외부 사용자 인증(CLI 절차)
개요
이 구성은 도메인 로그인과 동일한 사용자 이름 및 암호를 사용하고 방화벽 관리자와 상호 작용하지 않고도 자격 증명을 변경하거나 복구할 수 있기 때문에 더욱 안전합니다. 또한 암호를 자주 변경해야 하기 때문에 관리자의 워크로드도 줄어듭니다. 사용자 인증을 위해 이 구성을 사용하는 것이 좋습니다.
그림 1에 설명된 대로 인터페이스, 존 및 보안 정책을 포함하여 SRX 시리즈 디바이스의 기본 설정을 완료했다고 가정합니다.
사전 필수 요건에 대한 자세한 내용은 시스템 요구 사항을 참조하십시오.
SRX 시리즈 디바이스가 기본 시스템 생성 인증서 대신 서명된 인증서 또는 자체 서명 인증서를 사용하는지 확인해야 합니다. Juniper Secure Connect 구성을 시작하기 전에 다음 명령을 실행하여 인증서를 SRX 시리즈 디바이스에 바인딩해야 합니다.
user@host# set system services web-management https pki-local-certificate <cert_name>
예를 들어:
user@host# set system services web-management https pki-local-certificate SRX_Certificate
SRX_Certificate 있는 경우 CA 또는 자체 서명 인증서에서 얻은 인증서입니다.
CLI 빠른 구성
SRX 시리즈 디바이스에서 이 예제를 신속하게 구성하려면 다음 명령을 복사하여 텍스트 파일에 붙여넣고, 줄 바꿈을 제거하고, 네트워크 구성에 필요한 세부 정보를 변경한 다음[ 편집] 계층 수준에서 CLI에 명령을 복사하여 붙여넣습니다.
[edit] user@host# set security ike proposal JUNIPER_SECURE_CONNECT authentication-method pre-shared-keys set security ike proposal JUNIPER_SECURE_CONNECT dh-group group19 set security ike proposal JUNIPER_SECURE_CONNECT encryption-algorithm aes-256-gcm set security ike proposal JUNIPER_SECURE_CONNECT lifetime-seconds 28800 set security ike policy JUNIPER_SECURE_CONNECT mode aggressive set security ike policy JUNIPER_SECURE_CONNECT proposals JUNIPER_SECURE_CONNECT set security ike policy JUNIPER_SECURE_CONNECT pre-shared-key ascii-text "$9$yYJeMXVwgUjq7-jqmfn6rev" set security ike gateway JUNIPER_SECURE_CONNECT dynamic hostname ra.example.com set security ike gateway JUNIPER_SECURE_CONNECT dynamic ike-user-type group-ike-id set security ike gateway JUNIPER_SECURE_CONNECT ike-policy JUNIPER_SECURE_CONNECT set security ike gateway JUNIPER_SECURE_CONNECT dead-peer-detection optimized set security ike gateway JUNIPER_SECURE_CONNECT dead-peer-detection interval 10 set security ike gateway JUNIPER_SECURE_CONNECT dead-peer-detection threshold 5 set security ike gateway JUNIPER_SECURE_CONNECT version v1-only set security ike gateway JUNIPER_SECURE_CONNECT aaa access-profile Juniper_Secure_Connect set security ike gateway JUNIPER_SECURE_CONNECT tcp-encap-profile SSL-VPN set security ike gateway JUNIPER_SECURE_CONNECT external-interface ge-0/0/0 set security ike gateway JUNIPER_SECURE_CONNECT local-address 192.0.2.0 set security ipsec proposal JUNIPER_SECURE_CONNECT encryption-algorithm aes-256-gcm set security ipsec proposal JUNIPER_SECURE_CONNECT lifetime-seconds 3600 set security ipsec policy JUNIPER_SECURE_CONNECT perfect-forward-secrecy keys group19 set security ipsec policy JUNIPER_SECURE_CONNECT proposals JUNIPER_SECURE_CONNECT set security ipsec vpn JUNIPER_SECURE_CONNECT bind-interface st0.0 set security ipsec vpn JUNIPER_SECURE_CONNECT ike gateway JUNIPER_SECURE_CONNECT set security ipsec vpn JUNIPER_SECURE_CONNECT ike ipsec-policy JUNIPER_SECURE_CONNECT set security ipsec vpn JUNIPER_SECURE_CONNECT traffic-selector ts-1 local-ip 0.0.0.0/0 set security ipsec vpn JUNIPER_SECURE_CONNECT traffic-selector ts-1 remote-ip 0.0.0.0/0 set security remote-access profile ra.example.com ipsec-vpn JUNIPER_SECURE_CONNECT set security remote-access profile ra.example.com access-profile Juniper_Secure_Connect set security remote-access profile ra.example.com client-config JUNIPER_SECURE_CONNECT set security remote-access profile ra.example.com options multi-access set security remote-access client-config JUNIPER_SECURE_CONNECT connection-mode manual set security remote-access client-config JUNIPER_SECURE_CONNECT dead-peer-detection interval 60 set security remote-access client-config JUNIPER_SECURE_CONNECT dead-peer-detection threshold 5 set security remote-access default-profile ra.example.com set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet network 192.168.2.0/24 set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet range Range low 192.168.2.11 set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet range Range high 192.168.2.100 set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet xauth-attributes primary-dns 10.8.8.8/32 set access address-assignment pool Juniper_Secure_Connect_Addr-Pool family inet xauth-attributes primary-wins 192.168.4.10/32 set access profile Juniper_Secure_Connect authentication-order radius set access profile Juniper_Secure_Connect address-assignment pool Juniper_Secure_Connect_Addr-Pool set access profile Juniper_Secure_Connect radius-server 192.168.3.10 port 1812 set access profile Juniper_Secure_Connect radius-server 192.168.3.10 secret "$9$JSUi.QF/0BEP5BEcyW8ZUj" set access profile Juniper_Secure_Connect radius-server 192.168.3.10 timeout 5 set access profile Juniper_Secure_Connect radius-server 192.168.3.10 retry 3 set access firewall-authentication web-authentication default-profile Juniper_Secure_Connect set services ssl termination profile Juniper_SCC-SSL-Term-Profile server-certificate JUNIPER_SECURE_CONNECT(RSA) set security tcp-encap profile SSL-VPN ssl-profile Juniper_SCC-SSL-Term-Profile set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 match source-address any set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 match destination-address any set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 match application any set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 then permit set security policies from-zone trust to-zone VPN policy JUNIPER_SECURE_CONNECT-1 then log session-close set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 match source-address any set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 match destination-address any set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 match application any set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 then permit set security policies from-zone VPN to-zone trust policy JUNIPER_SECURE_CONNECT-2 then log session-close set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.0/24 set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.0/24 set interfaces st0 unit 0 family inet set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/0.0 set security zones security-zone vpn host-inbound-traffic system-services all set security zones security-zone vpn host-inbound-traffic protocols all set security zones security-zone VPN interface st0.0 set security zones security-zone vpn interfaces ge-0/0/1.0
단계별 절차
명령줄 인터페이스를 사용하여 VPN 설정을 구성하려면 다음을 수행합니다.
운영 모드에서 , show access
및 show services
명령을 입력show security
하여 구성을 확인합니다. 출력이 의도한 구성을 표시하지 않는 경우 이 예제의 구성 지침을 반복하여 수정합니다.
[edit] user@host> show security ike { proposal JUNIPER_SECURE_CONNECT { authentication-method pre-shared-keys; dh-group group19; encryption-algorithm aes-256-gcm; lifetime-seconds 28800; } policy JUNIPER_SECURE_CONNECT { mode aggressive; proposals JUNIPER_SECURE_CONNECT; pre-shared-key ascii-text "$9$oWZDk5Qnp0I.P0IEcvMaZU"; ## SECRET-DATA } gateway JUNIPER_SECURE_CONNECT { ike-policy JUNIPER_SECURE_CONNECT; dynamic { hostname ra.example.com; ike-user-type group-ike-id; } dead-peer-detection { optimized; interval 10; threshold 5; } external-interface ge-0/0/1; aaa { access-profile Juniper_Secure_Connect; } version v1-only; tcp-encap-profile SSL-VPN; } } ipsec { proposal JUNIPER_SECURE_CONNECT { encryption-algorithm aes-256-gcm; lifetime-seconds 3600; } policy JUNIPER_SECURE_CONNECT { perfect-forward-secrecy { keys group19; } proposals JUNIPER_SECURE_CONNECT; } vpn JUNIPER_SECURE_CONNECT { bind-interface st0.0; ike { gateway JUNIPER_SECURE_CONNECT; ipsec-policy JUNIPER_SECURE_CONNECT; } traffic-selector ts-1 { local-ip 0.0.0.0/0; remote-ip 0.0.0.0/0; } } } remote-access { profile ra.example.com { ipsec-vpn JUNIPER_SECURE_CONNECT; access-profile Juniper_Secure_Connect; client-config JUNIPER_SECURE_CONNECT; } client-config JUNIPER_SECURE_CONNECT { connection-mode manual; dead-peer-detection { interval 60; threshold 5; } } default-profile ra.example.com; } policies { from-zone trust to-zone VPN { policy JUNIPER_SECURE_CONNECT-1 { match { source-address any; destination-address any; application any; } then { permit; log { session-close; } } } } from-zone VPN to-zone trust { policy JUNIPER_SECURE_CONNECT-2 { match { source-address any; destination-address any; application any; } then { permit; log { session-close; } } } } } tcp-encap { profile SSL-VPN { ssl-profile Juniper_SCC-SSL-Term-Profile; } }
[edit] user@host> show access access { profile Juniper_Secure_Connect { authentication-order radius; address-assignment { pool Juniper_Secure_Connect_Addr-Pool; } radius-server { 192.168.3.10 { port 1812; secret "$9$JSUi.QF/0BEP5BEcyW8ZUj"; ## SECRET-DATA timeout 5; retry 3; } } } address-assignment { pool Juniper_Secure_Connect_Addr-Pool { family inet { network 192.168.2.0/24; range Range { low 192.168.2.11; high 192.168.2.100; } xauth-attributes { primary-dns 10.8.8.8/32; primary-wins 192.168.4.10/32; } } } } firewall-authentication { web-authentication { default-profile Juniper_Secure_Connect; } } }
[edit] user@host> show services ssl { termination { profile Juniper_SCC-SSL-Term-Profile { server-certificate JUNIPER_SECURE_CONNECT(RSA); } } }
이미 SSL 종료 프로파일과 연결할 서버 증명서가 있는지 확인합니다.
[edit] user@host> show interfaces ge-0/0/0 { unit 0 { family inet { address 192.0.2.0/24; } } } ge-0/0/1 { unit 0 { family inet { address 198.51.100.0/24; } } } st0 { unit 1 { family inet; } }
[edit] user@host> show security zones security-zone trust { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/0.0; } } security-zone vpn { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { st0.1; ge-0/0/1.0; } }
디바이스에서 기능 구성을 마치면 구성 모드에서 커밋을 입력합니다.