Guest User Authorization
The Enterprise Guest Access appliance also ensures that only
authorized guest users can log in to and access those areas of
your network for which they are authorized, based on their
identity and device integrity. It integrates and leverages Juniper’s
Host Checker functionality, used in tens of thousands of Juniper
Networks SA Series SSL VPN Appliances and IC Series Unified
Access Control Appliances, enabling you to define policy that
scans guest user devices attempting to connect to your network
for a variety of security applications and states, including custom
endpoint checks. It also enables you to create and enforce
network access policies based on time and duration. In this way, Enterprise
Guest Access enables you to deliver differentiated network access
for various guest user categories such as one-time guest users,
contractors, vendors, and others.
Secure Network Access
The Enterprise Guest Access appliance enables and builds a
Layer 2 bridge to ensure secure network access. With Layer 2
bridging enabled, your guest users are provided with an IP address
from your corporate network. Since the Enterprise Guest Access
appliance is inline, it is the first place that your guest users
will come to when they attempt to access your network. The
Enterprise Guest Access appliance will first serve the guest user a
web-based captive portal page when access is attempted. Users
will use their guest credentials, which include the user name and
password provided to them by your guest access administrator.
They will log in and be provided with a network session. During
the deployment of Enterprise Guest Access, you will have created
resource access policies on the appliance which direct guest users
to resources that are provisioned on the network and to which
they have authorized access (for example, the Internet). User
traffic has no other route to the corporate network except through
the Layer 2 Enterprise Guest Access appliance bridge. Users and
guests are connected to the external interface, and protected
resources are connected to the internal interface.
Provisioning and Management
The Enterprise Guest Access appliance also simplifies guest
user network access provisioning and management. Access is
controlled through an enterprise-customizable web-based captive
portal, directing users to input their guest access credentials—
created and provided to the guest user by your receptionist or
any corporate sponsor—to gain authenticated, authorized access
to your network and resources. Guest user access credentials
are as simple as a user name and password. Guest user network
access may be provisioned for up to 200 guest users on a single
Enterprise Guest Access appliance. In addition, identity information
of guest users is stored in a database on the appliance, which is
perfect for addressing regulatory compliance audits.
Since its operation does not require that an agent be downloaded
to the user’s device, Enterprise Guest Access works with devices
running most major operating system platforms, including
Microsoft Windows, Apple Mac OS, and Linux. Being agentless
means that Enterprise Guest Access requires no configuration
on a guest user’s device, and using a web-based captive portal
means it needs zero configuration to set up, greatly simplifying its
deployment and use.
Guest Administrator Accounts
A limited number of guest administrator accounts may be created.
Your IT or technical staff can provision a local user or employee
with limited administration rights to provide temporary access
accounts for external guest users. Guest user account manager
information is stored in a database local to the Enterprise Guest
Access appliance. This is useful for administrator tracking and
regulatory compliance audits. Provisioning of numerous guest user
account managers, typical for an office or site which is without
reception or administrative staff, can be easily undertaken.
Authenticated access for guest user account managers to the
Enterprise Guest Access appliance is accomplished natively or
by interfacing with and leveraging existing SMB or enterprise
authentication data stores, such as Microsoft Active Directory or
Lightweight Directory Access Protocol (LDAP), and authentication,
authorization, and accounting (AAA) capabilities.
Time-Based Network Access Policies
The Enterprise Guest Access appliance enables guest user
accounts to be created based on flexible, time-based network
access policies. Guest user accounts may be created with a specific
start and end time. For example, guest user network access might
start at 9:00 a.m. and end at 5:00 p.m. Guest user accounts may
also be created for a specific hourly duration, such as guest user
network access being allowed for 8 hours. Guest user access can
also be limited by the administrator to a specific number of days, in
an hours-based format, such as for 24 hours, 48 hours, or up to 72
hours. Enterprise Guest Access affords you flexibility and control in
the management of guest user network access.
Network Access Control
The Enterprise Guest Access appliance also provides a simple-to-
deploy, easy-to-administer way of addressing NAC, while providing
an upgrade path to Juniper’s comprehensive network and
application access control solution, Unified Access Control, at any
time by leveraging the access and security policies already created
and instituted by the SMB or enterprise with the Enterprise Guest
Access appliance. This saves both time and cost.