Example: Configuring Pass-Through Authentication

This example shows how to configure pass-through authentication for a firewall.

Requirements

Before you begin:

Define firewall users. See Firewall User Authentication Overview.

Overview

Pass-through firewall user authentication occurs when a client in one zone tries to reach a destination in another zone using FTP, Telnet, or HTTP. The firewall intercepts the first such session and, acting as a proxy for the FTP, Telnet, or HTTP server, prompts the user for a firewall user name and password before it allows access to the actual server behind the firewall. After a successful login the user's source IP address is recorded in the firewall authentication table, and further traffic from that address that matches the policy is permitted without another prompt until the entry ages out. Two points to keep in mind when you deploy it: the firewall user's credentials travel over the same cleartext protocol the client chose (Telnet in this example), so anyone on the path can read them; and the entry is keyed by source IP address, so every host sharing that address (behind a NAT device, for instance) inherits the authenticated state. Figure 31 shows the topology used in this example.

Figure 31: Configuring Pass-Through Firewall Authentication

Image auth-passthrough.gif

Configuration

CLI Quick Configuration

To quickly configure pass-through authentication, copy the following commands and paste them into the CLI:


[edit]


set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24


set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.2/24


set interfaces ge-5/0/0 unit 0 family inet address 30.30.30.1/24


set interfaces ge-5/0/0 unit 0 family inet address 30.30.30.2/24


set access profile FWAUTH client FWClient1 firewall-user password "$9$kq5Ftu1cSe"


set access firewall-authentication pass-through default-profile FWAUTH


set access firewall-authentication pass-through telnet banner success "WELCOME TO JUNIPER TELNET SESSION"


set security zones security-zone UT-ZONE host-inbound-traffic system-services all


set security zones security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all


set security zones security-zone T-ZONE host-inbound-traffic system-services all


set security zones security-zone T-ZONE interfaces ge-5/0/0.0 host-inbound-traffic protocols all


set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any


set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match destination-address any


set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match application junos-telnet


set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication pass-through client-match FWClient1

Step-by-Step Procedure

The following example requires you to navigate levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure pass-through authentication:

  1. Configure two interfaces and assign IP addresses to them.

    Note: For this example, it is optional to assign two addresses to the interfaces.


    [edit]


    user@host# set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24


    user@host# set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.2/24


    user@host# set interfaces ge-5/0/0 unit 0 family inet address 30.30.30.1/24


    user@host# set interfaces ge-5/0/0 unit 0 family inet address 30.30.30.2/24
  2. Create the FWAUTH access profile, define the FWClient1 firewall user and its password, make FWAUTH the default profile for pass-through authentication, and define a success banner for Telnet sessions. The $9$ string is the reversible obfuscation Junos applies to stored passwords, not a one-way hash; anyone who can read the configuration (including backups) can recover the password, so treat the configuration file as sensitive.

    [edit access]


    user@host# set profile FWAUTH client FWClient1 firewall-user password "$9$kq5Ftu1cSe"


    user@host# set firewall-authentication pass-through default-profile FWAUTH


    user@host# set firewall-authentication pass-through telnet banner success "WELCOME TO JUNIPER TELNET SESSION"
  3. Configure security zones.

    Note: For this example, it is optional to configure a second interface for a security zone. The host-inbound-traffic system-services all statement accepts every management service the device offers on the zone's interfaces; it keeps the example short but is not appropriate outside a lab. Restrict it to the services each zone actually needs (for example, system-services ssh) and confirm that pass-through authentication still succeeds afterward.


    [edit security zones]


    user@host# set security-zone UT-ZONE host-inbound-traffic system-services all


    user@host# set security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all


    user@host# set security-zone T-ZONE host-inbound-traffic system-services all


    user@host# set security-zone T-ZONE interfaces ge-5/0/0.0 host-inbound-traffic protocols all
  4. Assign security policy P1 to the security zones.

    [edit security policies]


    user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any


    user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match destination-address any


    user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match application junos-telnet


    user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication pass-through client-match FWClient1
  5. Use Telnet to authenticate the FWClient1 firewall user to host2. The firewall answers first with its own Firewall User Authentication prompt; only after the firewall user's credentials are accepted and the success banner is shown does the Telnet server's own login prompt appear.

    regress@FWClient1# run telnet 30.30.30.2
    Trying 30.30.30.2...
    Connected to 30.30.30.2.
    Escape character is '^]'.
    Firewall User Authentication
    Username: FWClient1
    Password:***
    WELCOME TO JUNIPER TELNET SESSION
    Host1 (ttyp0)
    login: regress
    Password:
    --- JUNOS 10.1R1.1 built 2009-10-12 13:30:18 UTC
    %
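The client name given in the policy's client-match statement has to match a client defined in the access profile exactly (Junos identifiers are case-sensitive), and a pass-through policy is useless without a profile to authenticate against. The following checker, an added example and not part of the Juniper documentation, reads a block of set commands like the CLI Quick Configuration above and reports those two problems plus any zone that opens host-inbound-traffic system-services all. The embedded configuration is constructed from this example, with a lower-case client-match left in so the checker has something to report; the access-profile form of the policy statement is handled as well, which this example does not use.

```python
"""Added example (not part of the Juniper documentation): sanity checks for
the 'set' commands of a Junos pass-through authentication configuration.

Checks performed:
  * the client named in 'then permit firewall-authentication pass-through
    client-match' must exactly match a client of the access profile in use
    (Junos identifiers are case-sensitive, so FWclient1 is not FWClient1);
  * a pass-through policy needs an access profile, either the pass-through
    default-profile or the policy's own access-profile statement;
  * 'host-inbound-traffic system-services all' on a zone exposes every
    management service the device offers on that zone's interfaces.
"""
import re

# Constructed input: the CLI Quick Configuration from this example, with the
# client-match case mismatch left in so the checker has something to report.
SAMPLE_CONFIG = """
set access profile FWAUTH client FWClient1 firewall-user password "$9$kq5Ftu1cSe"
set access firewall-authentication pass-through default-profile FWAUTH
set security zones security-zone UT-ZONE host-inbound-traffic system-services all
set security zones security-zone T-ZONE host-inbound-traffic system-services all
set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match application junos-telnet
set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication pass-through client-match FWclient1
"""

PROFILE_CLIENT = re.compile(r"^set access profile (\S+) client (\S+) firewall-user\b")
DEFAULT_PROFILE = re.compile(r"^set access firewall-authentication pass-through default-profile (\S+)$")
POLICY_PASSTHROUGH = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"then permit firewall-authentication pass-through (client-match|access-profile) (\S+)$")
OPEN_ZONE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services all$")


def parse_config(text):
    """Collect the statements the checks need from a block of 'set' commands."""
    state = {"clients": {}, "default_profile": None, "policies": {}, "open_zones": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = PROFILE_CLIENT.match(line)
        if m:
            state["clients"].setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = DEFAULT_PROFILE.match(line)
        if m:
            state["default_profile"] = m.group(1)
            continue
        m = POLICY_PASSTHROUGH.match(line)
        if m:
            key = (m.group(1), m.group(2), m.group(3))           # (from-zone, to-zone, policy)
            pol = state["policies"].setdefault(key, {"client_match": [], "access_profile": None})
            if m.group(4) == "client-match":
                pol["client_match"].append(m.group(5))
            else:
                pol["access_profile"] = m.group(5)
            continue
        m = OPEN_ZONE.match(line)
        if m:
            state["open_zones"].append(m.group(1))
    return state


def lint(text):
    """Return human-readable findings; an empty list means every check passed."""
    state = parse_config(text)
    findings = []
    for (src, dst, name), pol in state["policies"].items():
        profile = pol["access_profile"] or state["default_profile"]   # policy profile wins
        where = f"policy {name} ({src} -> {dst})"
        if profile is None:
            findings.append(f"{where}: no access profile (set a pass-through default-profile "
                            f"or the policy's access-profile)")
            continue
        defined = state["clients"].get(profile, set())
        for client in pol["client_match"]:
            if client not in defined:
                hint = ""
                for d in defined:
                    if d.lower() == client.lower():
                        hint = f"; did you mean {d}? Junos names are case-sensitive"
                findings.append(f"{where}: client-match {client} is not a client of profile {profile}{hint}")
    for zone in state["open_zones"]:
        findings.append(f"zone {zone}: host-inbound-traffic system-services all exposes "
                        f"every management service on the zone")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show configuration | display set before you commit; a client-match that names nobody in the profile does not fail at commit time, it simply denies every user at the prompt.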

Results

From configuration mode, confirm your configuration by entering the show interfaces, show access, show security zones, and show security policies commands.

If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).


user@host# show interfaces
...
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 20.20.20.1/24;
            address 20.20.20.2/24;
        }
    }
}
ge-5/0/0 {
    unit 0 {
        family inet {
            address 30.30.30.1/24;
            address 30.30.30.2/24;
        }
    }
}
...


user@host# show access
profile FWAUTH { 
    client FWClient1 {
        firewall-user {
            password "$9$XHhxVYGDkf5F"; ## SECRET-DATA
        }
    }
}
firewall-authentication { 
    pass-through {
        default-profile FWAUTH;
        telnet {
            banner {
                success "WELCOME TO JUNIPER TELNET SESSION";
            }
        }
    }
}


user@host# show security zones
...
}
security-zone UT-ZONE { 
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/1.0 {
            host-inbound-traffic {
                protocols {
                    all;
                }
            }
        }
    }
}
security-zone T-ZONE { 
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-5/0/0.0 {
            host-inbound-traffic {
                protocols {
                    all;
                }
            }
        }
    }
}


user@host# show security policies
...
from-zone UT-ZONE to-zone T-ZONE {
    policy P1 {
        match {
            source-address any;
            destination-address any;
            application junos-telnet;
        }
        then {
            permit {
                firewall-authentication {
                    pass-through {
                        client-match FWClient1;
                    }
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Firewall User Authentication

Purpose

Display firewall authentication user history. Verify the number of firewall users who successfully authenticated and firewall users who failed to log in.

Action

Enter the show security firewall-authentication history command from operational mode; add identifier followed by an entry's Id to see that entry in detail. For more information, see the JUNOS Software CLI Reference. The output below is illustrative only: it was taken from a different configuration (zones dl2 and dl1, access profile wonder, policy lnx2-telnet-lnx1), so the names differ from those in this example. Because policy P1 matches source-address any, every host in the source zone that sends matching Telnet traffic reaches the authentication prompt, so a run of Failed entries from one source address, or Failed entries for user names that do not exist in the profile, is worth investigating.


user@host> show security firewall-authentication history
History of firewall authentication data:
Authentications: 2
Id  Source Ip   Date        Time      Duration  Status   User
1   99.99.99.1  2007-10-12  21:24:02  0:00:24   Failed   troy
2   99.99.99.1  2007-10-12  21:24:48  0:00:22   Success  voyager


user@host> show security firewall-authentication history identifier 1
Username: troy
Source IP: 99.99.99.1
Authentication state: Failed
Authentication method: Pass-through using Telnet
Access start date: 2007-10-12
Access start time: 21:24:02
Duration of user access: 0:00:24
Policy name: lnx2-telnet-lnx1
Source zone: dl2
Destination zone: dl1
Access profile: wonder
Bytes sent by this user: 0
Bytes received by this user: 2660


user@host> show security firewall-authentication users
Firewall authentication data:
Total users in table: 1
Id  Source Ip   Src zone  Dst zone  Profile  Age  Status  User
3   99.99.99.1  dl2       dl1       wonder   1    Failed  TechPubs


user@host> show security firewall-authentication users identifier 3
Username: TechPubs
Source IP: 99.99.99.1
Authentication state: Failed
Authentication method: Pass-through using Telnet
Age: 1
Access time remaining: 9
Source zone: dl2
Destination zone: dl1
Policy name: lnx2-telnet-lnx1
Access profile: wonder
Interface Name: ge-0/0/1.0
Bytes sent by this user: 0
Bytes received by this user: 1521
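The history table answers the question the Purpose above asks (how many succeeded, how many failed) only after you count rows by hand. The script below, an added example that is not part of the Juniper documentation, parses the whitespace-separated rows of show security firewall-authentication history into records, produces those counts per status and per source address, and flags any source address with repeated failures inside a short window, which is what password guessing against the pass-through prompt looks like in this output. The embedded sample is constructed: it repeats the two rows shown above and adds four invented rows from 99.99.99.7 that model a guessing run followed by a successful login. The column layout is assumed to be the one shown on this page.

```python
"""Added example (not from the Juniper documentation): turn the flat text of
'show security firewall-authentication history' into records, count
successes and failures, and look for repeated failures from one source.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: the two rows quoted in the Verification section plus
# four invented rows (source 99.99.99.7) modelling a password-guessing run
# that ends in a successful login.
SAMPLE_HISTORY = """\
History of firewall authentication data:
Authentications: 6
Id Source Ip Date Time Duration Status User
1 99.99.99.1 2007-10-12 21:24:02 0:00:24 Failed troy
2 99.99.99.1 2007-10-12 21:24:48 0:00:22 Success voyager
3 99.99.99.7 2007-10-12 21:30:01 0:00:05 Failed admin
4 99.99.99.7 2007-10-12 21:30:09 0:00:04 Failed root
5 99.99.99.7 2007-10-12 21:30:15 0:00:06 Failed FWClient1
6 99.99.99.7 2007-10-12 21:31:40 0:00:20 Success FWClient1
"""

# One table row: Id, source IP, date, time, duration (h:mm:ss), status, user.
ROW = re.compile(
    r"^(\d+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+"
    r"(\d+):(\d{2}):(\d{2})\s+(Success|Failed)\s+(\S+)$")


@dataclass
class AuthRecord:
    ident: int
    source_ip: str
    started: datetime
    duration: timedelta
    status: str
    user: str


def parse_history(text):
    """Parse the table rows; the header and summary lines do not match and are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ident, ip, date, clock, h, mi, s, status, user = m.groups()
        records.append(AuthRecord(
            ident=int(ident),
            source_ip=ip,
            started=datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            duration=timedelta(hours=int(h), minutes=int(mi), seconds=int(s)),
            status=status,
            user=user))
    return records


def summarize(records):
    """The counts the Verification section asks for, plus failures per source address."""
    by_status = Counter(r.status for r in records)
    failed_by_ip = Counter(r.source_ip for r in records if r.status == "Failed")
    return {
        "total": len(records),
        "success": by_status["Success"],
        "failed": by_status["Failed"],
        "failed_by_ip": dict(failed_by_ip),
    }


def find_bruteforce(records, threshold=3, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` Failed entries inside any `window`-long span."""
    failures = defaultdict(list)
    for r in records:
        if r.status == "Failed":
            failures[r.source_ip].append(r.started)
    flagged = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_history(SAMPLE_HISTORY)
    print(summarize(recs))
    print("repeated failures from:", find_bruteforce(recs))
```

Feed it the real output (for example, saved from the CLI with the | save filename modifier) on a schedule; the history table is bounded and entries age out, so a source that fails a few times an hour will never show more than a handful of rows unless you keep your own copy.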

Monitoring Users and IP Addresses in the Authentication Table

Purpose

Verify a list of users and IP addresses that are currently authenticated by the device in the authentication table.

Action

Enter these show commands from operational mode.


user@host> show security firewall-authentication users


user@host> show security firewall-authentication users identifier num


user@host> show security firewall-authentication users address ipaddress

where num is the Id of an entry in the show security firewall-authentication users table and ipaddress is the source IP address of the authenticated user.
