
Authentication and Access Control

  • User Firewall and JIMS integration (cSRX)—Starting in Junos OS Release 23.4R1, cSRX supports User Firewall Active Directory and Juniper® Identity Management Service (JIMS) integration.

    The cSRX instances can now query JIMS and create, manage, and refine firewall rules based on user identity rather than IP address.

    JIMS then communicates with Active Directory to retrieve the username-to-group mapping information. The cSRX instances use the username-to-group mapping information to identify the group to which each user belongs and then enforce the appropriate security policy decisions.

    [See Authentication and Integrated User Firewalls User Guide and Juniper Identity Management Service User Guide.]

  • Dynamic filter IPv6 support—Starting in Junos OS Release 23.4R1, you can install filters having destination IPv6 as a match condition. Both IPv4 and IPv6 match conditions can be specified within the same filter.

    [See User Access and Authentication Administration Guide for Junos OS.]

  • Support for VLAN groups on EX Series switches (EX Series)—Starting in Junos OS Release 23.4R1, you can configure VLAN groups on EX Series switches. The 802.1X VLAN group maps a single WLAN to a single VLAN or multiple VLANs. With this feature, the VLAN group name is carried in the Tunnel-Private-Group-ID attribute (RADIUS attribute type 81, defined in RFC 2868) and sent in the RADIUS response instead of a regular VLAN ID or VLAN name. This helps reduce the number of broadcast domains and reduces the need for administrators to load balance the network.

    To configure VLAN groups, use the set vlans vlan-groups vlan_group_name vlan-id-list vlan-id-list configuration statement at the [edit vlans] hierarchy level.

    [See Configuring VLAN Groups on EX Series Switches.]

  • Support for micro and macro segmentation with GBP using Mist Access Assurance (EX4100, EX4400, and EX4650)—Starting in Junos OS Release 23.4R1, we support micro and macro segmentation in a VXLAN (Virtual Extensible Local Area Network) architecture using Group Based Policy (GBP) through Juniper Mist Access Assurance. GBP tags are assigned dynamically to clients as part of the RADIUS transaction by Mist Cloud NAC.

    [See 802.1X for Switches Overview.]

  • Control device access privileges with exact match configuration (ACX5448, ACX5448-M, ACX5448-D, ACX710, EX2300, EX2300-MP, EX2300-C, EX2300-VC, EX3400, EX3400-VC, EX4100-48MP, EX4100-H-12P, EX4100-H-12P-DC, EX4100-H-24P, EX4100-H-24P-DC, EX4100-H-24F, EX4100-H-24F-DC, EX4100-24MP, EX4100-48P, EX4100-48T, EX4100-24P, EX4100-24T, EX4100-F-48P, EX4100-F-24P, EX4100-F-48T, EX4100-F-24T, EX4100-F-12P, EX4100-F-12T, EX4300-MP, EX4300VC, EX4400-24MP, EX4400-24P, EX4400-24T, EX4400-24X, EX4400-48F, EX4400-48MP, EX4400-48P, EX4400-48T, EX4600-VC, EX4650, EX4650-48Y-VC, EX9204, EX9208, EX9214, MX204, MX240, MX304, MX480, MX960, MX10003, MX10004, MX10008, MX10016, MX2008, MX2010, MX2020, QFX10002-60C, QFX10002, QFX10008, and QFX10016)—Starting in Junos OS Release 23.4R1, you can configure access privileges for login classes by allowing or denying full hierarchy strings with the allow-configuration-exact-match and deny-configuration-exact-match configuration options. The exact match configuration enables you to set separate permissions for set, delete, activate, or deactivate operators for any hierarchy.

    The allow-configuration-exact-match and deny-configuration-exact-match configuration options support full hierarchy strings as well as wildcard characters and regular expressions.

    [See Understanding Exact Match Access Privileges for Login Classes.]

  • Support for firewall user logoff, custom logo, and banner (SRX Series Firewalls, vSRX3.0, NFX150, NFX250, and NFX350)—Starting in Junos OS Release 23.4R1, firewall users can log off using the logoff button displayed in the captive portal after a successful login.

    SRX and NFX administrators can set a custom logo for the captive portal and configure custom login-success and login-fail banner messages in the captive portal. You can configure the logo option at the set access firewall-authentication web-authentication hierarchy level for a custom logo, and the banner option at the same hierarchy level for banner messages.

    [See firewall-authentication.]

  • Support for client/server certificate validation using TLS protocol mutual authentication (SRX Series Firewalls, vSRX3.0, NFX150, NFX250, and NFX350)—Starting in Junos OS Release 23.4R1, a client can authenticate without a password, based on client/server certificate validation using mutual TLS (mTLS) authentication. You can configure the mtls-profile option at the set security firewall-authentication hierarchy level.

    [See firewall-authentication (Security).]

  • Support for destination identity in firewall policy (SRX Series Firewalls and vSRX3.0)—Starting in Junos OS Release 23.4R1, you can control network access based on destination identity in a security policy by matching traffic on destination identity information. You can configure the destination-identity-context option at the set security policies from-zone zone-name to-zone zone-name match hierarchy level.

    You can configure the identity-context-profile profile-name option at the set user-identification device-information hierarchy level. You can configure the destination-identity-context-profile option at the set security policies from-zone zone-name to-zone zone-name match hierarchy level.

    [See user-identification (Services), match (Security Policies), identity-context-profile, destination-identity-context, and destination-identity-context-profile.]
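
An added example (not from the Juniper documentation) for the VLAN group item above: it parses the attribute section of a RADIUS response per RFC 2868 and extracts the Tunnel-Private-Group-ID string, handling the optional tag octet and rejecting malformed lengths. The sample bytes and the group name GUEST-GROUP are constructed; Tunnel-Type 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE-802) are the RFC 3580 values, and whether the string is treated as a VLAN group name depends on the switch configuration.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6  # RFC 3580 values for VLAN assignment


def iter_attributes(blob):
    """Yield (type, value) for each RADIUS attribute TLV; reject malformed lengths."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):  # length covers type+length octets
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def split_tag(value):
    """RFC 2868: a first octet in 0x01..0x1F is a tag, otherwise it starts the string."""
    if value and 0x01 <= value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_assignment(blob):
    """Return {tag: group string} for tunnels with Type=VLAN and Medium=IEEE-802."""
    types, mediums, groups = {}, {}, {}
    for attr_type, value in iter_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:  # one tag octet plus a 3-octet value
                raise ValueError("tunnel type/medium must be 4 octets")
            target = types if attr_type == TUNNEL_TYPE else mediums
            target[value[0]] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, text = split_tag(value)
            groups[tag] = text.decode("ascii")
    return {tag: name for tag, name in groups.items()
            if types.get(tag) == TUNNEL_TYPE_VLAN and mediums.get(tag) == MEDIUM_IEEE_802}


def attr(attr_type, value):
    """Encode one attribute TLV (helper for building the constructed sample)."""
    return bytes([attr_type, len(value) + 2]) + value


# Constructed sample: tagged (tag 1) tunnel attributes as they would appear in an Access-Accept.
SAMPLE = (attr(64, b"\x01" + (13).to_bytes(3, "big"))
          + attr(65, b"\x01" + (6).to_bytes(3, "big"))
          + attr(81, b"\x01GUEST-GROUP"))

if __name__ == "__main__":
    print(vlan_assignment(SAMPLE))
```
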