auth-only-browser
Syntax
auth-only-browser <auth-user-agent [user-agent] >;
auth-only-browser;
Hierarchy Level
[edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit firewall-authentication pass-through]
[edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit firewall-authentication user-firewall]
Description
Configure firewall authentication to ignore non-browser HTTP/HTTPS traffic. This feature ensures that unauthenticated users who request access through an HTTP/HTTPS browser are presented with a captive portal interface where they can authenticate. By default, firewall authentication responds to all HTTP/HTTPS traffic.
Non-browser HTTP/HTTPS services running in the background can trigger captive portal authentication, creating a race condition that suppresses presentation of the captive portal interface to the HTTP/HTTPS browser user.
When auth-only-browser is configured, non-browser HTTP traffic is dropped so that the captive portal can be presented to unauthenticated users who request access using a browser.
Options
auth-user-agent user-agent | Allow the SRX Series device to use the user-agent strings that you specify to verify that the browser traffic is HTTP/HTTPS traffic. Firewall authentication checks the strings against the User-Agent field in the browser header. You can specify only one value for this parameter. It must not contain spaces and it does not need to be enclosed in parentheses. For example, auth-user-agent might specify Opera1 as one of its values. You can use the auth-user-agent parameter alone for pass-through or user-firewall authentication or in conjunction with auth-only-browser. |
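The three ways of combining the statement and its option, written as configuration-mode set commands. This is an added example, not taken from the original page; the zone names trust and untrust and the policy names p1, p2 and p3 are assumptions, and each policy's match conditions are assumed to be configured already.

```junos
# Added example. Assumed names: zones "trust" and "untrust", policies p1 to p3.

# p1: pass-through authentication responds only to browser HTTP/HTTPS traffic.
set security policies from-zone trust to-zone untrust policy p1 then permit firewall-authentication pass-through auth-only-browser

# p2: auth-only-browser together with one user-agent string.
# Opera1 is the sample value from the Options section: a single value, no spaces.
set security policies from-zone trust to-zone untrust policy p2 then permit firewall-authentication pass-through auth-only-browser auth-user-agent Opera1

# p3: auth-user-agent used alone, here under user-firewall authentication.
set security policies from-zone trust to-zone untrust policy p3 then permit firewall-authentication user-firewall auth-user-agent Opera1
```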
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 15.1X49-D90.