Question 108 - JN0-636 discussion

To control access to network resources based on the identity of an authenticated device on the SRX Series firewalls, you need to perform the following steps:

A) Configure an end-user-profile that characterizes a device or set of devices. An end-user-profile is a device identity profile that contains a collection of attributes that are characteristics of a specific group of devices, or of a specific device, depending on the attributes configured in the profile. The end-user-profile must contain a domain name and at least one value in each attribute. The attributes include device-identity, device-category, device-vendor, device-type, device-os, and device-osversion1.

You can configure an end-user-profile by using the Junos Space Security Director or the CLI2.

C) Reference the end-user-profile in the security policy. A security policy is a rule that defines the action to be taken for the traffic that matches the specified criteria, such as source and destination addresses, zones, protocols, ports, and applications. You can reference the end-user-profile in the source-end-user-profile field of the security policy to identify the traffic source based on the device from which the traffic issued. The SRX Series device matches the IP address of the device to the enduser-profile and applies the security policy accordingly3. You can reference the end-user-profile in the security policy by using the Junos Space Security Director or the CLI4.

E) Configure the authentication source to be used to authenticate the device. An authentication source is a system that provides the device identity information to the SRX Series device. The authentication source can be Microsoft Windows Active Directory or a third-party network access control (NAC) system. You need to configure the authentication source to be used to authenticate the device and to send the device identity information to the SRX Series device. The SRX Series device stores the device identity information in the device identity authentication table5. You can configure the authentication source by using the Junos Space Security Director or the CLI6.

The other options are incorrect because:

B) Referencing the end-user-profile in the security zone is not a valid step to control access to network resources based on the identity of an authenticated device. A security zone is a logical grouping of interfaces that have similar security requirements. You can reference the user role in the security zone to identify the user who is accessing the network resources, but not the end-userprofile7.

D) Applying the end-user-profile at the interface connecting the devices is also not a valid step to control access to network resources based on the identity of an authenticated device. You cannot apply the end-user-profile at the interface level, but only at the security policy level. The end-userprofile is not a firewall filter or a security policy, but a device identity profile that is referenced in the security policy1.

Reference:

End User Profile Overview

Creating an End User Profile

source-end-user-profile

Creating Firewall Policy Rules

Understanding the Device Identity Authentication Table and Its Entries

Configuring the Authentication Source for Device Identity

user-role