A firewall user is a network user who must provide a username and password for authentication when initiating a connection across the firewall. JUNOS software supports the following types of users:
Administrators. For more information, see the JUNOS Software Administration Guide.
Point-to-Point Protocol (PPP) users. For more information, see the JUNOS Software Administration Guide.
Firewall users. Firewall user authentication enables administrators to restrict and permit users (firewall users) accessing protected resources (different zones) behind a firewall based on their source IP address and other credentials.
Authentication, Authorization, and Accounting (AAA) Servers
AAA provides an extra level of protection and control for user access in the following ways:
Authentication determines the firewall user.
Authorization determines what the firewall user can do.
Accounting determines what the firewall user did on the network.
You can use authentication alone or with authorization and accounting. Authorization always requires a user to be authenticated first. You can use accounting alone, or with authentication and authorization.
Once the user's credentials are collected, they are processed in one of the following ways:
Administrative authentication supports the following types of servers:
local
RADIUS
TACACS+
For more information on administrative authentication, see the JUNOS Software Administration Guide.
Firewall user authentication supports the following types of servers:
Local authentication and authorization
RADIUS authentication and authorization (compatible with Funk RADIUS server)
LDAP authentication only (supports LDAP version 3 and compatible with Windows AD)
SecurID authentication only (using an RSA SecurID external authentication server)
Types of Firewall User Authentication
JUNOS software supports the following two types of firewall user authentication:
Pass-Through Authentication—A host or a user from one zone tries to access resources on another zone. You must use an FTP, Telnet, or HTTP client to access the IP address of the protected resource and to get authenticated by the firewall. The device uses FTP, Telnet, or HTTP to collect username and password information, and subsequent traffic from the user or host is allowed or denied based on the result of this authentication.
Web Authentication—Users try to connect, using HTTP, to an IP address on the device that is enabled for Web authentication; in this scenario, you do not use HTTP to get to the IP address of the protected resource. You are prompted for the username and password that are verified by the device. Subsequent traffic from the user or host to the protected resource is allowed or denied based on the result of this authentication.
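The following configuration is an added example and is not taken from the JUNOS Software guide: it defines one local firewall-user profile and then uses it for both authentication types described above, pass-through on a zone policy and Web authentication on a device interface address. The profile name FW-USERS, the user alice, the zones trust and untrust, the interface ge-0/0/0 and the address 10.1.1.1/24 are constructed for illustration.

```junos
# Added example (constructed names and addresses); not the guide's own configuration.

# Local firewall user. The password is typed in clear text at the CLI but is
# stored hashed in the committed configuration; replace <password>.
set access profile FW-USERS client alice firewall-user password "<password>"
set access profile FW-USERS authentication-order password

# Pass-through: an FTP, Telnet or HTTP session through the device toward the
# protected resource triggers the username/password prompt.
set access firewall-authentication pass-through default-profile FW-USERS

# Web authentication: the user browses with HTTP to 10.1.1.1 on the device
# itself, not to the protected resource, and is prompted there.
set access firewall-authentication web-authentication default-profile FW-USERS
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24 web-authentication http
set system services web-management http interface ge-0/0/0.0

# Zone policy for pass-through: traffic from trust to untrust is permitted
# only once the source has authenticated as a client listed in FW-USERS.
set security policies from-zone trust to-zone untrust policy fw-pass match source-address any
set security policies from-zone trust to-zone untrust policy fw-pass match destination-address any
set security policies from-zone trust to-zone untrust policy fw-pass match application any
set security policies from-zone trust to-zone untrust policy fw-pass then permit firewall-authentication pass-through client-match alice

# Equivalent policy that relies on a prior Web authentication from the source
# address instead of prompting inside the FTP/Telnet/HTTP session.
set security policies from-zone trust to-zone untrust policy fw-web match source-address any
set security policies from-zone trust to-zone untrust policy fw-web match destination-address any
set security policies from-zone trust to-zone untrust policy fw-web match application any
set security policies from-zone trust to-zone untrust policy fw-web then permit firewall-authentication web-authentication client-match alice
```

After commit, the operational command show security firewall-authentication users lists which source addresses are currently authenticated and against which profile, which is the first thing to check when an authenticated user is still being denied.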