Supported Platforms
Related Documentation
- SRX Series
- Overview of Integrated User Firewall
- policies
- show services user-identification active-directory-access active-directory-authentication-table
- show services user-identification active-directory-access domain-controller
- show services user-identification active-directory-access statistics
- show services user-identification active-directory-access user-group-mapping
Example: Configuring Integrated User Firewall
This example shows how to implement the integrated user firewall feature by configuring a Windows Active Directory domain, an LDAP base, unauthenticated users to be directed to captive portal, and a security policy based on a source identity.
Requirements
This example uses the following hardware and software components:
- One SRX Series device
- Junos OS Release 12.1X47-D10 or later for SRX Series devices
No special configuration beyond device initialization is required before configuring this feature.
Overview
In a typical scenario for the integrated user firewall feature, domain and non-domain users want to access the Internet through an SRX Series device. The SRX Series reads and analyzes the event logs of the domain controllers configured for the domain, and in this way detects domain users logging on from Active Directory domain computers. From these events it builds an authentication table, which serves as the Active Directory authentication source for the feature, and it enforces security policies against that table to achieve user-based or group-based access control.
A non-domain user, or a domain user on a non-domain computer, does not appear in the domain controller event log. For such users the network administrator configures a captive portal that forces the user through firewall authentication (where the SRX Series supports captive portal for the traffic type). After the user enters a username and password and passes firewall authentication, the SRX Series obtains the user-to-group mapping for that user from firewall authentication and can enforce user firewall policy on the user accordingly.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To establish a Windows Active Directory domain, to configure captive portal, and to configure another security policy, perform the steps in this section.
Once configured, when traffic arrives, the SRX Series consults the user firewall process, which in turn consults the Active Directory authentication source to determine whether the source IP address has an entry in its authentication table. If the user firewall finds an authentication entry, the SRX Series evaluates the policy configured in Step 4 (p2) for that user. If it finds no entry, the source matches the predefined identity "unauthenticated-user" and the SRX Series applies the policy configured in Step 3 (p1), which redirects the user to the captive portal.
- Configure the LDAP base distinguished name.

  [edit services user-identification]
  user@host# set active-directory-access domain example.net user-group-mapping ldap base DC=example,DC=net

- Configure a domain name, the username and password of the domain, and the name and IP address of the domain controller in the domain.

  [edit services user-identification]
  user@host# set active-directory-access domain example.net user administrator password xxxxx
  user@host# set active-directory-access domain example.net domain-controller ad1 address 192.0.2.15

- Configure an access profile for firewall authentication, and a policy for the source identity "unauthenticated-user" that sends matching traffic to the firewall authentication captive portal.

  [edit access profile profile1]
  user@host# set authentication-order ldap
  user@host# set authentication-order password
  user@host# set ldap-options base-distinguished-name DC=acme,DC=net
  user@host# set ldap-options search search-filter cn=
  user@host# set ldap-options search admin-search distinguished-name admin
  user@host# set ldap-options search admin-search password pw1593
  user@host# set ldap-server 192.0.2.3

  [edit security policies from-zone trust to-zone untrust policy p1]
  user@host# set match source-address any
  user@host# set match destination-address any
  user@host# set match application any
  user@host# set match source-identity unauthenticated-user
  user@host# set then permit firewall-authentication user-firewall access-profile profile1

- Configure a second policy to permit a specific user.

  [edit security policies from-zone trust to-zone untrust policy p2]
  user@host# set match source-address any
  user@host# set match destination-address any
  user@host# set match application any
  user@host# set match source-identity "example.net\galenrikka"
  user@host# set then permit
Note: When you specify a source identity in a policies statement, prepend the domain name and a backslash to the group name or username. Enclose the combination in quotation marks.
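The lookup order the steps above configure (source IP first checked against the authentication table, then the policy list evaluated top to bottom) is easy to get wrong when writing policies, so here is an added Python model of it. This is illustrative code written for this page, not Junos OS code or device output: the authentication table rows, the IP addresses, and the policy actions are constructed to mirror the example (domain example.net, policies p1 and p2), and the match rules (case-insensitive comparison of "domain\name" strings, "any" matching every source, implicit deny when no policy matches) are modelling assumptions.

```python
"""Model of the integrated user firewall lookup: source IP -> authentication
table -> first matching security policy.  Added example; the table, policies
and addresses are constructed to mirror the configuration above."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

UNAUTHENTICATED = "unauthenticated-user"   # predefined source-identity keyword


@dataclass(frozen=True)
class AuthEntry:
    """One row of the Active Directory authentication table: the user seen in
    the domain controller event log and the groups returned by the LDAP
    user-group-mapping."""
    domain: str
    user: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Policy:
    name: str
    source_identity: str   # "any", UNAUTHENTICATED, or "domain\\user-or-group"
    action: str


# Constructed authentication table keyed by source IP (not real device output).
AUTH_TABLE: Dict[str, AuthEntry] = {
    "10.1.1.11": AuthEntry("example.net", "galenrikka",
                           frozenset({"Domain Users", "engineering"})),
    "10.1.1.12": AuthEntry("example.net", "jdoe", frozenset({"Domain Users"})),
}

# Policies in configured order: p1 (Step 3) then p2 (Step 4) from the example.
POLICIES: List[Policy] = [
    Policy("p1", UNAUTHENTICATED, "permit firewall-authentication (captive portal)"),
    Policy("p2", "example.net\\galenrikka", "permit"),
]


def identities_for(src_ip: str, table: Dict[str, AuthEntry]) -> Set[str]:
    """Source-identity strings this IP can match: the user itself plus every
    group it belongs to, in the "domain\\name" form used in policy statements.
    An IP with no table entry matches only "unauthenticated-user"."""
    entry = table.get(src_ip)
    if entry is None:
        return {UNAUTHENTICATED}
    names = {entry.user, *entry.groups}
    return {f"{entry.domain}\\{n}" for n in names}


def evaluate(src_ip: str, policies: List[Policy],
             table: Dict[str, AuthEntry]) -> Tuple[Optional[str], str]:
    """First-match policy lookup.  Assumptions: names compare case-insensitively
    (Active Directory semantics) and an unmatched flow falls to an implicit deny."""
    ids = {i.casefold() for i in identities_for(src_ip, table)}
    for p in policies:
        if p.source_identity == "any" or p.source_identity.casefold() in ids:
            return p.name, p.action
    return None, "deny"


def captive_portal_login(src_ip: str, domain: str, user: str, groups: Set[str],
                         table: Dict[str, AuthEntry]) -> None:
    """A successful captive-portal (firewall) authentication adds an entry for the
    source IP, so later traffic from it is evaluated as that user."""
    table[src_ip] = AuthEntry(domain, user, frozenset(groups))


if __name__ == "__main__":
    for ip in ("10.1.1.11", "10.1.1.12", "10.1.1.99"):
        print(ip, evaluate(ip, POLICIES, AUTH_TABLE))
    # A non-domain host authenticates at the captive portal as galenrikka and
    # from then on hits p2 instead of p1.
    captive_portal_login("10.1.1.99", "example.net", "galenrikka",
                         {"Domain Users"}, AUTH_TABLE)
    print("10.1.1.99", evaluate("10.1.1.99", POLICIES, AUTH_TABLE))
```

Running the model shows the point a practitioner wants to check before committing: jdoe is in the authentication table, so she never matches "unauthenticated-user" and is never sent to the captive portal, but p2 names only galenrikka, so her traffic falls through to the implicit deny. A policy whose source identity is a group (for example "example.net\Domain Users") is the usual way to cover every domain user, and the model accepts that form because group names are expanded the same way as the username.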
Results
From configuration mode, confirm your integrated user firewall configuration by entering the show services user-identification active-directory-access command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
From configuration mode, confirm your policy configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying Connectivity to a Domain Controller
- Verifying the LDAP Server
- Verifying Authentication Table Entries
- Verifying IP-to-User Mapping
- Verifying IP Probe Counts
- Verifying User-to-Group Mapping Queries
Verifying Connectivity to a Domain Controller
Purpose
Verify that at least one domain controller is configured and connected.
Action
From operational mode, enter the show services user-identification active-directory-access domain-controller status command.
Meaning
The domain controller is shown to be connected or disconnected.
Verifying the LDAP Server
Purpose
Verify that the LDAP server is providing user-to-group mapping information.
Action
From operational mode, enter the show services user-identification active-directory-access user-group-mapping status command.
Meaning
The LDAP server address, port number, and status are displayed.
Verifying Authentication Table Entries
Purpose
Display the users, their group memberships, and the associated IP addresses for each domain.
Action
From operational mode, enter the show services user-identification active-directory-access active-directory-authentication-table all command.
Meaning
The IP addresses, usernames, and groups are displayed for each domain.
Verifying IP-to-User Mapping
Purpose
Verify that the event log is being scanned.
Action
From operational mode, enter the show services user-identification active-directory-access statistics ip-user-mapping command.
Meaning
The counts of the queries and failed queries are displayed.
Verifying IP Probe Counts
Purpose
Verify that IP probes are occurring.
Action
From operational mode, enter the show services user-identification active-directory-access statistics ip-user-probe command.
Meaning
The counts of the IP probes and failed IP probes are displayed.
Verifying User-to-Group Mapping Queries
Purpose
Verify that user-to-group mappings are being queried.
Action
From operational mode, enter the show services user-identification active-directory-access statistics user-group-mapping command.
Meaning
The counts of the queries and failed queries are displayed.
Published: 2014-05-13