Understanding Pass-Through Authentication
With pass-through user authentication, when a user attempts to initiate an HTTP, an FTP, or a Telnet connection request that has a policy requiring authentication, the device intercepts the request and prompts the user to enter a username and password. Before granting permission, the device validates the username and password by checking them against those stored in the local database or on an external authentication server, as shown in Figure 30.
Figure 30: Policy Lookup for a User
The steps in Figure 30 are as follows:
1. A client user sends an FTP, an HTTP, or a Telnet packet to 1.2.2.2.
2. The device intercepts the packet, notes that its policy requires authentication from either the local database or an external authentication server, and buffers the packet.
3. The device prompts the user for login information through FTP, HTTP, or Telnet.
4. The user replies with a username and password.
5. The device either checks for an authentication user account on its local database or it sends the login information to the external authentication server as specified in the policy.
6. Finding a valid match (or receiving notice of such a match from the external authentication server), the device informs the user that the login has been successful.
7. The device forwards the packet from its buffer to its destination IP address 1.2.2.2.
After the device authenticates a user at a particular source IP address, it subsequently permits traffic (as specified in the policy requiring pass-through authentication) from any other user at that same address. This might be the case if the user originates traffic from behind a NAT device that changes all original source addresses to a single translated address.
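The following Python model is an added illustration, not Juniper code or device configuration. It walks through the intercept, buffer, prompt, check, and forward sequence and shows the per-address behavior described above: once one user behind a shared NAT address authenticates, a second user at that address is forwarded without a prompt. The class, user names, password, and the 203.0.113.10 and 198.51.100.7 addresses are constructed for the example.

```python
import hmac


class PassThroughDevice:
    """Simplified model of pass-through authentication state on the device."""

    def __init__(self, local_db):
        self.local_db = local_db    # username -> password (constructed sample data)
        self.authenticated = set()  # source IPs that have passed authentication
        self.buffered = {}          # source IP -> packet held while the user is prompted

    def receive(self, src_ip, packet):
        """Intercept a packet: forward it if the source IP is already
        authenticated, otherwise buffer it and prompt for a login."""
        if src_ip in self.authenticated:
            return ("forward", packet)
        self.buffered[src_ip] = packet
        return ("prompt", None)

    def login(self, src_ip, username, password):
        """Check the reply against the local database and, on a match,
        release the buffered packet toward its destination."""
        stored = self.local_db.get(username)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return ("denied", None)
        self.authenticated.add(src_ip)  # state is keyed by address, not by user
        return ("forward", self.buffered.pop(src_ip, None))


def demo():
    nat_ip = "203.0.113.10"    # constructed: translated address shared by alice and bob
    other_ip = "198.51.100.7"  # constructed: a host that is not behind that NAT device
    dev = PassThroughDevice({"alice": "constructed-password"})
    return [
        dev.receive(nat_ip, "alice: HTTP -> 1.2.2.2")[0],       # first packet is held
        dev.login(nat_ip, "alice", "wrong")[0],                 # bad password is refused
        dev.login(nat_ip, "alice", "constructed-password"),     # buffered packet released
        dev.receive(nat_ip, "bob: FTP -> 1.2.2.2")[0],          # bob never logged in
        dev.receive(other_ip, "carol: Telnet -> 1.2.2.2")[0],   # different address
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the model, bob's packet is forwarded because the table records only the translated source address, while carol, arriving from a different address, is still prompted.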
Note: The pass-through user authentication method is recommended in situations when security has a higher priority than convenience. This authentication method applies only to the session and child sessions matching the policy that triggered it. You can apply this method on Internet-facing links, if used with caution.
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Firewall User Authentication Overview
- Understanding Web Authentication
- Example: Configuring Pass-Through Authentication