Configure Captive Portal for Unauthenticated Browsers
Generally, an SRX Series Firewall redirects an unauthenticated user to the captive portal for authentication. While redirecting to the captive portal, the background process such as Microsoft updates triggers the captive portal before it triggers HTTP/HTTPS browser-based user’s access, which makes the browser to display “401 Unauthorized” page without presenting authentication portal. The auth-only-browser and auth-user-agent parameters give you control to handle HTTP/HTTPS traffic.
Understanding SRX Series Assured Captive Portal Support for Unauthenticated Browser Users
When an unauthenticated user requests access to an SRX Series protected resource using an HTTP/HTTPS browser, the SRX Series Firewall presents the user with a captive portal interface to allow the user to authenticate. Normally, this process occurs without interference. However, prior to introduction of this feature, HTTP/HTTPS-based workstation services running in the background, such as Microsoft updates and control checks, could trigger captive portal authentication before the HTTP/HTTPS browser-based user’s access request did. The situation posed a race condition. If a background process triggered captive portal first, the SRX Series Firewall presented it with a “401 Unauthorized” page. The service discarded the page without informing the browser, and the browser user was never presented with the authentication portal. The SRX Series Firewall did not support simultaneous authentication from the same source (IP address) on different SPUs.
Starting with Junos OS Release 15.1X49-D90 and Junos OS Release 17.3R1, the SRX Series Firewall supports simultaneous HTTP/HTTPS pass-through authentication across multiple SPUs, including support for web-redirect authentication. If an HTTP/HTTPS packet arrives while the SPU is querying the CP, the SRX Series Firewall queues the packet to be handled later.
Additionally, the following two parameters are made available to give you greater control over how HTTP/HTTPS traffic is handled.
auth-only-browser—Authenticate only browser traffic. If you specify this parameter, the SRX Series Firewall distinguishes HTTP/HTTPS browser traffic from other HTTP/HTTPS traffic. The SRX Series Firewall does not respond to non-browser traffic. You can use the auth-user-agent parameter in conjunction with this control to further ensure that the HTTP traffic is from a browser.
auth-user-agent—Authenticate HTTP/HTTPS traffic based on the User-Agent field in the HTTP/HTTPS browser header. You can specify one user-agent value per configuration. The SRX Series Firewall checks the user-agent value that you specify against the User-Agent field in the HTTP/HTTPS browser header for a match to determine if the traffic is HTTP/HTTPS browser-based.
You can use this parameter with the auth-only-browser parameter or alone for both pass-through and user-firewall firewall-authentication.
You can specify only one string as a value for auth-user-agent. It must not include spaces and you do not need to enclose the string in quotation marks.
Note:Starting with Junos OS 17.4R1, you can assign IPv6 addresses in addition to IPv4 addresses when you configure source addresses. To configure IPv6 source address, issue
anyorany-IPv6command at [edit security policies from-zone trust to-zone untrust policy policy-name match source-address] hierarchy level.
Here are some examples of how to configure security policies to use the auth-only-browser and auth-user-agent firewall authentication features.
For Pass-Through Authentication
Configures a security policy for pass-through authentication that uses the auth-only-browser parameter.
user@host# set security policies from-zone trust to-zone untrust policy p1 match source-address any user@host# set security policies from-zone trust to-zone untrust policy p1 match destination-address any user@host# set security policies from-zone trust to-zone untrust policy p1 match application any user@host# set security policies from-zone trust to-zone untrust policy p1 then permit firewall-authentication pass-through auth-only-browser access-profile my-access-profile1t
Configures a security policy for pass-through authentication that uses the auth-user-agent parameter without auth-only-browser.
user@host# set security policies from-zone trust to-zone untrust policy p2 match source-address any user@host# set security policies from-zone trust to-zone untrust policy p2 match destination-address any user@host# set security policies from-zone trust to-zone untrust policy p2 match application any user@host# set security policies from-zone trust to-zone untrust policy p2 then permit firewall-authentication pass-through auth-user-agent Opera1 access-profile my-access-profile2
Configures a security policy for pass-through authentication that uses the auth-only-browser with the auth-user-agent parameter.
user@host# set security policies from-zone trust to-zone untrust policy p3 match source-address any user@host# set security policies from-zone trust to-zone untrust policy p3 match destination-address any user@host# set security policies from-zone trust to-zone untrust policy p3 match application any user@host# set security policies from-zone trust to-zone untrust policy p3 then permit firewall-authentication pass-through auth-only-browser auth-user-agent Opera1 my-access-profile3
For User Firewall Authentication
Configures a security policy for user-firewall authentication that uses the auth-only-browser parameter.
user@host# set security policies from-zone trust to-zone untrust policy p4 match source-address any user@host# set security policies from-zone trust to-zone untrust policy p4 match destination-address any user@host# set security policies from-zone trust to-zone untrust policy p4 match application any user@host# set security policies from-zone trust to-zone untrust policy p4 then permit firewall-authentication user-firewall auth-only-browser access-profile my-access-profile4t
Configures a security policy for user-firewall authentication that uses the auth-user-agent parameter without auth-only-browser.
user@host# set security policies from-zone trust to-zone untrust policy p5 match source-address any user@host# set security policies from-zone trust to-zone untrust policy p5 match destination-address any user@host# set security policies from-zone trust to-zone untrust policy p5 match application any user@host# set security policies from-zone trust to-zone untrust policy p5 then permit firewall-authentication user-firewall auth-user-agent Opera1 access-profile my-access-profile5
Configures a security policy for user-firewall authentication that uses the auth-only-browser with the auth-user-agent parameter.
user@host# set security policies from-zone trust to-zone untrust policy p6 match source-address any user@host# set security policies from-zone trust to-zone untrust policy p6 match destination-address any user@host# set security policies from-zone trust to-zone untrust policy p6 match application any user@host# set security policies from-zone trust to-zone untrust policy p6 then permit firewall-authentication user-firewall auth-only-browser auth-user-agent Opera1 access-profile my-access-profile6
See Also
Understanding the Forced Timeout Setting Assigned to Active Directory Authentication Entries for Users Authenticated Through Captive Portal
This topic covers the effect of the firewall authentication forced timeout setting as it applies to active directory authentication entries for users who authenticate through captive portal.
When a user authenticates through captive portal, an authentication table entry is generated for that user based on the information that the SRX Series Firewall obtains from the firewall authentication module. At that point, the default traffic-based authentication timeout logic is applied to the entry.
As an administrator, it is important for you to have control over how long non-domain users who authenticate through captive portal remain authenticated. The firewall authentication forced timeout feature gives you that control. Use of it ensures that non-domain users do not remain authenticated indefinitely. For example, assume that the flow of traffic is continuous to and from the device of a non-domain user authenticated through captive portal. Given the behavior of the default traffic-based authentication timeout, the non-domain user would remain authenticated indefinitely.
When the firewall authentication forced timeout value is configured, it is used in conjunction with the traffic-based timeout logic.
Here is how timeout settings, including firewall authentication forced timeout, affect active directory authentication entries for users authenticated through captive portal. In all of the following instances, an authentication entry was generated for a user based on firewall authentication information after the user authenticated through captive portal.
The firewall authentication forced timeout is set for 3 hours.
Traffic continues to be received and generated by a device associated with an authentication entry for a user. After 3 hours the authentication entry expires, although at that time there are sessions anchored in Packet Forwarding Engine for the authentication entry.
If set, the firewall authentication forced timeout has no effect.
An authentication entry does not have sessions anchored to it. It expires after the time set for the authentication entry timeout, for example, 30 minutes.
The firewall authentication forced timeout configuration is deleted.
Firewall authentication forced timeout has no effect on new authentication entries. Firewall authentication forced timeout remains enforced for existing authentication entries to which it applied before it was deleted. That is, for those authentication entries, the original forced timeout setting remains in effect.
The firewall authentication forced timeout configuration setting is changed.
The new tine-out setting is applied to new incoming authentication entries. Existing entries keep the original, former setting.
The firewall authentication forced timeout is set to 0, disabling it.
If the firewall authentication forced timeout is set to a new value, that value is assigned to all incoming authentication entries. There is no firewall authentication forced timeout setting for existing authentication entries.
The firewall authentication forced timeout value is not configured.
The SRX Series Firewall generates an authentication entry for a user. The default traffic-based timeout logic is applied to the authentication entry.
The active directory timeout value is configured for 50 minutes. A traffic-based timeout of 50 minutes is applied to an authentication entry.
The active directory timeout is not configured. The default traffic-based timeout of 30 minutes is applied to an authentication entry.