
    Example: Configuring Pass-Through Authentication

    This example shows how to configure pass-through authentication to authenticate firewall users. A firewall user is a network user who must provide a username and password when initiating a connection across the firewall.

    Pass-through authentication allows SRX Series administrators to restrict users who attempt to access a resource in another zone using FTP, Telnet, HTTP, or HTTPS. If the traffic matches a security policy whose action is pass-through authentication, the user is required to provide login information.

    For HTTPS, the default certificate key size is 2048 bits. If you do not specify a key size, the default is used.

    Requirements

    Before you begin, define firewall users. See Firewall User Authentication Overview.

    This example uses the following hardware and software components:

    • SRX Series device

    • Firewall user’s system

    • Packet destination system

    Overview

    The pass-through authentication process is triggered when a client, referred to as a firewall user, attempts to initiate an FTP, Telnet, HTTP, or HTTPS session to access a resource in another zone. The SRX Series firewall acts as a proxy for the FTP, Telnet, HTTP, or HTTPS server so that it can authenticate the firewall user before allowing the user access to the actual server behind the firewall.

    If traffic generated from a connection request sent by a firewall user matches a security policy rule bidirectionally and that rule specifies pass-through firewall authentication as the action of its then clause, the SRX Series device requires the firewall user to authenticate to a Junos OS proxy server.

    If the authentication is successful, subsequent traffic from the same source IP address is automatically allowed to pass through the SRX Series device if the traffic matches the security policy tuples.

    Figure 1 shows the topology used in this example.

    Figure 1: Configuring Pass-Through Firewall Authentication


    Note: Although the topology shows use of an external server, it is not covered in the configuration. It is outside the scope of this example.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

    set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.35/24
    set interfaces ge-5/0/0 unit 0 family inet address 192.0.2.1/24
    set access profile FWAUTH client FWClient1 firewall-user password password
    set access firewall-authentication pass-through default-profile FWAUTH
    set access firewall-authentication pass-through telnet banner success "WELCOME TO JUNIPER TELNET SESSION"
    set security zones security-zone UT-ZONE host-inbound-traffic system-services all
    set security zones security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
    set security zones security-zone T-ZONE host-inbound-traffic system-services all
    set security zones security-zone T-ZONE interfaces ge-5/0/0.0 host-inbound-traffic protocols all
    set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any
    set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match destination-address any
    set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match application junos-telnet
    set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication pass-through client-match FWClient1

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

    To configure pass-through authentication:

    1. Configure two interfaces and assign IP addresses to them.

      Note: For this example, it is optional to assign two addresses to the interfaces.

      [edit]
      user@host# set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.35/24
      user@host# set interfaces ge-5/0/0 unit 0 family inet address 192.0.2.1/24
    2. Create the FWAUTH access profile for the FWClient1 user, specify the user’s password, and define a success banner for Telnet sessions.
      [edit access]
      user@host# set profile FWAUTH client FWClient1 firewall-user password pwd
      user@host# set firewall-authentication pass-through default-profile FWAUTH
      user@host# set firewall-authentication pass-through telnet banner success "WELCOME TO JUNIPER TELNET SESSION"
    3. Configure security zones.

      Note: For this example, it is optional to configure a second interface for a security zone.

      [edit security zones]
      user@host# set security-zone UT-ZONE host-inbound-traffic system-services all
      user@host# set security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
      user@host# set security-zone T-ZONE host-inbound-traffic system-services all
      user@host# set security-zone T-ZONE interfaces ge-5/0/0.0 host-inbound-traffic protocols all
    4. Assign security policy P1 to the security zones.
      [edit security policies]
      user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any
      user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match destination-address any
      user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match application junos-telnet
      user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication pass-through client-match FWClient1
    5. Use Telnet to authenticate the FWClient1 firewall user to host2.
      user@FWClient1# run telnet 192.0.2.1
      Trying 192.0.2.1...
      Connected to 192.0.2.1
      Escape character is '^]'.
      Firewall User Authentication
      Username: FWClient1
      Password: $ABC123
      WELCOME TO JUNIPER TELNET SESSION
      Host1 (ttyp0)
      login: user
      Password: $ABC123
      --- JUNOS 10.1R1.1 built 2009-10-12 13:30:18 UTC
      %

    Results

    From configuration mode, confirm your configuration by entering these commands.

    • show interfaces

    • show access

    • show security zones

    • show security policies

    If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    For brevity, the output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

    user@host# show interfaces
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 203.0.113.35/24;
            }
        }
    }
    ge-5/0/0 {
        unit 0 {
            family inet {
                address 192.0.2.1/24;
            }
        }
    }
    ...
    user@host# show access
    profile FWAUTH {
        authentication-order password;
        client FWClient1 {
            firewall-user {
                password "$ABC123"; ## SECRET-DATA
            }
        }
    }
    firewall-authentication {
        pass-through {
            default-profile FWAUTH;
            telnet {
                banner {
                    success "WELCOME TO JUNIPER TELNET SESSION";
                }
            }
        }
    }
    user@host# show security zones
    security-zone UT-ZONE {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0 {
                host-inbound-traffic {
                    protocols {
                        all;
                    }
                }
            }
        }
    }
    security-zone T-ZONE {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-5/0/0.0 {
                host-inbound-traffic {
                    protocols {
                        all;
                    }
                }
            }
        }
    }
    user@host# show security policies
    ...
    from-zone UT-ZONE to-zone T-ZONE {
        policy P1 {
            match {
                source-address any;
                destination-address any;
                application junos-telnet;
            }
            then {
                permit {
                    firewall-authentication {
                        pass-through {
                            client-match FWClient1;
                        }
                    }
                }
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform this task:

    Verifying Firewall User Authentication and Monitoring Users and IP Addresses in the Authentication Table

    Purpose

    Display firewall authentication user history and verify the number of firewall users who successfully authenticated and the number of firewall users who failed to log in.

    Action

    From operational mode, enter these show commands:

    user@host> show security firewall-authentication history
    History of firewall authentication data:
    Authentications: 2
    Id  Source Ip     Date        Time      Duration  Status   User
    1   203.0.113.12  2010-10-12  21:24:02  0:00:24   Failed   FWClient1
    2   203.0.113.12  2010-10-12  21:24:48  0:00:22   Success  FWClient1

    user@host> show security firewall-authentication history identifier 1
    Username: FWClient1
    Source IP: 203.0.113.12
    Authentication state: Success
    Authentication method: Pass-through using Telnet
    Access start date: 2010-10-12
    Access start time: 21:24:02
    Duration of user access: 0:00:24
    Source zone: UT-ZONE
    Destination zone: T-ZONE
    Access profile: FWAUTH
    Bytes sent by this user: 0
    Bytes received by this user: 2660

    user@host> show security firewall-authentication users
    Firewall authentication data:
    Total users in table: 1
    Id  Source Ip     Src zone  Dst zone  Profile  Age  Status   User
    4   203.0.113.12  UT-ZONE   T-ZONE    FWAUTH   1    Success  FWClient1

    user@host> show security firewall-authentication users identifier 3
    Username: FWClient1
    Source IP: 203.0.113.12
    Authentication state: Success
    Authentication method: Pass-through using Telnet
    Age: 3
    Access time remaining: 9
    Source zone: UT-ZONE
    Destination zone: T-ZONE
    Access profile: FWAUTH
    Interface Name: ge-0/0/1.0
    Bytes sent by this user: 0
    Bytes received by this user: 1521
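
    The verification step asks you to count successful and failed firewall-user logins by reading the history table. The following script is an added example (not part of the Juniper documentation) that parses the `show security firewall-authentication history` output format shown above, tallies Success/Failed per user, and lists source IPs that only ever fail; the sample output is constructed to match that format, and the threshold value is an assumption.

```python
"""Summarize 'show security firewall-authentication history' output (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample output in the format of the verification step (not captured from a device).
SAMPLE_HISTORY = """\
History of firewall authentication data:
Authentications: 4
Id  Source Ip     Date        Time      Duration  Status   User
1   203.0.113.12  2010-10-12  21:24:02  0:00:24   Failed   FWClient1
2   203.0.113.12  2010-10-12  21:24:48  0:00:22   Success  FWClient1
3   203.0.113.77  2010-10-12  21:30:01  0:00:10   Failed   FWClient1
4   203.0.113.77  2010-10-12  21:30:15  0:00:09   Failed   FWClient1
"""

# One table row: Id, Source Ip, Date, Time, Duration, Status, User (whitespace separated).
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<duration>\d+:\d{2}:\d{2})\s+(?P<status>Success|Failed)\s+(?P<user>\S+)\s*$"
)


def parse_history(text):
    """Return one dict per authentication record; header and summary lines are skipped."""
    return [m.groupdict() for m in (ROW_RE.match(line) for line in text.splitlines()) if m]


def summarize(rows):
    """Count Success/Failed per user, e.g. {'FWClient1': {'Failed': 3, 'Success': 1}}."""
    summary = defaultdict(Counter)
    for r in rows:
        summary[r["user"]][r["status"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def failed_sources(rows, threshold=2):
    """Source IPs with at least `threshold` failures and no success (assumed review threshold)."""
    failed = Counter(r["ip"] for r in rows if r["status"] == "Failed")
    succeeded = {r["ip"] for r in rows if r["status"] == "Success"}
    return sorted(ip for ip, n in failed.items() if n >= threshold and ip not in succeeded)


if __name__ == "__main__":
    records = parse_history(SAMPLE_HISTORY)
    print(summarize(records))       # {'FWClient1': {'Failed': 3, 'Success': 1}}
    print(failed_sources(records))  # ['203.0.113.77']
```

On a live device, feed the script the text of the same show command instead of the constructed sample.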
    

    Modified: 2017-08-31