Example: Configuring Local Users for Client Groups
This example shows how to configure a local user for client groups in a profile.
Requirements
Before you begin:
Create an access profile called Managers.
Overview
A client group is a list of groups to which the client belongs. As with client-idle timeout, a client group is used only if the external authentication server does not return a value in its response (for example, LDAP servers do not return such information).
This example shows how to configure a local user called Client-1 for client groups G1, G2, and G3 in a profile called Managers. Within this example, client groups are configured for a client. If a client group is not defined for the client, then the client group under the access profile session-options hierarchy is used.
Configuration
CLI Quick Configuration
To quickly configure a local user for client groups in a profile, copy the following commands and paste them into the CLI:
[edit]
set access profile Managers client Client-1 client-group G1
set access profile Managers client Client-1 client-group G2
set access profile Managers client Client-1 client-group G3
set access profile Managers client Client-1 firewall-user password "$9$kq5Ftutb1H"
set access profile Managers session-options client-group G1
set access profile Managers session-options client-group G2
set access profile Managers session-options client-group G3
Step-by-Step Procedure
The following example requires you to navigate levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure a local user for client groups in a profile:
- Configure the Client-1 firewall user and assign it to client groups G1, G2, and G3.
[edit access profile Managers]
user@host# set client Client-1 client-group G1
user@host# set client Client-1 client-group G2
user@host# set client Client-1 client-group G3
user@host# set client Client-1 firewall-user password "$9$db8Fgxg64e"
- Configure client groups in the session options.
[edit access profile Managers]
user@host# set session-options client-group G1
user@host# set session-options client-group G2
user@host# set session-options client-group G3
Results
Confirm your configuration by entering the show access profile Managers command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. The firewall-user password is displayed in the Junos $9$ obfuscated form and tagged ## SECRET-DATA; $9$ encoding is reversible, not a hash, so protect saved or exported copies of the configuration accordingly.
user@host# show access profile Managers
client Client-1 {
    client-group [ G1 G2 G3 ];
    firewall-user {
        password "$9$jpimT9A0REyn6yl"; ## SECRET-DATA
    }
}
session-options {
    client-group [ G1 G2 G3 ];
}
If you are done configuring the device, enter commit from configuration mode.
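The following Python script is an example added to this page; it is not JUNOS code and does not come from the JUNOS documentation. It parses the show access profile output above (Junos brace format) and applies the client-group precedence from the Overview: groups returned by the external authentication server are used first, then the client-group configured under the matching client entry, then the client-group under session-options. The sample profile is constructed: Client-2 and the Guests group are additions that do not appear in this example, and the $9$ strings are placeholders.

```python
import re

# Constructed sample of "show access profile" output in Junos brace format. Client-1
# mirrors the Results section of this page; Client-2 (which has no client-group of
# its own) and the "Guests" session-options group are added here so that the
# fallback is visible. The $9$ strings are placeholders, not real secrets.
SAMPLE_PROFILE = """\
client Client-1 {
    client-group [ G1 G2 G3 ];
    firewall-user {
        password "$9$jpimT9A0REyn6yl"; ## SECRET-DATA
    }
}
client Client-2 {
    firewall-user {
        password "$9$placeholder"; ## SECRET-DATA
    }
}
session-options {
    client-group Guests;
}
"""

# Junos prints a one-member list without brackets ("client-group G1;") and a
# multi-member list in brackets ("client-group [ G1 G2 G3 ];"); accept both.
GROUP_RE = re.compile(r"^client-group\s+(?:\[\s*(.*?)\s*\]|(\S+?));$")
CLIENT_RE = re.compile(r"^client\s+(\S+)\s*\{$")


def parse_access_profile(text):
    """Return (clients, session_groups): a dict of client name -> list of client
    groups, and the list of client groups configured under session-options."""
    clients = {}
    session_groups = []
    current = None  # ("client", name) or ("session-options", None) while inside that block
    depth = 0       # brace nesting depth; client-group lines of interest sit at depth 1
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            m = CLIENT_RE.match(line)
            if m:
                current = ("client", m.group(1))
                clients.setdefault(m.group(1), [])
            elif line == "session-options {":
                current = ("session-options", None)
        elif depth == 1 and current is not None:
            g = GROUP_RE.match(line)
            if g:
                listed = g.group(1) if g.group(1) is not None else g.group(2)
                if current[0] == "client":
                    clients[current[1]].extend(listed.split())
                else:
                    session_groups.extend(listed.split())
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return clients, session_groups


def effective_client_groups(profile, username, server_groups=None):
    """Resolve the client groups that apply to an authenticated user, in the
    precedence the Overview describes: groups returned by the external
    authentication server win; otherwise the client entry's own client-group;
    otherwise the client-group under session-options."""
    clients, session_groups = profile
    if server_groups:
        return list(server_groups)
    if clients.get(username):
        return list(clients[username])
    return list(session_groups)


if __name__ == "__main__":
    profile = parse_access_profile(SAMPLE_PROFILE)
    for user, reply in (("Client-1", None), ("Client-2", None), ("Client-2", ["Sunnyvale"])):
        print(user, reply, "->", effective_client_groups(profile, user, reply))
```

Run against the real device by pasting the output of show access profile Managers into SAMPLE_PROFILE; a user with no client entry at all (for example, one authenticated only by an external server that returned no groups) falls through to the session-options groups, which is the behaviour the Overview describes.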
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying Firewall User Authentication
- Monitoring Users and IP Addresses in the Authentication Table
Verifying Firewall User Authentication
Purpose
Display firewall authentication user history. Verify the number of firewall users who successfully authenticated and firewall users who failed to log in.
Action
Enter the show security firewall-authentication history command from operational mode. For more information, see the JUNOS Software CLI Reference. The sample output below was taken from a device with a different access profile (wonder) and different client groups; with the configuration in this example, a user who authenticates as Client-1 should show Access profile: Managers and Client-groups: G1 G2 G3.
user@host> show security firewall-authentication history
History of firewall authentication data:
Authentications: 2
Id  Source Ip    Date        Time      Duration  Status   User
1   99.99.99.1   2007-10-12  21:24:02  0:00:24   Failed   troy
2   99.99.99.1   2007-10-12  21:24:48  0:00:22   Success  voyager

user@host> show security firewall-authentication history identifier 1
Username: troy
Source IP: 99.99.99.1
Authentication state: Failed
Authentication method: Pass-through using Telnet
Access start date: 2007-10-12
Access start time: 21:24:02
Duration of user access: 0:00:24
Policy name: lnx2-telnet-lnx1
Source zone: dl2
Destination zone: dl1
Access profile: wonder
Bytes sent by this user: 0
Bytes received by this user: 2660
Client-groups: Sunnyvale Bangalore

user@host> show security firewall-authentication users
Firewall authentication data:
Total users in table: 1
Id  Source Ip    Src zone  Dst zone  Profile  Age  Status  User
3   99.99.99.1   dl2       dl1       wonder   1    Failed  TechPubs

user@host> show security firewall-authentication users identifier 3
Username: TechPubs
Source IP: 99.99.99.1
Authentication state: Failed
Authentication method: Pass-through using Telnet
Age: 1
Access time remaining: 9
Source zone: dl2
Destination zone: dl1
Policy name: lnx2-telnet-lnx1
Access profile: wonder
Interface Name: ge-0/0/1.0
Bytes sent by this user: 0
Bytes received by this user: 1521
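The following Python script is an example added to this page; it is not part of JUNOS or its documentation. It parses the show security firewall-authentication history table and the per-identifier detail shown above, counts successful and failed authentications as the Purpose asks, and flags source IPs with repeated failures. The sample output is constructed from the rows on this page; rows 3 and 4 and the failure threshold of 2 are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample: the "show security firewall-authentication history" table from
# this page, plus two constructed rows (ids 3 and 4) so the repeated-failure check
# below has something to report.
SAMPLE_HISTORY = """\
History of firewall authentication data:
Authentications: 4
Id  Source Ip    Date        Time      Duration  Status   User
1   99.99.99.1   2007-10-12  21:24:02  0:00:24   Failed   troy
2   99.99.99.1   2007-10-12  21:24:48  0:00:22   Success  voyager
3   99.99.99.7   2007-10-12  21:25:10  0:00:03   Failed   admin
4   99.99.99.7   2007-10-12  21:25:15  0:00:02   Failed   admin
"""

# Constructed sample of the per-entry detail ("... history identifier 1") as shown on this page.
SAMPLE_DETAIL = """\
Username: troy
Source IP: 99.99.99.1
Authentication state: Failed
Authentication method: Pass-through using Telnet
Access start date: 2007-10-12
Access start time: 21:24:02
Duration of user access: 0:00:24
Policy name: lnx2-telnet-lnx1
Source zone: dl2
Destination zone: dl1
Access profile: wonder
Bytes sent by this user: 0
Bytes received by this user: 2660
Client-groups: Sunnyvale Bangalore
"""

# One row of the history table: id, IPv4 source, date, time, duration, status, user.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<duration>\d+:\d{2}:\d{2})\s+(?P<status>Success|Failed)\s+(?P<user>\S+)\s*$"
)


def parse_history(text):
    """One dict per table row; the header and summary lines do not match and are skipped."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]


def declared_count(text):
    """The 'Authentications: N' figure the device prints, for cross-checking the rows parsed."""
    m = re.search(r"^Authentications:\s+(\d+)", text, re.M)
    return int(m.group(1)) if m else None


def summarize(rows):
    """Successful and failed counts, which is what the Purpose above asks you to verify."""
    by_status = Counter(r["status"] for r in rows)
    return {"success": by_status["Success"], "failed": by_status["Failed"]}


def repeated_failures(rows, threshold=2):
    """Source IPs with at least `threshold` failed attempts (the threshold is an
    assumption chosen for this example), as a first password-guessing check."""
    failed = Counter(r["src"] for r in rows if r["status"] == "Failed")
    return {src: n for src, n in failed.items() if n >= threshold}


def parse_detail(text):
    """Key: value lines into a dict. Only the first colon separates key from value,
    so times such as 21:24:02 survive intact; Client-groups becomes a list."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    if "Client-groups" in fields:
        fields["Client-groups"] = fields["Client-groups"].split()
    return fields


if __name__ == "__main__":
    rows = parse_history(SAMPLE_HISTORY)
    print("declared", declared_count(SAMPLE_HISTORY), "parsed", len(rows), summarize(rows))
    print("repeated failures:", repeated_failures(rows))
    print("client groups for id 1:", parse_detail(SAMPLE_DETAIL)["Client-groups"])
```

Compare declared_count with the number of rows parsed before trusting the summary: a mismatch means the table layout differs from the one this page shows and the regular expression needs adjusting for your software release.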
Monitoring Users and IP Addresses in the Authentication Table
Purpose
Verify a list of users and IP addresses that are currently authenticated by the device in the authentication table.
Action
Enter these show commands from operational mode.
user@host> show security firewall-authentication users
user@host> show security firewall-authentication users identifier num
user@host> show security firewall-authentication users address ipaddress
where:
- users—Shows the list of users and IP addresses currently authenticated by JUNOS Software.
- identifier—Shows more details on a specific row.
- address—Shows more details on a specific IP address.
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Understanding Client Groups for Firewall Authentication