Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Understanding Pass-Through Authentication

    Pass-through user authentication is a form of active authentication; the user is prompted to enter a username and password when pass-through authentication is invoked. If the user’s identity is validated, the user is allowed to pass through the firewall and gain access to the requested resources.

    When a user attempts to initiate an HTTP, an HTTPS, an FTP, or a Telnet connection request that has a policy requiring authentication, the device intercepts the request and prompts the user to enter a username and password. Depending on the configuration, the device validates the username and password by checking them against those stored in the local database or on an external authentication server.

    If an external authentication server is used, after the user’s credentials are collected, they are processed through firewall user authentication. The following external authentication servers are supported:

    • RADIUS authentication and authorization (compatible with Juniper Steel-Belted Radius servers)

      You can use an external RADIUS server if, in addition to authentication, you want to obtain authorization information about the user’s access right (what the user can do on the network).

    • LDAP authentication only (supports LDAP version 3, compatible with Windows AD)

    • SecurID authentication only (uses an RSA SecurID external authentication server)

    A firewall user is a network user who must provide a username and password for authentication when initiating a connection across the firewall. You can put several user accounts together to form a user group, which you can store on the local database or on a RADIUS, an LDAP, or a SecurID server. When you reference an authentication user group and an external authentication server in a policy, the traffic matching the policy triggers an authentication check.

    Note: You use family inet to assign an IPv4 address. You use family inet6 to assign an IPv6 address. An interface can be configured with both an IPv4 and an IPv6 address. For the sake of brevity, these examples use IPv4 addresses only.

    Figure 1: Policy Lookup for a User

    Policy Lookup for a User

    The steps in Figure 1 are as follows:

    1. A client user sends an FTP, an HTTP, an HTTPS, or a Telnet packet to

    2. The device intercepts the packet, notes that its policy requires authentication from either the local database or an external authentication server, and buffers the packet.

    3. The device prompts the user for login information through FTP, HTTP, HTTPS, or Telnet.

    4. The user replies with a username and password.

    5. The device either checks for an authentication user account on its local database or sends the login information to the external authentication server as specified in the policy.

    6. Finding a valid match (or receiving notice of such a match from the external authentication server), the device informs the user that the login has been successful.

    7. For HTTP, HTTPS, or Telnet traffic, the device forwards the packet from its buffer to its destination IP address, However, for FTP traffic, after successful authentication, the device closes the session and the user must reconnect to the FTP server at IP address

    Note: For security purposes, we recommend that you use web-redirect rather than direct pass-through authentication on security policies that you configure for HTTP pass-through authentication. The web browser may provide security by automatically including credentials for subsequent requests to the target web server.

    After the device authenticates a user at a particular source IP address, it subsequently permits traffic—as specified in the policy requiring authentication through pass through—from any other user at that same address. This might be the case if the user originates traffic from behind a NAT device that changes all original source addresses to a single translated address.

    The pass-through user authentication method is recommended in situations when security has a higher priority than convenience. This authentication method applies only to the session and child sessions matching the policy that triggered it. You can apply this method on Internet-facing links, if used with caution.

    Modified: 2017-08-31