JNCIS-SEC [ Firewall User Authentication ]

With firewall authentication,  users can be restricted. If a user tries to access a network resource, they will be asked for username/password.  Authentication methods are;

* local password database
* RADIUS
* LDAP
* SecurID

There are two types of user authentication available

* Pass-through authentication: Users are authenticated when they try to access a network resource
* Web authentication: Users first should authenticate themselves connecting into the Junos device.

Pass-through Authentication

1) create a profile

[edit access]
root@host# show
profile 3rdfloor {
    client john {
        firewall-user {
            password “$9$g14UHf5F/A0z3cyeK8LUji”; ## SECRET-DATA
        }
    }
}
2) associate this profile with an authentication type
[edit access firewall-authentication]
root@host# show
pass-through {
    default-profile 3rdfloor;
    telnet {
        banner {
            success “Heyy, it worked”;
            fail “Hmm, try once again”;
        }
    }
}
3) Apply pass-through authentication to policy as action
[edit security policies from-zone trust to-zone untrust]
root@host# show
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            firewall-authentication {
                pass-through {
                    client-match john;
                }
            }
        }
        count;
    }
}

Web Authentication

If a user needs to access a remote resource,  first SRX device must be accessed to get access.  For example an interface IP of SRX must be accessed via HTTP and user/password must be provided.
Because http access into the security device isn’t allowed by default, first enable this as follows;

[edit system services]
root@host# show 
ssh;
telnet;
xnm-clear-text;
web-management {
    http;
}
then enable authentication on the interface
[edit interfaces ge-0/0/8 unit 0]
root@host# show
family inet {
    address 10.200.2.200/24 {
        web-authentication http;
    }
}
The rest of the configuration is more or less the same like pass-through authentication
1) Create profile first (you can also use the same profile used in pass-through)
[edit access]
root@host# show
profile 4rdfloor {
    client alice {
        firewall-user {
            password “$9$1YdESeLxdgoGvWoGDif5IEcyvWX7-w24”; ## SECRET-DATA
        }
    }
}
2) Associate access profile with authentication type

[edit access firewall-authentication web-authentication]
root@host# show 
default-profile 4rdfloor;
banner {
    success “heyy, it worked”;
}
3) Apply web authentication
[edit security policies from-zone trust to-zone untrust]
root@host# show
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            firewall-authentication {
                web-authentication {
                    client-match alice;
                }
            }
        }
        count;
    }
}

Client Groups

One handy feature of assigning multiple users into one policy is using client groups. Here is how to do it;

[edit access profile 3rdfloor]
root@host# show 
client bob {
    client-group engineering;
    firewall-user {
        password “$9$MxeL7VgoGqmTwYmTz3tpWLxNwY4aZjk.”; ## SECRET-DATA
    }
}
client jack {
    client-group engineering;
    firewall-user {
        password “$9$fQ390BEevLApvLxNY25QFnApO1RSlK”; ## SECRET-DATA
    }
}
client john {
    client-group engineering;
    firewall-user {
        password “$9$g14UHf5F/A0z3cyeK8LUji”; ## SECRET-DATA
    }
}
As it can be seen, client group engineering is created under profile 3rdfloor.   You can assign this to a policy just like a regular client-match statement. Instead of username just put “engineering” that is it. One user can also be assigned to multiple groups.
***One thing to note is that firewall authentication is based on the source IP address, which means one authentication is successful, all the sessions from the sme source IP address aren’t subject to any authentication within the idle timeout period. This idle timeout is configured as below. Default is 10 minutes. If the client is idle during this period, he must re-authenticate himself.
[edit access profile 3rdfloor]
root@host# show
session-options {
    client-idle-timeout 20;
}

Different Authentication sources in Access Profiles

[edit access profile 3rdfloor]
root@host# show
authentication-order [ ldap password ];
ldap-options {
    base-distinguished-name example.com;
    search {
        search-filter cn=admin;
    }
}
ldap-server {
    192.168.1.2;
}
External servers can also be configured e.g ldap .  Important thing to pay attention is
     a) There can be only one external authentication server along with local password authentication
     b) If the ldap server or radius server is unreachable, local password database is also consulted
     c) If external authentication fails, local password database isn’t consulted and access denied.

Several Commands

Authentication table:
root@host> show security firewall-authentication users
Firewall authentication data:
  Total users in table: 0
History:
root@host> show security firewall-authentication history
History of firewall authentication data:
  Authentications: 0

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


One thought on “JNCIS-SEC [ Firewall User Authentication ]”

  1. Nice post, but I did similar setup for passthrough and I find after creating a user, the user doesnt show up with “show security firewall-authentication history” command and so cannot login, what could be wrong, see my configs below:

    set version 12.1X46-D25.7
    set system root-authentication encrypted-password “$1$ywgux336$RfXLfArkojeoJccXjhaqo0”
    set system name-server 41.217.204.165
    set system name-server 8.8.8.8
    set system services web-management http interface ge-0/0/1.0
    set interfaces ge-0/0/0 unit 0 family inet address 10.73.73.247/24
    set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24 preferred
    set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.2/24 web-authentication http
    set routing-options static route 0.0.0.0/0 next-hop 10.73.73.3
    set security policies from-zone USER to-zone WEBSERVER policy USERWEB match source-address any
    set security policies from-zone USER to-zone WEBSERVER policy USERWEB match destination-address any
    set security policies from-zone USER to-zone WEBSERVER policy USERWEB match application any
    set security policies from-zone USER to-zone WEBSERVER policy USERWEB then permit firewall-authentication pass-through access-profile Server-Access
    set security policies from-zone USER to-zone WEBSERVER policy USERWEB then permit firewall-authentication pass-through web-redirect
    set security policies from-zone USER to-zone WEBSERVER policy USER-WEB match source-address any
    set security policies from-zone USER to-zone WEBSERVER policy USER-WEB match destination-address any
    set security policies from-zone USER to-zone WEBSERVER policy USER-WEB match application any
    set security policies from-zone USER to-zone WEBSERVER policy USER-WEB then permit
    set security policies from-zone WEBSERVER to-zone USER policy WEBUSER match source-address any
    set security policies from-zone WEBSERVER to-zone USER policy WEBUSER match destination-address any
    set security policies from-zone WEBSERVER to-zone USER policy WEBUSER match application any
    set security policies from-zone WEBSERVER to-zone USER policy WEBUSER then permit
    set security policies from-zone USER to-zone USER policy USER-USER match source-address any
    set security policies from-zone USER to-zone USER policy USER-USER match destination-address any
    set security policies from-zone USER to-zone USER policy USER-USER match application any
    set security policies from-zone USER to-zone USER policy USER-USER then permit
    set security zones security-zone WEBSERVER host-inbound-traffic system-services all
    set security zones security-zone WEBSERVER host-inbound-traffic protocols all
    set security zones security-zone WEBSERVER interfaces ge-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone WEBSERVER interfaces ge-0/0/0.0 host-inbound-traffic protocols all
    set security zones security-zone USER host-inbound-traffic system-services all
    set security zones security-zone USER host-inbound-traffic protocols all
    set security zones security-zone USER interfaces ge-0/0/1.0 host-inbound-traffic system-services all
    set security zones security-zone USER interfaces ge-0/0/1.0 host-inbound-traffic protocols all
    set access profile Server-Access client admin firewall-user password “$9$Hq.53nCO1hfTORhclegoaUk.”
    set access profile Server-Access client user firewall-user password “$9$Ec3hlM8LNbYoxNmT39OBxNdVwg”
    set access firewall-authentication pass-through default-profile Server-Access
    set access firewall-authentication pass-through http banner success “Login Successfully!”

You have a feedback?

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading