Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

User Authentication for Logical Systems

 

User authentication for logical systems enables to define firewall users and create policies that require the users to authenticate themselves through one of two authentication schemes: pass-through authentication or web authentication. For more information, see the following topics:

Example: Configuring Access Profiles (Master Administrators Only)

The master administrator is responsible for configuring access profiles in the master logical system. This example shows how to configure access profiles.

Requirements

Before you begin:

Overview

This example configures an access profile for LDAP authentication for logical system users. This example creates the access profile described in Table 1.

Note

The master administrator creates the access profile.

Table 1: Access Profile Configuration

Name

Configuration Parameters

ldap1

  • LDAP is used as the first (and only) authentication method.

  • Base distinguished name:

    • Organizational unit name (OU): people

    • Domain components (DC): example, com

  • A user’s LDAP distinguished name is assembled through the use of a common name identifier, username, and base distinguished name. The common name identifier is user ID (UID).

  • The LDAP server address is 10.155.26.104 and is reached through port 389.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Note

You must be logged in as the master administrator.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure an access profile in the master logical system:

  1. Log in to the master logical system as the master administrator and enter configuration mode.
  2. Configure an access profile and set the authentication order.
  3. Configure LDAP options.
  4. Configure the LDAP server.

Results

From configuration mode, confirm your configuration by entering the show access profile profile-name command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Example: Configuring Security Features for the Master Logical Systems

This example shows how to configure security features, such as zones, policies, and firewall authentication, for the master logical system.

Requirements

Before you begin:

Overview

In this example, you configure security features for the master logical system, called root-logical-system, shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System. This example configures the security features described in Table 2.

Table 2: root-logical-system Security Feature Configuration

Feature

Name

Configuration Parameter

Zones

ls-root-trust

Bind to interface ge-0/0/4.0.

ls-root-untrust

Bind to interface lt-0/0/0.1

Address books

root-internal

  • Address masters: 12.12.1.0/24

  • Attach to zone ls-root-trust

root-external

  • Address design: 12.1.1.0/24

  • Address accounting: 14.1.1.0/24

  • Address marketing: 13.1.1.0/24

  • Address set userlsys: design, accounting, marketing

  • Attach to zone ls-root-untrust

Security policies

permit-to-userlsys

Permit the following traffic:

  • From zone: ls-root-trust

  • To zone: ls-root-untrust

  • Source address: masters

  • Destination address: userlsys

  • Application: any

permit-authorized-users

Permit the following traffic:

  • From zone: ls-root-untrust

  • To zone: ls-root-trust

  • Source address: userlsys

  • Destination address: masters

  • Application: junos-http, junos-https

Firewall authentication

  • Web authentication

  • Authentication success banner “WEB AUTH LOGIN SUCCESS”

  • Default access profile ldap1

HTTP daemon

Activate on interface ge-0/0/4.0

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure zones and policies for the master logical system:

  1. Log in to the master logical system as the master administrator and enter configuration mode.
  2. Create security zones and assign interfaces to each zone.
  3. Create address book entries.
  4. Attach address books to zones.
  5. Configure a security policy that permits traffic from the ls-root-trust zone to the ls-root-untrust zone.
  6. Configure a security policy that authenticates traffic from the ls-root-untrust zone to the ls-root-trust zone.
  7. Configure the Web authentication access profile and define a success banner.
  8. Activate the HTTP daemon on the device.

Results

From configuration mode, confirm your configuration by entering the show security, show access, and show system services commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Policy Configuration

Purpose

Verify information about policies and rules.

Action

From operational mode, enter the show security policies detail command to display a summary of all policies configured on the logical system.

Understanding Logical System Firewall Authentication

A firewall user is a network user who must provide a username and password for authentication when initiating a connection across the firewall. Junos OS enables administrators to restrict and permit firewall users to access protected resources (different zones) behind a firewall based on their source IP address and other credentials.

The master administrator is responsible for configuring access profiles in the master logical system. Access profiles store usernames and passwords of users or point to external authentication servers where such information is stored. Access profiles configured at the master logical system are available to all user logical systems.

The master administrator configures the maximum and reserved numbers of firewall authentications for each user logical system. The user logical system administrator can then create firewall authentications in the user logical system. From a user logical system, the user logical system administrator can use the show system security-profile auth-entry command to view the number of authentication resources allocated to the user logical system.

To configure the access profile, the master administrator uses the profile configuration statement at the [edit access] hierarchy level in the master logical system. The access profile can also include the order of authentication methods, LDAP or RADIUS server options, and session options.

The user logical system administrator can then associate the access profile with a security policy in the user logical system. The user logical system administrator also specifies the type of authentication:

  • With pass-through authentication, a host or a user from one zone tries to access resources on another zone using an FTP, a telnet, or an HTTP client. The device uses FTP, Telnet, or HTTP to collect username and password information, and subsequent traffic from the user or host is allowed or denied based on the result of this authentication.

  • With Web authentication, users use HTTP to connect to an IP address on the device that is enabled for Web authentication and are prompted for the username and password. Subsequent traffic from the user or host to the protected resource is allowed or denied based on the result of this authentication.

The user logical system administrator configures the following properties for firewall authentication in the user logical system:

  • Security policy that specifies firewall authentication for matching traffic. Firewall authentication is specified with the firewall-authentication configuration statement at the [edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit] hierarchy level.

    Users or user groups in an access profile who are allowed access by the policy can optionally be specified with the client-match configuration statement. (If no users or user groups are specified, any user who is successfully authenticated is allowed access.)

    For pass-through authentication, the access profile can optionally be specified and Web redirect (redirecting the client system to a webpage for authentication) can be enabled.

  • Type of authentication (pass-through or Web authentication), default access profile, and success banner for the FTP, Telnet, or HTTP session. These properties are configured with the firewall-authentication configuration statement at the [edit access] hierarchy level.

  • Host inbound traffic. Protocols, services, or both are allowed to access the logical system. The types of traffic are configured with the host-inbound-traffic configuration statement at the [edit security zones security-zone zone-name] or [edit security zones security-zone zone-name interfaces interface-name] hierarchy levels.

From a user logical system, the user logical system administrator can use the show security firewall-authentication users or show security firewall-authentication history commands to view the information about firewall users and history for the user logical system. From the master logical system, the master administrator can use the same commands to view information for the master logical system, a specific user logical system, or all logical systems.

Example: Configuring Firewall Authentication for a User Logical System

This example shows how to configure firewall authentication for a user logical system.

Requirements

Before you begin:

  • Log in to the user logical system as the logical system administrator. See User Logical Systems Configuration Overview.

  • Use the show system security-profiles auth-entry command to see the firewall authentication entries allocated to the logical system.

  • Access profiles must be configured in the master logical system by the master administrator.

Overview

This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

In this example, users in the ls-marketing-dept and ls-accounting-dept logical systems are required to authenticate when initiating certain connections to the product designers subnet. This example configures the firewall authentication described in Table 3.

Note

This example uses the access profile configured and address book entries configured in Example: Configuring Security Zones for a User Logical Systems.

Table 3: User Logical System Firewall Authentication Configuration

Feature

Name

Configuration Parameters

Security policy

permit-authorized-users

Note: Policy lookup is performed in the order that the policies are configured. The first policy that matches the traffic is used. If you have previously configured a policy that permits traffic for the same from-zone, to-zone, source address, and destination address but with application any, the policy configured in this example would never be matched. (See Example: Configuring Security Policies in a User Logical Systems.) Therefore, this policy should be reordered so that it is checked first.

Permit firewall authentication for the following traffic:

  • From zone: ls-product-design-untrust

  • To zone: ls-product-design-trust

  • Source address: otherlsys

  • Destination address: product-engineers

  • Application: junos-h323

The ldap1 access profile is used for pass-through authentication.

Firewall authentication

  • Pass-through authentication

  • HTTP login prompt “welcome”

  • Default access profile ldap1

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure firewall authentication in a user logical system:

  1. Log in to the user logical system as the logical system administrator and enter configuration mode.
  2. Configure a security policy that permits firewall authentication.
  3. Reorder the security policies.
  4. Configure firewall authentication.

Results

From configuration mode, confirm your configuration by entering the show security policies and show access firewall-authentication commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Firewall User Authentication and Monitoring Users and IP Addresses

Purpose

Display firewall authentication user history and verify the number of firewall users who successfully authenticated and firewall users who failed to log in.

Action

From operational mode, enter these show commands.

Understanding Integrated User Firewall support in a Logical System

Starting in Junos OS Release 18.3R1, the support for authentication sources is extended to include Local authentication, Active Directory (AD) authentication, and firewall authentication in addition to the existing support for authentication sources Juniper Identity Management Service (JIMS) and ClearPass authentication.

Starting in Junos OS Release 18.2R1, the support for user firewall authentication is enhanced using a shared model. In this model, user logical systems share user firewall configuration and authentication entries with the master logical system and the integrated user firewall authentication is supported in a user logical system.

In the shared model, user firewall related configuration is configured under master logical system, such as authentication source, authentication source priority, authentication entries timeout, and IP query or Individual query and so on. The user firewall provides user information service for an application in the SRX Series device, such as policy and logging. Traffic from a user logical system queries authentication tables from the master logical system.

The authentication tables are managed by a master logical system. The user logical systems share the authentication tables. Traffic from the master logical system and the user logical systems query the same authentication table. User logical systems enable the use of the source-identity in security policy.

For example, if the master logical system is configured with employee and the user logical system is configured with the source-identity manager, then the reference group of this authentication entry includes employee and manager. This reference group contains the same authentication entries from master logical system and user logical system.

Starting in Junos OS Release 19.3R1, support for user firewall authentication is enhanced by using a customized model through integrated JIMS with active mode. In this model, the logical system extracts the authentication entries from the root level. The master logical system is configured to the JIMS server based on the logical system and tenant system name. In active mode the SRX series device actively queries the authenticaton entries received from the JIMS server through HTTPs protocol. To reduce the data exchange, firewall filters are applied.

The user firewall uses the logical system name as a diffrentiator and is consistent between the JIMS server and SRX series device. The JIMS server sends the diffrentiator which is included in the authentication entry. The authentication entries are distributed into the root logical system, when the diffrentiator is set as default for master logical system.

The user firewall support In-service software upgrade (ISSU) for logical systems, as user firewall changes the internal database table format from Junos OS Release 19.2R1 onwards. Prior to Junos OS Release 19.2R1, the ISSU is not supported for logical systems.

Limitation of Using User Firewall Authentication

Using user firewall authentication on tenant systems has the following limitation:

  • The authentication entries are collected by the JIMS server based on the IP address from the customer network. If the IP addresses overlap, then the authentication entry changes when users login under different user logical systems.

Limitation of Using User Firewall Authentication in Customized Model on Logical Systems

Using user firewall authentication in customized model on logical systems has the following limitation:

  • The JIMS server configurations to be configured under the root logical systems.

  • The logical system name should be consistent and unique between the JIMS server and the SRX series device.

Example: Configuring Integrated User Firewall Identification Management for a User Logical System

This example shows how to configure the SRX Series device's advanced query feature for obtaining user identity information from the Juniper Identity Management Service (JIMS) and the security policy to match the source identity for a user logical system. In the root logical system, user firewall is configured with JIMS, and then the root logical system manages all of authentication entries coming from JIMS. In this example, all of user logical systems share their authentication entries with the root logical system.

Requirements

This example uses the following hardware and software components:

  • SRX1500 devices operating in chassis clustering

  • JIMS server

  • Junos OS Release 18.2 R1

Before you begin:

Overview

In this example, you can configure JIMS with HTTPs connection on port 443 and primary server with IPv4 address on master logical system, policy p1 with source-identity "group1" of dc0 domain on logical system lsys1, policy p1 with source-identity "group1" of dc0 domain on logical system lsys2, and send traffic from and through logical system lsys1 to logical system lsys2. You can view the authentication entries on master logical system and user logical systems (lsys1 and lsys2) even after rebooting the primary node.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring user firewall identification management

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure user firewall identification management:

  1. Log in to the master logical system as the master administrator and enter configuration mode.
  2. Create logical systems.
  3. Configure a security policy lsys1_policy1 with source-identity group1 on logical system lsys1 that permits traffic from lsys1_trust to lsys1_trust.
  4. Configure a security policy lsys1_policy2 that permits traffic from lsys1_trust to lsys1_untrust.
  5. Configure a security policy lsys1_policy3 that permits traffic from lsys1_untrust to lsys1_trust.
  6. Configure security zone and assign interfaces to each zone.
  7. Configure a security policy lsys2_policy1 with source-identity group1 that permits traffic from lsys2_untrust to lsys2_untrust on lsys2.
  8. Configure security zones and assign interfaces to each zone on lsys2.
  9. Configure JIMS as the authentication source for advanced query requests with the primary address. The SRX Series device requires this information to contact the server.
  10. Configure security policies and zones on master logical system.
  11. Configure security zones and assign interfaces to each zone on master logical system.

Results

From configuration mode, confirm your configuration by entering the show services user-identification identity-management show chassis cluster command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform the below tasks:

Verifying chassis cluster status and authentication entries

Purpose

To verify authentication entries in a logical system.

Action

To verify the configuration is working properly, enter the show services user-identification authentication-table authentication-source identity-management logical-system all command.

user@host> show services user-identification authentication-table authentication-source identity-management logical-system all

Meaning

The output displays the authentication entries that are shared from user logical system to root logical system.

Verifying chassis cluster status

Purpose

Verify chassis cluster status after rebooting the primary node.

Action

To verify the configuration is working properly, enter the show chassis cluster status command.

user@host> show chassis cluster status

Meaning

The output displays user identification management session existing on lsys1 and lsys2 after rebooting the primary node.

Example: Configure Integrated User Firewall in Customized Model for Logical System

This example shows how to configure the integrated user firewall by using a customized model through the Juniper Identity Management Service (JIMS) server with active mode for a logical system. The master logical systems does not share the authentication entries with the logical system. The SRX series device queries the authentication entries received from the JIMS server through HTTPs protocol in active mode.

In this example following configurations are performed:

  • Active JIMS Server Configuration

  • Logical System IP Query Configuration

  • Logical System Authentication Entry Configuration

  • Logical System Security Policy Configuration

Requirements

This example uses the following hardware and software components:

  • JIMS server version 2.0

  • Junos OS Release 19.3R1

Before you begin, be sure you have following information:

  • The IP address of the JIMS server.

  • The port number on the JIMS server for receiving HTTPs requests.

  • The client ID from the JIMS server for active query server.

  • The client secret from the JIMS server for active query server.

Overview

In this example, you can configure JIMS with HTTPs connection on port 443 and primary server with IPv4 address on the master logical system, policy p2 with source-identity group1 on logical system LSYS1.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring Integrated User Firewall in Customized Model:

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configuring Integrated User Firewall in Customized Model:

  1. Configure JIMS as the authentication source for advanced query requests with the primary address. The SRX Series device requires this information to contact the server.
  2. Configure the IP query delay time for LSYS1.
  3. Configure the authentication entry attributes for LSYS1.
  4. Configure the security policy p2 that permits traffic from-zone untrust to-zone trust for LSYS1.

Results

From configuration mode, confirm your configuration by entering the show services user-identification logical-domain-identity-management and show logical-systems LSYS1 commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the User Identification Identity Management status

Purpose

Verify the user identification status for identity-management as the authentication source.

Action

To verify the configuration is working properly, enter the show services user-identification logical-domain-identity-management status command.

user@host>show services user-identification logical-domain-identity-management status

Meaning

The output displays the statistical data about the advanced user query function batch queries and IP queries, or show status on the Juniper Identity Management Service servers.

Verifying the User Identification Identity Management status counters

Purpose

Verify the user identification counters for identity-management as the authentication source.

Action

To verify the configuration is working properly, enter the show services user-identification logical-domain-identity-management counters command.

user@host>show services user-identification logical-domain-identity-management counters

Meaning

The output displays the statistical data about the advanced user query function batch queries and IP queries, or show counters on the Juniper Identity Management Service servers.

Verifying the User Identification Authentication Table

Purpose

Verify the user identity information authentication table entries for the specified authentication source.

Action

To verify the configuration is working properly, enter the show services user-identification authentication-table authentication-source all logical-system LSYS1 command.

user@host>show services user-identification authentication-table authentication-source all logical-system LSYS1

Meaning

The output displays the entire content of the specified authentication source’s authentication table, or a specific domain, group, or user based on the user name. Display the identity information for a user based on the IP address of the user’s device.

Release History Table
Release
Description
Starting in Junos OS Release 19.3R1, support for user firewall authentication is enhanced by using a customized model through integrated JIMS with active mode.
Starting in Junos OS Release 18.3R1, the support for authentication sources is extended to include Local authentication, Active Directory (AD) authentication, and firewall authentication in addition to the existing support for authentication sources Juniper Identity Management Service (JIMS) and ClearPass authentication.
Starting in Junos OS Release 18.2R1, the support for user firewall authentication is enhanced using a shared model. In this model, user logical systems share user firewall configuration and authentication entries with the master logical system and the integrated user firewall authentication is supported in a user logical system.