
Configure Integrated User Firewall

 

As the name denotes, integrated user firewall provides simpler user firewall functionality without requiring a Unified Access Control (UAC) or other network access control (NAC) deployment. Integrated user firewall learns which user is behind an IP address from the Active Directory domain controller event logs, retrieves user-to-group membership through Lightweight Directory Access Protocol (LDAP), and allows or denies access by matching security policies on that identity.

Example: Configuring Integrated User Firewall on SRX Series

This example shows how to implement the integrated user firewall feature by configuring a Windows Active Directory domain, an LDAP base, a captive portal to which unauthenticated users are directed, and a security policy based on a source identity. All captive portal configuration in this example is over Transport Layer Security (TLS).

Requirements

This example uses the following hardware and software components:

  • One SRX Series device

  • Junos OS Release 12.1X47-D10 or later for SRX Series devices

No special configuration beyond device initialization is required before configuring this feature.

Overview

In a typical scenario for the integrated user firewall feature, domain and non-domain users want to access the Internet through an SRX Series device. The SRX Series device reads and analyzes the event log of the domain controllers configured in the domain, and in this way detects domain users who have logged on to an Active Directory domain controller. From this information the device builds the Active Directory authentication table, which serves as the Active Directory authentication source for the integrated user firewall. The SRX Series device uses this table to enforce policy and achieve user-based or group-based access control.

For any non-domain user, or domain user on a non-domain device, the network administrator can specify a captive portal to force the user to submit to firewall authentication, provided the SRX Series device supports captive portal for that traffic type (HTTP, for example). After the user enters a name and password and passes firewall authentication, the SRX Series device gets the user-to-group mapping for that user from the LDAP server and can enforce user firewall policy on the user accordingly.

Starting with Junos OS Release 17.4R1, you can use IPv6 addresses for Active Directory domain controllers in addition to IPv4 addresses. To illustrate this support, this example uses 2001:db8:0:1:2a0:a502:0:1da as the address for the domain controller.

When a new user is created in Active Directory (AD), the user is added to the global security group Primary Group, which by default is Domain Users. The Primary Group is less specific than other groups created in AD because all users belong to it, and it can become very large.

You cannot use the Primary Group in integrated user firewall configurations, whether under its default name of Domain Users or under another name if you have renamed it.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To establish a Windows Active Directory domain, to configure captive portal, and to configure another security policy, perform the steps in this section.

Once configured, when traffic arrives, the SRX Series device consults the user firewall process, which in turn consults the Active Directory authentication source to determine whether the source IP address is in its authentication table. If the user firewall finds an authentication entry, the SRX Series device evaluates the policy configured in Step 5 for further action. If the user firewall does not find an authentication entry, the SRX Series device evaluates the policy configured in Step 4, which forces the user to authenticate through the captive portal.

  1. Configure the LDAP base distinguished name.
  2. Configure a domain name, the username and password of the domain, and the name and IP address of the domain controller in the domain.
  3. Configure an access profile and set the authentication order and LDAP options.

    When the no-tls-certificate-check option is configured, the SRX Series device skips validation of the LDAP server's certificate and accepts any certificate presented. This removes server authentication from the TLS connection over which user credentials and group lookups travel, so an attacker who can intercept the LDAP session could impersonate the server. Use it only in a lab; in production, leave certificate checking enabled and pin the expected server name with tls-peer-name.

  4. Configure a policy for the source identities unauthenticated-user and unknown-user and enable the firewall authentication captive portal. Both identities are required: unauthenticated-user matches a source whose IP address has no entry in the authentication table, and unknown-user matches when no authentication source is configured or the authentication source is disconnected.
  5. Configure a second policy to enable a specific user.

    When you specify a source identity in a policies statement, prepend the domain name and a backslash to the group name or username. Enclose the combination in quotation marks.

  6. Set the Active Directory authentication table as the authentication source for integrated user firewall information retrieval and specify the sequence in which user information tables are checked.

    You must set the Active Directory authentication table as the authentication source for integrated user firewall information retrieval and specify the sequence in which user information tables are checked using the command set security user-identification authentication-source active-directory-authentication-table priority value.

    The default value of this option is 125. The default priority for all the authentication sources is as follows:

    • Local authentication: 100

    • Integrated user firewall: 125

    • User role firewall: 150

    • Unified Access Control (UAC): 200

    The priority field sets the position of the Active Directory authentication table in the sequence in which the supported authentication tables are searched to retrieve a user role. The value can be from 0 through 65,535. The default priority of the Active Directory authentication table is 125, so even if you do not specify a priority value, the Active Directory authentication table is searched at position 125 (integrated user firewall).

    A unique priority value is assigned to each authentication table. The lower the value, the higher the priority. For example, a table with priority 120 is searched before a table with priority 200. Setting the priority value of a table to 0 disables the table and removes it from the search sequence.

    For more details, see Understanding Active Directory Authentication Tables and active-directory-authentication-table.
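The six steps above as one complete set-command configuration. This is an added example and not the page's own quick configuration: the domain example.net, the domain controller name dc1, the IPv4 address 192.0.2.10 (used for both the domain controller's LDAP service and the access profile's LDAP server), the service account ad-reader, the group engineering, the policy names and the zones trust and untrust are assumptions; the IPv6 domain controller address is the one the page gives. Passwords are placeholders. Lines beginning with # are annotations, not Junos syntax; remove them before pasting.

```junos
# Steps 1 and 2: the domain, the account the SRX uses to read the domain
# controller event log (WMI), the domain controller, and the LDAP base used
# for user-to-group mapping. Give the account the minimum rights needed to
# read the Security event log; it does not need to be a domain administrator.
set services user-identification active-directory-access domain example.net user ad-reader
set services user-identification active-directory-access domain example.net user password "<ad-reader-password>"
set services user-identification active-directory-access domain example.net domain-controller dc1 address 2001:db8:0:1:2a0:a502:0:1da
set services user-identification active-directory-access domain example.net user-group-mapping ldap base DC=example,DC=net
set services user-identification active-directory-access domain example.net user-group-mapping ldap address 192.0.2.10
set services user-identification active-directory-access domain example.net user-group-mapping ldap user ad-reader
set services user-identification active-directory-access domain example.net user-group-mapping ldap user password "<ad-reader-password>"
set services user-identification active-directory-access domain example.net user-group-mapping ldap ssl
set services user-identification active-directory-access ip-user-mapping discovery-method wmi
set services user-identification active-directory-access authentication-entry-timeout 30

# Step 3: access profile used by the captive portal. LDAP over StartTLS with
# the server name pinned and TLS 1.2 as the floor. The last line is the
# lab-only setting the text warns about, left commented out so the server
# certificate is checked.
set access profile profile1 authentication-order ldap
set access profile profile1 ldap-server 192.0.2.10
set access profile profile1 ldap-options base-distinguished-name DC=example,DC=net
set access profile profile1 ldap-options search search-filter sAMAccountName=
set access profile profile1 ldap-options search admin-search distinguished-name CN=ad-reader,CN=Users,DC=example,DC=net
set access profile profile1 ldap-options search admin-search password "<ad-reader-password>"
set access profile profile1 ldap-options tls-type start-tls
set access profile profile1 ldap-options tls-peer-name dc1.example.net
set access profile profile1 ldap-options tls-min-version v1.2
# set access profile profile1 ldap-options no-tls-certificate-check

# Step 4: sources with no authentication entry, or with no authentication
# source connected, are sent to the captive portal. Only HTTP is matched,
# because that is the traffic type the portal can intercept here.
set security policies from-zone trust to-zone untrust policy captive-portal match source-address any
set security policies from-zone trust to-zone untrust policy captive-portal match destination-address any
set security policies from-zone trust to-zone untrust policy captive-portal match application junos-http
set security policies from-zone trust to-zone untrust policy captive-portal match source-identity unauthenticated-user
set security policies from-zone trust to-zone untrust policy captive-portal match source-identity unknown-user
set security policies from-zone trust to-zone untrust policy captive-portal then permit firewall-authentication user-firewall access-profile profile1
set security policies from-zone trust to-zone untrust policy captive-portal then permit firewall-authentication user-firewall domain example.net

# Step 5: a group from the authentication table. Domain, backslash, group
# name, the whole thing quoted. A specific user is written the same way,
# for example "example.net\jdoe".
set security policies from-zone trust to-zone untrust policy allow-engineering match source-address any
set security policies from-zone trust to-zone untrust policy allow-engineering match destination-address any
set security policies from-zone trust to-zone untrust policy allow-engineering match application any
set security policies from-zone trust to-zone untrust policy allow-engineering match source-identity "example.net\engineering"
set security policies from-zone trust to-zone untrust policy allow-engineering then permit

# Step 6: the Active Directory table keeps its default position (125), so it
# is consulted after local authentication (100) and before user role
# firewall (150) and UAC (200). Priority 0 would drop it from the search.
set security user-identification authentication-source active-directory-authentication-table priority 125
```

Commit, then run the operational-mode checks in the Verification section below: the domain controller status should show connected, and once a domain user logs on to a Windows workstation, its IP address should appear in the active-directory-authentication-table output with the groups that policy allow-engineering can match on.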

(Optional) Configuration of PKI and SSL Forward Proxy to Authenticate Users

Step-by-Step Procedure

Optionally, for non-domain users, you can configure public key infrastructure (PKI) so that the captive portal and SSL forward proxy can present certificates to clients. PKI covers the digital certificates issued by a certificate authority (CA), their validity periods and expiration dates, the details of the certificate owner and issuer, and the security policies that reference them.

For any non-domain user or domain user on a non-domain machine, the administrator specifies a captive portal to force the user to do firewall authentication (if the SRX Series device supports captive portal for the traffic type). After the user enters a name and password and passes firewall authentication, the SRX Series device gets firewall authentication user/group information and can enforce the user firewall policy to control the user accordingly. In addition to captive portal, if the IP address or user information is not available from the event log, the user can again log in to the Windows PC to generate an event log entry. Then the system generates the user’s authentication entry accordingly.

To enable the SRX Series device to authenticate users who are browsing over HTTPS, the SSL forward proxy must be configured and enabled. You need to generate a local certificate, add an SSL termination profile, add an SSL proxy profile, and reference the SSL proxy profile in the security policy. If the SSL forward proxy is not enabled, the SRX Series device cannot authenticate users who are using HTTPS, but for users who are using HTTP, FTP, and Telnet, the authentication is performed as expected.

To generate PKI and enable SSL forward proxy, perform the following steps:

  1. Generate a PKI public/private key pair for a local digital certificate.
  2. Manually generate a self-signed certificate for the given distinguished name.
  3. Define the SSL termination profile to be used for SSL termination services, referencing the generated certificate. This option is available only on SRX5400, SRX5600, and SRX5800 devices.
  4. Configure the loaded certificate as root-ca in the SSL proxy profile. This option is available only on SRX5400, SRX5600, and SRX5800 devices.
  5. Specify the ignore-server-auth-failure option if you do not want to import the entire CA list and you do not want dropped sessions. Be aware that this option makes the proxy accept any server certificate, so clients behind it lose the warning they would otherwise get for a forged or expired certificate; loading the CA list is the safer choice. This option is available only on SRX5400, SRX5600, and SRX5800 devices.
  6. Add an SSL termination profile into security policies. This option is available only on SRX5400, SRX5600, and SRX5800 devices.
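The PKI and SSL forward proxy steps above as concrete commands. This is an added example, not the page's own configuration: the certificate ID ssl-inspect-ca, the subject and domain name srx.example.net, the profile names webauth-term and ssl-inspect, the access profile profile1 and the zones trust and untrust are assumptions. Lines beginning with # are annotations; remove them before use.

```junos
# Steps 1 and 2 are operational-mode request commands (run them before
# entering configuration mode). add-ca-constraint marks the self-signed
# certificate as a CA so the proxy can use it to re-sign server
# certificates; every client behind the proxy must trust this certificate.
request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa
request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name srx.example.net subject "CN=srx.example.net,OU=Security,O=Example,C=US" email security-admin@example.net add-ca-constraint

# Step 3: the termination profile is what the captive portal presents to
# the browser when it answers an intercepted HTTPS request.
set services ssl termination profile webauth-term server-certificate ssl-inspect-ca

# Steps 4 and 5: the forward proxy profile. ignore-server-auth-failure
# keeps sessions alive when the real server's certificate cannot be
# validated, at the cost of hiding certificate errors from users. Omit it
# and load the trusted CA list if you can.
set services ssl proxy profile ssl-inspect root-ca ssl-inspect-ca
set services ssl proxy profile ssl-inspect actions ignore-server-auth-failure

# Step 6: the captive portal policy for HTTPS traffic references both the
# termination profile and the proxy profile.
set security policies from-zone trust to-zone untrust policy captive-portal-https match source-address any
set security policies from-zone trust to-zone untrust policy captive-portal-https match destination-address any
set security policies from-zone trust to-zone untrust policy captive-portal-https match application junos-https
set security policies from-zone trust to-zone untrust policy captive-portal-https match source-identity unauthenticated-user
set security policies from-zone trust to-zone untrust policy captive-portal-https match source-identity unknown-user
set security policies from-zone trust to-zone untrust policy captive-portal-https then permit firewall-authentication user-firewall access-profile profile1
set security policies from-zone trust to-zone untrust policy captive-portal-https then permit firewall-authentication user-firewall ssl-termination-profile webauth-term
set security policies from-zone trust to-zone untrust policy captive-portal-https then permit application-services ssl-proxy profile-name ssl-inspect
```

Export the ssl-inspect-ca certificate and distribute it to the clients' trust stores; without that, every intercepted HTTPS site shows a certificate warning, which trains users to click through warnings and defeats the point of the check.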

Results

From configuration mode, confirm your integrated user firewall configuration by entering the show services user-identification active-directory-access command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your policy configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your access profile configuration by entering the show access profile profile1 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Connectivity to a Domain Controller

Purpose

Verify that at least one domain controller is configured and connected.

Action

From operational mode, enter the show services user-identification active-directory-access domain-controller status command.

Meaning

The domain controller is shown to be connected or disconnected.

Verifying the LDAP Server

Purpose

Verify that the LDAP server is providing user-to-group mapping information.

Action

From operational mode, enter the show services user-identification active-directory-access user-group-mapping status command.

Meaning

The LDAP server address, port number, and status are displayed.

Verifying Authentication Table Entries

Purpose

See which groups users belong to and the users, groups, and IP addresses in a domain.

Action

From operational mode, enter the show services user-identification active-directory-access active-directory-authentication-table all command.

Meaning

The IP addresses, usernames, and groups are displayed for each domain.

Verifying IP-to-User Mapping

Purpose

Verify that the event log is being scanned.

Action

From operational mode, enter the show services user-identification active-directory-access statistics ip-user-mapping command.

Meaning

The counts of the queries and failed queries are displayed.

Verifying IP Probe Counts

Purpose

Verify that IP probes are occurring.

Action

From operational mode, enter the show services user-identification active-directory-access statistics ip-user-probe command.

Meaning

The counts of the IP probes and failed IP probes are displayed.

Verifying User-to-Group Mapping Queries

Purpose

Verify that user-to-group mappings are being queried.

Action

From operational mode, enter the show services user-identification active-directory-access statistics user-group-mapping command.

Meaning

The counts of the queries and failed queries are displayed.

Configuring Integrated User Firewall on NFX Devices

In a typical scenario for the integrated user firewall feature, domain users want to access the Internet through an NFX device. The device reads and analyzes the event log of the domain controllers configured in the domain. Thus, the device detects domain users on an Active Directory domain controller. Active Directory domain generates an authentication table as the Active Directory authentication source for the integrated user firewall. The device uses this information to enforce the policy to achieve user-based or group-based access control.

When a new user is created in Active Directory (AD), the user is added to the global security group Primary Group which is by default Domain Users. The Primary Group is less specific than other groups created in AD because all users belong to it. Also, it can become very large.

You cannot use the Primary Group, whether by its default name of Domain Users or any other name, if you changed it, in integrated user firewall configurations.

To establish a Windows Active Directory domain and to configure another security policy:

  1. Configure the LDAP base distinguished name.
  2. Configure a domain name, the username and password of the domain, and the name and IP address of the domain controller in the domain.
  3. Configure a second policy to enable a specific user.

    When you specify a source identity in a policies statement, prepend the domain name and a backslash to the group name or username. Enclose the combination in quotation marks.

  4. Set the Active Directory authentication table as the authentication source for integrated user firewall information retrieval and specify the sequence in which user information tables are checked.

To verify that the configuration is working properly:

  1. Verify that at least one domain controller is configured and connected by entering the show services user-identification active-directory-access domain-controller status command.

  2. Verify that the LDAP server is providing user-to-group mapping information by entering the show services user-identification active-directory-access user-group-mapping status command.

  3. Verify the authentication table entries by entering the show services user-identification active-directory-access active-directory-authentication-table all command. The IP addresses, usernames, and groups are displayed for each domain.

  4. Verify IP-to-user mapping by entering the show services user-identification active-directory-access statistics ip-user-mapping command. The counts of the queries and failed queries are displayed.

  5. Verify that IP probes are occurring by entering the show services user-identification active-directory-access statistics ip-user-probe command.

  6. Verify that user-to-group mappings are being queried by entering the show services user-identification active-directory-access statistics user-group-mapping command.

Example: Configuring Integrated User Firewall on SRX Series devices to Use Web-Redirect for Unauthenticated and Unknown Users

This example shows how to use web-redirect to redirect unauthenticated users and unknown users to the authentication page over HTTP.

Requirements

This example uses the following hardware and software components:

  • One SRX Series device

  • Junos OS Release 15.1X49-D70 or later for SRX Series devices

No special configuration beyond device initialization is required before configuring this feature.

Overview

The fwauth process, using the access profile referenced in the policy, redirects web-redirect requests for pass-through traffic to the HTTP webauth page served by the J-Web httpd server. Once authentication succeeds, fwauth creates a firewall authentication entry that the user firewall then uses.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure the integrated user firewall to use web-redirect for unauthenticated users requesting access to HTTP-based resources:

  1. Enable Web-management support for HTTP traffic.
  2. Configure interfaces and assign IP addresses. Enable Web authentication on ge-0/0/1 interface.
  3. Configure a security policy that specifies unauthenticated-user and unknown-user as the source-identity.

    Starting with Junos OS 17.4R1, you can assign IPv6 addresses in addition to IPv4 addresses when you configure source addresses. To match IPv6 sources, set the source address to any or any-ipv6 at the [edit security policies from-zone trust to-zone untrust policy policy-name match source-address] hierarchy level.

  4. Configure the security policy to permit firewall authentication of a user firewall with web-redirect as the action and to specify a preconfigured access profile for the user.
  5. Configure a security policy that specifies the domain name.
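The five steps above as a complete configuration. This is an added example, not the page's quick configuration: the interface address 198.51.100.1/24, the domain example.net, the policy name and the zones trust and untrust are assumptions; profile1 is the access profile the page's Results section refers to and must already exist. Lines beginning with # are annotations; remove them before pasting.

```junos
# Step 1: the internal httpd that serves the authentication page, over HTTP.
set system services web-management http

# Step 2: the client-facing interface. web-authentication http makes the
# address answer redirected browsers on port 80.
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24 web-authentication http

# Steps 3 to 5: match only identities that have no authentication entry,
# with source-address any so the identity decides the match, and redirect
# them to the portal. Only HTTP can be redirected this way, so the
# application is junos-http, not any.
set security policies from-zone trust to-zone untrust policy redirect-http match source-address any
set security policies from-zone trust to-zone untrust policy redirect-http match destination-address any
set security policies from-zone trust to-zone untrust policy redirect-http match application junos-http
set security policies from-zone trust to-zone untrust policy redirect-http match source-identity unauthenticated-user
set security policies from-zone trust to-zone untrust policy redirect-http match source-identity unknown-user
set security policies from-zone trust to-zone untrust policy redirect-http then permit firewall-authentication user-firewall access-profile profile1
set security policies from-zone trust to-zone untrust policy redirect-http then permit firewall-authentication user-firewall domain example.net
set security policies from-zone trust to-zone untrust policy redirect-http then permit firewall-authentication user-firewall web-redirect
```

With this configuration the username and password travel to the SRX Series device in clear text, as the next example points out; use it only where the client-to-firewall segment is trusted, and prefer web-redirect-to-https otherwise.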

Results

From configuration mode, confirm your configuration by entering the show system services command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your interface configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your policy configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verify the Configuration.

Purpose

Verify that the configuration is correct.

Action

From operational mode, enter the show security policies command.



Sample Output

user@host> show security policies
Default policy: permit-all
From zone: PCzone, To zone: Tunnelzone
  Policy: p1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: junos-ftp, junos-tftp, junos-dns-tcp, junos-dns-udp
    Action: permit

Meaning

The output lists the configured security policies, including the one that permits firewall authentication of a user firewall with web-redirect as the action.

Example: Configuring Integrated User Firewall on SRX Series devices to Use Web-Redirect-to-HTTPS to Authenticate Unauthenticated and Unknown Users

This example shows how to use web-redirect-to-https for unauthenticated and unknown users attempting to access an HTTPS site to enable them to authenticate through the SRX Series device’s internal webauth server.

You can also use web-redirect-to-https to authenticate users attempting to access an HTTP site, although that is not shown in this example.

Requirements

This example uses the following hardware and software components:

  • One SRX Series device

  • Junos OS Release 15.1X49-D70 or later for SRX Series devices

Overview

The web-redirect-to-https feature allows you to securely authenticate unknown and unauthenticated users attempting to access either HTTP or HTTPS resources by redirecting the user's browser to the internal HTTPS webauth server on the SRX Series device for authentication. That is, the webauth server sends a response to the client system redirecting its browser to connect to the webauth server over HTTPS for user authentication. The redirect response is sent out of the interface on which the client's request arrived. HTTPS, in this case, secures the authentication process, not the user's traffic.

After the user has been authenticated, a message is displayed to inform the user about the successful authentication. The browser is redirected to launch the user’s original destination URL, whether to an HTTP or HTTPS site, without requiring the user to retype that URL. The following message is displayed:

If the user’s target resource is to an HTTPS URL, for this process to succeed the configuration must include an SSL termination profile that is referenced in the applicable security policy. An SSL termination profile is not required if the target is an HTTP URL.

Use of this feature allows for a richer user login experience. For example, instead of a pop-up prompt asking the user to enter a user name and password, users are presented with the login page in a browser. Use of web-redirect-to-https has the same effect as if the user had typed the Web authentication IP address into the browser. In that sense, web-redirect-to-https provides a seamless authentication experience; the user does not need to know the IP address of the Web authentication server, only the address of the resource they are attempting to access.

For integrated user firewall, the security policy configuration statement includes the source-identity tuple, which allows you to specify a category of users to whom the security policy applies, in this case unauthenticated and unknown users. Specifying “any” as the value of the source-address tuple allows the source-identity tuple value to control the match.

For security reasons, it is recommended that you use web-redirect-to-https for authentication instead of web-redirect, which is also supported. The web-redirect feature uses HTTP for the authentication exchange, so the user name and password are sent in the clear and can be read by anyone on the path between the client and the SRX Series device.

This example assumes that the user is attempting to access an HTTPS resource such as https://mymailsite.com.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure web-redirect-to-https for unauthenticated users or unknown users requesting access to HTTPS-based resources, perform the following steps.

  1. Enable Web-management support for HTTPS traffic.

    Note that this example applies to HTTPS user traffic, but web-redirect-to-https authentication is also supported for unauthenticated and unknown users whose traffic is destined to an HTTP URL, although that scenario is not shown here. In that case, an SSL termination profile is not required.

  2. Configure interfaces and assign IP addresses. Enable Web authentication on ge-0/0/1 interface.
  3. Configure a security policy that specifies unauthenticated-user and unknown-user as the source-identity tuple values.

    Starting with Junos OS 17.4R1, you can assign IPv6 addresses in addition to IPv4 addresses when you configure source addresses. To match IPv6 sources, set the source address to any or any-ipv6 at the [edit security policies from-zone trust to-zone untrust policy policy-name match source-address] hierarchy level.

  4. Configure the security policy to permit firewall authentication of a user firewall with web-redirect-to-https as the action and that specifies a preconfigured access profile for the user.
  5. Configure the domain name for the security policy.
  6. Configure the security policy to reference the SSL termination profile to be used.

    If you have an existing appropriate SSL termination profile that provides the services needed for your implementation, you can use it. Otherwise, follow Step 7 to create one.

  7. Specify the profile to be used for SSL termination services.
  8. Define the TLS type for the access profile's LDAP connection so that it uses StartTLS.
  9. Configure the peer host name to be authenticated.
  10. Specify the timeout value on the TLS handshake. You can enter 3 through 90 seconds.
  11. Specify TLS version (v1.1 and v1.2 are supported) as the minimum protocol version enabled in connections.
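The eleven steps above as a complete configuration. This is an added example, not the page's quick configuration: the interface address 198.51.100.1/24, the domain example.net, the certificate ID webauth-cert, the profile name webauth-term, the LDAP server name dc1.example.net, the policy name and the zones trust and untrust are assumptions; profile1 is the access profile the page refers to. The server certificate referenced by the termination profile must already be present in the PKI store (a self-signed one can be generated with request security pki local-certificate generate-self-signed). Lines beginning with # are annotations; remove them before pasting.

```junos
# Step 1: the internal webauth server over HTTPS. With
# system-generated-certificate the device issues its own certificate for
# the management service; browsers will warn about it unless it is trusted.
set system services web-management https system-generated-certificate

# Step 2: the client-facing interface answers redirected browsers on 443.
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24 web-authentication https

# Steps 3 to 6: unauthenticated and unknown identities going to HTTPS sites
# are redirected to the portal over HTTPS. The termination profile is what
# lets the device answer the intercepted HTTPS request with its own
# certificate before the redirect.
set security policies from-zone trust to-zone untrust policy redirect-https match source-address any
set security policies from-zone trust to-zone untrust policy redirect-https match destination-address any
set security policies from-zone trust to-zone untrust policy redirect-https match application junos-https
set security policies from-zone trust to-zone untrust policy redirect-https match source-identity unauthenticated-user
set security policies from-zone trust to-zone untrust policy redirect-https match source-identity unknown-user
set security policies from-zone trust to-zone untrust policy redirect-https then permit firewall-authentication user-firewall access-profile profile1
set security policies from-zone trust to-zone untrust policy redirect-https then permit firewall-authentication user-firewall domain example.net
set security policies from-zone trust to-zone untrust policy redirect-https then permit firewall-authentication user-firewall web-redirect-to-https
set security policies from-zone trust to-zone untrust policy redirect-https then permit firewall-authentication user-firewall ssl-termination-profile webauth-term

# Step 7: the termination profile and the certificate it presents.
set services ssl termination profile webauth-term server-certificate webauth-cert

# Steps 8 to 11: the LDAP side of the access profile. StartTLS, the peer
# name the server certificate must carry, a 10-second handshake timeout
# (the allowed range is 3 through 90) and TLS 1.2 as the minimum version.
set access profile profile1 ldap-options tls-type start-tls
set access profile profile1 ldap-options tls-peer-name dc1.example.net
set access profile profile1 ldap-options tls-timeout 10
set access profile profile1 ldap-options tls-min-version v1.2
```

Two certificates are in play here and should not be confused: the one the termination profile presents to the user's browser, which needs to be trusted by the clients, and the one the LDAP server presents to the SRX Series device, which tls-peer-name checks. Leaving no-tls-certificate-check off keeps the second check in force.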

Results

From configuration mode, confirm your configuration by entering the show system services command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your SSL termination profile configuration by entering the show services ssl command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your interface configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your policy configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

From configuration mode, confirm your access profile configuration by entering the show access profile profile1 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.