Example: Configure Firewall User Authentication with Unified Policies
SUMMARY Read this example to understand how to configure pass-through authentication and web authentication in a unified policy to restrict or permit users to access network resources.
Overview
Firewall user authentication enables you to authenticate users before users can access network resources behind a firewall. When you've enabled firewall user authentication, a user must provide a username and password for authentication when initiating a connection across the firewall.
Starting in Junos OS Release 21.2R1, we support firewall user authentication with unified policies. Support is available for both pass-through authentication and Web authentication. Table 1 provides workflow for pass-through authentication and Web authentication methods.
| Firewall User Authentication Method | Workflow |
|---|---|
| Pass-Through Authentication with a Traditional Security Policy and a Unified Policy |
|
| Pass-Through Authentication with a Traditional Security Policy and a Unified Policy with Dynamic Application as "any" |
See Configuration of Pass-Through Authentication with Unified Policy. |
| Web Authentication with a Unified Policy |
See Configuration of Web Authentication with Unified Policy. |
Topology
Figure 1 shows the topology used in this example.
As shown in the topology, firewall users in the untrust zone need to access an external server (IP address 10.1.2.1) in the trust zone. The user authenticates with the security device before accessing the server. The device queries a local database to determine the authentication result. After successful authentication, the security device allows subsequent traffic from the same source IP address until the user's session times out and closes.
In this example, you'll configure the following functionality on the SRX Series Firewall:
-
Configure a user database that is local to the security device in an access profile. Add one or more clients within the profile, representing end users. The client-name represents the username. Enter the password for each user in plain-text format.
- Associate access profile with pass-through or Web firewall authentication methods. Set a customized banner for display to the end user.
- Configure security policy to allow or restrict traffic and apply firewall user authentication for the allowed traffic.
Requirements
This example uses the following hardware and software components:
- An SRX Series Firewall or vSRX Virtual Firewall
- Junos OS Release 21.2R1
Before You Begin:
- Install a valid application identification feature license on your SRX Series Firewall. See Installing and Verifying Licenses for an Application Signature Package.
- Install application signature database on the SRX Series Firewall. See Downloading and Installing the Junos OS Application Signature Package.
Configuration of Firewall User Authentication with Traditional Policy and Unified Policy
| Scenarios | Policies | Workflow When User Initiates a Session | Result |
|---|---|---|---|
| Authentication with traditional security policy and unknown user | Policy P1
|
|
Permits an unauthenticated user after a successful firewall user authentication. |
| Authentication with unified policy and an authenticated user | Policy P2
|
|
Permits an authenticated user without firewall user authentication. |
| Authentication with unified policy | Policy P3
|
|
Permits traffic with firewall user authentication. |
To redirect the traffic from an unauthenticated-user to a UAC captive portal for authentication, see Example: Configuring a User Role Firewall on an SRX Series Device.
CLI Quick Configuration
To quickly configure this example on your SRX Series Firewall, copy the following commands, paste them into a text file. Remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set services ssl termination profile ssl-a server-certificate SERVER-CERTIFICATE-1 set security policies from-zone untrust to-zone trust policy p1 match source-address any set security policies from-zone untrust to-zone trust policy p1 match destination-address any set security policies from-zone untrust to-zone trust policy p1 match application junos-http set security policies from-zone untrust to-zone trust policy p1 match application junos-https set security policies from-zone untrust to-zone trust policy p1 match source-identity unauthenticated-user set security policies from-zone untrust to-zone trust policy p1 match source-identity unknown-user set security policies from-zone untrust to-zone trust policy p1 then permit firewall-authentication user-firewall access-profile PROFILE-1 set security policies from-zone untrust to-zone trust policy p1 then permit firewall-authentication user-firewall ssl-termination-profile ssl-a set security policies from-zone untrust to-zone trust policy p1 then log session-init set security policies from-zone untrust to-zone trust policy p1 then log session-close set security policies from-zone untrust to-zone trust policy p2 match source-address any set security policies from-zone untrust to-zone trust policy p2 match destination-address any set security policies from-zone untrust to-zone trust policy p2 match application any set security policies from-zone untrust to-zone trust policy p2 match source-identity authenticated-user set security policies from-zone untrust to-zone trust policy p2 match dynamic-application junos:GOOGLE set security policies from-zone untrust to-zone trust policy p2 then permit set security policies from-zone untrust to-zone trust policy p3 match source-address any set security policies from-zone untrust to-zone trust policy p3 match destination-address any set security policies from-zone untrust to-zone trust policy p3 match application any set security policies from-zone untrust to-zone trust policy p3 match dynamic-application junos:YAHOO set security policies from-zone untrust to-zone trust policy p3 then permit firewall-authentication user-firewall access-profile PROFILE-1 set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.254/24 set access profile PROFILE-1 client CLIENT-1 client-group GROUP-1 set access profile PROFILE-1 client CLIENT-1 firewall-user password "$ABC123" set access profile PROFILE-1 client CLIENT-2 client-group GROUP-1 set access profile PROFILE-1 client CLIENT-2 firewall-user password "$ABC123" set access profile PROFILE-1 session-options client-idle-timeout 10 set access firewall-authentication pass-through default-profile PROFILE-1 set access firewall-authentication web-authentication default-profile PROFILE-1
Step-by-Step Procedure
-
Configure interfaces.
[edit] user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.254/24 user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.254/24
-
Create security zones and assign the interfaces.
[edit] user@host# set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all user@host# set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all user@host# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all user@host# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
-
Set up access profile and add user details.
[edit] user@host# set access profile PROFILE-1 client CLIENT-1 client-group GROUP-1 user@host# set access profile PROFILE-1 client CLIENT-1 firewall-user password "$9$2ngZjHkPQ39.PhrvLVb.P5Tz6" user@host# set access profile PROFILE-1 client CLIENT-2 client-group GROUP-1 user@host# set access profile PROFILE-1 client CLIENT-2 firewall-user password "$9$/Bv59pBIRSleWB17-ws4o" user@host# set access profile PROFILE-1 session-options client-idle-timeout 10
We've added two users CLIENT-1 and CLIENT-2 with passwords and assigned these users to client-group GROUP-1.
-
Configure authentication methods and assign the access profile.
[edit] user@host# set access firewall-authentication pass-through default-profile PROFILE-1 user@host# set access firewall-authentication web-authentication default-profile PROFILE-1
-
Configure an SSL termination profile.
[edit] user@host# set services ssl termination profile ssl-a server-certificate SERVER-CERTIFICATE-1
-
Configure a security policy to permit unauthenticated users with firewall user authentication.
[edit] user@host# set security policies from-zone untrust to-zone trust policy p1 match source-address any user@host# set security policies from-zone untrust to-zone trust policy p1 match destination-address any user@host# set security policies from-zone untrust to-zone trust policy p1 match application junos-http user@host# set security policies from-zone untrust to-zone trust policy p1 match application junos-https user@host# set security policies from-zone untrust to-zone trust policy p1 match source-identity unauthenticated-user user@host# set security policies from-zone untrust to-zone trust policy p1 match source-identity unknown-user user@host# set security policies from-zone untrust to-zone trust policy p1 match source-identity unknown-user user@host# set security policies from-zone untrust to-zone trust policy p1 then permit firewall-authentication user-firewall access-profile PROFILE-1 user@host# set security policies from-zone untrust to-zone trust policy p1 then permit firewall-authentication user-firewall ssl-termination-profile ssl-a user@host# set security policies from-zone untrust to-zone trust policy p1 then log session-init user@host# set security policies from-zone untrust to-zone trust policy p1 then log session-close
-
Configure a security policy to permit authenticated users without firewall user authentication.
[edit] user@host# set security policies from-zone untrust to-zone trust policy p2 match source-address any user@host# set security policies from-zone untrust to-zone trust policy p2 match destination-address any user@host# set security policies from-zone untrust to-zone trust policy p2 match application any user@host# set security policies from-zone untrust to-zone trust policy p2 match source-identity authenticated-user user@host# set security policies from-zone untrust to-zone trust policy p2 match dynamic-application junos:GOOGLE user@host# set security policies from-zone untrust to-zone trust policy p2 then permit
-
Configure a security policy to permit the traffic with firewall user authentication.
[edit] user@host# set security policies from-zone untrust to-zone trust policy p3 match source-address any user@host# set security policies from-zone untrust to-zone trust policy p3 match destination-address any user@host# set security policies from-zone untrust to-zone trust policy p3 match application any user@host# set security policies from-zone untrust to-zone trust policy p3 match dynamic-application junos:YAHOO user@host# set security policies from-zone untrust to-zone trust policy p3 then permit firewall-authentication user-firewall access-profile PROFILE-1 user@host#
- Add an entry to a local authentication table. Note that each entry must
include an IP address.
user@host> request security user-identification local-authentication-table add user-name CLIENT-1 ip-address 10.1.1.1
Results
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit ]user@host# show security policies
from-zone untrust to-zone trust {
policy p1 {
match {
source-address any;
destination-address any;
application [ junos-http junos-https ];
source-identity [ unauthenticated-user unknown-userset unknown-user ];
}
then {
permit {
firewall-authentication {
user-firewall {
access-profile PROFILE-1;
ssl-termination-profile ssl-a;
}
}
}
log {
session-init;
session-close;
}
}
}
policy p2 {
match {
source-address any;
destination-address any;
application any;
source-identity authenticated-user;
dynamic-application junos:GOOGLE;
}
then {
permit;
}
}
policy p3 {
match {
source-address any;
destination-address any;
application any;
dynamic-application junos:YAHOO;
}
then {
permit {
firewall-authentication {
user-firewall {
access-profile PROFILE-1;
}
}
}
}
}
}
user@host# show security zones
security-zone trust {
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
user@host# show interfaces
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 10.1.1.254/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.2.254/24;
}
}
}
[edit]
user@host# show access
profile PROFILE-1 {
client CLIENT-1 {
client-group GROUP-1;
firewall-user {
password "$9$2ngZjHkPQ39.PhrvLVb.P5Tz6"; ## SECRET-DATA
}
}
client CLIENT-2 {
client-group GROUP-1;
firewall-user {
password "$9$/Bv59pBIRSleWB17-ws4o"; ## SECRET-DATA
}
}
session-options {
client-idle-timeout 10;
}
}
firewall-authentication {
pass-through {
default-profile PROFILE-1;
web-authentication {
default-profile PROFILE-1;
}
}
If
you are done configuring the feature on your device, enter
commit from configuration mode.
Verifying Firewall User Authentication Is Working
To verify that the firewall user authentication is working, open a Web browser on the client machine. Access the server by entering the server IP address 10.1.2.1. The system prompts for the login and password details as shown in Figure 2.
After successfully entering the credentials, you can access the server.
Configuration of Pass-Through Authentication with Unified Policy
any. CLI Quick Configuration
To quickly configure this example on your SRX Series Firewall, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set services ssl termination profile ssl-a server-certificate SERVER-CERTIFICATE-1 set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.254/24 set security policies from-zone untrust to-zone trust policy p1 match source-address any set security policies from-zone untrust to-zone trust policy p1 match destination-address any set security policies from-zone untrust to-zone trust policy p1 match application any set security policies from-zone untrust to-zone trust policy p1 match dynamic-application any set security policies from-zone untrust to-zone trust policy p1 then permit firewall-authentication pass-through access-profile PROFILE-1 set security policies from-zone untrust to-zone trust policy p1 then permit firewall-authentication pass-through ssl-termination-profile ssl-a set security policies from-zone untrust to-zone trust policy p1 then log session-init set security policies from-zone untrust to-zone trust policy p1 then log session-close set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all set access profile PROFILE-1 client CLIENT-1 client-group GROUP-1 set access profile PROFILE-1 client CLIENT-1 firewall-user password "$9$2ngZjHkPQ39.PhrvLVb.P5Tz6" set access profile PROFILE-1 client CLIENT-2 client-group GROUP-1 set access profile PROFILE-1 client CLIENT-2 firewall-user password "$9$/Bv59pBIRSleWB17-ws4o" set access profile PROFILE-1 session-options client-idle-timeout 10 set access firewall-authentication pass-through default-profile PROFILE-1 set access firewall-authentication web-authentication default-profile PROFILE-1
Step-by-Step Procedure
-
Configure interfaces.
[edit] user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.254/24 user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.254/24
-
Define security zones and assign interfaces.
[edit] user@host# set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all user@host# set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all user@host# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all user@host# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
-
Set up access profile and add user details.
[edit] user@host# set access profile PROFILE-1 client CLIENT-1 client-group GROUP-1 user@host# set access profile PROFILE-1 client CLIENT-1 firewall-user password "$9$2ngZjHkPQ39.PhrvLVb.P5Tz6" user@host# set access profile PROFILE-1 client CLIENT-2 client-group GROUP-1 user@host# set access profile PROFILE-1 client CLIENT-2 firewall-user password "$9$/Bv59pBIRSleWB17-ws4o" user@host# set access profile PROFILE-1 session-options client-idle-timeout 10
We've added two users CLIENT-1 and CLIENT-2 with passwords and assigned the users to client-group GROUP-1.
-
Configure authentication methods and assign the access profile.
[edit] user@host# set access firewall-authentication pass-through default-profile PROFILE-1 user@host# set access firewall-authentication web-authentication default-profile PROFILE-1
-
Configure an SSL termination profile.
[edit] user@host# set services ssl termination profile ssl-a server-certificate SERVER-CERTIFICATE-1
-
Configure a security policy with dynamic application as
any.[edit] user@host# set security policies from-zone untrust to-zone trust policy p1 match source-address any user@host# set security policies from-zone untrust to-zone trust policy p1 match destination-address any user@host# set security policies from-zone untrust to-zone trust policy p1 match application any user@host# set security policies from-zone untrust to-zone trust policy p1 match dynamic-application any user@host# set security policies from-zone untrust to-zone trust policy p1 then permit firewall-authentication pass-through access-profile PROFILE-1 user@host# set security policies from-zone untrust to-zone trust policy p1 then permit firewall-authentication pass-through ssl-termination-profile ssl-a user@host# set security policies from-zone untrust to-zone trust policy p1 then log session-init user@host# set security policies from-zone untrust to-zone trust policy p1 then log session-close
Results
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]user@host# show security policies]
from-zone untrust to-zone trust {
policy p1 {
match {
source-address any;
destination-address any;
application any;
dynamic-application any;
}
then {
permit {
firewall-authentication {
pass-through {
access-profile PROFILE-1;
ssl-termination-profile ssl-a;
}
}
}
log {
session-init;
session-close;
}
}
}
}
[edit]
user@host# show security zones
security-zone trust {
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
[edit]
user@host# show interfaces
ge-0/0/0 {
unit 0 {
family inet {
address 10.1.1.254/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.2.254/24;
}
}
}
[edit]
user@host# show access
profile PROFILE-1 {
client CLIENT-1 {
client-group GROUP-1;
firewall-user {
password "$9$2ngZjHkPQ39.PhrvLVb.P5Tz6"; ## SECRET-DATA
}
}
client CLIENT-2 {
client-group GROUP-1;
firewall-user {
password "$9$/Bv59pBIRSleWB17-ws4o"; ## SECRET-DATA
}
}
session-options {
client-idle-timeout 10;
}
}
firewall-authentication {
pass-through {
default-profile PROFILE-1;
}
web-authentication {
default-profile PROFILE-1;
}
}
If
you are done configuring the feature on your device, enter
commit from configuration mode.
Verifying Pass-Through Authentication Is Working
To verify that firewall user authentication is working, open a Web browser on the client machine. Access the server by entering server IP address 10.1.2.1. The system prompts for login and password details as shown in Figure 3.
After successfully entering the credentials, you can access the server.
Configuration of Web Authentication with Unified Policy
CLI Quick Configuration
To quickly configure this example on your SRX Series Firewall, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set system services web-management http interface ge-0/0/0.0 set system services web-management https system-generated-certificate set system services web-management https interface ge-0/0/0.0 set security policies from-zone untrust to-zone trust policy p1 match source-address any set security policies from-zone untrust to-zone trust policy p1 match destination-address any set security policies from-zone untrust to-zone trust policy p1 match application junos-http set security policies from-zone untrust to-zone trust policy p1 match application junos-https set security policies from-zone untrust to-zone trust policy p1 match dynamic-application junos:HTTP set security policies from-zone untrust to-zone trust policy p1 match dynamic-application junos:SSH set security policies from-zone untrust to-zone trust policy p1 then permit firewall-authentication web-authentication set security policies from-zone untrust to-zone trust policy p1 then log session-init set security policies from-zone untrust to-zone trust policy p1 then log session-close set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.253/24 web-authentication http set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.253/24 web-authentication https set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.254/24 set access profile PROFILE-1 client CLIENT-1 client-group GROUP-1 set access profile PROFILE-1 client CLIENT-1 firewall-user password "$9$2ngZjHkPQ39.PhrvLVb.P5Tz6" set access profile PROFILE-1 client CLIENT-2 client-group GROUP-1 set access profile PROFILE-1 client CLIENT-2 firewall-user password "$9$/Bv59pBIRSleWB17-ws4o" set access profile PROFILE-1 session-options client-idle-timeout 10 set access firewall-authentication pass-through default-profile PROFILE-1 set access firewall-authentication web-authentication default-profile PROFILE-1 set access firewall-authentication web-authentication banner success "WELCOME to JUNIPER HTTP SESSION"
Step-by-Step Procedure
-
Create interfaces.
[edit] user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.254/24 user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.253/24 web-authentication http user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.253/24 web-authentication https user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.254/24
Use a secondary IP address for the Web authentication. In this example, we're using 10.1.1.253/24 for web authentication. Note that the secondary IP address must use the same subnet as primary IP address.
-
Create security zones and assign interfaces.
[edit] user@host# set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all user@host# set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all user@host# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all user@host# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
- Enable the interface for the Web
authentication.
[edit] user@host# set system services web-management http interface ge-0/0/0.0 user@host# set system services web-management https system-generated-certificate
-
Set up access profile and add user details.
[edit] user@host# set access profile PROFILE-1 client CLIENT-1 client-group GROUP-1 user@host# set access profile PROFILE-1 client CLIENT-1 firewall-user password "$9$2ngZjHkPQ39.PhrvLVb.P5Tz6" user@host# set access profile PROFILE-1 client CLIENT-2 client-group GROUP-1 user@host# set access profile PROFILE-1 client CLIENT-2 firewall-user password "$9$/Bv59pBIRSleWB17-ws4o" user@host# set access profile PROFILE-1 session-options client-idle-timeout 10
We've added two users CLIENT-1 and CLIENT-2 with passwords and assigned the users to client-group GROUP-1.
-
Configure Web authentication properties
[edit] user@host# set access firewall-authentication web-authentication default-profile PROFILE-1 user@host# set access firewall-authentication web-authentication banner success "WELCOME to JUNIPER HTTP SESSION"
-
Create a security policy with dynamic-application.
[edit] user@host# set security policies from-zone untrust to-zone trust policy p1 match source-address any user@host# set security policies from-zone untrust to-zone trust policy p1 match destination-address any user@host# set security policies from-zone untrust to-zone trust policy p1 match application junos-http user@host# set security policies from-zone untrust to-zone trust policy p1 match application junos-https user@host# set security policies from-zone untrust to-zone trust policy p1 match dynamic-application junos:HTTP user@host# set security policies from-zone untrust to-zone trust policy p1 then permit firewall-authentication web-authentication user@host# set security policies from-zone untrust to-zone trust policy p1 then log session-init user@host# set security policies from-zone untrust to-zone trust policy p1 then log session-close
Results
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]user@host# show security policies
from-zone untrust to-zone trust {
policy p1 {
match {
source-address any;
destination-address any;
application [ junos-http junos-https ];
dynamic-application [ junos:HTTP junos:SSH ];
}
then {
permit {
firewall-authentication {
web-authentication;
}
}
log {
session-init;
session-close;
}
}
}
}
[edit]
user@host# show security zones
security-zone trust {
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
[edit]
user@host# show interfaces
ge-0/0/0 {
unit 0 {
family inet {
address 10.1.1.254/24;
address 10.1.1.253/24 {
web-authentication {
http;
https;
}
}
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.2.254/24;
}
}
}
[edit]
user@host# show access
profile PROFILE-1 {
client CLIENT-1 {
client-group GROUP-1;
firewall-user {
password "$9$2ngZjHkPQ39.PhrvLVb.P5Tz6"; ## SECRET-DATA
}
}
client CLIENT-2 {
client-group GROUP-1;
firewall-user {
password "$9$/Bv59pBIRSleWB17-ws4o"; ## SECRET-DATA
}
}
session-options {
client-idle-timeout 10;
}
}
firewall-authentication {
pass-through {
default-profile PROFILE-1;
}
}
web-authentication {
default-profile PROFILE-1;
banner {
success "WELCOME to JUNIPER HTTP SESSION";
}
}
}
[edit]
user@host# show system services
ssh {
root-login allow;
}
web-management {
http {
interface [ fxp0.0 ge-0/0/0.0 ];
}
https {
system-generated-certificate;
interface [ fxp0.0 ge-0/0/0.0 ];
}
}
If
you are done configuring the feature on your device, enter
commit from configuration mode.
Verifying Web Authentication Is Working
To verify that Web authentication is working, open a Web browser on the client machine. First, access the security device using a Web browser. Use the IP address 10.1.1.253 which we've configured for Web authentication. The device prompts for a username and password as shown in Figure 4.
After successful authentication, the system displays the configured banner as shown in Figure 5, and you can get access to the server.
Verification
Monitoring Firewall Users
Purpose
Display firewall authentication user history to verify the firewall users details.
Action
From operational mode, enter these show commands:
user@host> show security firewall-authentication users
Firewall authentication data:
Total users in table: 1
Id Source Ip Src zone Dst zone Profile Age Status User
15 10.1.1.1 N/A N/A PROFILE- 1 Success CLIENT-2
user@host> show security firewall-authentication users identifier 16 Username: CLIENT-2 Source IP: 10.1.1.1 Authentication state: Success Authentication method: User-firewall using HTTP Age: 1 Access time remaining: 9 Lsys: root-logical-system Source zone: N/A Destination zone: N/A Access profile: PROFILE-1 Interface Name: ge-0/0/0.0 Bytes sent by this user: 56986 Bytes received by this user: 436401 Client-groups: GROUP-1
lab@vSRX-01> show security firewall-authentication users identifier 15 Username: CLIENT-2 Source IP: 10.1.1.1 Authentication state: Success Authentication method: Web-authentication using HTTP Age: 2 Access time remaining: 8 Lsys: root-logical-system Source zone: N/A Destination zone: N/A Access profile: PROFILE-1 Interface Name: ge-0/0/0.0 Bytes sent by this user: 0 Bytes received by this user: 0 Client-groups: GROUP-1
user@host> show security firewall-authentication history
History of firewall authentication data:
Authentications: 2
Id Source Ip Date Time Duration Status User
0 10.1.1.1 2021-05-12 06:44:26 0:00:59 Failed
14 10.1.1.1 2021-05-12 07:33:43 0:10:00 Success CLIENT-2
Meaning
Command output provides details such as logged in users, authentication method used, profile applied, login attempts and so on.
Verifying Security Policy Utilization Details
Purpose
Display the utility rate of security policies according to the number of hits received.
Action
From operational mode, enter these show commands:
user@host> show security policies hit-count Logical system: root-logical-system Index From zone To zone Name Policy count Action 1 untrust trust p2 2 Permit
Meaning
Command output provides details on the security policies applied on the traffic.