
    Example: Configuring HTTPS Traffic to Trigger Pass-Through Authentication

    This example shows how to configure HTTPS traffic to trigger pass-through authentication. HTTPS is more secure than HTTP, so it has become more popular and is more widely used.

    Requirements

    This example uses the following hardware and software components:

    • SRX Series device

    • Two PCs running Linux and OpenSSL. One PC acts as the client and the other as the HTTPS server. The two PCs are used to create the key files and to send traffic.

    • Junos OS Release 12.1X44-D10 or later for SRX5400, SRX5600, and SRX5800 devices and Junos OS Release 15.1X49-D40 or later for vSRX, SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 Services Gateways.

    Note: Starting in Junos OS Release 12.1X44-D10 and Junos OS Release 17.3R1, HTTPS-based authentication is introduced on SRX5400, SRX5600, and SRX5800 devices.

    Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, HTTPS-based authentication is introduced on vSRX, SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 Services Gateways.

    Before you begin:

    An SRX Series device must decrypt HTTPS traffic to trigger pass-through authentication, so the SSL termination proxy needs a private key file and a certificate file installed on the device. The following list describes the steps to create and install the private key file and the certificate file.

    Note: If you already have an official .crt file and .key file, you can upload and install them directly on the SRX Series device. Otherwise, follow the procedure below to create and install the files. Step 1 and Step 2 must be run on a PC with Linux and OpenSSL installed. Step 3 must be run from operational mode on the SRX Series device.

    To create and install a private key file and a certificate file:

    1. On the PC, create the .key file:

      openssl genrsa -out /tmp/device.key 1024
    2. On the PC, create a self-signed .crt file from the key created in Step 1:

      openssl req -new -x509 -days 365 -key /tmp/device.key -out /tmp/device.crt -subj "/C=CN/ST=BJ/L=BJ/O=JNPR/OU=CNRD/CN=203.0.113.11/emailAddress=device@mycompany.com"
    3. Upload the .key and .crt files to the SRX Series device (here to /var/tmp), and install them under the certificate identifier device using the following command from operational mode:

      user@host> request security pki local-certificate load filename /var/tmp/device.crt key /var/tmp/device.key certificate-id device
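    The key and certificate steps above as a script that uses one consistent file name and checks that the key and certificate belong together before they are uploaded. This is an added example, not from the Juniper page; it assumes OpenSSL is installed on the Linux PC, and the output directory, key size and subject string are parameters chosen here (the subject reuses the page's example values).

```shell
#!/bin/sh
# Added example, not from the Juniper page. Generates device.key and device.crt
# for upload to the SRX and verifies the pair first. Assumes openssl is installed.
set -eu

# Generate the private key and a self-signed certificate under one file name.
# $1 = output directory, $2 = RSA key size in bits, $3 = X.509 subject string.
# The page's procedure uses 1024-bit RSA; 2048 is the smallest size current
# guidance accepts, so the usage below passes 2048 (an assumption, not the page's value).
make_device_cert() {
    out_dir=$1; key_bits=$2; subj=$3
    mkdir -p "$out_dir"
    openssl genrsa -out "$out_dir/device.key" "$key_bits" 2>/dev/null
    openssl req -new -x509 -days 365 -key "$out_dir/device.key" \
        -out "$out_dir/device.crt" -subj "$subj" 2>/dev/null
}

# Print "match" when the certificate's public key was derived from the private
# key (same SHA-256 over the DER-encoded public key), otherwise "mismatch".
# A mismatched pair cannot terminate TLS, so catch it here, not on the SRX.
# $1 = private key file, $2 = certificate file.
check_key_matches_cert() {
    key_fp=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    crt_fp=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    if [ -n "$key_fp" ] && [ "$key_fp" = "$crt_fp" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Print the certificate's SHA-256 fingerprint. Keep it: once the SRX is configured,
# the client PC can compare it with the certificate presented on the intercepted
# HTTPS session to confirm the installed certificate is the expected one.
# $1 = certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: sh make_device_cert.sh /tmp   (subject values are the page's example ones)
if [ -n "${1:-}" ]; then
    make_device_cert "$1" 2048 \
        "/C=CN/ST=BJ/L=BJ/O=JNPR/OU=CNRD/CN=203.0.113.11/emailAddress=device@mycompany.com"
    check_key_matches_cert "$1/device.key" "$1/device.crt"
    cert_fingerprint "$1/device.crt"
fi
```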

    Overview

    Firewall authentication requires a network user to provide a username and password before a connection is allowed to be established across the firewall. Firewall authentication supports HTTPS traffic for pass-through authentication, and HTTPS secures the HTTP firewall authentication exchange between the user and the SRX Series device.

    HTTPS is the secure version of HTTP, the protocol over which data is sent between the user and the device that the user is connected to. All communications between the user and the connected devices are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.

    In this example, HTTPS traffic is used to trigger pass-through authentication because HTTPS is more secure than HTTP. For HTTPS traffic to trigger pass-through authentication you must first configure the SSL termination profile.

    Figure 1 shows an example of pass-through authentication using HTTPS traffic. In this example, a host or a user from an untrust zone tries to access resources on the trust zone. The SRX Series device uses HTTPS to collect the username and password information. Subsequent traffic from the host or user is allowed or denied based on the result of this authentication.

    Figure 1: Pass-Through Authentication Using HTTPS Traffic


    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

    set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.12/24
    set interfaces ge-1/0/0 unit 0 family inet address 203.0.113.1/24
    set security policies from-zone trust to-zone untrust policy p1 match source-address any
    set security policies from-zone trust to-zone untrust policy p1 match destination-address any
    set security policies from-zone trust to-zone untrust policy p1 match application any
    set security policies from-zone trust to-zone untrust policy p1 then permit firewall-authentication pass-through access-profile local_pf
    set security policies from-zone trust to-zone untrust policy p1 then permit firewall-authentication pass-through ssl-termination-profile ssl_pf
    set security policies from-zone trust to-zone untrust policy p1 then log session-init
    set security policies from-zone trust to-zone untrust policy p1 then log session-close
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
    set security zones security-zone untrust interfaces ge-1/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone untrust interfaces ge-1/0/0.0 host-inbound-traffic protocols all
    set access profile local_pf client user1 firewall-user password <password>
    set access firewall-authentication pass-through default-profile local_pf
    set services ssl termination profile ssl_pf server-certificate device

    Step-by-Step Procedure

    To configure HTTPS traffic to trigger pass-through authentication:

    1. Configure interfaces and assign IP addresses.
      [edit interfaces]
      user@host# set ge-0/0/0 unit 0 family inet address 192.0.2.12/24
      user@host# set ge-1/0/0 unit 0 family inet address 203.0.113.1/24
    2. Configure the security policy action so that traffic from zone trust to zone untrust is permitted only after pass-through firewall authentication, using access profile local_pf and SSL termination profile ssl_pf.
      [edit security policies]
      user@host# set from-zone trust to-zone untrust policy p1 then permit firewall-authentication pass-through access-profile local_pf
      user@host# set from-zone trust to-zone untrust policy p1 then permit firewall-authentication pass-through ssl-termination-profile ssl_pf
    3. Specify the match criteria for policy p1 and log session initiation and close.
      [edit security policies]
      user@host# set from-zone trust to-zone untrust policy p1 match source-address any
      user@host# set from-zone trust to-zone untrust policy p1 match destination-address any
      user@host# set from-zone trust to-zone untrust policy p1 match application any
      user@host# set from-zone trust to-zone untrust policy p1 then log session-init
      user@host# set from-zone trust to-zone untrust policy p1 then log session-close
    4. Configure the trust security zone, assign its interface, and allow host-inbound system services and protocols on that interface.
      [edit security zones]
      user@host# set security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
      user@host# set security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
    5. Configure the untrust security zone and its interface in the same way.
      [edit security zones]
      user@host# set security-zone untrust interfaces ge-1/0/0.0 host-inbound-traffic system-services all
      user@host# set security-zone untrust interfaces ge-1/0/0.0 host-inbound-traffic protocols all
    6. Create an access profile, configure the client as a firewall user, and set the password.
      [edit access]
      user@host# set profile local_pf client user1 firewall-user password <password>
    7. Configure the firewall authentication type and the default profile in which the authentication settings are defined.
      [edit access]
      user@host# set firewall-authentication pass-through default-profile local_pf
    8. Configure the SSL termination profile and enter the local certificate identifier name.
      [edit services]
      user@host# set ssl termination profile ssl_pf server-certificate device

    Results

    From configuration mode, confirm your configuration by entering the show interfaces, show security policies, show security zones, show access, and show services ssl termination commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    user@host# show interfaces
    ...
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.0.2.12/24;
                }
            }
        }
        ge-1/0/0 {
            unit 0 {
                family inet {
                    address 203.0.113.1/24;
                }
            }
        }
    }
    user@host# show security policies
    ...
    policies {
        from-zone trust to-zone untrust {
            policy p1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        firewall-authentication {
                            pass-through {
                                access-profile local_pf;
                                ssl-termination-profile ssl_pf;
                            }
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    user@host# show security zones
    ...
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    user@host# show access
    ...
    access {
        profile local_pf {
            client user1 {
                firewall-user {
                    password password;
                }
            }
        }
        firewall-authentication {
            pass-through {
                default-profile local_pf;
            }
        }
    }
    user@host# show services ssl termination
    ...
    services {
        ssl {
            termination {
                profile ssl_pf {
                    server-certificate device;
                }
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    Verifying the Configuration

    Purpose

    Verify that the configuration is correct.

    Action

    From operational mode, enter the show security firewall-authentication users command for identifier 1.

    user@host> show security firewall-authentication users identifier 1
    Username: user1
    Source IP: 203.0.113.1/24
    Authentication state: Success
    Authentication method: Pass-through using HTTPS
    Age: 0
    Access time remaining: 10
    Lsys: root-logical-system
    Source zone: trust
    Destination zone: untrust
    Access profile: local_pf
    Interface Name: ge-0/0/0.0
    Bytes sent by this user: 946
    Bytes received by this user: 0

    Meaning

    The show security firewall-authentication users command displays the firewall authentication user information for the specified identifier. If the output displays Pass-through using HTTPS in the Authentication method field and Success in the Authentication state field, then your configuration is correct.

    Modified: 2017-08-31