Understanding Captive Portal Support for Unauthenticated Browser Users
When an unauthenticated user requests access to an SRX Series protected resource using an HTTP or HTTPS browser, the SRX Series device presents the user with a captive portal interface to allow the user to authenticate. Normally, this process occurs without interference. However, prior to the introduction of this feature, HTTP or HTTPS-based workstation services running in the background, such as Microsoft updates and control checks, could trigger captive portal authentication before the browser-based user’s HTTP or HTTPS access request did. This posed a race condition: if a background process triggered captive portal first, the SRX Series device presented it with a “401 Unauthorized” page. The service discarded the page without informing the browser, so the browser user was never presented with the authentication portal. The SRX Series device also did not support simultaneous authentication from the same source IP address on different SPUs.
The SRX Series device now supports simultaneous HTTP or HTTPS pass through authentication across multiple SPUs, including support for web-redirect authentication. If an HTTP or HTTPS packet arrives while the SPU is querying the Captive Portal (CP), the SRX Series device queues the packet to be handled later.
Starting in Junos Space Security Director Release 17.1, Security Director supports the Auth Only Browser and Auth User Agent parameters to give you finer control over how HTTP or HTTPS traffic is handled.
Auth Only Browser—Authenticate only browser traffic. If you specify this parameter, the SRX Series device distinguishes HTTP or HTTPS browser traffic from other HTTP or HTTPS traffic. The SRX Series device does not respond to non-browser traffic. You can use the auth-user-agent parameter in conjunction with this control to further ensure that the HTTP traffic is from a browser.
Auth User Agent—Authenticate HTTP or HTTPS traffic based on the User-Agent field in the HTTP or HTTPS browser header. You can specify one user-agent value per configuration. The SRX Series device checks the user-agent value that you specify against the User-Agent field in the HTTP or HTTPS browser header for a match to determine if the traffic is HTTP or HTTPS browser-based. You can use this parameter together with the Auth Only Browser parameter or on its own, for both Pass Through and User Firewall authentication types.
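The following model, added here as an example and not code from the SRX Series device or Security Director, illustrates both the race condition described above and the effect of the two parameters. It treats a workstation's unauthenticated HTTP requests as an ordered queue and decides, per request, whether the device would present the captive portal challenge or stay silent. The browser heuristic (well-known User-Agent tokens plus an HTML Accept header), the case-insensitive substring match on the configured user-agent value, and all sample requests are assumptions constructed for this example; the page does not specify how the device itself recognises a browser.

```python
"""Illustrative model of captive-portal triggering for unauthenticated HTTP
clients.  Added example only: not SRX Series or Security Director code.
The browser heuristic and the substring match on User-Agent are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: tokens a typical browser places in its User-Agent header.
BROWSER_TOKENS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edg/")


@dataclass
class HttpRequest:
    """One unauthenticated HTTP request seen by the device."""
    src_ip: str
    host: str
    headers: Dict[str, str] = field(default_factory=dict)

    def user_agent(self) -> str:
        return self.headers.get("User-Agent", "")


def looks_like_browser(req: HttpRequest) -> bool:
    """Heuristic standing in for the device's Auth Only Browser check:
    a browser-style User-Agent and an Accept header that asks for HTML."""
    ua = req.user_agent()
    accept = req.headers.get("Accept", "")
    return any(tok in ua for tok in BROWSER_TOKENS) and "text/html" in accept


def ua_matches(req: HttpRequest, configured: str) -> bool:
    """Auth User Agent check: the configured value must appear in the
    request's User-Agent field (case-insensitive substring; assumption)."""
    return configured.lower() in req.user_agent().lower()


def portal_action(req: HttpRequest,
                  auth_only_browser: bool = False,
                  auth_user_agent: Optional[str] = None) -> str:
    """Return 'challenge' if the device presents the captive portal
    (401 / web-redirect) for this request, or 'ignore' if it does not respond.
    With neither parameter set, every request is challenged (legacy behaviour)."""
    if auth_user_agent is not None and not ua_matches(req, auth_user_agent):
        return "ignore"
    if auth_only_browser and not looks_like_browser(req):
        return "ignore"
    return "challenge"


def first_challenged(requests: List[HttpRequest], **opts) -> Optional[int]:
    """Simulate requests from one workstation arriving in order and return the
    index of the first one that receives the challenge.  In legacy mode a
    background service arriving first consumes (and discards) the 401 page."""
    for i, req in enumerate(requests):
        if portal_action(req, **opts) == "challenge":
            return i
    return None


# Constructed sample traffic from a single source IP: a background updater
# fires first, the user's browser request follows.
SAMPLE_REQUESTS = [
    HttpRequest("10.0.0.7", "update.example.test",
                {"User-Agent": "ExampleUpdater/1.0", "Accept": "*/*"}),
    HttpRequest("10.0.0.7", "intranet.example.test",
                {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) "
                               "Chrome/120.0 Safari/537.36",
                 "Accept": "text/html,application/xhtml+xml"}),
]

if __name__ == "__main__":
    print("legacy: challenge goes to request", first_challenged(SAMPLE_REQUESTS))
    print("auth-only-browser: challenge goes to request",
          first_challenged(SAMPLE_REQUESTS, auth_only_browser=True))
    print("auth-user-agent=Chrome: challenge goes to request",
          first_challenged(SAMPLE_REQUESTS, auth_user_agent="Chrome"))
```

Running the block shows the legacy race (the updater at index 0 takes the challenge) and how either parameter lets the browser request at index 1 receive it instead; combining both parameters makes a request pass only when its User-Agent matches and it also looks like a browser.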