Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configure Captive Portal for Web Authentication and Firewall User Authentication

SUMMARY Learn how to configure captive portal for Web authentication and firewall user authentication using J-Web.

Overview

What Is Captive Portal?

Captive portal is a method of authenticating devices that need to connect to a network. On an SRX Series Firewalls, you can enable captive portal to redirect Web browser requests to a login page that prompts you to enter your username and password. After successful authentication, you can proceed with the original page request and subsequent network access.

What Is Web Authentication?

With a Web authentication method, you point a browser to an IP address on a device that is enabled for Web authentication. This action initiates an HTTPS session on the IP address that hosts the Web authentication feature on the device. The device then prompts you to enter your username and password, and the result is cached on the device. When the traffic later encounters a Web authentication policy, your access is allowed or denied based on the previous Web authentication results.

You can use other authentication methods as well, but we will not cover those methods in this document. However, we describe each of those methods in brief:

  • Pass-through authentication—Pass-through user authentication is a form of active authentication. In this method, the device prompts you to enter a username and password. If authentication validates your identity, you are allowed to pass through the firewall and access the requested resources.

  • Pass-through with web-redirect—When using this authentication method for HTTPS client requests, you can use the web-redirect feature to direct your requests to the device's internal webserver. The webserver sends a redirect HTTPS response to the client system, directing it to reconnect to the webserver for user authentication. The interface that the client’s request arrives at is the interface on which the redirect response is sent.

What Is Firewall User Authentication?

A firewall user is a network user who must provide a username and password for authentication when initiating a connection across the firewall. Junos OS enables administrators to restrict or to permit firewall users’ access to protected resources (in different zones) behind a firewall based on their source IP address and other credentials. After defining the firewall users, you can create a policy that requires the users to authenticate using one of the three authentication methods (Web, pass-through, or pass-through with web-redirect).

Workflow

Scope

Here’s a sample topology (see Figure 1), which comprises:

  • A firewall user’s device that acts as a client.

  • An SRX Series Firewall that has access to the Internet.

  • A network device that acts as an HTTPS server.

Figure 1: Sample Topology Sample Topology

In this sample topology, you’ll use J-Web on the SRX Series Firewall to do the following tasks:

Note:

The values used to configure the sample topology are only examples.

Step

Action

1

Create a logical interface on ge-0/0/3, assign it the IP address 203.0.113.35, and enable Web authentication.

Note:

In this example, the firewall user system IP address is 203.0.113.12, which is in the same subnet as 203.0.113.0/24.

Create a logical interface on ge-0/0/2 and assign it the IP address 192.0.2.1.

Note:

In this example, the HTTPS server IP address is 192.0.2.1.

2

Create an access profile (FWAUTH) and define local authentication services.

3

Configure Web authentication settings to display the successful login message.

4

Create an untrust (UT_ZONE) and a trust (T_ZONE) zones and assign the ge-0/0/3 and ge-0/0/2 interfaces, respectively.

5

Configure captive portal for Web authentication and firewall user authentication in the security policy rules (FWAUTH-RULE).

6

Verify that the configured values work for a firewall user:

  • For Web authentication, you’ll successfully authenticate using https://203.0.113.35.

  • For firewall user authentication, you’ll successfully authenticate using https://203.0.113.35 and then get redirected to https://192.0.2.1 for accessing the HTTPS server.

Before You Begin

  • The values used to configure the sample topology are only examples. You can change any details necessary to match your network configuration.

  • Ensure that the SRX Series Firewall you use in this example runs Junos OS Release 21.4R1 or later.

  • Ensure that your device has the required certificates installed to allow authentication. In this example, we'll use cert1, a self-signed certificate.

Step 1: Create a Logical Interface and Enable Web Authentication

In this step, you’ll do the following tasks:

  • For the ge-0/0/3 interface on the SRX Series Firewall:

    1. Create a logical interface for an untrust zone.

    2. Assign the IPv4 address 203.0.113.35 to the interface.

      Note:

      You’ll use the same IP address for enabling captive portal.

    3. Enable HTTPS on the interface for Web authentication.

  • For the ge-0/0/2 interface on the SRX Series Firewall:

    1. Create a logical interface for a trust zone.

    2. Assign the IPv4 address 192.0.2.1 to the interface.

You are here (in the J-Web UI): Network>Connectivity>Interfaces

To create a logical interface for an untrust zone and to enable Web authentication:

  1. Select ge-0/0/3 and then select Create>Logical Interface on the upper-right corner of the Interfaces page.

    The Add Logical Interface for ge-0/0/3.0 page appears.

    Note:

    You cannot configure captive portal on the fxp0 interface.

  2. Specify the following details:

    Field

    Action

    Logical unit number

    Type 0.

    Description

    Type UT_Zone Interface.

    VLAN ID

    This field is not editable.

    Multi tenancy type

    Select None from the list.

    Logical system

    This field is not editable.

    Zone

    Select None from the list.

    In a later step, we'll create an untrust zone (UT_ZONE) and assign the ge-0/0/3 interface to it. See Step 4: Create Security Zones and Assign Interfaces to the Zones.

    Protocol (family) - IPv4 Address

    IPv4 Address / DHCP

    Select the check box to enable the IPv4 Address/DHCP configuration.

    IPv4 Address

    Select IPv4 Address. Then, click + and enter the following details:

    • IPv4 Address—Type 203.0.113.35 for Web authentication.

      Note:

      The captive portal configuration uses the same IPv4 address.

    • Subnet—Select 24 using the up or down arrow.

    • Web Auth:

      1. Click Configure.

        The Web Authentication page appears.

      2. Select Enable Https dedicated to captive portal.

      3. Click OK to save changes.

  3. Click OK to save the changes.

    Good job! You’ve created a logical interface on ge-0/0/3 with IP address 203.0.113.35 (Web authentication enabled) for your system.

To create a logical interface for a trust zone:

  1. Select ge-0/0/2 and then select Create>Logical Interface on the upper-right corner of the Interfaces page.

    The Add Logical Interface for ge-0/0/2.0 page appears.

  2. Specify the following details:

    Field

    Action

    Logical unit number

    Type 0.

    Description

    Type T_Zone Interface.

    VLAN ID

    This field is not editable.

    Multi tenancy type

    Select None from the list.

    Logical system

    This field is not editable.

    Zone

    Select None from the list.

    In a later step, we'll create a trust zone (T_ZONE) and assign the ge-0/0/2 interface to it. See Step 4: Create Security Zones and Assign Interfaces to the Zones.

    VLAN ID

    This field is not editable.

    Protocol (family) - IPv4 Address

    IPv4 Address / DHCP

    Select the check box to enable the IPv4 Address/DHCP configuration.

    IPv4 Address

    1. Select IPv4 Address.

    2. Click +.

    3. IPv4 Address—Type 192.0.2.1 (HTTPS server).

    4. Subnet—Select 24 using the up or down arrow.

    5. Web Auth—Leave as is.

    6. ARP—Leave as is.

  3. Click OK to save the changes.

    Good job! You’ve created a logical interface on ge-0/0/2 with IP address 192.0.2.1 for the HTTPS server.

  4. Click Commit (at the right-side of the top banner) and select Commit configuration to commit the changes now.

    The successful-commit message appears.

    You can also choose to commit all configuration changes at once, at the end of Step 5: Enable Web or Firewall User Authentication for Captive Portal in the Security Policy.

Step 2: Create an Access Profile

Let’s create an access profile to define local authentication services. You will use this access profile in Web authentication settings and security policies.

You are here (in the J-Web UI): Security Services>Firewall Authentication>Access Profile

To create an access profile:

  1. Click the add icon (+) on the upper-right corner of the Access Profile page.

    The Create Access Profile page appears.

  2. Specify the following details:

    Field

    Action

    Name

    Type FWAUTH.

    Address Assignment

    (Optional) Select None from the list.

    You can select an address pool from the list. You can also add a new address pool by clicking Create Address Pool and providing the required values.

    Authentication

    Local

    1. Select Local to configure the local authentication services.

    2. Click + and enter the following details on the Create Local Authentication User page:

      1. Username—Type FWClient1. This is the username of the user requesting access.

      2. Password—Type $ABC123.

      3. XAUTH IP Address—Leave as is.

      4. Group—Leave as is.

      5. Click OK to save the changes.

    Authentication Order

    Order 1

    Select Local from the list.

    Order 2

    By default, None is selected. Leave as is.

  3. Click OK to save the changes.

    Good job! You’ve created the FWAUTH access profile.

  4. Click Commit (at the right-side of the top banner) and select Commit configuration to commit the changes now.

    The successful-commit message appears.

    You can also choose to commit all configuration changes at once, at the end of Step 5: Enable Web or Firewall User Authentication for Captive Portal in the Security Policy.

Step 3: Configure Web Authentication Settings

We’ll now assign the created access profile, define a successful-login message, and upload the logo image. You use this image for both Web authentication and captive portal.

You are here (in the J-Web UI): Security Services>Firewall Authentication>Authentication Settings

To configure Web authentication settings:

  1. Click Web Authentication Settings.
  2. Do the following:
    • Default Profile—Select FWAUTH from the list. The security policies use this profile to authenticate users.

    • Success—Type Authentication Success as the message to be displayed for users who log in successfully.

  3. (Optional) To upload a customized logo:
    1. Click Logo Image Upload.

    2. Click Browse for uploading a logo file.

    3. Select a logo image and then click OK.

      Note:

      For a good logo, the image must be in the .gif format and the resolution must be 172x65.

    4. Click Sync to apply the logo.

      The uploaded image will now appear on the captive portal login page or the Web authentication login page.

  4. Click Save on the upper-right corner of the Authentication Settings page to save the changes.

    Congratulations! You've successfully saved your Web authentication settings.

  5. Click Commit (at the right-side of the top banner) and select Commit configuration to commit the changes now.

    The successful-commit message appears.

    You can also choose to commit all configuration changes at once, at the end of Step 5: Enable Web or Firewall User Authentication for Captive Portal in the Security Policy.

Step 4: Create Security Zones and Assign Interfaces to the Zones

You create a security zone to define one or more network segments that regulate inbound and outbound traffic through policies.

We’ll now separately create:

  • An untrust zone (UT_ZONE) and assign the ge-0/0/3 interface to it.

  • A trust zone (T_ZONE) and assign the ge-0/0/2 interface to it.

You are here (in the J-Web UI): Security Policies & Objects>Zones/Screens

To create UT_ZONE (untrust zone) and T_ZONE (trust zone) and to assign the defined interfaces to the zones:

  1. Click the add icon (+) on the upper-right corner of the Zone List page.

    The Add Zone page appears.

  2. Specify the following details:

    Field

    Action

    Main

    Zone name

    • Type UT_ZONE for an untrust zone.

    • Type T_ZONE for a trust zone.

    Zone description

    • Type untrust zone for UT_ZONE.

    • Type trust zone for T_ZONE.

    Zone type

    Select Security.

    Application Tracking

    Leave as is.

    Source Identity Log

    Leave as is.

    Traffic Control Options

    Leave as is.

    Interfaces

    • For UT_ZONE, select ge-0/0/3.0 from the Available column and click the right arrow to move it to the Selected column.

    • For T_ZONE, select ge-0/0/2.0 from the Available column and click the right arrow to move it to the Selected column.

    Field

    Action (Sample Value)

    Host Inbound Traffic - Zone

    Leave as is.

    Host Inbound Traffic - Interface

    Selected Interfaces

    • For UT_ZONE, select ge-0/0/3.0.

    • For T_ZONE, select ge-0/0/2.0.

    Available Services

    Select all from the Available Services column and click the right arrow to move it to the Selected column.

    Available Protocols

    Select all from the Available Protocols column and click the right arrow to move it to the Selected column.

  3. Click OK to save the changes.

    Good job! You have assigned the ge-0/0/3 interface to UT_ZONE and ge-0/0/2 to T_ZONE.

  4. Click Commit (at the right-side of the top banner) and select Commit configuration to commit the changes now.

    The successful-commit message appears.

    You can also choose to commit all configuration changes at once, at the end of Step 5: Enable Web or Firewall User Authentication for Captive Portal in the Security Policy.

Step 5: Enable Web or Firewall User Authentication for Captive Portal in the Security Policy

We’ll now enable captive portal in the security policy rules to redirect a client HTTPS request to the internal HTTPS server of the device.

You are here (in the J-Web UI): Security Policies & Objects>Security Policies

To configure security policy rule for captive portal:

  1. Click the add icon (+) on the upper-right corner of the Security Policies page.

    The inline editable fields appear.

  2. Specify the following details:

    Field

    Action

    Rule Name

    Name

    Type FWAUTH-RULE.

    Description

    Type Test rule.

    Source Zone

    +

    Click + to add a source zone.

    The Select Sources page appears.

    Select Sources

    Specify the following details:

    1. Zone—Select UT_ZONE from the list to which you want the rule to be associated.

    2. Addresses—By default, Any is selected. Leave as is.

    3. Source identity:

      • For Web authentication, select None.

      • For firewall user authentication, select Specific. Then select unauthenticated and unknown from the Available column and click the right arrow to move these values to the Selected column.

    4. Source identity feed—Select None.

    5. Click OK to save the changes.

    Destination Zone

    +

    Click + to add a destination zone.

    The Select Destination page appears.

    Select Destination

    Specify the following details:

    1. Zone—Select T_ZONE from the list to which you want the rule to be associated.

    2. Addresses—By default, Any is selected. Leave as is.

    3. Dynamic applications—Select None.

      Note:

      You cannot configure dynamic applications with Web authentication.

    4. Services—Select Any.

    5. URL category—Select None.

    6. Destination identity feed—Select None.

    7. Click OK to save the changes.

    Action

    Select Permit.

    Advanced Services

    Leave as is.

    Rule Options

    +

    Click + to select rule options.

    The Select Rule Options page appears.

    Logging

    Leave as is.

    Authentication

    Note:

    Use this configuration for Web authentication only.

    Specify the following details:

    • Push auth entry to JIMS—By default, this option is disabled. Leave as is.

    • Type—Select Web-authentication from the list.

    • Client name—Type FWClient1.

    • Click OK to save the changes.

    Authentication

    Note:

    Use this configuration for firewall user authentication only.

    Specify the following details:

    • Push auth entry to JIMS—By default, this option is disabled. Leave as is.

    • Type—Select User-firewall from the list.

    • Access profile—Select FWAUTH from the list.

    • Domain—Leave as is.

    • Web redirect (http)—By default, this option is disabled. Leave as is.

    • Captive Portal—Enable to redirect a client HTTPS request to the webserver for user authentication.

      • Interface—Select ge-0/0/3.0 (203.0.113.35/24) from the list for the webserver where the client HTTPS request is redirected. This is the same interface that you configured while enabling Web authentication.

      • IP address—Type 203.0.113.35 for the webserver where the client HTTPS request is redirected. This is the same IPv4 address that you configured while enabling Web authentication on the ge-0/0/3 Interface.

    • SSL Termination Profile—Select SSL_termination (cert1) from the list for SSL termination support service. Acting as an SSL proxy server, the SRX Series Firewall uses the SSL termination process to terminate the client's SSL session.

    • Auth only browser—By default, this option is disabled. Leave as is.

    • User agents—Leave as is.

    • Click OK to save the changes.

  3. Click the tick icon on the right-side of the row after you're done with the configuration.
    Note:

    Slide the horizontal bar backward if the inline tick and cancel icons are not available when creating a new rule.

  4. Click Save on the upper-right corner of the Security Policies page to save changes.
  5. Click Commit (at the right side of the top banner) and select Commit configuration.

    The successful-commit message appears.

    Congratulations! You've successfully committed your configuration changes. You are all set with the Web or firewall user authentication policy.

Step 6: Verify the Web Authentication and User Authentication Configuration

Purpose

The final step! Let’s see whether your configuration works for a firewall user:

Action

To verify the Web authentication configuration:

  1. Type https://203.0.113.35 in your Web browser.

    The Firewall Authentication login page appears.

  2. Type the following credentials, and then click Log In.

    • Username—FWClient1

    • Password—$ABC123

    Congratulations! You are successfully authenticated. You can also see the success message Authentication Success that you configured.

  3. Click Close.

To verify firewall user authentication:

  1. Type https://192.0.2.1 in your Web browser.

    You are redirected to https://203.0.113.35 for Web authentication.

  2. Type the following credentials, and then click Log In.

    • Username—FWClient1

    • Password—$ABC123

    Congratulations! You are successfully authenticated. Soon, you’ll be redirected to https://192.0.2.1, and you’ll be able to access the HTTPS server.

What's Next

To keep going, visit the J-Web for SRX Series Documentation page in the Juniper TechLibrary.