deploy or maintain.

Enterprise Guest Access Architecture and Key Components
All-In-One Functionality
Enterprise Guest Access delivers role-based access control for guests, partners, and
contractors. Enterprise Guest Access delivers agentless (browser-based) wired and wireless
NAC for guest users seamlessly and supports secure, authorized network resource access,
manages network use, and reduces the threat of unauthorized users and compromised
devices. The Enterprise Guest Access option authenticates guest users and contractors,
and assesses the health state of their devices before granting them network access. And,
unlike a full blown NAC solution, Enterprise Guest Access does not require a firewall as
an enforcement point for a captive portal solution. The Enterprise Guest Access license
transforms your MAG Series gateway into an all-in-one appliance delivering two separate
functions—guest user provisioning and authentication, and guest user access enforcement.
Guest User Authorization
Enterprise Guest Access also ensures that only authorized guest users can log into and access those areas of your network to which they are authorized access based on their identity and device integrity. It integrates and leverages Juniper’s Host Checker functionality, used in tens of thousands of deployments of Juniper Networks MAG Series Junos Pulse Gateways, SA Series SSL VPN Appliances and IC Series Unified Access Control Appliances, enabling you to define policy that scans guest user devices for a variety of security applications and states, including custom endpoint checks. It also enables you to create and enforce network access based on time and duration. In this way, Enterprise Guest Access enables you to deliver differentiated network access for various guest user categories such as one-time guest users, contractors, vendors, and others. It also enables enterprise selected and approved guest user account managers to provision temporary guest access accounts for corporate guest users, to create bulk accounts for numerous guest users, and to send guest user credentials via email to an expected guest user, simplifying guest account creation and provisioning.

Secure Network Access
Enterprise Guest Access enables and builds a Layer 2 bridge to ensure secure network access. With Layer 2 bridging enabled, your guest users are provided with an IP address from your corporate network. Since the MAG Series gateway hosting Enterprise Guest Access is inline, it is the first place that your guest users will come to when they attempt to access your network. Enterprise Guest Access will first serve the guest user a web-based captive portal page when access is attempted. Users will use their guest credentials, which include the user name and password provided to them by your guest access administrator. They will log in and be provided with a network session. During the deployment of Enterprise Guest Access, you will have created resource access policies on the MAG Series gateway which direct guest users to resources that are provisioned on the network and to which they have authorized access (for example, the Internet). User traffic has no other route to the corporate network except through the Layer 2 Enterprise Guest Access bridge. Users and guests are connected to the external interface, and protected resources are connected to the internal interface.

Provisioning and Management
Enterprise Guest Access also simplifies guest user network access provisioning and management. Access is controlled through an enterprise customizable web-based captive portal, directing users to input their guest access credentials—created and provided to the guest user by your receptionist or any approved corporate sponsor—to gain authenticated, authorized access to your network and resources. Guest user access credentials are as simple as a user name and password. Guest user network access may be provisioned for up to 200 guest users on a single MAG Series gateway or service module with the Enterprise Guest Access license option. And, identity information of guest users is stored in a database on the gateway, which is perfect for addressing regulatory compliance audits.

Since its operation does not require that an agent be downloaded to the user’s device, Enterprise Guest Access works with devices running most major operating system platforms, including Microsoft Windows, Apple Mac OS, Linux, Apple iOS and Google Android. Being agentless means that Enterprise Guest Access requires no configuration on a guest user’s device, and using a web-based captive portal means it needs zero configuration to set up, greatly simplifying its deployment and use.

Guest Administrator Accounts
A limited number of guest administrator accounts may be created. Your IT or technical staff can provision a local user or employee with limited administration rights to provide temporary access accounts for external guest users. Guest user account manager information is stored in a database local to the MAG Series gateway hosting Enterprise Guest Access. This is useful for administrator tracking and regulatory compliance audits. Provisioning of numerous guest user account managers, typical for an office or site which is without reception or administrative staff, can be easily undertaken. Authenticated access for guest user account managers to the Enterprise Guest Access equipped MAG Series gateway is accomplished natively, or by interfacing with and leveraging existing SMB or enterprise authentication data stores, such as Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP), and authentication, authorization, and accounting (AAA) capabilities.

Time-Based Network Access Policies
Enterprise Guest Access enables guest user accounts to be created based on flexible, time-based network access policies. Guest user accounts may be created with a specific start and end time. For example, guest user network access might start at 9:00 a.m. and end at 5:00 p.m. Guest user accounts may also be created for a specific hourly duration, such as guest user network access being allowed for 8 hours. Guest user access can also be limited by the administrator to a specific number of days, in an hours-based format, such as for 24 hours, 48 hours, or up to 72 hours. Enterprise Guest Access affords you flexibility and control in the management of guest user network access.

Network Access Control
Enterprise Guest Access also provides a simple-to-deploy, easy to administer way of addressing NAC, while providing an upgrade path to Juniper’s comprehensive network and application access control solution, Junos Pulse Access Control Service, at any time by leveraging the access and security policies already created and instituted by the SMB or enterprise with the Enterprise Guest Access option. This saves the SMB or enterprise both time and cost.
Enterprise Guest Access Network Diagram

[Diagram labels: L2 Wired or Wireless Environment; Wireless Guest; Guest SSID; Wired Guest; MAG4610 Junos Pulse Gateway (External Port 192.168.10.90, Internal Port 192.168.10.10); Firewalling and DHCP Services; Internet Firewall; INTERNET]

Figure 1: Juniper Networks Enterprise Guest Access

Figure 1 provides a high-level view of Juniper Networks Enterprise Guest Access option. In this diagram, the MAG Series hosting the Enterprise Guest Access license is connected inline between the wireless and wired guest users, and the Internet firewall. The MAG Series gateway running the Enterprise Guest Access license, as the inline enforcement point, blocks guest traffic until users have typed their credentials into the captive portal served to them by the MAG Series gateway and have been authenticated for network access.

Enterprise Guest Access Sample Workflow

1. Guest access administrator creates a guest user account on the MAG Series gateway hosting Enterprise Guest Access.
2. Guest access administrator provides credentials to the guest user, typically via e-mail or hard copy printout.
3. Guest user attempts to access the network, and access is redirected to the MAG Series hosting Enterprise Guest Access, which serves the guest user a customized web-based captive portal page in which the guest user types in their assigned credentials.
4. When authentication is successful and the user’s device meets the organization’s predefined security and access control policies, the guest user is allowed to access the areas of the network to which guest authorization has been granted.
5. When the guest user’s account expires, the MAG Series hosting Enterprise Guest Access automatically logs the user off of the network and does not allow network access until the guest receives new, updated guest user credentials.

Features and Benefits
The Enterprise Guest Access option offers a number of important features and benefits.

Feature: Available on a wide range of MAG Series Junos Pulse Gateways
Benefit: The Enterprise Guest Access option can be deployed on a wide range of MAG Series models, from the small-footprint MAG2600 to the larger-scale MAG4610, MAG6610 and MAG6611.

Feature: Agentless
Benefit: No agent to deploy on a guest user’s endpoint device means the Enterprise Guest Access license is simple to deploy and maintain, and for a guest user to operate, minimizing guest-related help desk or support calls.

Feature: Identity- and role-based guest access
Benefit: Limit guest user access based on the user’s identity or role. Know which guest users are on your network and when. Store guest user data locally for regulatory compliance audits.

Feature: Comprehensive pre-authentication endpoint integrity checks and posture assessment
Benefit: The Host Checker in the Enterprise Guest Access option ensures that a guest user’s endpoint device meets a previously determined baseline of security and access policy before it can be granted access to the network and its resources.

Feature: Support for wired and wireless guest access
Benefit: Ensures that a guest user's endpoint device meets a baseline security criteria—regardless of the guest user’s access method, whether wired or wireless—and that the guest user will be authenticated before being allowed to access the network and its resources.

Feature: Consistent endpoint baselining across the network
Benefit: For medium to large enterprises with many guest users, the Enterprise Guest Access license ensures that a minimum baseline of endpoint device security and access policy, and endpoint integrity is met and maintained.

Feature: Secure network access for up to 200 guest users
Benefit: Designed to address the network access control needs of SMBs and enterprises with many guest users.

Feature: Simplified guest user creation
Benefit: Enables the administrative and support staff of an SMB or enterprise to create and distribute guest user access rights and credentials, relieving the already overworked IT staff of this task. It also enables creation of bulk accounts for numerous guest users, and sending guest user credentials via e-mail, simplifying guest account creation.

Feature: Secure Layer 2 bridge
Benefit: The secure Layer 2 bridge of the Enterprise Guest Access option provides guest users with an IP address, ensuring their secure network access.

Feature: Flexible time-based guest user network access
Benefit: Limits guest user network access based on specific hours, a specific number of hours, or a specific number of days (in hours).

Feature: Guest administrator user database
Benefit: The list of guest administrators, stored in a database local to the MAG Series gateway hosting Enterprise Guest Access as determined by the organization, can be used to address regulatory compliance requirements.

Feature: Guest user database
Benefit: The list of guest users passing policy checks and receiving guest access rights and credentials to access the network is stored in a database on the MAG Series gateway hosting Enterprise Guest Access, helping to address regulatory compliance needs.

Feature: Consistent access control
Benefit: The Enterprise Guest Access license on MAG Series gateways, when deployed in smaller branch offices or sites, can ensure that an enterprise secures its distributed network, whether remote or local, with consistent, identity-enabled access control and shared security policies.

Feature: Simple upgrade to full, comprehensive Network Access Control (NAC)
Benefit: Delivers a simple upgrade path to Junos Pulse Access Control Service delivering comprehensive network and application access control for small to large enterprises and government agencies while leveraging existing, previously developed policies.

Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services.

About Juniper Networks
Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.

Ordering Information
Model Number: Description

MAG Series Base Systems*
MAG2600: Base System MAG2600 Junos Pulse Gateway for SSL VPN users or NAC users
MAG4610: Base System MAG4610 fixed configuration Junos Pulse Gateway for SSL VPN users or NAC users
MAG6610: Base System MAG6610 Junos Pulse Gateway for SSL VPN or NAC users; includes MAG-PS661 560 W AC power supply. Must order at least one service module (MAG-SM160 or MAG-SM360)
MAG6611: Base System MAG6611 Junos Pulse Gateway for SSL VPN or NAC users (includes MAG-PS662 750 W AC power supply); must order at least one service module (MAG-SM160 or MAG-SM360)

MAG6610 and MAG6611 Modules
MAG-SM160: Service module for MAG6610 or MAG6611 that supports 1,000 SSL VPN or 5,000 NAC users
MAG-SM360: Service module for MAG6610 or MAG6611 that supports 10,000 SSL VPN or 15,000 NAC users

Endpoint License
MAGX600-GUEST-ACCESS: Enterprise Guest Access License

* A maximum of 200 guests is supported on the MAG Series Junos Pulse Gateways with the
Enterprise Guest Access License.

Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net

APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King’s Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
EMEA Sales: 00800.4586.4737
Fax: 35.31.8903.601

Your recommended solution provider:
Altaware, Inc.
http://www.altaware.com
Email: sales@altaware.com
Phone: 949-484-4125

Copyright 2012 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

1000354-003-EN Mar 2012 Printed on recycled paper