
    Example: Configuring Firewall Authentication for a User Logical System

    This example shows how to configure firewall authentication for a user logical system.

    Requirements

    Before you begin:

    Overview

    This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System. In this example, users in the ls-marketing-dept and ls-accounting-dept logical systems are required to authenticate when initiating certain connections to the product designers subnet. This example configures the firewall authentication described in Table 1.

    Note: This example uses the access profile configured in Example: Configuring Access Profiles and the address book entries configured in Example: Configuring Zones for a User Logical System.

    Table 1: User Logical System Firewall Authentication Configuration

    Feature: Security policy
    Name: permit-authorized-users
    Configuration parameters:

      Note: Policy lookup is performed in the order that the policies are configured. The first policy that matches the traffic is used. If you have previously configured a policy that permits traffic for the same from zone, to zone, source address, and destination address but with application any, the policy configured in this example would never be matched. (See Example: Configuring Security Policies in a User Logical System.) Therefore, this policy should be reordered so that it is checked first.

      Permit firewall authentication for the following traffic:

      • From zone: ls-product-design-untrust
      • To zone: ls-product-design-trust
      • Source address: otherlsys
      • Destination address: product-engineers
      • Application: junos-h323

      The ldap1 access profile is used for pass-through authentication.

    Feature: Firewall authentication
    Configuration parameters:

      • Pass-through authentication
      • HTTP login prompt “welcome”
      • Default access profile ldap1

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users match source-address otherlsys
    set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users match destination-address product-designers
    set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users match application junos-h323
    set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users then permit firewall-authentication pass-through access-profile ldap1
    insert security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users before policy permit-all-from-otherlsys
    set access firewall-authentication pass-through default-profile ldap1
    set access firewall-authentication pass-through http banner login "welcome"

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure firewall authentication in a user logical system:

    1. Log in to the user logical system as the user logical system administrator and enter configuration mode.
      lsdesignadmin1@host:ls-product-design> configure
      lsdesignadmin1@host:ls-product-design#
    2. Configure a security policy that permits firewall authentication.
      [edit security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust]
      lsdesignadmin1@host:ls-product-design# set policy permit-authorized-users match source-address otherlsys
      lsdesignadmin1@host:ls-product-design# set policy permit-authorized-users match destination-address product-designers
      lsdesignadmin1@host:ls-product-design# set policy permit-authorized-users match application junos-h323
      lsdesignadmin1@host:ls-product-design# set policy permit-authorized-users then permit firewall-authentication pass-through access-profile ldap1
    3. Reorder the security policies.
      [edit]
      lsdesignadmin1@host:ls-product-design# insert security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users before policy permit-all-from-otherlsys
    4. Configure firewall authentication.
      [edit access firewall-authentication]
      lsdesignadmin1@host:ls-product-design# set pass-through default-profile ldap1
      lsdesignadmin1@host:ls-product-design# set pass-through http banner login "welcome"

    Results

    From configuration mode, confirm your configuration by entering the show security policies and show access firewall-authentication commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    lsdesignadmin1@host:ls-product-design# show security policies
    from-zone ls-product-design-untrust to-zone ls-product-design-trust {
        policy permit-authorized-users {
            match {
                source-address otherlsys;
                destination-address product-designers;
                application junos-h323;
            }
            then {
                permit {
                    firewall-authentication {
                        pass-through {
                            access-profile ldap1;
                        }
                    }
                }
            }
        }
        policy permit-all-from-otherlsys {
            match {
                source-address otherlsys;
                destination-address product-designers;
                application any;
            }
            then {
                permit;
            }
        }
    }
    lsdesignadmin1@host:ls-product-design# show access firewall-authentication
    pass-through {
        default-profile ldap1;
        http {
            banner {
                login welcome;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.
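    The ordering caveat noted in Table 1 can be checked mechanically before you commit. The following Python script is an added example, not part of the Junos documentation: it parses the policies as `show security policies | display set` prints them (a constructed sample, listed in the order they would have if the insert step were skipped), reproduces first-match lookup, and reports any policy that an earlier, broader policy shadows. It assumes one value per match field, as in this example.

```python
import re
from collections import OrderedDict

# Constructed sample: both policies of this example as "show security policies
# | display set" prints them if the "insert ... before" step is skipped.
SAMPLE = """
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-all-from-otherlsys match source-address otherlsys
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-all-from-otherlsys match destination-address product-designers
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-all-from-otherlsys match application any
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-all-from-otherlsys then permit
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users match source-address otherlsys
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users match destination-address product-designers
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users match application junos-h323
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users then permit firewall-authentication pass-through access-profile ldap1
"""
SET_LINE = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) "
                      r"policy (\S+) (?:match (\S+) (\S+)|then (.+))$")

def parse_policies(text):
    """Policies in configuration (= lookup) order; one value per match field."""
    policies = OrderedDict()
    for m in filter(None, map(SET_LINE.match, text.strip().splitlines())):
        pol = policies.setdefault(m.group(3), {"zones": m.group(1, 2), "match": {}, "then": ""})
        if m.group(4):
            pol["match"][m.group(4)] = m.group(5)
        else:
            pol["then"] = m.group(6)
    return policies

def covers(earlier, later):
    """True if every flow that 'later' matches is already caught by 'earlier'."""
    if earlier["zones"] != later["zones"]:
        return False
    for key in set(earlier["match"]) | set(later["match"]):
        ev = earlier["match"].get(key, "any")
        if ev != "any" and ev != later["match"].get(key, "any"):
            return False
    return True

def shadowed(policies):
    """Names of policies first-match lookup can never reach (e.g. a
    firewall-authentication policy placed after an 'application any' permit)."""
    seen, unreachable = [], []
    for name, pol in policies.items():
        if any(covers(prev, pol) for prev in seen):
            unreachable.append(name)
        seen.append(pol)
    return unreachable
```

    With the sample order, shadowed() names permit-authorized-users, meaning traffic would be permitted without authentication; after the insert step the list is empty.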

    Verification

    To confirm that the configuration is working properly, perform these tasks:

    Verifying Firewall User Authentication and Monitoring Users and IP Addresses

    Purpose

    Display firewall authentication user history. Verify the number of firewall users who successfully authenticated and those who failed to log in.

    Action

    From operational mode, enter these show commands.

    lsdesignadmin1@host:ls-product-design> show security firewall-authentication history
    lsdesignadmin1@host:ls-product-design> show security firewall-authentication history identifier id
    lsdesignadmin1@host:ls-product-design> show security firewall-authentication users
    lsdesignadmin1@host:ls-product-design> show security firewall-authentication users identifier id

    Published: 2012-06-29