Example: Configuring Web Authentication
This example shows how to enable Web authentication and set up a policy that allows access to a user when traffic encounters a policy that has Web authentication enabled.
Requirements
Before you begin:
- Define firewall users. See Firewall User Authentication Overview.
- Add the Web authentication HTTP flag under the interface's address hierarchy to enable Web authentication.
Overview
To enable Web authentication, you must specify the IP address of the device hosting the HTTP session. These settings apply when a firewall user who wants to reach a protected resource chooses to authenticate by browsing directly to the device's Web authentication address. The following instructions show how to set up a policy that allows access to the FWClient1 user when traffic encounters a policy that has Web authentication enabled (Policy-W). (See Figure 33.) In this example, FWClient1 has already authenticated through the Web authentication login page.
The FWClient1 firewall user does the following to get authenticated:
- Points the browser to the Web authentication IP (20.20.20.1) to get authenticated first
- Starts traffic to access resources specified by the policy-W policy
Figure 33: Web Authentication Example
When you configure the device as described in these instructions and the user successfully authenticates, the screen illustrated in Figure 34 appears.
Figure 34: Web Authentication Success Banner
Configuration
CLI Quick Configuration
To quickly configure Web authentication as illustrated in Figure 33, copy the following commands and paste them into the CLI:
[edit]
set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24 web-authentication http
set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.2/24
set interfaces fe-5/0/0 unit 0 family inet address 30.30.30.1/24
set interfaces fe-5/0/0 unit 0 family inet address 30.30.30.2/24
set access profile WEBAUTH client FWClient1 firewall-user password "$9$kq5Ftu1cSe"
set access firewall-authentication web-authentication default-profile WEBAUTH
set access firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"
set security zones security-zone UT-ZONE host-inbound-traffic system-services all
set security zones security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
set security zones security-zone T-ZONE host-inbound-traffic system-services all
set security zones security-zone T-ZONE interfaces fe-5/0/0.0 host-inbound-traffic protocols all
set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any
set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match destination-address any
set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match application any
set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication web-authentication client-match FWClient1
set system services web-management http interface ge-0/0/0.0
Step-by-Step Procedure
The following example requires you to navigate levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure Web authentication:
- Configure two interfaces and assign IP addresses to them.
Note: For this example, it is optional to assign two addresses to the interfaces.
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24 web-authentication http
user@host# set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.2/24
user@host# set interfaces fe-5/0/0 unit 0 family inet address 30.30.30.1/24
user@host# set interfaces fe-5/0/0 unit 0 family inet address 30.30.30.2/24
- Create the WEBAUTH access profile for the FWClient1 user, specify the user's password, and define a success banner.
[edit access]
user@host# set profile WEBAUTH client FWClient1 firewall-user password "$9$kq5Ftu1cSe"
user@host# set firewall-authentication web-authentication default-profile WEBAUTH
user@host# set firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"
- Configure security zones.
Note: For this example, it is optional to configure a second interface for a security zone.
[edit security zones]
user@host# set security-zone UT-ZONE host-inbound-traffic system-services all
user@host# set security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
user@host# set security-zone T-ZONE host-inbound-traffic system-services all
user@host# set security-zone T-ZONE interfaces fe-5/0/0.0 host-inbound-traffic protocols all
- Assign security policy P1 to the security zones.
[edit security policies]
user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any
user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match destination-address any
user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 match application any
user@host# set from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication web-authentication client-match FWClient1
- Activate the HTTP daemon on your device.
[edit]
user@host# set system services web-management http interface ge-0/0/0.0
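Two mistakes that quietly break a Web authentication policy are a security zone bound to an interface unit that was never configured and a client-match value that does not exactly match a client name in the access profile (Junos identifiers are case-sensitive, so FWclient1 and FWClient1 are different clients). The Python script below is an added example, not code from the Junos documentation or from JUNOS Software; it parses flat set statements like the ones in this example and reports those inconsistencies, plus a Web authentication address whose zone does not accept HTTP. SAMPLE_CONFIG is a constructed variant of this example's quick configuration with both defects deliberately introduced, and its password value is a placeholder.

```python
"""Consistency checks for a Junos-style flat 'set' configuration.

Added example, not code from the Junos documentation or from JUNOS
Software. It parses 'set ...' statements and flags mismatches that
silently break Web authentication.
"""
import shlex
from collections import defaultdict

# Constructed sample modelled on this example's quick configuration, with
# two deliberate defects: zone T-ZONE binds ge-5/0/0.0 while the interface
# is configured as fe-5/0/0, and the policy's client-match says FWclient1
# while the access profile defines FWClient1. The password is a placeholder.
SAMPLE_CONFIG = """
set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24 web-authentication http
set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.2/24
set interfaces fe-5/0/0 unit 0 family inet address 30.30.30.1/24
set access profile WEBAUTH client FWClient1 firewall-user password "$9$PLACEHOLDER"
set access firewall-authentication web-authentication default-profile WEBAUTH
set security zones security-zone UT-ZONE host-inbound-traffic system-services all
set security zones security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
set security zones security-zone T-ZONE host-inbound-traffic system-services all
set security zones security-zone T-ZONE interfaces ge-5/0/0.0 host-inbound-traffic protocols all
set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any
set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication web-authentication client-match FWclient1
set system services web-management http interface ge-0/0/0.0
"""


def parse_set_commands(text):
    """Return one token list per 'set' statement; quoted values stay whole."""
    return [shlex.split(line.strip())[1:]
            for line in text.splitlines()
            if line.strip().startswith("set ")]


def build_model(commands):
    """Pull out the pieces of the configuration that Web authentication relies on."""
    model = {
        "ifls": set(),                        # configured logical interfaces, e.g. ge-0/0/1.0
        "webauth_ifls": set(),                # IFLs carrying a web-authentication http address
        "zone_of_ifl": {},                    # IFL -> zone that binds it
        "zone_services": defaultdict(set),    # zone -> host-inbound system-services
        "profile_clients": defaultdict(set),  # access profile -> client names
        "default_profile": None,
        "client_matches": [],                 # (policy name, client-match value)
    }
    for t in commands:
        if t[0] == "interfaces" and "unit" in t:
            ifl = f"{t[1]}.{t[t.index('unit') + 1]}"
            model["ifls"].add(ifl)
            if "web-authentication" in t and "http" in t:
                model["webauth_ifls"].add(ifl)
        elif t[:3] == ["security", "zones", "security-zone"]:
            zone = t[3]
            if "interfaces" in t:
                model["zone_of_ifl"][t[t.index("interfaces") + 1]] = zone
            if "system-services" in t:
                model["zone_services"][zone].add(t[t.index("system-services") + 1])
        elif t[:2] == ["access", "profile"] and "client" in t:
            model["profile_clients"][t[2]].add(t[t.index("client") + 1])
        elif t[:2] == ["access", "firewall-authentication"] and "default-profile" in t:
            model["default_profile"] = t[t.index("default-profile") + 1]
        elif t[:2] == ["security", "policies"] and "client-match" in t:
            policy = t[t.index("policy") + 1]
            model["client_matches"].append((policy, t[t.index("client-match") + 1]))
    return model


def check_web_auth(model):
    """Return human-readable findings; an empty list means the pieces line up."""
    findings = []
    for ifl, zone in sorted(model["zone_of_ifl"].items()):
        if ifl not in model["ifls"]:
            findings.append(f"zone {zone} binds {ifl}, which is not a configured interface unit")
    for ifl in sorted(model["webauth_ifls"]):
        zone = model["zone_of_ifl"].get(ifl)
        if zone is None:
            findings.append(f"web-authentication address on {ifl}, but {ifl} belongs to no zone")
        elif not model["zone_services"].get(zone, set()) & {"all", "http", "https"}:
            findings.append(f"zone {zone} does not accept http host-inbound traffic, "
                            f"so the login page on {ifl} is unreachable")
    profile = model["default_profile"]
    known = model["profile_clients"].get(profile, set())
    for policy, wanted in model["client_matches"]:
        if wanted not in known:
            near = [c for c in known if c.lower() == wanted.lower()]
            hint = f" (differs only in case from {near[0]})" if near else ""
            findings.append(f"policy {policy} client-match {wanted} is not a client "
                            f"of profile {profile}{hint}")
    return findings


def lint(config_text):
    """Parse, model and check a flat 'set' configuration in one call."""
    return check_web_auth(build_model(parse_set_commands(config_text)))


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no Web authentication inconsistencies found"]:
        print(finding)
```

Run it over the output of show configuration | display set (or over the pasted quick configuration) before committing; both defects in the sample are reported, and correcting them to fe-5/0/0.0 and FWClient1 produces an empty finding list.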
Results
Confirm your configuration by entering these commands from configuration mode:
- show interfaces
- show access
- show security zones
- show security policies
- show system services
If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
user@host# show interfaces
...
ge-0/0/1 {
    unit 0 {
        family inet {
            address 20.20.20.1/24 {
                web-authentication http;
            }
            address 20.20.20.2/24;
        }
    }
}
fe-5/0/0 {
    unit 0 {
        family inet {
            address 30.30.30.1/24;
            address 30.30.30.2/24;
        }
    }
}
...
user@host# show access
profile WEBAUTH {
    client FWClient1 {
        firewall-user {
            password "$9$XHhxVYGDkf5F"; ## SECRET-DATA
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile WEBAUTH;
        banner {
            success "WEB AUTH LOGIN SUCCESS";
        }
    }
}
user@host# show security zones
...
security-zone UT-ZONE {
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/1.0 {
            host-inbound-traffic {
                protocols {
                    all;
                }
            }
        }
    }
}
security-zone T-ZONE {
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        fe-5/0/0.0 {
            host-inbound-traffic {
                protocols {
                    all;
                }
            }
        }
    }
}
user@host# show security policies
...
from-zone UT-ZONE to-zone T-ZONE {
    policy P1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                firewall-authentication {
                    web-authentication {
                        client-match FWClient1;
                    }
                }
            }
        }
    }
}
user@host# show system services
...
web-management {
    http {
        interface ge-0/0/0.0;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying Firewall User Authentication
- Monitoring Users and IP Addresses in the Authentication Table
Verifying Firewall User Authentication
Purpose
Display firewall authentication user history. Verify the number of firewall users who successfully authenticated and firewall users who failed to log in.
Action
Enter the show security firewall-authentication history command from operational mode. For more information, see the JUNOS Software CLI Reference.
user@host> show security firewall-authentication history
History of firewall authentication data:
 Authentications: 2
 Id  Source Ip    Date        Time      Duration  Status   User
 1   99.99.99.1   2007-10-12  21:24:02  0:00:24   Failed   troy
 2   99.99.99.1   2007-10-12  21:24:48  0:00:22   Success  voyager

user@host> show security firewall-authentication history identifier 1
Username: troy
Source IP: 99.99.99.1
Authentication state: Failed
Authentication method: Pass-through using Telnet
Access start date: 2007-10-12
Access start time: 21:24:02
Duration of user access: 0:00:24
Policy name: lnx2-telnet-lnx1
Source zone: dl2
Destination zone: dl1
Access profile: wonder
Bytes sent by this user: 0
Bytes received by this user: 2660
Client-groups: Sunnyvale Bangalore

user@host> show security firewall-authentication users
Firewall authentication data:
 Total users in table: 1
 Id  Source Ip    Src zone  Dst zone  Profile  Age  Status  User
 3   99.99.99.1   dl2       dl1       wonder   1    Failed  TechPubs

user@host> show security firewall-authentication users identifier 3
Username: TechPubs
Source IP: 99.99.99.1
Authentication state: Failed
Authentication method: Pass-through using Telnet
Age: 1
Access time remaining: 9
Source zone: dl2
Destination zone: dl1
Policy name: lnx2-telnet-lnx1
Access profile: wonder
Interface Name: ge-0/0/1.0
Bytes sent by this user: 0
Bytes received by this user: 1521
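The history table is also the raw material for a simple defensive check: several failed logins from one source address within a short window deserve a look regardless of which user names were tried. The Python below is an added example, not code from the Junos documentation or from JUNOS Software; it parses the table rows of show security firewall-authentication history into records, summarizes them per source address, and reports addresses with a burst of failures. SAMPLE_HISTORY is constructed: it keeps the two rows shown in this example and adds four invented rows from a second address so the check has something to report.

```python
"""Summarise Junos 'show security firewall-authentication history' output.

Added example, not code from the Junos documentation or from JUNOS
Software. It parses the history table into records and flags source
addresses with a burst of failed logins.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the two rows shown in this example plus four invented
# rows from a second address, so that the burst check has something to find.
# Column layout follows the command's table as reproduced on this page.
SAMPLE_HISTORY = """\
History of firewall authentication data:
 Authentications: 6
 Id  Source Ip    Date        Time      Duration  Status   User
 1   99.99.99.1   2007-10-12  21:24:02  0:00:24   Failed   troy
 2   99.99.99.1   2007-10-12  21:24:48  0:00:22   Success  voyager
 3   99.99.99.7   2007-10-12  21:30:01  0:00:05   Failed   guest
 4   99.99.99.7   2007-10-12  21:30:09  0:00:04   Failed   test
 5   99.99.99.7   2007-10-12  21:30:15  0:00:05   Failed   FWClient1
 6   99.99.99.7   2007-10-12  21:30:20  0:00:06   Failed   troy
"""

# One table row: Id, Source Ip, Date, Time, Duration, Status, User.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<duration>\d+:\d{2}:\d{2})\s+"
    r"(?P<status>Failed|Success)\s+"
    r"(?P<user>\S+)\s*$"
)


def parse_history(text):
    """Return one dict per table row; header and summary lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["id"] = int(rec["id"])
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def summarize_by_ip(records):
    """Per source address: failed count, success count and the user names seen."""
    summary = defaultdict(lambda: {"failed": 0, "success": 0, "users": set()})
    for r in records:
        s = summary[r["ip"]]
        s["failed" if r["status"] == "Failed" else "success"] += 1
        s["users"].add(r["user"])
    return dict(summary)


def flag_failure_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: total failures} for addresses with `threshold` failures inside `window`."""
    failures = defaultdict(list)
    for r in records:
        if r["status"] == "Failed":
            failures[r["ip"]].append(r["when"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures along the timeline.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_history(SAMPLE_HISTORY)
    for ip, s in sorted(summarize_by_ip(recs).items()):
        print(f"{ip}: {s['failed']} failed, {s['success']} succeeded, users={sorted(s['users'])}")
    for ip, n in flag_failure_bursts(recs).items():
        print(f"burst of failed logins from {ip} ({n} failures)")
```

On the sample, 99.99.99.1 shows one failure and one success and is not flagged, while 99.99.99.7 is flagged with four failures inside nineteen seconds; threshold and window are parameters so the check can be tuned to the size and login patterns of the user population.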
Monitoring Users and IP Addresses in the Authentication Table
Purpose
Verify a list of users and IP addresses that are currently authenticated by the device in the authentication table.
Action
Enter these show commands from operational mode.
user@host> show security firewall-authentication users
user@host> show security firewall-authentication users identifier num
user@host> show security firewall-authentication users address ipaddress
where:
- users—Shows the list of users and IP addresses currently authenticated by JUNOS Software.
- identifier—Shows more details on a specific row.
- address—Shows more details on a specific IP address.
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Understanding Web Authentication
- Understanding Firewall Authentication Banner Customization
- Security Zones and Interfaces Overview