    Example: Configuring Web Authentication

    This example shows how to enable Web authentication and set up a policy that allows access to a user when traffic encounters a policy that has Web authentication enabled.

    Requirements

    Before you begin:

    Overview

    To enable Web authentication, you mark one address of the device as the one that hosts the Web authentication HTTP session (the web-authentication http statement under the interface address). A firewall user who wants to reach a protected resource can then authenticate by browsing directly to that address before sending traffic. The following instructions show how to set up a policy (P1) that allows access to the FWClient1 user when traffic encounters a policy that has Web authentication enabled. (See Figure 1.) In this example, FWClient1 has already authenticated through the Web authentication login page.

    The FWClient1 firewall user does the following to get authenticated:

    1. Points the browser to the Web authentication address (20.20.20.3, the ge-0/0/1 address configured with web-authentication http) and logs in
    2. Starts traffic to access resources specified by policy P1

    Figure 1: Web Authentication Example

    When you configure the device as described in these instructions and the user successfully authenticates, the screen illustrated in Figure 2 appears.

    Figure 2: Web Authentication Success Banner

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24
    set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.3/24 web-authentication http
    set interfaces fe-5/0/0 unit 0 family inet address 30.30.30.1/24
    set access profile WEBAUTH client FWClient1 firewall-user password pwd
    set access firewall-authentication web-authentication default-profile WEBAUTH
    set access firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"
    set security zones security-zone UT-ZONE host-inbound-traffic system-services all
    set security zones security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
    set security zones security-zone T-ZONE host-inbound-traffic system-services all
    set security zones security-zone T-ZONE interfaces fe-5/0/0.0 host-inbound-traffic protocols all
    set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any
    set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match destination-address any
    set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match application any
    set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication web-authentication client-match FWClient1
    set system services web-management http interface ge-0/0/1.0

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure Web authentication:

    1. Configure two interfaces and assign IP addresses to them.

      Note: Assigning two addresses to ge-0/0/1 is optional for this example; the web-authentication http statement can be attached to a single address. Whichever address carries the statement (20.20.20.3 here) is the one users browse to for the login page.

      [edit]
      user@host# set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24
      user@host# set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.3/24 web-authentication http
      user@host# set interfaces fe-5/0/0 unit 0 family inet address 30.30.30.1/24
    2. Create the WEBAUTH access profile for the FWClient1 user, specify the user’s password, make WEBAUTH the default Web authentication profile, and define a success banner.

      Note: pwd is a placeholder; use a strong password. Junos OS stores the password in the configuration as a $9$-obfuscated string that the device can decode, not as a one-way hash, so treat configuration files and backups as sensitive.

      [edit access]
      user@host# set profile WEBAUTH client FWClient1 firewall-user password pwd
      user@host# set firewall-authentication web-authentication default-profile WEBAUTH
      user@host# set firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"
    3. Configure security zones.

      Note: For this example, it is optional to configure a second interface for a security zone. Also, host-inbound-traffic system-services all admits every management service (SSH, Telnet, FTP, and so on) from the zone's interfaces; on an untrusted zone such as UT-ZONE, restrict this to what the zone actually needs, for example system-services http for the Web authentication login page.

      [edit security zones]
      user@host# set security-zone UT-ZONE host-inbound-traffic system-services all
      user@host# set security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
      user@host# set security-zone T-ZONE host-inbound-traffic system-services all
      user@host# set security-zone T-ZONE interfaces fe-5/0/0.0 host-inbound-traffic protocols all
    4. Assign security policy P1 to the security zones.
      [edit security policies]
      user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any
      user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match destination-address any
      user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match application any
      user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication web-authentication client-match FWClient1
    5. Activate the HTTP daemon on your device.

      Note: With http, the login form and the user's password cross the network in cleartext. Where clients can validate the device's certificate, use web-authentication https on the interface address and web-management https instead.

      [edit]
      user@host# set system services web-management http interface ge-0/0/1.0
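
    The five steps above are easy to get subtly wrong: a zone can reference a logical interface that was never configured (the interface is then simply absent from the zone and policy P1 never sees the traffic), and the permissive defaults (system-services all, plain http) are easy to carry into production. The following script is an added example, not Juniper code and not part of this documentation: it lints a pasted list of set commands for exactly those problems. CONFIG is a constructed copy of the commands in this example, with the ge-5/0/0.0 versus fe-5/0/0 mismatch left in; FIXED is the same list with that name corrected and system-services narrowed to http. The finding texts and the checks themselves are this editor's.

```python
"""Lint a Junos 'set' command list for the Web authentication example (added example)."""
import re
from collections import defaultdict

# Constructed input: the page's quick configuration, trimmed to the statements
# the checks inspect. Note the ge-5/0/0.0 / fe-5/0/0 mismatch in T-ZONE.
CONFIG = """
set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24
set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.3/24 web-authentication http
set interfaces fe-5/0/0 unit 0 family inet address 30.30.30.1/24
set access profile WEBAUTH client FWClient1 firewall-user password pwd
set access firewall-authentication web-authentication default-profile WEBAUTH
set security zones security-zone UT-ZONE host-inbound-traffic system-services all
set security zones security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
set security zones security-zone T-ZONE host-inbound-traffic system-services all
set security zones security-zone T-ZONE interfaces ge-5/0/0.0 host-inbound-traffic protocols all
set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication web-authentication client-match FWClient1
set system services web-management http interface ge-0/0/1.0
"""

# The same list with the zone interface corrected and host-inbound services narrowed.
FIXED = (CONFIG.replace("ge-5/0/0.0", "fe-5/0/0.0")
               .replace("system-services all", "system-services http"))

IFL_RE = re.compile(r"^set interfaces (\S+) unit (\d+) ")
WEBAUTH_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+) web-authentication (http|https)")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
ZONE_SVC_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)")
WEBMGMT_RE = re.compile(r"^set system services web-management (http|https) interface (\S+)")


def parse_set_commands(text):
    """Return the 'set ...' lines of a pasted configuration, stripped."""
    return [line.strip() for line in text.splitlines() if line.strip().startswith("set ")]


def defined_ifls(cmds):
    """Logical interfaces (ifd.unit) that have any configuration at all."""
    ifls = set()
    for c in cmds:
        m = IFL_RE.match(c)
        if m:
            ifls.add(f"{m.group(1)}.{m.group(2)}")
    return ifls


def zone_interfaces(cmds):
    """Map zone name -> set of logical interfaces the zone claims."""
    zones = defaultdict(set)
    for c in cmds:
        m = ZONE_IF_RE.match(c)
        if m:
            zones[m.group(1)].add(m.group(2))
    return zones


def lint(cmds):
    """Return a list of finding strings; an empty list means no check fired."""
    findings = []
    ifls = defined_ifls(cmds)
    # 1. A zone that names an unconfigured interface is effectively empty, so the
    #    policy between the zones never matches the traffic it was written for.
    for zone, members in sorted(zone_interfaces(cmds).items()):
        for ifl in sorted(members):
            if ifl not in ifls:
                findings.append(f"{zone}: interface {ifl} is not configured under [edit interfaces]")
    # 2. 'system-services all' exposes every management service to the zone.
    for c in cmds:
        m = ZONE_SVC_RE.match(c)
        if m and m.group(2) == "all":
            findings.append(f"{m.group(1)}: host-inbound-traffic system-services all; "
                            "restrict to the services needed (http/https for the login page)")
    # 3. Plain http carries the login form and the password in cleartext.
    for c in cmds:
        m = WEBAUTH_RE.match(c)
        if m and m.group(4) == "http":
            findings.append(f"{m.group(1)}.{m.group(2)} {m.group(3)}: web-authentication http (cleartext); prefer https")
        m = WEBMGMT_RE.match(c)
        if m and m.group(1) == "http":
            findings.append(f"web-management http on {m.group(2)}: cleartext; prefer https")
    return findings


if __name__ == "__main__":
    for label, text in (("page config", CONFIG), ("fixed config", FIXED)):
        print(f"== {label} ==")
        for finding in lint(parse_set_commands(text)):
            print("  -", finding)
```

    Run against the page's commands the script reports five findings (the missing fe-5/0/0.0 in T-ZONE, system-services all on both zones, and the two http statements); against FIXED only the two http findings remain, which is the expected residue when the device has no certificate configured for https.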

    Results

    From configuration mode, confirm your configuration by entering these commands:

    • show interfaces
    • show access
    • show security zones
    • show security policies
    • show system services

    If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

    user@host# show interfaces
    ...
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 20.20.20.1/24;
                address 20.20.20.3/24 {
                    web-authentication http;
                }
            }
        }
    }
    fe-5/0/0 {
        unit 0 {
            family inet {
                address 30.30.30.1/24;
            }
        }
    }
    ...
    
    
    user@host# show access
    profile WEBAUTH { 
        client FWClient1 {
            firewall-user {
                password "$9$XHhxVYGDkf5F"; ## SECRET-DATA
            }
        }
    }
    firewall-authentication { 
        web-authentication {
            default-profile WEBAUTH;
            banner {
                success "WEB AUTH LOGIN SUCCESS";
            }
        }
    }
    
    
    user@host# show security zones
    ...
    security-zone UT-ZONE { 
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0 {
                host-inbound-traffic {
                    protocols {
                        all;
                    }
                }
            }
        }
    }
    security-zone T-ZONE { 
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            fe-5/0/0.0 {
                host-inbound-traffic {
                    protocols {
                        all;
                    }
                }
            }
        }
    }
    
    
    user@host# show security policies
    ...
    from-zone UT-ZONE to-zone T-ZONE {
        policy P1 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    firewall-authentication {
                        web-authentication {
                            client-match FWClient1;
                        }
                    }
                }
            }
        }
    }
    
    user@host# show system services
    ...
    ftp;
    ssh;
    telnet;
    web-management {
        http {
            interface ge-0/0/1.0;
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform this task:

    Verifying Firewall User Authentication and Monitoring Users and IP Addresses in the Authentication Table

    Purpose

    Display firewall authentication user history and verify the number of firewall users who successfully authenticated and firewall users who failed to log in.

    Action

    From operational mode, enter these show commands:

    user@host> show security firewall-authentication history

    user@host> show security firewall-authentication history identifier 1

    user@host> show security firewall-authentication users

    user@host> show security firewall-authentication users identifier 3

    user@host> show security firewall-authentication history
    History of firewall authentication data:
    Authentications: 1
    Id  Source Ip    Date        Time      Duration  Status   User
    5   20.20.20.2   2010-04-24  01:08:57  0:10:30   Success  FWClient1
    
    
    user@host> show security firewall-authentication history identifier 1
    Username: FWClient1
    Source IP: 20.20.20.2
    Authentication state: Success
    Authentication method: Web-authentication 
    Access start date: 2010-10-12
    Access start time: 21:24:02
    Duration of user access: 0:00:24
    Source zone: N/A
    Destination zone: N/A
    Access profile: WEBAUTH
    Bytes sent by this user: 0
    Bytes received by this user: 2660
    
    user@host> show security firewall-authentication users
    Firewall authentication data:
    Total users in table: 1
    Id  Source Ip    Src zone  Dst zone  Profile  Age  Status   User
    4   20.20.20.2   N/A       N/A       WEBAUTH  1    Success  FWClient1
    
    user@host> show security firewall-authentication users identifier 3
    Username: FWClient1
    Source IP: 20.20.20.2
    Authentication state: Success
    Authentication method: Web-authentication 
    Age: 3
    Access time remaining: 9
    Source zone: N/A
    Destination zone: N/A
    Access profile: WEBAUTH
    Interface Name: ge-0/0/1.0
    Bytes sent by this user: 0
    Bytes received by this user: 1521
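
    The verification step asks you to count successful and failed logins and to see who is currently in the authentication table. The following script is an added example, not Juniper code and not part of this documentation: it parses the history and users tables as pasted from the CLI, counts outcomes per status, lists the sources behind failed attempts, and flags entries whose source address lies outside the subnet the firewall users are expected to come from. The sample text is constructed from this example's output with two extra history rows; the "Failed" status string, the 20.20.20.9 and 30.30.30.7 rows, and the choice of 20.20.20.0/24 as the expected client subnet are this editor's assumptions.

```python
"""Summarise 'show security firewall-authentication' tables (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample: the page's history row plus an assumed failed attempt and
# an assumed success from an address outside the client subnet.
HISTORY = """\
History of firewall authentication data:
Authentications: 3
Id  Source Ip    Date        Time      Duration  Status   User
5   20.20.20.2   2010-04-24  01:08:57  0:10:30   Success  FWClient1
6   20.20.20.9   2010-04-24  01:12:41  0:00:00   Failed   FWClient1
7   30.30.30.7   2010-04-24  01:15:03  0:02:10   Success  FWClient1
"""

# Constructed sample: the page's users table unchanged.
USERS = """\
Firewall authentication data:
Total users in table: 1
Id  Source Ip    Src zone  Dst zone  Profile  Age  Status   User
4   20.20.20.2   N/A       N/A       WEBAUTH  1    Success  FWClient1
"""

# Header and summary lines do not start with a numeric Id, so they never match.
HISTORY_ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<ip>\S+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d\d:\d\d:\d\d)"
    r"\s+(?P<duration>\S+)\s+(?P<status>\S+)\s+(?P<user>\S+)\s*$")
USERS_ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<ip>\S+)\s+(?P<src_zone>\S+)\s+(?P<dst_zone>\S+)"
    r"\s+(?P<profile>\S+)\s+(?P<age>\d+)\s+(?P<status>\S+)\s+(?P<user>\S+)\s*$")


def parse_rows(text, pattern):
    """Return one dict per table row that matches the given row pattern."""
    rows = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def status_counts(history_rows):
    """Number of history entries per Status value (e.g. Success, Failed)."""
    return Counter(r["status"] for r in history_rows)


def failed_sources(history_rows):
    """(source ip, user) pairs behind non-Success entries, deduplicated, in order seen."""
    seen = []
    for r in history_rows:
        if r["status"] != "Success":
            pair = (r["ip"], r["user"])
            if pair not in seen:
                seen.append(pair)
    return seen


def outside_subnet(rows, cidr):
    """Rows whose source address is not inside the expected client subnet."""
    net = ipaddress.ip_network(cidr)
    return [r for r in rows if ipaddress.ip_address(r["ip"]) not in net]


def active_users(users_rows):
    """Sorted (user, source ip) pairs currently authenticated in the users table."""
    return sorted({(r["user"], r["ip"]) for r in users_rows if r["status"] == "Success"})


if __name__ == "__main__":
    history = parse_rows(HISTORY, HISTORY_ROW)
    print("status counts:", dict(status_counts(history)))
    print("failed from:", failed_sources(history))
    print("outside 20.20.20.0/24:", [(r["id"], r["ip"]) for r in outside_subnet(history, "20.20.20.0/24")])
    print("active:", active_users(parse_rows(USERS, USERS_ROW)))
```

    The subnet check is the part worth keeping: with Web authentication the login page is reachable from any address that can route to 20.20.20.3 and that the UT-ZONE host-inbound settings admit, so an authentication from an address you did not expect is the first thing to look for in this history.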
    

    Published: 2012-06-29