Example: Configuring HTTPS Traffic to Trigger Pass-Through Authentication
This example shows how to configure HTTPS traffic to trigger pass-through authentication. HTTPS is more secure than HTTP, so it has become more popular and is more widely used.
This example uses the following hardware and software components:
- SRX Series device
- Two PCs running Linux and OpenSSL. One PC acts as a client and the other as an HTTPS server. The two PCs are used to create key files and to send traffic.
- Junos OS Release 12.1X44-D10 or later for SRX5400, SRX5600, and SRX5800 devices and Junos OS Release 15.1X49-D40 or later for vSRX, SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 Services Gateways.
Starting in Junos OS Release 12.1X44-D10 and Junos OS Release 17.3R1, HTTPS-based authentication is introduced on SRX5400, SRX5600, and SRX5800 devices.
Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, HTTPS-based authentication is introduced on vSRX, SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 Services Gateways.
Before you begin:
An SRX Series device must decrypt HTTPS traffic to trigger pass-through authentication. The SSL termination proxy that performs this decryption requires a private key file and a certificate file to be created and installed on the device. The following list describes the steps to create and install a private key file and a certificate file.
If you have an official .crt file and .key file, you can directly upload and install the files on the SRX Series device. If you do not have a .crt file and .key file, follow the procedure to create and install the files. Instructions specified in Step 1 and Step 2 must be run on a PC with Linux and OpenSSL installed. Instructions specified in Step 3 and Step 4 must be run in operational mode.
To create and install a private key file and a certificate file:
1. On a PC, create the .key file:
   openssl genrsa -out /tmp/device.key 1024
2. On a PC, create the .crt file (the -key argument must point at the key file created in Step 1):
   openssl req -new -x509 -days 365 -key /tmp/device.key -out /tmp/device.crt -subj "/C=CN/ST=BJ/L=BJ/O=JNPR/OU=CNRD/CN=203.0.113.11/emailAddress=firstname.lastname@example.org"
3. Copy the .key and .crt files to an SRX Series device.
4. Install the files on the device using the following command from operational mode:
   user@host> request security pki local-certificate load filename /var/tmp/device.crt key /var/tmp/device.key certificate-id device
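As an added example (not part of the Juniper procedure above), the following POSIX shell script carries out Steps 1 and 2 on the Linux PC and then performs the checks worth running before the files are copied to the SRX Series device: that the public key in the certificate really belongs to the generated private key, that the CN is the address at which the device will be reached, and that the certificate will not expire within a chosen number of days. The output directory and the CN are parameters of this example, the e-mail address is the page's example address, and the key size is 2048 bits rather than the 1024 bits in the page's command, since 1024-bit RSA is no longer accepted by most current TLS clients. These are the example's own choices, not the page's.

```shell
#!/bin/sh
# Added example: generate the device key/certificate pair as in Steps 1 and 2,
# then verify the pair before it is copied to the SRX Series device.
# Assumptions (not from the page): DIR and CN are parameters; the key size
# is 2048 bits, whereas the page's command uses 1024.
set -eu

# gen_pair DIR CN -> writes DIR/device.key and DIR/device.crt
gen_pair() {
    dir=$1
    cn=$2
    openssl genrsa -out "$dir/device.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/device.key" -out "$dir/device.crt" \
        -subj "/C=CN/ST=BJ/L=BJ/O=JNPR/OU=CNRD/CN=$cn/emailAddress=firstname.lastname@example.org"
}

# key_matches_cert KEY CRT -> succeeds only if CRT carries the public key of KEY.
# Both public keys are re-encoded as DER and hashed so the comparison is
# independent of PEM line wrapping.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# cert_cn CRT -> prints the commonName from the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *commonName *= *//p'
}

# cert_valid_for_days CRT N -> succeeds only if CRT will still be valid N days from now
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Run `gen_pair /tmp 203.0.113.11` and then the three checks against `/tmp/device.key` and `/tmp/device.crt`; a CN that does not match the device address, or a key/certificate mismatch, is far easier to catch here than after `request security pki local-certificate load` has been run on the SRX.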
Firewall authentication initiates a secure connection to be established across two devices. A network user must provide a username and password for authentication when initiating a connection across the firewall. Firewall authentication supports HTTPS traffic for pass-through authentication. HTTPS can secure HTTP firewall authentication traffic between users and the SRX Series device.
HTTPS is the secure version of HTTP, the protocol over which data is sent between the user and the device that the user is connected to. All communications between the user and the connected devices are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.
In this example, HTTPS traffic is used to trigger pass-through authentication because HTTPS is more secure than HTTP. For HTTPS traffic to trigger pass-through authentication you must first configure the SSL termination profile.
Figure 1 shows an example of pass-through authentication using HTTPS traffic. In this example, a host or a user from an untrust zone tries to access resources on the trust zone. The SRX Series device uses HTTPS to collect the username and password information. Subsequent traffic from the host or user is allowed or denied based on the result of this authentication.
CLI Quick Configuration
To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the  hierarchy level, and then enter commit from configuration mode.
To configure HTTPS traffic to trigger pass-through authentication:
- Configure interfaces and assign IP addresses.
  [edit interfaces]
  user@host# set ge-0/0/0 unit 0 family inet address 192.0.2.12/24
  user@host# set ge-1/0/0 unit 0 family inet address 203.0.113.1/24
- Configure security policies to permit firewall-authenticated traffic from zone trust to zone untrust.
  [edit security policies]
  user@host# set from-zone trust to-zone untrust policy p1 then permit firewall-authentication pass-through access-profile local_pf
  user@host# set from-zone trust to-zone untrust policy p1 then permit firewall-authentication pass-through ssl-termination-profile ssl_pf
- Specify a policy action to take when a packet matches the criteria.
  [edit security policies]
  user@host# set from-zone trust to-zone untrust policy p1 match source-address any
  user@host# set from-zone trust to-zone untrust policy p1 match destination-address any
  user@host# set from-zone trust to-zone untrust policy p1 match application any
  user@host# set from-zone trust to-zone untrust policy p1 then log session-init
  user@host# set from-zone trust to-zone untrust policy p1 then log session-close
- Configure security zones and assign interfaces.
  [edit security zones]
  user@host# set security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
  user@host# set security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
- Configure application services for zones.
  [edit security zones]
  user@host# set security-zone trust host-inbound-traffic system-services all protocols all
  user@host# set security-zone untrust host-inbound-traffic system-services all protocols all
- Create an access profile, configure the client as a firewall user, and set the password.
  [edit access]
  user@host# set profile local_pf client user1 firewall-user password <password>
- Configure the type of firewall authentication and the default profile name where the authentication settings are defined.
  [edit access]
  user@host# set firewall-authentication pass-through default-profile local_pf
- Configure the SSL termination profile and enter a local certificate identifier name.
  [edit services]
  user@host# set ssl termination profile ssl_pf server-certificate device
From configuration mode, confirm your configuration by entering the show interfaces, show security policies, show security zones, show access, and show services ssl termination commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verifying the Configuration
Verify that the configuration is correct.
From operational mode, enter the show security firewall-authentication users command for identifier 1.
The show security firewall-authentication users command displays the firewall authentication user information for the specified identifier. If the output displays Pass-through using HTTPS in the Authentication method field and Success in the Authentication state field, then your configuration is correct.