ON THIS PAGE
Configure User Authentication Methods
Pass-through authentication and web authentication are the two authenticating methods to authenticate the users.
Understanding Pass-Through Authentication
Pass-through user authentication is a form of active authentication; the user is prompted to enter a username and password when pass-through authentication is invoked. If the user’s identity is validated, the user is allowed to pass through the firewall and gain access to the requested resources.
When a user attempts to initiate an HTTP, an HTTPS, an FTP, or a Telnet connection request that has a policy requiring authentication, the device intercepts the request and prompts the user to enter a username and password. Depending on the configuration, the device validates the username and password by checking them against those stored in the local database or on an external authentication server.
If an external authentication server is used, after the user’s credentials are collected, they are processed through firewall user authentication. The following external authentication servers are supported:
RADIUS authentication and authorization (compatible with Juniper Steel-Belted Radius servers)
You can use an external RADIUS server if, in addition to authentication, you want to obtain authorization information about the user’s access right (what the user can do on the network).
LDAP authentication only (supports LDAP version 3, compatible with Windows AD)
SecurID authentication only (uses an RSA SecurID external authentication server)
A firewall user is a network user who must provide a username and password for authentication when initiating a connection across the firewall. You can put several user accounts together to form a user group, which you can store on the local database or on a RADIUS, an LDAP, or a SecurID server. When you reference an authentication user group and an external authentication server in a policy, the traffic matching the policy triggers an authentication check.
You use family inet to assign an IPv4 address. You use family inet6 to assign an IPv6 address. An interface can be configured with both an IPv4 and an IPv6 address. For the sake of brevity, these examples use IPv4 addresses only.
The steps in Figure 1 are as follows:
A client user sends an FTP, an HTTP, an HTTPS, or a Telnet packet to 198.51.100.9.
The device intercepts the packet, notes that its policy requires authentication from either the local database or an external authentication server, and buffers the packet.
The device prompts the user for login information through FTP, HTTP, HTTPS, or Telnet.
The user replies with a username and password.
The device either checks for an authentication user account on its local database or sends the login information to the external authentication server as specified in the policy.
Finding a valid match (or receiving notice of such a match from the external authentication server), the device informs the user that the login has been successful.
For HTTP, HTTPS, or Telnet traffic, the device forwards the packet from its buffer to its destination IP address, 198.51.100.9/24. However, for FTP traffic, after successful authentication, the device closes the session and the user must reconnect to the FTP server at IP address 198.51.100.9/24.
For security purposes, we recommend that you use web-redirect rather than direct pass-through authentication on security policies that you configure for HTTP pass-through authentication. The web browser may provide security by automatically including credentials for subsequent requests to the target web server.
After the device authenticates a user at a particular source IP address, it subsequently permits traffic—as specified in the policy requiring authentication through pass through—from any other user at that same address. This might be the case if the user originates traffic from behind a NAT device that changes all original source addresses to a single translated address.
The pass-through user authentication method is recommended in situations when security has a higher priority than convenience. This authentication method applies only to the session and child sessions matching the policy that triggered it. You can apply this method on Internet-facing links, if used with caution.
Example: Configuring Pass-Through Authentication
This example shows how to configure pass-through authentication to authenticate firewall users. A firewall user is a network user who must provide a username and password when initiating a connection across the firewall.
Pass-through authentication allows SRX Series administrators to restrict users who attempt to access a resource in another zone using FTP, Telnet, HTTP, or HTTPS. If the traffic matches a security policy whose action is pass-through authentication, the user is required to provide login information.
For HTTPS, to ensure security the HTTPS default certificate key size is 2048 bits. If you do not specify a certificate size, the default size is assumed.
Requirements
Before you begin, define firewall users. See Firewall User Authentication Overview.
This example uses the following hardware and software components:
SRX Series device
Firewall user’s system
Packet destination system
Overview
The pass-through authentication process is triggered when a client, referred to as a firewall user, attempts to initiate an FTP, a Telnet, or an HTTP session to access a resource in another zone. The SRX Series firewall acts as a proxy for an FTP, a Telnet, an HTTP, or an HTTPS server so that it can authenticate the firewall user before allowing the user access to the actual FTP, Telnet, or HTTP server behind the firewall.
If traffic generated from a connection request sent by a firewall user matches a security policy rule bidirectionally and that rule specifies pass-through firewall authentication as the action of its then clause, the SRX Series device requires the firewall user to authenticate to a Junos OS proxy server.
If the authentication is successful, subsequent traffic from the same source IP address is automatically allowed to pass through the SRX Series device if the traffic matches the security policy tuples.
Figure 2 shows the topology used in this example.
Although the topology shows use of an external server, it is not covered in the configuration. It is outside the scope of this example.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.35/24 set interfaces ge-5/0/0 unit 0 family inet address 192.0.2.1/24 set access profile FWAUTH client FWClient1 firewall-user password password set access firewall-authentication pass-through default-profile FWAUTH set access firewall-authentication pass-through telnet banner success "WELCOME TO JUNIPER TELNET SESSION" set security zones security-zone UT-ZONE host-inbound-traffic system-services all set security zones security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all set security zones security-zone T-ZONE host-inbound-traffic system-services all set security zones security-zone T-ZONE interfaces ge-5/0/0.0 host-inbound-traffic protocols all set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match destination-address any set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match application junos-telnet set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication pass-through client-match FWClient1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure pass-through authentication:
Configure two interfaces and assign IP addresses to them.
Note:For this example, it is optional to assign two addresses to the interfaces.
[edit] user@host# set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.35/24 user@host# set interfaces ge-5/0/0 unit 0 family inet address 192.0.2.1/24
Create the FWAUTH access profile for the FWClient1 user, specify the user’s password, and define a success banner for Telnet sessions.
[edit access] user@host# set access profile FWAUTH client FWClient1 firewall-user password pwd user@host# set firewall-authentication pass-through default-profile FWAUTH user@host# set firewall-authentication pass-through telnet banner success "WELCOME TO JUNIPER TELNET SESSION"
Configure security zones.
Note:For this example, it is optional to configure a second interface for a security zone.
[edit security zones] user@host# set security-zone UT-ZONE host-inbound-traffic system-services all user@host# set security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all user@host# set security-zone T-ZONE host-inbound-traffic system-services all user@host# set security-zone T-ZONE interfaces ge-5/0/0.0 host-inbound-traffic protocols all
Assign security policy P1 to the security zones.
[edit security policies] user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match destination-address any user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match application junos-telnet user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication pass-through client-match FWClient1
Use Telnet to authenticate the FWClient1 firewall user to host2.
user@FWClient1# run telnet 192.0.2.1/24 Trying 192.0.2.1/24... Connected to 192.0.2.1/24 Escape character is '^]'. Firewall User Authentication Username: FWClient1 Password:$ABC123 WELCOME TO JUNIPER TELNET SESSION Host1 (ttyp0) login: user Password: $ABC123 --- JUNOS 10.1R1.1 built 2009-10-12 13:30:18 UTC %
Results
From configuration mode, confirm your configuration by entering these commands.
show interfacesshow accessshow security zonesshow security policies
If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, the output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
user@host# show interfaces
ge-0/0/1 {
unit 0 {
family inet {
address 203.0.113.35;
}
}
}
ge-5/0/0 {
unit 0 {
family inet {
address 192.0.2.1/24;
}
}
}
...
user@host# show access
profile FWAUTH {
authentication-order password;
client FWClient1 {
firewall-user {
password "$ABC123"; ## SECRET-DATA
}
}
}
firewall-authentication {
pass-through {
default-profile FWAUTH;
telnet {
banner {
success "WELCOME TO JUNIPER TELNET SESSION";
}
}
}
}
user@host# show security zones
security-zone UT-ZONE {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
protocols {
all;
}
}
}
}
security-zone T-ZONE {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-5/0/0.0 {
host-inbound-traffic {
protocols {
all;
}
}
}
}
}
user@host# show security policies
...
from-zone UT-ZONE to-zone T-ZONE {
policy P1 {
match {
source-address any;
destination-address any;
application junos-telnet;
}
then {
permit {
firewall-authentication {
pass-through {
client-match FWClient1;
}
}
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying Firewall User Authentication and Monitoring Users and IP Addresses in the Authentication Table
Purpose
Display firewall authentication user history and verify the number of firewall users who successfully authenticated and the number of firewall users who failed to log in.
Action
From operational mode, enter these show commands:
user@host> show security firewall-authentication history History of firewall authentication data: Authentications: 2 Id Source Ip Date Time Duration Status User 1 203.0.113.12 2010-10-12 21:24:02 0:00:24 Failed FWClient1 2 203.0.113.12 2010-10-12 21:24:48 0:00:22 Success FWClient1
user@host> show security firewall-authentication history identifier 1 Username: FWClient1 Source IP: 203.0.113.12 Authentication state: Success Authentication method: Pass-through using Telnet Access start date: 2010-10-12 Access start time: 21:24:02 Duration of user access: 0:00:24 Source zone: UT-ZONE Destination zone: T-ZONE Access profile: FWAUTH Bytes sent by this user: 0 Bytes received by this user: 2660
user@host> show security firewall-authentication users Firewall authentication data: Total users in table: 1 Id Source Ip Src zone Dst zone Profile Age Status User 4 203.0.113.12 UT-ZONE T-ZONE FWAUTH 1 Success FWClient1
user@host> show security firewall-authentication users identifier 3 Username: FWClient1 Source IP: 203.0.113.12 Authentication state: Success Authentication method: Pass-through using Telnet Age: 3 Access time remaining: 9 Source zone: UT-ZONE Destination zone: T-ZONE Access profile: FWAUTH Interface Name: ge-0/0/1.0 Bytes sent by this user: 0 Bytes received by this user: 1521
Example: Configuring HTTPS Traffic to Trigger Pass-Through Authentication
This example shows how to configure HTTPS traffic to trigger pass-through authentication. HTTPS is more secure than HTTP, so it has become more popular and is more widely used.
Requirements
This example uses the following hardware and software components:
SRX Series device
Two PCs running Linux and Open SSL. One PC acts as a client and another as an HTTPS server. The two PCs are used to create key files and to send traffic.
Junos OS Release 12.1X44-D10 or later for SRX5400, SRX5600, and SRX5800 devices and Junos OS Release 15.1X49-D40 or later for vSRX, SRX300, SRX320, SRX340, SRX345, SRX380, SRX550M, and SRX1500 Services Gateways.
Starting in Junos OS Release 12.1X44-D10 and Junos OS Release 17.3R1, HTTPS-based authentication is introduced on SRX5400, SRX5600, and SRX5800 devices.
Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, HTTPS-based authentication is introduced on vSRX, SRX300, SRX320, SRX340, SRX345, SRX380, SRX550M, and SRX1500 Services Gateways.
Before you begin:
An SRX Series device has to decode HTTPS traffic to trigger pass-through authentication. Then, SSL termination proxy creates and installs a private key file and a certification file. The following list describes the steps to create and install a private key file and a certification key file.
If you have an official .crt file and .key file, then you can directly upload and install the files on the SRX Series device. If you do not have a .crt file and .key file, follow the procedure to create and install the files. Instructions specified in Step 1 and Step 2 must be run on a PC with Linux and OpenSSL installed. Instructions specified in Step 3 and Step 4 must be run in operational mode.
To create and install a private key file and a certification file:
On a PC create the .key file.
openssl genrsa -out /tmp/server.key 1024
On a PC, create the .crt file.
openssl req -new -x509 -days 365 -key /tmp/server.key -out /tmp/device.crt -subj "/C=CN/ST=BJ/L=BJ/O=JNPR/OU=CNRD/CN=203.0.113.11/emailAddress=device@mycompany.com"
Upload the .key and .crt files to an SRX Series device, and install the files on the device using the following command from operational mode:
user@host> request security pki local-certificate load filename /var/tmp/device.crt key /var/tmp/device.key certificate-id device
Overview
Firewall authentication initiates a secure connection to be established across two devices. A network user must provide a username and password for authentication when initiating a connection across the firewall. Firewall authentication supports HTTPS traffic for pass-through authentication. HTTPS can secure HTTP firewall authentication traffic between users and the SRX Series device.
HTTPS is the secure version of HTTP, the protocol over which data is sent between the user and the device that the user is connected to. All communications between the user and the connected devices are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.
In this example, HTTPS traffic is used to trigger pass-through authentication because HTTPS is more secure than HTTP. For HTTPS traffic to trigger pass-through authentication you must first configure the SSL termination profile.
Figure 3 shows an example of pass-through authentication using HTTPS traffic. In this example, a host or a user from an untrust zone tries to access resources on the trust zone. The SRX Series device uses HTTPS to collect the username and password information. Subsequent traffic from the host or user is allowed or denied based on the result of this authentication.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.12/24 set interfaces ge-1/0/0 unit 0 family inet address 203.0.113.1/24 set security policies from-zone trust to-zone untrust policy p1 match source-address any set security policies from-zone trust to-zone untrust policy p1 match destination-address any set security policies from-zone trust to-zone untrust policy p1 match application any set security policies from-zone trust to-zone untrust policy p1 then permit firewall-authentication pass-through access-profile local_pf set security policies from-zone trust to-zone untrust policy p1 then permit firewall-authentication pass-through ssl-termination-profile ssl_pf set security policies from-zone trust to-zone untrust policy p1 then log session-init set security policies from-zone trust to-zone untrust policy p1 then log session-close set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-1/0/0.0 host-inbound-traffic system-services all set security zones security-zone untrust interfaces ge-1/0/0.0 host-inbound-traffic protocols all set access profile local_pf client user1 firewall-user password <password> set access firewall-authentication pass-through default-profile local_pf set services ssl termination profile ssl_pf server-certificate device
Procedure
Step-by-Step Procedure
To configure HTTPS traffic to trigger pass-through authentication:
Configure interfaces and assign IP addresses.
[edit interfaces] user@host# set ge-0/0/0 unit 0 family inet address 192.0.2.12/24 user@host# set ge-1/0/0 unit 0 family inet address 203.0.113.1/24
Configure security policies to permit firewall authenticated traffic from zone trust to zone untrust.
[edit security policies] user@host# set from-zone trust to-zone untrust policy p1 then permit firewall-authentication pass-through access-profile local_pf user@host# set from-zone trust to-zone untrust policy p1 then permit firewall-authentication pass-through ssl-termination-profile ssl_pf
Specify a policy action to take when a packet matches the criteria.
[edit security policies] user@host# set from-zone trust to-zone untrust policy p1 match source-address any user@host# set from-zone trust to-zone untrust policy p1 match destination-address any user@host# set from-zone trust to-zone untrust policy p1 match application any user@host# set from-zone trust to-zone untrust policy p1 then log session-init user@host# set from-zone trust to-zone untrust policy p1 then log session-close
Configure security zones and assign interfaces.
[edit security zones] user@host# set security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols all user@host# set security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
Configure application services for zones.
[edit security zones] user@host# set security-zone trust host-inbound-traffic system-services all protocols all user@host# set security-zone untrust host-inbound-traffic system-services all protocols all
Create an access profile and configure the client as a firewall user and set the password.
[edit access] user@host# set profile local_pf client user1 firewall-user password <password>
Configure the type of firewall and the default profile name where the authentication settings are defined.
[edit access] user@host# set firewall-authentication pass-through default-profile local_pf
Configure the SSL termination profile and enter a local certificate identifier name.
[edit services] user@host# set ssl termination profile ssl_pf server-certificate device
Results
From configuration mode, confirm your configuration
by entering the show interfaces, show security policies, show security zones, show access, and show services ssl termination commands. If the output does
not display the intended configuration, repeat the configuration instructions
in this example to correct it.
user@host# show interfaces
...
interfaces
ge-0/0/0 {
unit 0 {
family inet {
address 192.0.2.12;
}
}
}
ge-1/0/0 {
unit 0 {
family inet {
address 203.0.113.1/24;
}
}
}
user@host# show security policies
...
policies
from-zone trust to-zone untrust {
policy p1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
firewall-authentication {
pass-through {
access-profile local_pf;
ssl-termination-profile ssl_pf;
}
}
}
log {
session-init;
session-close;
}
}
}
}
}
user@host# show security zones
...
zones {
security-zone trust {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
interfaces {
ge-1/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
user@host# show access
...
access {
profile local_pf {
client user1 {
firewall-user {
password password;
}
}
}
firewall-authentication {
pass-through {
default-profile local_pf;
}
}
user@host# show services ssl termination
...
services {
ssl {
termination {
profile ssl_pf {
server-certificate device;
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying the Configuration
Purpose
Verify that the configuration is correct.
Action
From operational mode, enter the show security
firewall-authentication users command for identifier 1.
user@host> show security firewall-authentication users identifier 1
Username: user1
Source IP: 203.0.113.1/24
Authentication state: Success
Authentication method: Pass-through using HTTPS
Age: 0
Access time remaining: 10
Lsys: root-logical-system
Source zone: trust
Destination zone: untrust
Access profile: local_pf
Interface Name: ge-0/0/0.0
Bytes sent by this user: 946
Bytes received by this user: 0
Meaning
The show security firewall-authentication users command displays the firewall authentication user information for
the specified identifier. If the output displays Pass-through using
HTTPS in the Authentication method field and Success in the Authentication
state field, then your configuration is correct.
Understanding Web Authentication
Web authentication is an alternative to pass-through user authentication. Instead of pointing to the resource that you want to connect to from your client browser, you point the browser to an IP address on the device that is enabled for Web authentication. This initiates an HTTP session to the IP address hosting the Web authentication feature on the device. The device then prompts you for your username and password and caches the result in the device. Later, when traffic encounters a Web authentication policy, you are allowed or denied access based on the prior Web authentication results, as shown in Figure 4.
You use family inet to assign an IPv4 address. You use family inet6 to assign an IPv6 address. An interface can be configured with both an IPv4 and an IPv6 address. For the sake of brevity, these examples use IPv4 addresses only.
Follow these Web authentication guidelines:
You can leave the default Web authentication server as the local database or you can choose an external authentication server for the role. The default Web authentication profile determines if the user authenticates using the local database or the external authentication server. An access profile stores usernames and passwords of users or points to external authentication servers where such information is stored.
The Web authentication address must be in the same subnet as the interface that you want to use to host it. For example, if you want authentication users to connect using Web authentication through ethernet3, which has IP address 203.0.113.1/24, then you can assign Web authentication an IP address in the 203.0.113.0/24 subnet.
You can put a Web authentication address in the same subnet as the IP address of any physical interface or virtual security interface (VSI). (For information about different types of interfaces, see Security Zones Overview.)
You can put Web authentication addresses on multiple interfaces.
After a device authenticates a user at a particular source IP address, it subsequently permits traffic—as specified in the policy requiring authentication through Web authentication—from any other user at that same address. This might be the case if the user originates traffic from behind a NAT device that changes all original source addresses to a single translated address.
With Web authentication enabled, any HTTP traffic to the IP address will get the Web authentication login page instead of the administrator login page. Disabling this option will show the administrator login page (assuming that
[system services web-management HTTP]is enabled.We recommend that you have a separate primary or preferred IP address, if an address is used for Web authentication.
The Web authentication method is recommended in situations when the client devices are immediately adjacent to the security gateway and there is high assurance that the client devices are not multiuser hosts. This authentication method is best applied to wireless links and DMZ, or conference room links.
Example: Configuring Web Authentication
This example shows how to enable Web authentication and set up a policy that allows access to a user when traffic encounters a policy that has Web authentication enabled.
Requirements
Before you begin:
Define firewall users. See Firewall User Authentication Overview.
Add the Web authentication HTTP flag under the interface’s address hierarchy to enable Web authentication.
Overview
To enable Web authentication, you must specify the IP address of the device hosting the HTTP session. These settings are used if the firewall user accessing a protected resource wants to be authenticated by directly accessing the webserver or by Web authentication. The following instructions show how to set up a policy that allows access to the FWClient1 user when traffic encounters a policy that has Web authentication enabled (Policy-W). (See Figure 5.) In this example, FWClient1 has already authenticated through the Web authentication login page.
The FWClient1 firewall user does the following to get authenticated:
Points the browser to the Web authentication IP (198.51.100.63/24) to get authenticated first
Starts traffic to access resources specified by the policy-W policy
When you configure the device as described in these instructions and the user successfully authenticates, the screen illustrated in Figure 6 appears.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.23/24set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.63/24 web-authentication httpset interfaces fe-5/0/0 unit 0 family inet address 203.0.113.15/24set access profile WEBAUTH client FWClient1 firewall-user password pwdset access firewall-authentication web-authentication default-profile WEBAUTHset access firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"set security zones security-zone UT-ZONE host-inbound-traffic system-services allset security zones security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols allset security zones security-zone T-ZONE host-inbound-traffic system-services allset security zones security-zone T-ZONE interfaces ge-5/0/0.0 host-inbound-traffic protocols allset security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address anyset security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match destination-address anyset security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match application anyset security policies from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication web-authentication client-match FWClient1set system services web-management http interface ge-0/0/1.0
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure Web authentication:
Configure two interfaces and assign IP addresses to them.
Note:For this example, it is optional to assign two addresses to the interfaces.
[edit] user@host# set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.23/24 user@host# set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.63/24 web-authentication http user@host# set interfaces fe-5/0/0 unit 0 family inet address 203.0.113.15/24
Create the WEBAUTH access profile for the FWClient1 user, specify the user’s password, and define a success banner.
[edit access] user@host# set profile WEBAUTH client FWClient1 firewall-user password pwd user@host# set firewall-authentication web-authentication default-profile WEBAUTH user@host# set firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"
Configure security zones.
Note:For this example, it is optional to configure a second interface for a security zone.
[edit security zones] user@host# set security-zone UT-ZONE host-inbound-traffic system-services all user@host# set security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all user@host# set security-zone T-ZONE host-inbound-traffic system-services all user@host# set security-zone T-ZONE interfaces ge-5/0/0.0 host-inbound-traffic protocols all
Assign security policy P1 to the security zones.
[edit security policies] user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match destination-address any user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match application any user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication web-authentication client-match FWClient1
Activate the HTTP process (daemon) on your device.
[edit] user@host# set system services web-management http interface ge-0/0/1.0
Results
From configuration mode, confirm your configuration by entering these commands:
show interfacesshow accessshow security zonesshow security policiesshow system services
If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show output includes only the
configuration that is relevant to this example. Any other configuration
on the system has been replaced with ellipses (...).
user@host# show interfaces
...
}
ge-0/0/1{
unit 0 {
family inet {
address 198.51.100.23/24 {
address 198.51.100.63/24 {
web-authentication http;
}
}
}
}
fe-5/0/0 {
unit 0 {
family inet {
address 198.51.100.14/24;
}
}
}
...
user@host# show access
profile WEBAUTH {
client FWClient1 {
firewall-user {
password "$ABC123"; ## SECRET-DATA
}
}
}
firewall-authentication {
web-authentication {
default-profile WEBAUTH;
banner {
success "WEB AUTH LOGIN SUCCESS";
}
}
}
user@host# show security zones
...
}
security-zone UT-ZONE {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
protocols {
all;
}
}
}
}
}
security-zone T-ZONE {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-5/0/0.0 {
host-inbound-traffic {
protocols {
all;
}
}
}
}
}
user@host# show security policies
...
from-zone UT-ZONE to-zone T-ZONE {
policy P1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
firewall-authentication {
web-authentication {
client-match FWClient1;
}
}
}
}
}
}
user@host# show system services
...
ftp;
ssh;
telnet;
web-management {
http {
interface g-0/0/1.0;
}
}If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying Firewall User Authentication and Monitoring Users and IP Addresses in the Authentication Table
Purpose
Display firewall authentication user history and verify the number of firewall users who successfully authenticated and firewall users who failed to log in.
Action
From operational mode, enter these show commands:
user@host> show security firewall-authentication history user@host> show security firewall-authentication history identifier 1 user@host> show security firewall-authentication users user@host> show security firewall-authentication users identifier 3
user@host> show security firewall-authentication history
History of firewall authentication data:
Authentications: 1
Id Source Ip Date Time Duration Status User
5 198.51.100.75 2010-04-24 01:08:57 0:10:30 Success FWClient1
user@host> show security firewall-authentication history identifier 1
Username: FWClient1
Source IP: 198.51.100.752
Authentication state: Success
Authentication method: Web-authentication
Access start date: 2010-10-12
Access start time: 21:24:02
Duration of user access: 0:00:24
Source zone: N/A
Destination zone: N/A
Access profile: WEBAUTH
Bytes sent by this user: 0
Bytes received by this user: 2660
user@host> show security firewall-authentication users
Firewall authentication data:
Total users in table: 1
Id Source Ip Src zone Dst zone Profile Age Status User
4 198.51.100.75 N/A N/A WEBAUTH 1 Success FWClient1
user@host> show security firewall-authentication users identifier 3
Username: FWClient1
Source IP: 198.51.100.75
Authentication state: Success
Authentication method: Web-authentication
Age: 3
Access time remaining: 9
Source zone: N/A
Destination zone: N/A
Access profile: WEBAUTH
Interface Name: ge-0/0/1.0
Bytes sent by this user: 0
Bytes received by this user: 1521
Example: Configuring HTTPS Traffic to Trigger Web Authentication
This example shows how to configure HTTPS traffic to trigger Web authentication. HTTPS is widely used for Web authentication because it is more secure than HTTP.
Requirements
Before you begin:
This example uses the following hardware and software components:
SRX Series device
Two PCs with Linux and Open SSL installed. One PC acts as a client and another as an HTTPS server. The two PCs are used to create key files and to send traffic.
Junos OS Release 12.1X44-D10 or later for SRX5400, SRX5600, and SRX5800 devices and Junos OS Release 15.1X49-D40 or later for vSRX, SRX300, SRX320, SRX340, SRX345, SRX380, SRX550M, and SRX1500 Services Gateways.
An SRX Series device has to decode the HTTPS traffic to trigger Web authentication. The following list describes the steps to create and install a private key file and a certification key file.
If you have an official .crt file and .key file, then you can directly upload and install the files
on the SRX Series device. If you do not have a .crt file
and .key file, then follow the procedure to create and
install the files. Instructions specified in Step 1 and Step 2 must
be run on a PC which has Linux and OpenSSL installed. Instructions
specified in Step 3 and Step 4 must be run in operational mode.
From the PC, create the
.keyfile.openssl genrsa -out /tmp/server.key 1024
From the PC, create the
.crtfile.openssl req -new -x509 -days 365 -key /tmp/server.key -out /tmp/device.crt -subj "/C=CN/ST=BJ/L=BJ/O=JNPR/OU=CNRD/CN=203.0.113.22/emailAddress=device@mycomany.com"
From the SRX Series device, upload the
.keyand.crtfiles and install the files on the device using the following command:user@host> request security pki local-certificate load filename /var/tmp/device.crt key /var/tmp/device.key certificate-id device
Overview
Firewall authentication initiates a secure connection to be established across two devices. A network user must provide a username and password for authentication when initiating a connection across the firewall. Firewall authentication supports HTTPS traffic for pass-through authentication. HTTPS can secure HTTP firewall authentication traffic between users and the SRX Series device.
HTTPS is the secure version of HTTP, the protocol over which data is sent between the user and the device that the user is connected to. All communications between the user and the connected devices are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.
In this example, HTTPS traffic is used to trigger Web authentication because HTTPS is more secure than HTTP.
The user uses HTTPS to access an IP address on the device that is enabled for Web authentication. In this scenario, the user does not use HTTPS to access the IP address of the protected resource. The user is prompted for a username and password, which are verified by the device. Subsequent traffic from the user or host to the protected resource is allowed or denied based on the results of this Web authentication.
Figure 7 shows an example of Web authentication using HTTPS traffic.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set system services web-management https pki-local-certificate device set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.18/24 set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.115/24 web-authentication https set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.5/24 set security policies from-zone trust to-zone untrust policy p1 match source-address any set security policies from-zone trust to-zone untrust policy p1 match destination-address any set security policies from-zone trust to-zone untrust policy p1 match application any set security policies from-zone trust to-zone untrust policy p1 then permit set access profile local_pf client user1 firewall-user password user1 set access firewall-authentication web-authentication default-profile local_pf set security policies from-zone trust to-zone untrust policy p1 then permit firewall-authentication web-authentication
Procedure
Step-by-Step Procedure
To configure HTTPS traffic to trigger Web authentication:
Enable Web-management support to HTTPS traffic.
[edit system services] user@host# set web-management https pki-local-certificate device
Configure interfaces and assign IP addresses. Enable Web authentication at ge-0/0/0 interface.
[edit interfaces] user@host# set ge-0/0/0 unit 0 family inet address 203.0.113.18/24 set ge-0/0/0 unit 0 family inet address 203.0.113.115/24 web-authentication https user@host# set ge-0/0/1 unit 0 family inet address 192.0.2.5/24
Configure security policies to permit firewall authenticated traffic from zone trust to zone untrust.
[edit security policies] user@host# set from-zone trust to-zone untrust policy p1 match source-address any destination-address any application any user@host# set security policies from-zone trust to-zone untrust policy p1 then permit
Create an access profile, configure the client as a firewall user, and set the password.
[edit access] user@host# set profile local_pf client user1 firewall-user password user1
Configure the type of firewall authentication settings.
[edit access] user@host# set firewall-authentication web-authentication default-profile local_pf
Specify a policy action to take when a packet matches the criteria.
[edit security policies] user@host# set from-zone trust to-zone untrust policy p1 then permit firewall-authentication web-authentication
Results
From configuration mode, confirm your configuration
by entering the show system services, show interfaces, show security policies, and show access commands.
If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it.
user@host# show system services
web-management {
https {
pki-local-certificate device;
}
}
user@host# show interfaces
ge-0/0/0 {
unit 0 {
family inet {
address 203.0.113.115/24 {
web-authentication https;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.0.2.5/24;
}
}
}
user@host# show security policies
from-zone trust to-zone untrust {
policy p1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
firewall-authentication {
web-authentication;
}
}
}
}
}
user@host# show access
profile local_pf {
client user1 {
firewall-user {
password "user1";
}
}
}
firewall-authentication {
web-authentication {
default-profile local_pf;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying the Configuration
Purpose
Verify that the configuration is correct.
Action
From operational mode, enter the show security
firewall-authentication users identifier identifier command.
Sample Output
user@host> show security firewall-authentication users identifier 1
Username: user1
Source IP: 203.1.113.102
Authentication state: Success
Authentication method: Web-authentication
Age: 0
Access time remaining: 10
Lsys: root-logical-system
Source zone: N/A
Destination zone: N/A
Access profile: local_pf
Bytes sent by this user: 0
Bytes received by this user: 0
Meaning
The show security firewall-authentication users
identifier identifier command displays
the firewall authentication user information using the identifier
ID of the user. If the authentication method parameter displays Web
authentication and the authentication state parameter displays success
in your output then your configuration is correct.