The first scheme, pass-through authentication, authenticates users when FTP,
HTTP, or Telnet traffic matching a policy that requires authentication
reaches the Juniper Networks device. In the second scheme, Web Authentication, users authenticate
themselves before sending any traffic (of any kind, not just FTP,
HTTP, or Telnet) that matches a policy requiring user authentication.
When a user attempts to initiate an HTTP, an FTP, or
a Telnet connection that matches a policy requiring authentication,
the Juniper Networks device intercepts the request and prompts the
user for a username and password. Before permitting the connection, the
device validates the username and password by checking them against
those stored in its local database or on an external authentication
server. See Figure 98.
Figure 98: Policy Lookup for a User
1. A client user sends an FTP, an HTTP, or a Telnet packet to 1.2.2.2.
2. The Juniper Networks device intercepts the packet, notes that its policy requires authentication from either the local database or an external authentication server, and buffers the packet.
3. The Juniper Networks device prompts the user for login information through FTP, HTTP, or Telnet.
4. The user replies with a username and password.
5. The Juniper Networks device either checks for an authentication user account in its local database or sends the login information to the external authentication server specified in the policy.
6. On finding a valid match (or on receiving notice of such a match from the external authentication server), the Juniper Networks device informs the user that the login has been successful.
7. The Juniper Networks device forwards the buffered packet to its destination IP address, 1.2.2.2.
After a Juniper Networks device authenticates a
user at a particular source IP address, it subsequently permits traffic, as
specified in the policy requiring pass-through authentication, from
any other user at that same address without prompting again. The authentication
entry is tied to the source IP address, so if users originate traffic from
behind a NAT device that translates all original source addresses to a single
address, one user's successful login permits every other host behind that NAT.
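The pass-through flow above, shown as a Junos configuration. This is an added example constructed for this page, not configuration taken from the page or from Juniper; the profile name (auth-profile), user (user1), zones (trust, untrust) and policy name are assumptions, and the password is a placeholder. Comment lines beginning with ## are explanatory and are not part of the configuration.

```junos
## Added example: pass-through firewall user authentication (assumed names).

## Access profile holding the local user database. An external RADIUS or LDAP
## server could be referenced from the profile instead of local users.
set access profile auth-profile client user1 firewall-user password "Use-a-strong-passphrase"

## Profile consulted when a policy calls for pass-through authentication.
set access firewall-authentication pass-through default-profile auth-profile

## Only FTP, HTTP and Telnet can carry the device's login prompt, so the
## policy that triggers authentication matches exactly those applications.
set security policies from-zone trust to-zone untrust policy auth-passthrough match source-address any
set security policies from-zone trust to-zone untrust policy auth-passthrough match destination-address any
set security policies from-zone trust to-zone untrust policy auth-passthrough match application junos-ftp
set security policies from-zone trust to-zone untrust policy auth-passthrough match application junos-http
set security policies from-zone trust to-zone untrust policy auth-passthrough match application junos-telnet
set security policies from-zone trust to-zone untrust policy auth-passthrough then permit firewall-authentication pass-through client-match user1

## Verification (operational mode): each entry is keyed on a source IP address,
## which is why every host sharing a NAT address inherits the first login.
run show security firewall-authentication users
```

The `show security firewall-authentication users` output is the place to check the NAT caveat from the text: if one translated address appears with a single username while many hosts sit behind it, all of them are currently permitted by the policy.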
Web Authentication
Web Authentication is an alternative form of firewall
user authentication. Instead of pointing your client browser at the resource you want
to reach, you point the browser at an
IP address on the device that is enabled for Web Authentication. This
initiates an HTTP session to the IP address hosting the Web Authentication
feature on the device. The device then prompts you for your username
and password and caches the result on the device. Later, when your traffic
encounters a policy requiring Web Authentication, you are allowed or
denied access based on the cached Web Authentication result, as shown
in Figure 99.
Figure 99: Web Authentication Example
Follow these Web Authentication guidelines:
You can leave the default Web Authentication server as
the local database, or you can choose an external authentication server for that
role. The default Web Authentication profile determines whether the user
is authenticated against the local database or against an external authentication
server. An access profile either stores the usernames and passwords of users
or points to the external authentication servers where that information
is stored.
The Web Authentication address must be in the same subnet
as the interface that you want to use to host it. For example, if
you want authentication users to connect using Web Authentication
through ethernet3, which has IP address 1.1.1.1/24, then
you can assign Web Authentication an IP address in the 1.1.1.0/24 subnet.
You can put a Web Authentication address in the same subnet
as the IP address of any physical interface or virtual security interface
(VSI). (For information about different types of interfaces, see Security Zones and Interfaces.)
You can put Web Authentication addresses on multiple interfaces.
After a device authenticates a user at a particular source
IP address, it subsequently permits traffic, as specified in
the policy requiring Web Authentication, from
any other user at that same address without prompting again. The cached
result is tied to the source IP address, so if users originate traffic from
behind a NAT device that translates all original source addresses to a single
address, one user's successful login permits every other host behind that NAT.
With Web Authentication enabled on an address, any HTTP traffic to that
address receives the Web Authentication login page instead of the
admin login page. Disabling Web Authentication on the address shows the admin login
page again (assuming that [system services web-management HTTP] is enabled).
If an address is used for Web Authentication, we recommend that it be a
separate address rather than the interface's primary or preferred IP address.
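The guidelines above, shown as a Junos configuration that places Web Authentication on its own address in the interface's subnet and keeps the admin page on the primary address. This is an added example constructed for this page, not configuration from the page or from Juniper; the interface (ge-0/0/0), addresses (1.1.1.1/24 and 1.1.1.2/24), profile, user, zones and policy name are assumptions, and the password is a placeholder. Comment lines beginning with ## are explanatory and are not part of the configuration.

```junos
## Added example: Web Authentication on a dedicated address (assumed names).

## Primary address of the interface; HTTP to this address reaches the admin page.
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24
## Second address in the same subnet that hosts the Web Authentication login page.
## HTTP to 1.1.1.2 is answered with the Web Authentication page, not the admin page.
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24 web-authentication http

## Access profile (local users) and the profile used by Web Authentication.
set access profile auth-profile client user1 firewall-user password "Use-a-strong-passphrase"
set access firewall-authentication web-authentication default-profile auth-profile

## Policy that consults the cached Web Authentication result for user1; because the
## login happened beforehand, the application need not be FTP, HTTP or Telnet.
set security policies from-zone trust to-zone untrust policy webauth-users match source-address any
set security policies from-zone trust to-zone untrust policy webauth-users match destination-address any
set security policies from-zone trust to-zone untrust policy webauth-users match application any
set security policies from-zone trust to-zone untrust policy webauth-users then permit firewall-authentication web-authentication client-match user1

## Device management stays reachable on the primary address of the same interface.
set system services web-management http interface ge-0/0/0.0

## Verification (operational mode): cached Web Authentication entries by source address.
run show security firewall-authentication users
```

Plain HTTP carries the username and password in the clear between the browser and the device; Junos also accepts `web-authentication https` on the address when `system services web-management https` is configured with a certificate, which is the form to prefer where the client network is not trusted.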