
Configure Captive Portal for Unauthenticated Browsers

 

Generally, an SRX Series device redirects an unauthenticated user to the captive portal for authentication. While the redirect is in progress, a background process such as Microsoft updates can trigger the captive portal before the HTTP/HTTPS browser-based user's access request does, which causes the browser to display a “401 Unauthorized” page without ever presenting the authentication portal. The auth-only-browser and auth-user-agent parameters give you control over how HTTP/HTTPS traffic is handled.

Understanding SRX Series Assured Captive Portal Support for Unauthenticated Browser Users

When an unauthenticated user requests access to an SRX Series protected resource using an HTTP/HTTPS browser, the SRX Series device presents the user with a captive portal interface to allow the user to authenticate. Normally, this process occurs without interference. However, prior to the introduction of this feature, HTTP/HTTPS-based workstation services running in the background, such as Microsoft updates and control checks, could trigger captive portal authentication before the HTTP/HTTPS browser-based user’s access request did. This posed a race condition. If a background process triggered captive portal first, the SRX Series device presented it with a “401 Unauthorized” page. The service discarded the page without informing the browser, and the browser user was never presented with the authentication portal. The SRX Series device also did not support simultaneous authentication from the same source (IP address) on different SPUs.

Starting with Junos OS Release 15.1X49-D90 and Junos OS Release 17.3R1, the SRX Series device supports simultaneous HTTP/HTTPS pass-through authentication across multiple SPUs, including support for web-redirect authentication. If an HTTP/HTTPS packet arrives while the SPU is querying the CP, the SRX Series device queues the packet to be handled later.

Additionally, the following two parameters are made available to give you greater control over how HTTP/HTTPS traffic is handled.

  • auth-only-browser—Authenticate only browser traffic. If you specify this parameter, the SRX Series device distinguishes HTTP/HTTPS browser traffic from other HTTP/HTTPS traffic. The SRX Series device does not respond to non-browser traffic. You can use the auth-user-agent parameter in conjunction with this control to further ensure that the HTTP traffic is from a browser.

  • auth-user-agent—Authenticate HTTP/HTTPS traffic based on the User-Agent field in the HTTP/HTTPS browser header. You can specify one user-agent value per configuration. The SRX Series device checks the user-agent value that you specify against the User-Agent field in the HTTP/HTTPS browser header for a match to determine if the traffic is HTTP/HTTPS browser-based.

    You can use this parameter with the auth-only-browser parameter or alone for both pass-through and user-firewall firewall-authentication.

    You can specify only one string as a value for auth-user-agent. It must not include spaces and you do not need to enclose the string in quotation marks.

    Note

    Starting with Junos OS 17.4R1, you can assign IPv6 addresses in addition to IPv4 addresses when you configure source addresses. To configure an IPv6 source address, specify any or any-IPv6 at the [edit security policies from-zone trust to-zone untrust policy policy-name match source-address] hierarchy level.

Here are some examples of how to configure security policies to use the auth-only-browser and auth-user-agent firewall authentication features.

For Pass-Through Authentication

Configures a security policy for pass-through authentication that uses the auth-only-browser parameter.

Configures a security policy for pass-through authentication that uses the auth-user-agent parameter without auth-only-browser.

Configures a security policy for pass-through authentication that uses the auth-only-browser with the auth-user-agent parameter.

For User Firewall Authentication

Configures a security policy for user-firewall authentication that uses the auth-only-browser parameter.

Configures a security policy for user-firewall authentication that uses the auth-user-agent parameter without auth-only-browser.

Configures a security policy for user-firewall authentication that uses the auth-only-browser with the auth-user-agent parameter.
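The six policy variants listed above, written out as an added configuration example that is not part of the original page and is not Juniper's own sample configuration. It assumes the zone names trust and untrust, an access profile named prof1 that already exists under [edit access profile], the placeholder user-agent string MyBrowser, and junos-http as the matched application; the policy names are made up for this example. The lines beginning with # are explanatory annotations for the reader and should be dropped when pasting the set commands into the CLI.

```junos
# --- Pass-through firewall authentication -------------------------------

# 1. auth-only-browser: respond with the captive portal only to HTTP traffic
#    the device classifies as browser traffic; other HTTP clients get no reply.
set security policies from-zone trust to-zone untrust policy pt-browser match source-address any
set security policies from-zone trust to-zone untrust policy pt-browser match destination-address any
set security policies from-zone trust to-zone untrust policy pt-browser match application junos-http
set security policies from-zone trust to-zone untrust policy pt-browser then permit firewall-authentication pass-through access-profile prof1
set security policies from-zone trust to-zone untrust policy pt-browser then permit firewall-authentication pass-through auth-only-browser

# 2. auth-user-agent alone: trigger authentication only when the User-Agent
#    header matches the single configured string (no spaces, no quotes).
set security policies from-zone trust to-zone untrust policy pt-agent match source-address any
set security policies from-zone trust to-zone untrust policy pt-agent match destination-address any
set security policies from-zone trust to-zone untrust policy pt-agent match application junos-http
set security policies from-zone trust to-zone untrust policy pt-agent then permit firewall-authentication pass-through access-profile prof1
set security policies from-zone trust to-zone untrust policy pt-agent then permit firewall-authentication pass-through auth-user-agent MyBrowser

# 3. auth-only-browser together with auth-user-agent.
set security policies from-zone trust to-zone untrust policy pt-both match source-address any
set security policies from-zone trust to-zone untrust policy pt-both match destination-address any
set security policies from-zone trust to-zone untrust policy pt-both match application junos-http
set security policies from-zone trust to-zone untrust policy pt-both then permit firewall-authentication pass-through access-profile prof1
set security policies from-zone trust to-zone untrust policy pt-both then permit firewall-authentication pass-through auth-only-browser
set security policies from-zone trust to-zone untrust policy pt-both then permit firewall-authentication pass-through auth-user-agent MyBrowser

# --- User firewall authentication ----------------------------------------
# Same three variants; only the authentication type changes.

# 4. auth-only-browser.
set security policies from-zone trust to-zone untrust policy uf-browser match source-address any
set security policies from-zone trust to-zone untrust policy uf-browser match destination-address any
set security policies from-zone trust to-zone untrust policy uf-browser match application junos-http
set security policies from-zone trust to-zone untrust policy uf-browser then permit firewall-authentication user-firewall access-profile prof1
set security policies from-zone trust to-zone untrust policy uf-browser then permit firewall-authentication user-firewall auth-only-browser

# 5. auth-user-agent without auth-only-browser.
set security policies from-zone trust to-zone untrust policy uf-agent match source-address any
set security policies from-zone trust to-zone untrust policy uf-agent match destination-address any
set security policies from-zone trust to-zone untrust policy uf-agent match application junos-http
set security policies from-zone trust to-zone untrust policy uf-agent then permit firewall-authentication user-firewall access-profile prof1
set security policies from-zone trust to-zone untrust policy uf-agent then permit firewall-authentication user-firewall auth-user-agent MyBrowser

# 6. auth-only-browser together with auth-user-agent.
set security policies from-zone trust to-zone untrust policy uf-both match source-address any
set security policies from-zone trust to-zone untrust policy uf-both match destination-address any
set security policies from-zone trust to-zone untrust policy uf-both match application junos-http
set security policies from-zone trust to-zone untrust policy uf-both then permit firewall-authentication user-firewall access-profile prof1
set security policies from-zone trust to-zone untrust policy uf-both then permit firewall-authentication user-firewall auth-only-browser
set security policies from-zone trust to-zone untrust policy uf-both then permit firewall-authentication user-firewall auth-user-agent MyBrowser
```

In practice you would commit only one of these policies per zone pair, since they all match the same traffic. After the commit, `show security policies detail` confirms that the firewall-authentication options took effect, and `show security firewall-authentication users` shows the entries created once a browser user completes the captive portal. Keep in mind what these two parameters are for: they stop non-browser HTTP clients from consuming the captive portal exchange, so that the real browser user is the one who sees it. Because the User-Agent header is set by the client, auth-user-agent is a traffic-steering filter, not an authentication factor; the user still authenticates against the access profile.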

Understanding the Forced Timeout Setting Assigned to Active Directory Authentication Entries for Users Authenticated Through Captive Portal

This topic covers the effect of the firewall authentication forced timeout setting as it applies to active directory authentication entries for users who authenticate through captive portal.

When a user authenticates through captive portal, an authentication table entry is generated for that user based on the information that the SRX Series device obtains from the firewall authentication module. At that point, the default traffic-based authentication timeout logic is applied to the entry.

As an administrator, it is important for you to have control over how long non-domain users who authenticate through captive portal remain authenticated. The firewall authentication forced timeout feature gives you that control. Use of it ensures that non-domain users do not remain authenticated indefinitely. For example, assume that the flow of traffic is continuous to and from the device of a non-domain user authenticated through captive portal. Given the behavior of the default traffic-based authentication timeout, the non-domain user would remain authenticated indefinitely.

When the firewall authentication forced timeout value is configured, it is used in conjunction with the traffic-based timeout logic.

Here is how timeout settings, including firewall authentication forced timeout, affect active directory authentication entries for users authenticated through captive portal. In all of the following instances, an authentication entry was generated for a user based on firewall authentication information after the user authenticated through captive portal.

  • The firewall authentication forced timeout is set for 3 hours.

    Traffic continues to be received and generated by a device associated with an authentication entry for a user. After 3 hours the authentication entry expires, even though at that time there are sessions anchored in the Packet Forwarding Engine for the authentication entry.

  • If set, the firewall authentication forced timeout has no effect.

    An authentication entry does not have sessions anchored to it. It expires after the time set for the authentication entry timeout, for example, 30 minutes.

  • The firewall authentication forced timeout configuration is deleted.

    Firewall authentication forced timeout has no effect on new authentication entries. Firewall authentication forced timeout remains enforced for existing authentication entries to which it applied before it was deleted. That is, for those authentication entries, the original forced timeout setting remains in effect.

  • The firewall authentication forced timeout configuration setting is changed.

    The new timeout setting is applied to new incoming authentication entries. Existing entries keep the original, former setting.

  • The firewall authentication forced timeout is set to 0, disabling it.

    If the firewall authentication forced timeout is set to a new value, that value is assigned to all incoming authentication entries. There is no firewall authentication forced timeout setting for existing authentication entries.

  • The firewall authentication forced timeout value is not configured.

    • The SRX Series device generates an authentication entry for a user. The default traffic-based timeout logic is applied to the authentication entry.

    • The active directory timeout value is configured for 50 minutes. A traffic-based timeout of 50 minutes is applied to an authentication entry.

    • The active directory timeout is not configured. The default traffic-based timeout of 30 minutes is applied to an authentication entry.