Hide Navigation Pane
Show Navigation Pane
Feedback
Download
SHA1
Example: Configuring Pass-Through Authentication
This example shows how to configure pass-through authentication for a firewall.
Requirements
Before you begin, define firewall users. See Firewall User Authentication Overview.
Overview
Pass-through firewall user authentication occurs when the client is trying to access a destination on another zone using FTP, Telnet, or HTTP. After authenticating successfully, the firewall acts as a proxy for an FTP, a Telnet, or an HTTP server so that it can first authenticate the user before allowing access to the actual FTP, Telnet, or HTTP server behind the firewall. Figure 33 shows the topology used in this example.
Figure 33: Configuring Pass-Through Firewall Authentication
Configuration
CLI Quick Configuration
To quickly configure pass-through authentication, copy the following commands and paste them into the CLI:
[edit]set interfaces ge-0/0/1 unit 0 family inet address
20.20.20.1/24set interfaces ge-5/0/0 unit 0 family inet address
30.30.30.1/24set access profile FWAUTH client FWClient1 firewall-user
password pwdset access firewall-authentication pass-through
default-profile FWAUTHset access firewall-authentication pass-through
telnet banner success "WELCOME TO JUNIPER TELNET SESSION"set security zones security-zone UT-ZONE host-inbound-traffic
system-services allset security zones security-zone UT-ZONE interfaces
ge-0/0/1.0 host-inbound-traffic protocols allset security zones security-zone T-ZONE host-inbound-traffic
system-services allset security zones security-zone T-ZONE interfaces
ge-5/0/0.0 host-inbound-traffic protocols allset security policies from-zone UT-ZONE to-zone
T-ZONE policy P1 match source-address anyset security policies from-zone UT-ZONE to-zone
T-ZONE policy P1 match destination-address anyset security policies from-zone UT-ZONE to-zone
T-ZONE policy P1 match application junos-telnetset security policies from-zone UT-ZONE to-zone
T-ZONE policy P1 then permit firewall-authentication pass-through
client-match FWClient1Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure pass-through authentication:
- Configure two interfaces and assign IP addresses
to them.
Note: For this example, it is optional to assign two addresses to the interfaces.
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24
user@host# set interfaces ge-5/0/0 unit 0 family inet address 30.30.30.1/24 - Create the FWAUTH access profile for
the FWClient1 user, specify the user’s password, and define
a success banner for Telnet sessions.[edit access]
user@host# set access profile FWAUTH client FWClient1 firewall-user password pwd
user@host# set firewall-authentication pass-through default-profile FWAUTH
user@host# set firewall-authentication pass-through telnet banner success "WELCOME TO JUNIPER TELNET SESSION" - Configure security zones.
Note: For this example, it is optional to configure a second interface for a security zone.
[edit security zones]
user@host# set security-zone UT-ZONE host-inbound-traffic system-services all
user@host# set security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
user@host# set security-zone T-ZONE host-inbound-traffic system-services all
user@host# set security-zone T-ZONE interfaces ge-5/0/0.0 host-inbound-traffic protocols all - Assign security policy P1 to the security
zones.[edit security policies]
user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any
user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match destination-address any
user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match application junos-telnet
user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication pass-through client-match FWClient1 - Use Telnet to authenticate the FWClient1
firewall user to host2.
regress@FWClient1# run telnet 30.30.30.2
Trying 30.30.30.2...
Connected to 30.30.30.2.
Escape character is '^]'.
Firewall User Authentication
Username: FWClient1
Password:***
WELCOME TO JUNIPER TELNET SESSION
Host1 (ttyp0)
login: regress
Password:
--- JUNOS 10.1R1.1 built 2009-10-12 13:30:18 UTC
%
Results
From configuration mode, confirm your configuration by entering these commands:
- show interfaces
- show access
- show security zones
- show security policies
If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
user@host# show interfaces...
}
ge-0/0/1 {
unit 0 {
family inet {
address 20.20.20.1/24;
}
}
}
ge-5/0/0 {
unit 0 {
family inet {
address 30.30.30.1/24;
}
}
}
...
user@host# show accessprofile FWAUTH {
authentication-order password;
client FWClient1 {
firewall-user {
password "$9$XHhxVYGDkf5F"; ## SECRET-DATA
}
}
}
firewall-authentication {
pass-through {
default-profile FWAUTH;
telnet {
banner {
success "WELCOME TO JUNIPER TELNET SESSION";
}
}
}
}
user@host# show security zones...
}
security-zone UT-ZONE {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
protocols {
all;
}
}
}
}
}
security-zone T-ZONE {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-5/0/0.0 {
host-inbound-traffic {
protocols {
all;
}
}
}
}
}
user@host# show security policies...
from-zone UT-ZONE to-zone T-ZONE {
policy P1 {
match {
source-address any;
destination-address any;
application junos-telnet;
}
then {
permit {
firewall-authentication {
pass-through {
client-match FWClient1;
}
}
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying Firewall User Authentication and Monitoring Users and IP Addresses in the Authentication Table
Purpose
Display firewall authentication user history and verify the number of firewall users who successfully authenticated and firewall users who failed to log in.
Action
From operational mode, enter these show commands:
user@host> show security firewall-authentication
historyuser@host> show security firewall-authentication
history identifier 1user@host> show security firewall-authentication
usersuser@host> show security firewall-authentication
users identifier 3For more information, see the Junos OS CLI Reference.
user@host> show security firewall-authentication
historyHistory of firewall authentication data: Authentications: 2 Id Source Ip Date Time Duration Status User 1 20.20.20.2 2010-10-12 21:24:02 0:00:24 Failed FWClient1 2 20.20.20.2 2010-10-12 21:24:48 0:00:22 Success FWClient1
user@host> show security firewall-authentication
history identifier 1Username: FWClient1 Source IP: 20.20.20.2 Authentication state: Success Authentication method: Pass-through using Telnet Access start date: 2010-10-12 Access start time: 21:24:02 Duration of user access: 0:00:24 Source zone: UT-ZONE Destination zone: T-ZONE Access profile: FWAUTH Bytes sent by this user: 0 Bytes received by this user: 2660
user@host> show security firewall-authentication
usersFirewall authentication data: Total users in table: 1 Id Source Ip Src zone Dst zone Profile Age Status User 4 20.20.20.2 UT-ZONE T-ZONE FWAUTH 1 Success FWClient1
user@host> show security firewall-authentication
users identifier 3Username: FWClient1 Source IP: 20.20.20.2 Authentication state: Success Authentication method: Pass-through using Telnet Age: 3 Access time remaining: 9 Source zone: UT-ZONE Destination zone: T-ZONE Access profile: FWAUTH Interface Name: ge-0/0/1.0 Bytes sent by this user: 0 Bytes received by this user: 1521
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Firewall User Authentication Overview
- Understanding Pass-Through Authentication
