Configure Authentication Methods For SRX Firewall Users

Learn how to configure pass-through and captive portal authentication.

Example: Configure Pass-Through Authentication

This example shows how to configure pass-through authentication to authenticate firewall users. A firewall user is a network user who must provide a username and password when initiating a connection across the firewall.

Pass-through authentication allows SRX Series administrators to restrict users who attempt to access a resource in another zone using FTP, Telnet, HTTP, or HTTPS. If the traffic matches a security policy whose action is pass-through authentication, the user is required to provide login information.

For HTTPS, the default key size of the certificate that the SRX Series Firewall presents is 2048 bits. If you do not specify a key size, the default is used.

Requirements

Before you begin, define firewall users. See Firewall User Authentication Overview.

This example uses the following hardware and software components:

  • SRX Series Firewall

  • Firewall user’s system

  • Packet destination system

Overview

The pass-through authentication process is triggered when a client, referred to as a firewall user, attempts to initiate an FTP, Telnet, HTTP, or HTTPS session to access a resource in another zone. The SRX Series Firewall acts as a proxy for the FTP, Telnet, HTTP, or HTTPS server so that it can authenticate the firewall user before allowing the user access to the actual server behind the firewall.

If traffic generated from a connection request sent by a firewall user matches a security policy rule bidirectionally and that rule specifies pass-through firewall authentication as the action of its then clause, the SRX Series Firewall requires the firewall user to authenticate to a Junos OS proxy server.

If the authentication is successful, subsequent traffic from the same source IP address is automatically allowed to pass through the SRX Series Firewall if the traffic matches the security policy tuples. Because the authentication entry is keyed by source IP address, every host that shares that address (for example, behind a NAT device) is treated as authenticated until the entry times out.

Figure 1 shows the topology used in this example.

Figure 1: Configuring Pass-Through Firewall Authentication
Note:

Although the topology shows use of an external server, it is not covered in the configuration. It is outside the scope of this example.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure pass-through authentication:

  1. Configure two interfaces and assign IP addresses to them.

    Note:

    For this example, it is optional to assign two addresses to the interfaces.

  2. Create the FWAUTH access profile for the FWClient1 user, specify the user’s password, and define a success banner for Telnet sessions.

  3. Configure security zones.

    Note:

    For this example, it is optional to configure a second interface for a security zone.

  4. Assign security policy P1 to the security zones.

  5. Use Telnet to authenticate the FWClient1 firewall user to host2.
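Steps 1 through 4 collected as one configuration-mode snippet (step 5 is run from the firewall user's system). This is an added example, not the page's own CLI Quick Configuration: the interface names, addresses, zone names, password and banner text are assumptions to adapt to your network, and the lines beginning with # are notes rather than Junos commands, so strip them before pasting.

```junos
# Step 1: two interfaces, one per zone (addresses are assumptions)
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.254/24

# Step 2: access profile FWAUTH holding local user FWClient1, made the default
# profile for pass-through, with a banner shown after a successful Telnet login
set access profile FWAUTH client FWClient1 firewall-user password "assumed-password"
set access firewall-authentication pass-through default-profile FWAUTH
set access firewall-authentication pass-through telnet banner success "Authenticated by FWAUTH"

# Step 3: zones. Host-inbound services are opened on untrust so the SRX can answer
# the proxied Telnet login; restrict this to the services you need in production.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0

# Step 4: policy P1. Telnet from untrust to trust is permitted only after pass-through
# authentication succeeds for FWClient1; firewall-authentication is the then-clause action.
set security policies from-zone untrust to-zone trust policy P1 match source-address any
set security policies from-zone untrust to-zone trust policy P1 match destination-address any
set security policies from-zone untrust to-zone trust policy P1 match application junos-telnet
set security policies from-zone untrust to-zone trust policy P1 then permit firewall-authentication pass-through client-match FWClient1
```

For step 5, telnet from the firewall user's system to host2 (10.1.2.1 in this topology). The SRX answers first with its own username and password prompts; only after FWClient1 authenticates does it display the banner and hand the session to the real host2 login. Traffic from the same source IP then passes without a new prompt until the authentication entry ages out.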

Results

From configuration mode, confirm your configuration by entering these commands.

  • show interfaces

  • show access

  • show security zones

  • show security policies

If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, the output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying Firewall User Authentication and Monitoring Users and IP Addresses in the Authentication Table

Purpose

Display firewall authentication user history and verify the number of firewall users who successfully authenticated and the number of firewall users who failed to log in.

Action

From operational mode, enter these show commands:

Example: Configure HTTPS Traffic to Trigger Pass-Through Authentication

This example shows how to configure HTTPS traffic to trigger pass-through authentication. HTTPS protects the login page and the credentials the firewall user submits while they are in transit, which plain HTTP does not, so it is the preferred transport for authentication traffic.

Requirements

This example uses the following hardware and software components:

  • SRX Series Firewall

  • Two PCs running Linux and OpenSSL. One PC acts as a client and another as an HTTPS server. The two PCs are used to create key files and to send traffic.

  • Junos OS Release 12.1X44-D10 or later for SRX5400, SRX5600, and SRX5800 devices and Junos OS Release 15.1X49-D40 or later for vSRX Virtual Firewall, SRX300, SRX320, SRX340, SRX345, SRX380, SRX550M, and SRX1500 Services Gateways.

Note:

Starting in Junos OS Release 12.1X44-D10 and Junos OS Release 17.3R1, HTTPS-based authentication is introduced on SRX5400, SRX5600, and SRX5800 devices.

Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, HTTPS-based authentication is introduced on vSRX Virtual Firewall, SRX300, SRX320, SRX340, SRX345, SRX380, SRX550M, and SRX1500 Services Gateways.

Before you begin:

To trigger pass-through authentication on HTTPS traffic, the SRX Series Firewall must terminate the client's TLS session and inspect the request. This requires a private key and a matching certificate installed on the device and referenced by an SSL termination profile. The following list describes the steps to create and install the private key file and the certificate file.

Note:

If you already have a certificate (.crt) and private key (.key) issued by a CA that your clients trust, you can upload and install those files directly on the SRX Series Firewall. Otherwise, follow the procedure to create and install the files. Steps 1 and 2 are run on a PC with Linux and OpenSSL installed; the remaining steps are run in operational mode on the SRX Series Firewall. A self-signed certificate is adequate for testing but browsers warn on it, and the private key should be copied to the device over an encrypted channel such as SCP.

To create and install a private key file and a certificate file:

  1. On a PC create the .key file.

  2. On a PC, create the .crt file.

  3. Upload the .key and .crt files to an SRX Series Firewall, and install the files on the device using the following command from operational mode:

Overview

Firewall authentication requires a network user to provide a username and password before a connection across the firewall is permitted. Firewall authentication supports HTTPS for pass-through authentication, so the login page and the credentials the user submits to the SRX Series Firewall are protected in transit, which plain HTTP does not provide.

In this example, HTTPS traffic triggers pass-through authentication. For HTTPS traffic to trigger pass-through authentication, you must first configure an SSL termination profile that references the certificate installed on the device; the security policy then names this profile so the firewall can decrypt the session and present the login page.

Figure 2 shows an example of pass-through authentication using HTTPS traffic. In this example, a host or a user from an untrust zone tries to access resources on the trust zone. The SRX Series Firewall uses HTTPS to collect the username and password information. Subsequent traffic from the host or user is allowed or denied based on the result of this authentication.

Figure 2: Pass-Through Authentication Using HTTPS Traffic

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Procedure

Step-by-Step Procedure

To configure HTTPS traffic to trigger pass-through authentication:

  1. Configure interfaces and assign IP addresses.

  2. Configure security policies to permit firewall authenticated traffic from zone trust to zone untrust.

  3. Specify a policy action to take when a packet matches the criteria.

  4. Configure security zones and assign interfaces.

  5. Configure application services for zones.

  6. Create an access profile and configure the client as a firewall user and set the password.

  7. Configure the type of firewall and the default profile name where the authentication settings are defined.

  8. Configure the SSL termination profile and enter a local certificate identifier name.
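The certificate installation (step 3 of the "Before you begin" list) and steps 1 through 8 above, as one added example that is not the page's own CLI Quick Configuration. File paths, the certificate-id cert1, the SSL termination profile name ssl-pt, addresses, zone direction (untrust to trust, as in Figure 2), the password and the user FWClient1 are assumptions; lines beginning with # are notes, not Junos commands.

```junos
# Operational mode. server.key and server.crt were created on the Linux PC with OpenSSL
# and copied to /var/tmp on the SRX over SCP. Load them as local certificate cert1 and
# confirm the key is 2048 bits.
request security pki local-certificate load certificate-id cert1 filename /var/tmp/server.crt key /var/tmp/server.key
show security pki local-certificate certificate-id cert1 detail

# Configuration mode, [edit] hierarchy.
# Step 1: interfaces
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.254/24

# Steps 4 and 5: zones; host-inbound services on untrust let the SRX answer the proxied TLS session
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0

# Steps 6 and 7: local firewall user and the default pass-through profile
set access profile FWAUTH client FWClient1 firewall-user password "assumed-password"
set access firewall-authentication pass-through default-profile FWAUTH

# Step 8: SSL termination profile bound to the installed certificate. The SRX terminates
# the client's TLS session with cert1 in order to present the login page.
set services ssl termination profile ssl-pt server-certificate cert1

# Steps 2 and 3: HTTPS is permitted only after pass-through authentication; the policy
# names the termination profile so the firewall can decrypt and proxy the session.
set security policies from-zone untrust to-zone trust policy P1 match source-address any
set security policies from-zone untrust to-zone trust policy P1 match destination-address any
set security policies from-zone untrust to-zone trust policy P1 match application junos-https
set security policies from-zone untrust to-zone trust policy P1 then permit firewall-authentication pass-through client-match FWClient1
set security policies from-zone untrust to-zone trust policy P1 then permit firewall-authentication pass-through ssl-termination-profile ssl-pt
```

Because the SRX presents cert1 rather than the destination server's certificate, the browser warns unless cert1 chains to a CA the client trusts; for anything beyond a lab, issue cert1 from your internal CA and keep the private key off the PC once it has been loaded.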

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security policies, show security zones, show access, and show services ssl termination commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Configuration

Purpose

Verify that the configuration is correct.

Action

From operational mode, enter the show security firewall-authentication users command for identifier 1.

Meaning

The show security firewall-authentication users command displays the firewall authentication user information for the specified identifier. If the output displays Pass-through using HTTPS in the Authentication method field and Success in the Authentication state field, then your configuration is correct.

Example: Configure Captive Portal Authentication

This example shows how to enable Captive Portal authentication and set up a policy that allows access to a user when traffic encounters a policy that has Captive Portal authentication enabled.

Requirements

Before you begin:

Overview

To enable Web authentication, you enable it on an IP address that belongs to the SRX Series Firewall itself; the device hosts the HTTP login page at that address. A firewall user who wants to reach a protected resource first browses to that address and authenticates, instead of being intercepted on the way to the resource as in pass-through authentication. The following instructions show how to set up a policy that allows access to the FWClient1 user when traffic encounters a policy that has Web authentication enabled (Policy-W). (See Figure 3.) In this example, FWClient1 has already authenticated through the Web authentication login page.

The FWClient1 firewall user does the following to get authenticated:

  1. Points the browser to the Web authentication IP (198.51.100.63/24) to get authenticated first

  2. Starts traffic to access resources specified by the policy-W policy

Figure 3: Web Authentication Example

When you configure the device as described in these instructions and the user successfully authenticates, the screen illustrated in Figure 4 appears.

Figure 4: Web Authentication Success Banner

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure Web authentication:

  1. Configure two interfaces and assign IP addresses to them.

    Note:

    For this example, it is optional to assign two addresses to the interfaces.

  2. Create the WEBAUTH access profile for the FWClient1 user, specify the user’s password, and define a success banner.

  3. Configure security zones.

    Note:

    For this example, it is optional to configure a second interface for a security zone.

  4. Assign security policy P1 to the security zones.

  5. Activate the HTTP process (daemon) on your device.
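Steps 1 through 5 as one configuration-mode snippet. This is an added example, not the page's own CLI Quick Configuration: the Web authentication address 198.51.100.63 comes from the text, while the other addresses, interface and zone names, the password and the banner text are assumptions. Lines beginning with # are notes, not Junos commands.

```junos
# Step 1: interfaces. The Web authentication address is a second address on ge-0/0/0,
# in the same subnet as the primary, and is enabled for the HTTP login page.
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.63/24 web-authentication http
set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.254/24

# Step 2: access profile WEBAUTH with local user FWClient1, made the default for
# Web authentication, and the success banner shown after login (Figure 4)
set access profile WEBAUTH client FWClient1 firewall-user password "assumed-password"
set access firewall-authentication web-authentication default-profile WEBAUTH
set access firewall-authentication web-authentication banner success "Web authentication succeeded"

# Step 3: zones. The untrust zone must accept HTTP to the SRX so the login page is reachable.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/1.0

# Step 4: policy P1 (Policy-W in the text). Traffic to the protected resource is permitted
# only from source IPs that have already authenticated at the Web authentication page.
set security policies from-zone untrust to-zone trust policy P1 match source-address any
set security policies from-zone untrust to-zone trust policy P1 match destination-address any
set security policies from-zone untrust to-zone trust policy P1 match application any
set security policies from-zone untrust to-zone trust policy P1 then permit firewall-authentication web-authentication client-match FWClient1

# Step 5: the HTTP daemon that serves the login page, bound to the Web authentication interface
set system services web-management http interface ge-0/0/0.0
```

FWClient1 browses to http://198.51.100.63, logs in, sees the banner, and then starts traffic to the resource; a host that has not authenticated matches P1 but is not permitted, and nothing redirects it to the login page, so users must know the Web authentication address.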

Results

From configuration mode, confirm your configuration by entering these commands:

  • show interfaces

  • show access

  • show security zones

  • show security policies

  • show system services

If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying Firewall User Authentication and Monitoring Users and IP Addresses in the Authentication Table

Purpose

Display firewall authentication user history and verify the number of firewall users who successfully authenticated and firewall users who failed to log in.

Action

From operational mode, enter these show commands:
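The operational-mode commands for this verification task and for the identical task in the pass-through example above, added here as an example; the identifier 1 is an assumption and real identifiers come from the users list. Lines beginning with # are notes.

```junos
# Counters of successful and failed firewall logins since the device last cleared them
show security firewall-authentication history

# History of one entry: source IP, access profile and method used
show security firewall-authentication history identifier 1

# Authentication table: every source IP currently authenticated, with method and state
show security firewall-authentication users

# One entry in detail. Expect "Authentication method: Pass-through" (or "Web authentication")
# and "Authentication state: Success"; a "Failed" state with a growing failure count against
# one source IP is the first sign of credential guessing against the login page.
show security firewall-authentication users identifier 1
```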

Example: Configure HTTPS Traffic to Trigger Captive Portal Authentication

This example shows how to configure HTTPS traffic to trigger Captive Portal authentication. HTTPS is preferred for Captive Portal authentication because the login page and the credentials submitted to it are protected in transit, which HTTP does not provide.

Requirements

Before you begin:

This example uses the following hardware and software components:

  • SRX Series Firewall

  • Two PCs with Linux and OpenSSL installed. One PC acts as a client and another as an HTTPS server. The two PCs are used to create key files and to send traffic.

  • Junos OS Release 12.1X44-D10 or later for SRX5400, SRX5600, and SRX5800 devices and Junos OS Release 15.1X49-D40 or later for vSRX Virtual Firewall, SRX300, SRX320, SRX340, SRX345, SRX380, SRX550M, and SRX1500 Services Gateways.

To serve the Web authentication login page over HTTPS, the SRX Series Firewall needs a private key and a matching certificate installed on the device. The following list describes the steps to create and install the private key file and the certificate file.

Note:

If you already have a certificate (.crt) and private key (.key) issued by a CA that your clients trust, you can upload and install those files directly on the SRX Series Firewall. Otherwise, follow the procedure to create and install the files. Steps 1 and 2 are run on a PC with Linux and OpenSSL installed; the remaining steps are run in operational mode on the SRX Series Firewall. Copy the private key to the device over an encrypted channel such as SCP.

  1. From the PC, create the .key file.

  2. From the PC, create the .crt file.

  3. From the SRX Series Firewall, upload the .key and .crt files and install the files on the device using the following command:

Overview

Firewall authentication requires a network user to provide a username and password before a connection across the firewall is permitted. Firewall authentication supports HTTPS for Web (Captive Portal) authentication, so the login page and the credentials the user submits to the SRX Series Firewall are protected in transit, which plain HTTP does not provide.

In this example, HTTPS traffic is used to trigger Web authentication.

The user uses HTTPS to access an IP address on the device that is enabled for Web authentication. In this scenario, the user does not use HTTPS to access the IP address of the protected resource. The user is prompted for a username and password, which are verified by the device. Subsequent traffic from the user or host to the protected resource is allowed or denied based on the results of this Web authentication.

Figure 5 shows an example of Web authentication using HTTPS traffic.

Figure 5: Web Authentication Using HTTPS Traffic

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Procedure

Step-by-Step Procedure

To configure HTTPS traffic to trigger Web authentication:

  1. Enable Web management over HTTPS.

  2. Configure interfaces and assign IP addresses. Enable Web authentication at ge-0/0/0 interface.

  3. Configure security policies to permit firewall authenticated traffic from zone trust to zone untrust.

  4. Create an access profile, configure the client as a firewall user, and set the password.

  5. Configure the Web authentication settings and the default access profile.

  6. Specify a policy action to take when a packet matches the criteria.
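The certificate installation and steps 1 through 6 above, as one added example that is not the page's own CLI Quick Configuration. It differs from the HTTP Captive Portal configuration only in the lines that bind the installed certificate to the Web interface and enable HTTPS on the Web authentication address. File paths, the certificate-id cert1, addresses, zone direction, the password and the banner text are assumptions; lines beginning with # are notes, not Junos commands.

```junos
# Operational mode: install the key and certificate created on the Linux PC and copied to /var/tmp
request security pki local-certificate load certificate-id cert1 filename /var/tmp/server.crt key /var/tmp/server.key

# Configuration mode, [edit] hierarchy.
# Step 1: serve the Web authentication page over HTTPS with the installed certificate
set system services web-management https pki-local-certificate cert1
set system services web-management https interface ge-0/0/0.0

# Step 2: interfaces. The secondary address on ge-0/0/0 is enabled for Web authentication
# over HTTPS, so credentials are never submitted in the clear.
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.63/24 web-authentication https
set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.254/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/1.0

# Steps 4 and 5: access profile and Web authentication settings
set access profile WEBAUTH client FWClient1 firewall-user password "assumed-password"
set access firewall-authentication web-authentication default-profile WEBAUTH
set access firewall-authentication web-authentication banner success "Web authentication succeeded"

# Steps 3 and 6: the policy permits traffic only from source IPs already authenticated
# at https://198.51.100.63 as FWClient1
set security policies from-zone untrust to-zone trust policy P1 match source-address any
set security policies from-zone untrust to-zone trust policy P1 match destination-address any
set security policies from-zone untrust to-zone trust policy P1 match application any
set security policies from-zone untrust to-zone trust policy P1 then permit firewall-authentication web-authentication client-match FWClient1
```

Keep web-management https bound to the Web authentication interface only; enabling it on every interface also exposes the device's J-Web management login on the untrust side.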

Results

From configuration mode, confirm your configuration by entering the show system services, show interfaces, show security policies, and show access commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Configuration

Purpose

Verify that the configuration is correct.

Action

From operational mode, enter the show security firewall-authentication users identifier identifier command.

Meaning

The show security firewall-authentication users identifier identifier command displays the firewall authentication user information using the identifier ID of the user. If the authentication method parameter displays Web authentication and the authentication state parameter displays success in your output then your configuration is correct.

Configure Captive Portal for Unauthenticated Browsers

Learn how to configure captive portal for unauthenticated browsers.

Here are some examples of how you can configure security policies to use the auth-only-browser and auth-user-agent firewall authentication features.

For Pass-Through Authentication

Configures a security policy for pass-through authentication that uses the auth-only-browser parameter.

Configures a security policy for pass-through authentication that uses the auth-user-agent parameter without auth-only-browser.

Configures a security policy for pass-through authentication that uses the auth-only-browser with the auth-user-agent parameter.

For User Firewall Authentication

Configures a security policy for user-firewall authentication that uses the auth-only-browser parameter.

Configures a security policy for user-firewall authentication that uses the auth-user-agent parameter without auth-only-browser.

Configures a security policy for user-firewall authentication that uses the auth-only-browser with the auth-user-agent parameter.
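The six policies described above, written out as an added example that is not the page's own code. Zone and policy names, the access profile PROFILE-1 and the User-Agent value are assumptions; lines beginning with # are notes, not Junos commands. The variants are shown as separate policies so the parameters can be compared side by side.

```junos
# Pass-through, auth-only-browser: only HTTP traffic the SRX identifies as coming from a
# browser is redirected to the login page. Non-browser HTTP clients (scripts, updaters)
# are not sent a login form they cannot answer.
set security policies from-zone untrust to-zone trust policy PT-BROWSER match source-address any
set security policies from-zone untrust to-zone trust policy PT-BROWSER match destination-address any
set security policies from-zone untrust to-zone trust policy PT-BROWSER match application junos-http
set security policies from-zone untrust to-zone trust policy PT-BROWSER then permit firewall-authentication pass-through auth-only-browser

# Pass-through, auth-user-agent without auth-only-browser: the value is matched against
# the HTTP User-Agent header to decide which clients are treated as browsers.
set security policies from-zone untrust to-zone trust policy PT-AGENT match source-address any
set security policies from-zone untrust to-zone trust policy PT-AGENT match destination-address any
set security policies from-zone untrust to-zone trust policy PT-AGENT match application junos-http
set security policies from-zone untrust to-zone trust policy PT-AGENT then permit firewall-authentication pass-through auth-user-agent "Mozilla/5.0"

# Pass-through, both parameters together
set security policies from-zone untrust to-zone trust policy PT-BOTH match source-address any
set security policies from-zone untrust to-zone trust policy PT-BOTH match destination-address any
set security policies from-zone untrust to-zone trust policy PT-BOTH match application junos-http
set security policies from-zone untrust to-zone trust policy PT-BOTH then permit firewall-authentication pass-through auth-only-browser
set security policies from-zone untrust to-zone trust policy PT-BOTH then permit firewall-authentication pass-through auth-user-agent "Mozilla/5.0"

# User firewall: the same two parameters under user-firewall, which also requires the
# access profile to authenticate against. Matching source-identity unauthenticated-user
# limits the redirect to users not yet present in the user identification table.
set security policies from-zone untrust to-zone trust policy UF-BROWSER match source-address any
set security policies from-zone untrust to-zone trust policy UF-BROWSER match destination-address any
set security policies from-zone untrust to-zone trust policy UF-BROWSER match application junos-http
set security policies from-zone untrust to-zone trust policy UF-BROWSER match source-identity unauthenticated-user
set security policies from-zone untrust to-zone trust policy UF-BROWSER then permit firewall-authentication user-firewall access-profile PROFILE-1 auth-only-browser

set security policies from-zone untrust to-zone trust policy UF-AGENT match source-address any
set security policies from-zone untrust to-zone trust policy UF-AGENT match destination-address any
set security policies from-zone untrust to-zone trust policy UF-AGENT match application junos-http
set security policies from-zone untrust to-zone trust policy UF-AGENT match source-identity unauthenticated-user
set security policies from-zone untrust to-zone trust policy UF-AGENT then permit firewall-authentication user-firewall access-profile PROFILE-1 auth-user-agent "Mozilla/5.0"

set security policies from-zone untrust to-zone trust policy UF-BOTH match source-address any
set security policies from-zone untrust to-zone trust policy UF-BOTH match destination-address any
set security policies from-zone untrust to-zone trust policy UF-BOTH match application junos-http
set security policies from-zone untrust to-zone trust policy UF-BOTH match source-identity unauthenticated-user
set security policies from-zone untrust to-zone trust policy UF-BOTH then permit firewall-authentication user-firewall access-profile PROFILE-1 auth-only-browser
set security policies from-zone untrust to-zone trust policy UF-BOTH then permit firewall-authentication user-firewall access-profile PROFILE-1 auth-user-agent "Mozilla/5.0"
```

The User-Agent header is attacker-controlled, so neither parameter is an access control: they only decide which HTTP clients are shown a login page. Authorization still comes from the credentials checked against the access profile.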

Example: Configure Unified Policy

Read this example to understand how to configure pass-through authentication and captive portal authentication in a unified policy to restrict or permit users to access network resources.

Overview

Firewall user authentication enables you to authenticate users before users can access network resources behind a firewall. When you've enabled firewall user authentication, a user must provide a username and password for authentication when initiating a connection across the firewall.

Starting in Junos OS Release 21.2R1, we support firewall user authentication with unified policies. Support is available for both pass-through authentication and captive portal authentication.

Topology

Figure 6 shows the topology used in this example.
Figure 6: Topology: Configuring Firewall User Authentication with Unified Policy

As shown in the topology, firewall users in the untrust zone need to access an external server (IP address 10.1.2.1) in the trust zone. The user authenticates with the security device before accessing the server. The device queries a local database to determine the authentication result. After successful authentication, the security device allows subsequent traffic from the same source IP address until the user's session times out and closes.

In this example, you'll configure the following functionality on the SRX Series Firewall:

  1. Configure a user database that is local to the security device in an access profile. Add one or more clients within the profile, representing end users. The client-name represents the username. Enter the password for each user in plain-text format.

  2. Associate access profile with pass-through or Web firewall authentication methods. Set a customized banner for display to the end user.
  3. Configure security policy to allow or restrict traffic and apply firewall user authentication for the allowed traffic.

Requirements

This example uses the following hardware and software components:

  • An SRX Series Firewall or vSRX Virtual Firewall
  • Junos OS Release 21.2R1

Before You Begin:

Configuration of SRX Firewall Users with Traditional Policy and Unified Policy

In this example, we'll configure pass-through authentication with both the traditional security policy and the unified policy. The configuration includes setting up security zones and interfaces, creating access profiles, and defining security policies as shown in the following table:
Table 1: Security Policies Details

Scenario 1: Authentication with a traditional security policy and an unknown user (Policy P1)

  • Match criteria: source-identity unauthenticated-user (unknown or unauthenticated users)

  • Workflow when the user initiates a session:

    1. The device searches for the user's source identity in the user identification table (UIT).
    2. If no source identity is found, the policy treats the user as an unauthenticated user.
    3. The policy intercepts HTTP or HTTPS traffic from the user and triggers a firewall authentication prompt.
    4. After successful authentication, the policy permits or rejects the traffic based on the configured policy rules.
    5. The device creates an authentication entry in the UIT containing the IP address and username.

  • Result: Permits an unauthenticated user after a successful firewall user authentication.

Scenario 2: Authentication with a unified policy and an authenticated user (Policy P2)

  • Match criteria: source-identity authenticated-user; dynamic-application junos:GOOGLE

  • Workflow when the user initiates a session:

    1. The device retrieves user and role information from the UIT if it is available.
    2. The policy classifies the user as an authenticated user.
    3. The policy permits or rejects the traffic based on the configured policy rules; no new authentication prompt is issued.

  • Result: Permits an authenticated user without firewall user authentication.

Scenario 3: Authentication with a unified policy (Policy P3)

  • Match criteria: dynamic-application junos:YAHOO

  • Workflow when the user initiates a session:

    1. The device consults access profile PROFILE-1 to determine the authentication result.
    2. After successful authentication, the policy permits or rejects the traffic based on the configured policy rules.

  • Result: Permits traffic after firewall user authentication.

To redirect the traffic from an unauthenticated-user to a UAC captive portal for authentication, see Example: Configuring a User Role Firewall on an SRX Series Device.

CLI Quick Configuration

To quickly configure this example on your SRX Series Firewall, copy the following commands, paste them into a text file. Remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

  1. Configure interfaces.

  2. Create security zones and assign the interfaces.

  3. Set up access profile and add user details.

    We've added two users CLIENT-1 and CLIENT-2 with passwords and assigned these users to client-group GROUP-1.

  4. Configure authentication methods and assign the access profile.

  5. Configure an SSL termination profile.

  6. Configure a security policy to permit unauthenticated users with firewall user authentication.

  7. Configure a security policy to permit authenticated users without firewall user authentication.

  8. Configure a security policy to permit the traffic with firewall user authentication.

  9. Add an entry to a local authentication table. Note that each entry must include an IP address.

Results

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.


If you are done configuring the feature on your device, enter commit from configuration mode.

Verifying Firewall User Authentication Is Working

To verify that the firewall user authentication is working, open a Web browser on the client machine. Access the server by entering the server IP address 10.1.2.1. The system prompts for the login and password details as shown in Figure 7.

Figure 7: Pass-Through Authentication PromptPass-Through Authentication Prompt

After successfully entering the credentials, you can access the server.

Configuration of Pass-Through Authentication with Unified Policy

In this example, we'll configure pass-through authentication with a unified policy. The configuration includes setting up security zones and interfaces, creating access profiles, and defining a unified policy. In the unified policy, we define the match criteria dynamic application as any.

CLI Quick Configuration

To quickly configure this example on your SRX Series Firewall, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

  1. Configure interfaces.

  2. Define security zones and assign interfaces.

  3. Set up access profile and add user details.

    We've added two users CLIENT-1 and CLIENT-2 with passwords and assigned the users to client-group GROUP-1.

  4. Configure authentication methods and assign the access profile.

  5. Configure an SSL termination profile.

  6. Configure a security policy with dynamic application as any.

Results

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.


If you are done configuring the feature on your device, enter commit from configuration mode.

Verifying Pass-Through Authentication Is Working

To verify that firewall user authentication is working, open a Web browser on the client machine. Access the server by entering server IP address 10.1.2.1. The system prompts for login and password details as shown in Figure 8.

Figure 8: Pass-Through Authentication PromptPass-Through Authentication Prompt

After successfully entering the credentials, you can access the server.

Configuration of Captive Portal Authentication with Unified Policy

In this example, we'll configure Captive Portal authentication with a unified policy. The configuration includes setting up security zones and interfaces, creating access profiles, and defining a unified policy. For Captive Portal authentication, we'll define a success banner for HTTP sessions.

CLI Quick Configuration

To quickly configure this example on your SRX Series Firewall, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

  1. Create interfaces.

    Use a secondary IP address for Web authentication. In this example, we're using 10.1.1.253/24 for Web authentication. The secondary IP address must be in the same subnet as the primary IP address.

  2. Create security zones and assign interfaces.

  3. Enable the interface for the Web authentication.
  4. Set up access profile and add user details.

    We've added two users CLIENT-1 and CLIENT-2 with passwords and assigned the users to client-group GROUP-1.

  5. Configure Web authentication properties

  6. Create a security policy with dynamic-application.

Results

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.


If you are done configuring the feature on your device, enter commit from configuration mode.

Verifying Web Authentication Is Working

To verify that Web authentication is working, open a Web browser on the client machine. First, access the security device using a Web browser. Use the IP address 10.1.1.253 which we've configured for Web authentication. The device prompts for a username and password as shown in Figure 9.

Figure 9: Web Authentication PromptWeb Authentication Prompt

After successful authentication, the system displays the configured banner as shown in Figure 10, and you can get access to the server.

Figure 10: Web Authentication BannerWeb Authentication Banner

Verification

Monitoring Firewall Users

Purpose

Display firewall authentication user history to verify the firewall users details.

Action

From operational mode, enter these show commands:

Meaning

Command output provides details such as logged in users, authentication method used, profile applied, login attempts and so on.

Verifying Security Policy Utilization Details

Purpose

Display how often each security policy has been matched, as a hit count per policy.

Action

From operational mode, enter these show commands:
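The operational-mode commands for this task and for the "Monitoring Firewall Users" task above, added here as an example. The zone names are assumptions; lines beginning with # are notes.

```junos
# Who is authenticated, from which source IP, by which method and profile
show security firewall-authentication users
show security firewall-authentication history

# Entries seeded with "request security user-identification local-authentication-table add";
# these are authenticated-user matches that never passed through a login prompt
show security user-identification local-authentication-table all

# Hit counts for every policy, then for the untrust-to-trust context only. A P1 count that
# keeps growing while P2 stays flat means users are being prompted but never end up in
# the user identification table, which points at the authentication step rather than the policy.
show security policies hit-count
show security policies hit-count from-zone untrust to-zone trust
```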

Meaning

Command output provides details on the security policies applied on the traffic.

Example: Configure External Authentication Servers

This example shows how to configure a device for external authentication.

Requirements

Before you begin, create an authentication user group.

Overview

You can put several user accounts together to form a user group, which you can store in the local database or on a RADIUS, an LDAP, or a SecurID server. When a policy references an authentication user group and an external authentication server, traffic matching the policy triggers an authentication check.

This example shows how access profile Profile-1 is configured for external authentication. Two RADIUS servers and one LDAP server are configured in the access profile. However, the authentication order specifies RADIUS only, so if RADIUS authentication fails, the firewall user fails to authenticate; neither the LDAP server nor the local database is consulted.

Note:

If the firewall clients are authenticated by the RADIUS server, then the group-membership VSA returned by the RADIUS server should contain alpha, beta, or gamma client groups in the RADIUS server configuration or in the access profile, Profile-1. Access profiles store usernames and passwords of users or point to external authentication servers where such information is stored.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a device for external authentication:

  1. Specify the RADIUS server for external authentication order.

  2. Configure the firewall users Client-1 through Client-4, and assign Client-1 and Client-2 to client groups.

  3. Configure client groups in the session options.

  4. Configure the IP address for the LDAP server and server options.

  5. Configure the IP addresses for the two RADIUS servers.
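The five steps above, rendered as set commands. This is an added example, not the page's own configuration listing: the server addresses (taken from the 192.0.2.0/24 documentation range), the LDAP base DN, and every value in angle brackets are assumed placeholders to replace before pasting at the [edit] hierarchy level. Lines beginning with # are comments and can be dropped before pasting.

```junos
# Added example (not the page's own listing): access profile Profile-1 for
# external authentication. Addresses, base DN and <...> secrets are assumed.

# 1. Authentication order: RADIUS only. There is no fallback to LDAP or to the
#    local database, so a RADIUS reject or an unreachable server denies the user.
set access profile Profile-1 authentication-order radius

# 2. Local firewall-user entries; only Client-1 and Client-2 carry client groups.
set access profile Profile-1 client Client-1 firewall-user password "<client-1-password>"
set access profile Profile-1 client Client-1 client-group alpha
set access profile Profile-1 client Client-2 firewall-user password "<client-2-password>"
set access profile Profile-1 client Client-2 client-group beta
set access profile Profile-1 client Client-3 firewall-user password "<client-3-password>"
set access profile Profile-1 client Client-4 firewall-user password "<client-4-password>"

# 3. Client groups in session options: applied when the RADIUS server returns
#    no group-membership VSA and the client entry has no client-group of its own.
set access profile Profile-1 session-options client-group alpha
set access profile Profile-1 session-options client-group beta
set access profile Profile-1 session-options client-group gamma

# 4. LDAP server and its options (base DN is a placeholder).
set access profile Profile-1 ldap-options base-distinguished-name "CN=Users,DC=example,DC=com"
set access profile Profile-1 ldap-server 192.0.2.10

# 5. Two RADIUS servers, each with its own shared secret.
set access profile Profile-1 radius-server 192.0.2.11 secret "<radius-secret-1>"
set access profile Profile-1 radius-server 192.0.2.12 secret "<radius-secret-2>"
```

After commit, show access profile Profile-1 from configuration mode should list the two radius-server entries, the ldap-server, and authentication-order radius; the secrets are displayed in Junos OS obfuscated ($9$) form, not in clear text. Because the order names RADIUS alone, plan for the failure mode the example calls out: if both RADIUS servers are unreachable, every firewall user is denied, and show log messages will record the RADIUS timeouts.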

Results

From configuration mode, confirm your configuration by entering the show access profile Profile-1 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Troubleshooting with Logs

Purpose

Use these logs to identify any issues.

Action

From operational mode, enter the show log messages command and the show log dcd command.

Example: Configure Client Groups

This example shows how to configure a local user for client groups in a profile.

Requirements

Before you begin, create an access profile.

Overview

A client group is a list of groups to which the client belongs. As with the client idle timeout, a client group configured locally is used only if the external authentication server does not return a value in its response (for example, LDAP servers do not return such information).

This example shows how to configure a local user called Client-1 for client groups G1, G2, and G3 in a profile called Managers. Within this example, client groups are configured for a client. If a client group is not defined for the client, then the client group under the access profile session-options hierarchy is used.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a local user for client groups in a profile:

  1. Configure the firewall user profile Managers, and assign client groups to it.

  2. Configure client groups in the session options.
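The two steps above as set commands, with one addition that is not on the page: a second user, Client-2, that has no client-group of its own. This is an added example, not the page's own configuration listing; Client-2 and the password placeholders are assumptions included to show the fallback described in the overview, where a client without its own groups inherits the group configured under session-options.

```junos
# Added example (not the page's own listing): profile Managers. Client-2 and
# the <...> passwords are assumed; Client-1 and G1-G3 come from the page.

# 1. Client-1 is a local firewall user that belongs to G1, G2 and G3.
set access profile Managers client Client-1 firewall-user password "<client-1-password>"
set access profile Managers client Client-1 client-group G1
set access profile Managers client Client-1 client-group G2
set access profile Managers client Client-1 client-group G3

# Assumed extra user with no per-client group: after authentication it is
# placed in the session-options client group below (G1), not in G2 or G3.
set access profile Managers client Client-2 firewall-user password "<client-2-password>"

# 2. Profile-wide default group, used only when the client entry (or the
#    external server's response) supplies no group of its own.
set access profile Managers session-options client-group G1
```

Commit, then compare show access profile Managers with the intent: group membership is what security policies later match on, so a user that lands in the session-options default by accident (a missing client-group line) silently gets G1's access rather than being denied. Checking the group of each authenticated session with the firewall-authentication show commands in the Verification section is the quickest way to catch that.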

Results

Confirm your configuration by entering the show access profile Managers command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Troubleshooting with Logs

Purpose

Use these logs to identify any issues.

Action

From operational mode, enter the show log messages command and the show log dcd command.

Example: Customize Banner

This example shows how to customize the banner text that appears in the browser.

Requirements

Before you begin, create an access profile.

Overview

A banner is a message that appears on a monitor in different places depending on the type of login. This example shows how to change the banner that appears in the browser after a user logs in successfully through Web authentication. The new message is “Web authentication is successful.” If the authentication fails, the new message reads “Authentication failed.”

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To customize the banner text that appears in the browser:

  1. Specify the banner text for failed pass-through authentication through FTP.

  2. Specify the banner text for successful Web authentication.
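The two steps above as set commands, together with the other banner slots the same hierarchy offers so the structure is visible. This is an added example, not the page's own configuration listing; the Telnet and HTTP lines go beyond the two banners the example configures and are included only to show where the login, fail and success texts live for each pass-through protocol.

```junos
# Added example (not the page's own listing). The first two lines are the
# banners the example configures; the rest show the same keywords for other
# protocols and are assumed extras.

# 1. Failed pass-through authentication over FTP. Keep the failure text
#    generic: it should not reveal whether the username or the password was wrong.
set access firewall-authentication pass-through ftp banner fail "Authentication failed."

# 2. Successful Web authentication (captive portal).
set access firewall-authentication web-authentication banner success "Web authentication is successful."

# Same banner slots for the other pass-through protocols (assumed extras):
set access firewall-authentication pass-through telnet banner login "Authorized users only. Enter your credentials."
set access firewall-authentication pass-through telnet banner fail "Authentication failed."
set access firewall-authentication pass-through http banner success "Authentication succeeded. You may now connect."
```

After commit, show access firewall-authentication from configuration mode lists the banners per protocol. A login banner is shown before credentials are collected, so it is the place for the access notice; a fail banner is shown to anyone who guesses wrong, which is why it should carry no hint about the user database.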

Results

From configuration mode, confirm your configuration by entering the show access firewall-authentication command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Example: Configure Mutual-TLS (mTLS) Authentication

Learn how to configure mutual-TLS (mTLS) authentication.

Use this example to configure and verify mutual-Transport Layer Security (mTLS) authentication on your firewall. In this example, we use firewall to refer to a Juniper Networks® SRX Series Firewall or a Juniper Networks® vSRX Virtual Firewall (vSRX3.0). With this configuration, a user can authenticate without a password. User authentication happens through validation of the client and server certificates, each backed by a public-private key pair.

To configure mTLS as shown in this example, an administrator must generate the following certificates:

  • CA certificate—Install the CA certificate on your firewall and on the client browser.

  • Server certificate—Generate a server certificate on your firewall for the domain1.com mTLS server. Sign the server certificate with a CA certificate configured on your firewall.

  • Client certificate—Generate a client certificate on your client browser and sign the client certificate with a CA certificate configured on your firewall.

Tip:

Table 2: Estimated Timers

  • Reading Time: Less than an hour.

  • Configuration Time: Less than an hour.

Example Prerequisites

Table 3: Requirements

  • Hardware requirements: Juniper Networks® SRX Series Firewall or Juniper Networks® vSRX Virtual Firewall (vSRX3.0)

  • Software requirements: Junos OS Release 23.4R1 or later

Before You Begin

Table 4: Let's Get Started

Benefits

With mTLS authentication, you can:

  • Ensure passwordless login for a secure connection between a user and a server.

  • Provide an additional layer of security for users who log in to an organization's network or applications.

  • Verify the connection between the firewall and any user device that does not follow a login process.

  • Ensure API requests come from legitimate users and block any malicious API requests.

Know more: Identity Aware Firewall

Learn more: Firewall User Authentication

Functional Overview

This section provides a summary of the configuration components in this example.

Table 5: Configuration and Verification Details

Technologies used

To establish the mTLS authentication, you must configure:

  • Security zone—Configure two security zones to segregate the traffic.

    • untrust

    • trust

  • Security policy—Configure the security policies p1 and p2 to permit unauthenticated and authenticated users, respectively. Use these policies to select and move data traffic from the untrust zone to the trust zone.

  • Access profile—Configure the access profile profile1 and add user1 details. Assign the user to the client groups group1 and group2.

  • mTLS profile—Configure the mTLS profile ma2 to authenticate the client and the server.

Primary verification tasks: Verify mTLS authentication.

Topology Overview

In this example, a client connects to a server through a firewall. In mTLS authentication, the client and the server verify each other's certificate by exchanging information over an encrypted TLS connection.

The firewall redirects unauthenticated clients to domain1.com upon connection to the server. This process avoids certificate errors because the CA certificate and server certificate for domain1.com are pre-installed on the firewall. The CA certificate is pre-installed on the client's browser.

Use mTLS authentication to bypass manual entry of user credentials for captive portal authentication. Ensure a valid user is configured against the Lightweight Directory Access Protocol (LDAP) profile to retrieve user information and authorization from Active Directory. When firewall authentication is applied in the policy, JIMS configuration is required.

Table 6: Devices, Roles, and Functions Used in This Configuration

  • Client (role: Service requester)—Initiates a session with the server through the SRX Series Firewall.

  • SRX Series Firewall (role: Firewall)—Encrypts and decrypts packets for the client.

  • Server (role: Server)—Responds to a client's request.

  • Active Directory (role: Identity source)—Active Directory as Identity Source defines the integration of SRX Series Firewall, vSRX Virtual Firewall, Juniper Networks® cSRX Container Firewall, or Juniper Networks® NFX Series Network Services Platform with Microsoft Windows Active Directory. For more information, see Active Directory as Identity Source.

  • JIMS (role: Windows service application)—Juniper® Identity Management Service (JIMS) is a Windows service application designed to collect and manage user, device, and group information from Active Directory domains. For more information, see JIMS with SRX Series Firewall.

Topology Illustration

Figure 11: Mutual-TLS (mTLS) Authentication

Step-By-Step Configuration on Device-Under-Test (DUT)

Note:

For complete sample configurations on the DUT, see:

  1. Configure the required interfaces.

  2. Configure the security zones and assign interfaces to the zones.

  3. Configure an access profile.

  4. Configure a security policy to permit unauthenticated users with firewall user authentication.

  5. Configure a security policy to permit authenticated users without firewall user authentication.

  6. Configure a ca-profile.

  7. Configure an mTLS profile.

  8. Configure web-management to start mTLS on the firewall that serves the domain1.com server certificate.

  9. (Optional) Configure a certificate revocation list (CRL) for certificate validation. mTLS supports CRL validation of the incoming certificate. See Certificate Revocation.
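Steps 1 to 6 and 9 of the procedure above as set commands. This is an added example, not the page's own DUT configuration: the interface names, the addresses (documentation ranges), the CA profile name ca1, the CRL URL and the inbound-HTTPS line are assumptions. The mTLS profile ma2 (step 7), its web-management binding (step 8) and the redirect to domain1.com are not reproduced because the page does not carry their syntax.

```junos
# Added example (not the page's own DUT listing). Interfaces, addresses, ca1
# and the CRL URL are assumed; zone, policy and user names come from the page.

# 1. Interfaces toward the client (untrust) and the server (trust).
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24

# 2. Zones. HTTPS is allowed inbound on untrust (assumed) so that the
#    captive-portal connection the client is redirected to can terminate
#    on the firewall itself.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/1.0

# 3. Access profile profile1: user1 belongs to group1 and group2. No password
#    is configured; the client certificate is the credential.
set access profile profile1 client user1 client-group group1
set access profile profile1 client user1 client-group group2

# 4. p1: traffic from still-unauthenticated sources is permitted only through
#    user-firewall authentication against profile1.
set security policies from-zone untrust to-zone trust policy p1 match source-address any
set security policies from-zone untrust to-zone trust policy p1 match destination-address any
set security policies from-zone untrust to-zone trust policy p1 match application any
set security policies from-zone untrust to-zone trust policy p1 match source-identity unauthenticated-user
set security policies from-zone untrust to-zone trust policy p1 then permit firewall-authentication user-firewall access-profile profile1

# 5. p2: sources that already hold an authentication entry pass without a
#    second challenge.
set security policies from-zone untrust to-zone trust policy p2 match source-address any
set security policies from-zone untrust to-zone trust policy p2 match destination-address any
set security policies from-zone untrust to-zone trust policy p2 match application any
set security policies from-zone untrust to-zone trust policy p2 match source-identity authenticated-user
set security policies from-zone untrust to-zone trust policy p2 then permit

# 6. CA profile that anchors both the server certificate and the client
#    certificates presented during the TLS handshake.
set security pki ca-profile ca1 ca-identity ca1

# 9. (Optional) Reject client certificates the CA has since revoked. Without
#    this, a leaked client certificate keeps working until it expires.
set security pki ca-profile ca1 revocation-check crl url "http://<crl-host>/ca1.crl"
```

The CA certificate itself is loaded from operational mode with request security pki ca-certificate load ca-profile ca1 filename <path>, and show security pki ca-certificate ca-profile ca1 confirms it. The split between p1 and p2 is the security-relevant part: the source-identity match is what keeps an unauthenticated host from riding on p2, so both policies should match the same addresses and applications, differing only in source-identity and in the then clause.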

Appendix 1: set Commands on All Devices

Generate Key Certificates for Client and Server

Verification

This section provides a list of show commands that you can use to verify the feature in this example.

Verify mTLS authentication

Purpose

Verify the mTLS Authentication.

Action

From operational mode, enter the show services user-identification debug-counters | match MTLS command to view the status of the mTLS authentication.

Meaning

The sample output confirms:

  • You have successfully configured mTLS authentication.

  • The user firewall has successfully processed mTLS authentication.