My Apple OSX server (Mountain Lion) at home is the centre of my network and entertainment system. It provides the following services:
- VMware Server platform (VMware Fusion)
- Air Video HD Server (for streaming video over the network)
- General Internet download station
Since several software and hardware upgrades and redesigns of my internal network (from a single VLAN to multiple VLANs with firewall services and traffic inspection), several services have failed under certain circumstances. For example, Air Video would work internally, where the client was in the same network as the OSX server's network interface, but connecting through the SSL VPN stopped working for some reason. The VNC Viewer also worked in the old days but stopped working over time. The same happened with several static NAT entries: they worked before and then stopped working for no apparent reason. Other services, like ssh, worked in both the old and the new network design.
Last week I have been experimenting with the Juniper Mobility System Software (MSS) in conjunction with two Juniper/Trapeze Access Points (type WLA522E). The MSS software is a Wireless LAN Controller (WLC) which manages the Access Points and, like so many Juniper products, it can run in a virtual machine.
For the APs to boot and connect to the network they need some basic information about where to find the WLC from which they receive their wireless settings. This can be done through DNS or through DHCP. The former uses specific DNS records, the latter uses DHCP options (option 43 to be precise). I wanted to use the latter, which is a bit more challenging.
This blog post holds the key ingredients for successfully authenticating on layer 2 (802.1x or dot1x) and layer 3 with:
- Junos Pulse supplicant
- Juniper Pulse Access Control Service a.k.a. Unified Access Control (UAC)
- Juniper EX2200 switch
- Microsoft Windows 7 Enterprise Edition
The setup consists of four networks (VLANs) and Internet access. Inter-VLAN communication is handled by a Juniper SRX210. The four VLANs are:
- Untrust (VLAN 20)
- Trust (VLAN 10 - 192.168.1.0/24): hosts the UAC, Active Directory, DNS and DHCP services
- Production (VLAN 100 - 192.168.100.0/24): the network where the normal workstations are placed
- Quarantine (VLAN 200 - 192.168.200.0/24): where the naughty people/PCs are dropped
When a PC is placed in Quarantine, it loses all access to the Internet, but it can still resolve domain names and access minimal internal services such as the DHCP server and the UAC.
The components on the network are:
- Domain Controller + DNS Server - 192.168.1.10
- DHCP Server - 192.168.1.1
- UAC - 192.168.1.11
- Gateway(s) - .254 (in each VLAN)
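As an added example (not configuration from the original post), this is one way the Quarantine rules described above could be enforced on the SRX210 with Junos zone policies, using the addresses listed above. The zone names, the `vlan.200` interface name and HTTPS as the port the Pulse client uses to reach the UAC are assumptions; DHCP relay to 192.168.1.1 is not shown.

```junos
# Layer-3 interfaces per VLAN (gateway .254 in each VLAN, as in the post) and their zones
set interfaces vlan unit 200 family inet address 192.168.200.254/24
set security zones security-zone quarantine interfaces vlan.200
set security zones security-zone trust interfaces vlan.10
set security zones security-zone untrust interfaces vlan.20

# Let quarantined PCs hand their DHCP broadcasts to the SRX (needed for relay to 192.168.1.1)
set security zones security-zone quarantine interfaces vlan.200 host-inbound-traffic system-services dhcp

# The only two hosts a quarantined PC may reach (addresses from the post)
set security zones security-zone trust address-book address dns-server 192.168.1.10/32
set security zones security-zone trust address-book address uac 192.168.1.11/32

# Quarantine -> Trust: name resolution only
set security policies from-zone quarantine to-zone trust policy q-dns match source-address any
set security policies from-zone quarantine to-zone trust policy q-dns match destination-address dns-server
set security policies from-zone quarantine to-zone trust policy q-dns match application junos-dns-udp
set security policies from-zone quarantine to-zone trust policy q-dns then permit

# Quarantine -> Trust: the UAC, so the Pulse client can remediate (HTTPS is an assumed port)
set security policies from-zone quarantine to-zone trust policy q-uac match source-address any
set security policies from-zone quarantine to-zone trust policy q-uac match destination-address uac
set security policies from-zone quarantine to-zone trust policy q-uac match application junos-https
set security policies from-zone quarantine to-zone trust policy q-uac then permit

# Policies are evaluated in order: everything else from Quarantine is denied and logged.
set security policies from-zone quarantine to-zone trust policy q-deny match source-address any destination-address any application any
set security policies from-zone quarantine to-zone trust policy q-deny then deny
set security policies from-zone quarantine to-zone trust policy q-deny then log session-init

# No Internet from Quarantine at all
set security policies from-zone quarantine to-zone untrust policy q-deny match source-address any destination-address any application any
set security policies from-zone quarantine to-zone untrust policy q-deny then deny
set security policies from-zone quarantine to-zone untrust policy q-deny then log session-init
```

Because no policy exists from the quarantine zone to the production zone, traffic to the workstation VLAN is dropped by the SRX default deny, so only the three explicit permits above apply.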