Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Firewall Authentication for Tenant Systems

The firewall authentication feature is introduced for tenant systems in Junos OS Release 18.3R1 on the Juniper SRX Series Firewalls to enable you to restrict or permit users individually or in groups. The authentication requests are initiated based on destination addresses defined in the policies.

Understanding Tenant System Firewall Authentication

A firewall user is a network user who must provide a username and password for authentication when initiating a connection across the firewall.

Firewall authentication is a policy-based authentication method, which requires user to initiate an authentication request through HTTP, FTP or Telnet traffic.

Junos OS enables administrators to restrict and permit firewall users to access protected resources behind a firewall based on their source IP address and other credentials.

The primary administrator configures the following:

  • maximum and reserved number of firewall authentication sessions in the tenant system.

  • access profile using the profile configuration command at the [edit access] hierarchy which is available to all the tenant systems.

Access profiles allows to:

  • Storing usernames and passwords of users or point to external authentication servers where such information is stored.

  • Including the order of authentication methods, LDAP or RADIUS server options, and session options.

  • Associating with a security policy in the tenant system.

After defining the firewall users, create a policy that requires the users to authenticate through one of the authentication modes defined in the Table 1

Table 1: Firewall Authentication Options

Authentication Options

Description

Supported Protocols

Supported Backend

Web Authentication

Users use HTTP to connect to an IP address on the device that is enabled for Web authentication and are prompted for the username and password. Subsequent traffic from the user or host to the protected resource is allowed or denied based on the result of this authentication.

HTTP

HTTPS

Local

LDAP

RADIUS

SecurId

Pass-through

Inline authentication with a host or a user from one zone tries to access resources on another zone. The device uses the supported protocols to collect username and password information, and subsequent traffic from the user or host is allowed or denied based on the result of this authentication.

HTTP

HTTPS

TELNET

FTP

Local

LDAP

RADIUS

SecurId

Web Redirect

Automatically redirect client to WebAuth page for authentication (http or https)

HTTP

HTTPS

Local

LDAP

RADIUS

SecurId

Integrated User Firewall

SRX Series devices uses WMI client (WMIC) requests to the AD to get IP address-to-user mapping information in Security event logs.

none

Active Directory

User-Firewall

Same as pass-through but user information is passed to USERID process to go in Auth Table

HTTP

HTTPS

Local

LDAP

RADIUS

SecurId

The tenant system administrator configures the following properties for firewall authentication in the tenant system:

  • Security policy that specifies firewall authentication for matching traffic. Firewall authentication is specified with the firewall-authentication configuration statement at the [edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit] hierarchy level. In an access profile, users or user groups can be allowed access by the policy can optionally be specified with the client-match configuration statement. If no users or user groups are specified, any user who is successfully authenticated is allowed access.

  • The type of authentication (pass-through or Web authentication), default access profile, and success banner for the FTP, Telnet, or HTTP session. These properties are configured with the firewall-authentication configuration statement at the [edit access] hierarchy.

    Host inbound traffic. Protocols, services, or both are allowed to access the tenant system. The types of traffic are configured with the host-inbound-trafficconfiguration statement at the [edit security zones security-zone zone-name] or [edit security zones security-zone zone-name interfaces interface-name] hierarchy.

Configuring Firewall Authentication for a Tenant System

This example shows how to send different firewall authentication traffic from the client to server across one tenant system using the three authentication modes pass-through, pass-through with web-redirect, and web authentication.

Requirements

This example uses the following hardware and software components:

  • an SRX4100 device

  • Junos OS Release 18.3R1 and later

  • Telnet or HTTP

  • External authentication servers are RADIUS, LDAP, and SecurID

Ensure to have the following configured to send firewall authentication traffic from client to server:

  • Configure security zones for a tenant system

  • Configure interfaces created by the primary administrator

Overview

When a firewall user attempts to initiate a Telnet, HTTP, or HTTPS session to access a resource in another zone, the SRX Series firewall acts a proxy to authenticate the firewall users before allowing the users to access the Telnet, HTTP, or HTTPS servers behind the firewall.

In this example, you can configure a tenant system and bind the security policy to it. When the traffic from is sent from client to server as referred in Figure 1, the users are authenticated based on the authentication process defined in the security policy.

Note:

The primary administrator is responsible for creating tenants and assigning the system resources such as routing-instances, interfaces in routing-instances and security-profile to tenant system.

Table 2: Firewall Configuration for the Tenant System

Feature

Name

Description

security-profile

tn1_pf

Name of the security profile. This profile specifies the resources to allocate to a tenant system to which the security profile is bound.

interfaces

xe-0/0/1

xe-0/0/2

Name of the interfaces. The interfaces provide traffic connectivity.

access profile

local_pf

radius_pf

securid_pf

Name of the access profiles. These profiles are used to define the users and passwords and to obtain authorization information about the user’s access right.

SSL termination profile

fwauthhttpspf

Name of the profile. This profile is used for SSL termination services.

routing-instances

vr1

Instance type as virtual routing instance.

security policies

p7

Name of the policy. This policy is used to configure pass-through firewall-authentication using fwauthhttpspf SSL termination profile.

p1

Name of the policy. This policy is used to configure pass-through firewall-authentication using local_pf access profile.

p4

Name of the policy. This policy is used to configure pass-through web-redirect firewall-authentication using radius_pf.

p3

Name of the policy. This policy is used to configure web-authentication firewall-authentication.

Topology

Figure 1 shows the topology used in this configuration example. The tenant shown in this topology is an SRX Series Firewall partitioned to multiple tenants. The external servers supported are RADIUS, LDAP, and SecurID. The communication from the client to the tenant happens over xe-0/0/1 interface and from the tenant to the server happens over xe-0/0/2 interface.

Figure 1: Topology for Tenant System Topology for Tenant System

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring access profiles and firewall authentication

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

  1. Configure a security profile tn1_pf and bind it to the tenant system.

  2. Create a tenant system tn1 and bind the security profile tn1_pf to the tenant system.

  3. Define the access profile used for SSL termination services for HTTPS traffic to trigger pass-through authentication.

  4. Configure interfaces and assign IP addresses. Enable web authentication at xe-0/0/1 interface.

  5. Configure routing instances and add interfaces to it.

Step-by-Step Procedure

The primary administrator is responsible for configuring access profiles in the tenant system. To configure access profiles:

  1. Create the access profiles to be used for firewall authentication. Access profiles defines clients as firewall users and the passwords that provide them access for firewall authentication. When unauthenticated traffic is permitted for firewall authentication, the user is authenticated based on the access profile configured in this command.

  2. Create an access profile to configure the RADIUS server.

  3. Create an access profile to configure SecurID as the server to be used for external authentication.

Step-by-Step Procedure

Configure different security policies that permit HTTP, HTTPS, and Telnet traffic between zones using pass-through (direct and web-redirect) and web authentication modes in a tenant system.

  1. Configure policy p1 for pass-through authentication for Telnet traffic.

  2. Configure policy p7 for pass-through authentication for HTTPS traffic.

  3. Configure policy p4 for pass through authentication using web-redirect for HTTP traffic.

  4. Configure policy p3 for web authentication for HTTP traffic.

  5. Configure zones and assign interfaces to each zone in a tenant system.

  6. Define a success banner for Telnet sessions. Configure firewall authentication pass-through and web authentication banner for applications in a tenant system.

Results

From configuration mode, confirm your configuration by entering the show system security-profile, show interfaces, show access, show tenants, and show services ssl termination commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commitfrom configuration mode.

Verification

Verifying Firewall User Authentication and Monitoring Users and IP Addresses in the Authentication Table

Purpose

The administrator for tenant system can use the show security firewall-authentication users or show security firewall-authentication history commands to view the information about firewall users and history for the tenant system. The administrator for the tenant system can use the same commands to view information for all tenant systems.

Action

From operational mode, enter the following show commands:

Meaning

The output displays the authenticated firewall users and the firewall authentication history of the users for the tenant system

Understanding Integrated User Firewall Support in a Tenant System

Tenant system supports the user firewall authentication in shared and active mode.

Starting in Junos OS Release 19.1R1, user firewall authentication is supported on tenant systems using a shared model. In this model, the primary logical system shares the user firewall configuration and authentication entries with the tenant system. The primary logical system shares the authentication data with the tenant system, which is collected from the Local authentication, Active Directory (AD) authentication, firewall authenticationft, Juniper Identity Management Service (JIMS), and ClearPass authentication.

In the shared model, user firewall related configuration is configured under the primary logical system, such as authentication source, authentication source priority, authentication entries timeout, and IP query or individual query and so on. The user firewall provides user information service for an application on the SRX Series Firewall, such as policy and logging. Traffic from a tenant system queries the authentication tables from the primary logical system.

The authentication tables are managed by a primary logical system. The tenant systems share the authentication tables. Traffic from the primary logical system and the tenant systems query the same authentication table. Tenant systems enable the use of the source-identity in security policy.

For example, if the primary logical system is configured with employee and the tenant system is configured with the source-identity manager, then the reference group of this authentication entry includes employee and manager. This reference group contains the same authentication entries from primary logical system and tenant system.

Starting in Junos OS Release 19.3R1, support for user firewall authentication is enhanced by using a customized model through integrated JIMS with active mode. In this model, the tenant system extracts the authentication entries from the root level. The primary logical system is configured to the JIMS server based on the logical system and tenant system name. In active mode the SRX Series Firewall actively queries the authenticaton entries received from the JIMS server through HTTPs protocol. To reduce the data exchange, firewall filters are applied.

The user firewall uses the tenant system name as a diffrentiator and is consistent between the JIMS server and SRX Series Firewall. The JIMS server sends the diffrentiator which is included in the authentication entry. The authentication entries are distributed into the root logical system, when the diffrentiator is set as default for the primary logical system.

The user firewall support In-service software upgrade (ISSU) for tenant systems, as user firewall changes the internal database table format from Junos OS Release 19.2R1 onwards. Prior to Junos OS Release 19.2R1, the ISSU is not supported for tenant systems.

Starting in Junos OS Release 20.2R1, logical systems and tenant systems support user firewall authentication with Unified Access Control (UAC).

Limitation of Using User Firewall Authentication in Tenant Systems

Using user firewall authentication on tenant systems has the following limitation:

  • The IP addresses under different tenant systems must not overlap. If the address overlap, then the authentication entry is changed when different users log in under different tenant systems.

Limitation of using User Firewall Authentication in customized model on Tenant Systems

Using user firewall authentication in customized model on tenant systems has the following limitation:

  • The JIMS server configurations to be configured under the root logical systems.

  • The tenant system name should be consistent and unique between the JIMS server and the SRX Series Firewall.

Example: Configuring Integrated User Firewall Identification Management for a Tenant System

This example shows how to configure the SRX Series Firewall's advanced query feature for obtaining user identity information from the Juniper Identity Management Service (JIMS) and the security policy to match the source identity for a tenant system. In the primary logical system, user firewall is configured with JIMS, and then the primary logical system manages all of authentication entries coming from JIMS. In this example, the primary logical systems shares the authentication entries with the tenant systems.

Requirements

This example uses the following hardware and software components:

  • SRX1500 devices operating in chassis clustering

  • JIMS server

  • Junos OS Release 19.1 R1

Overview

In this example, you can configure JIMS with HTTPs connection on port 443 and primary server with IPv4 address on the primary logical system, policy p1 with source-identity "group1" of dc0 domain on tenant system TN1, policy p1 with source-identity "group1" of dc0 domain on tenant system TN2, and send traffic from and through tenant system TN1 to tenant system TN2. You can view the authentication entries on primary logical system and tenant systems (TN1 and TN2) even after rebooting the primary node.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring user firewall identification management

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure user firewall identification management:

  1. Log in to the primary logical system as the primary administrator and enter configuration mode.

  2. Create tenant systems.

  3. Configure a security policy TN1_policy1 with source-identity group1 on the tenant system TN1 that permits traffic from TN1_trust to TN1_trust.

  4. Configure a security policy TN1_policy2 that permits traffic from TN1_trust to TN1_untrust.

  5. Configure a security policy TN1_policy3 that permits traffic from TN1_untrust to TN1_trust.

  6. Configure security zone and assign interfaces to each zone.

  7. Configure a security policy TN2_policy1 with source-identity group1 that permits traffic from TN2_untrust to TN2_untrust on TN2.

  8. Configure security zones and assign interfaces to each zone on TN2.

  9. Configure JIMS as the authentication source for advanced query requests with the primary address. The SRX Series Firewall requires this information to contact the server.

  10. Configure security policies and zones on the primary logical system.

  11. Configure security zones and assign interfaces to each zone on primary logical system.

Results

From configuration mode, confirm your configuration by entering the show services user-identification identity-management show chassis cluster command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform the below tasks:

Verifying chassis cluster status and authentication entries

Purpose

To verify authentication entries in a tenant system.

Action

To verify the configuration is working properly, enter the show services user-identification authentication-table authentication-source identity-management tenant TN1 command.

Meaning

The output displays the authentication entries that are shared from the primary logical system to the tenant system.

Verifying chassis cluster status

Purpose

Verify chassis cluster status after rebooting the primary node.

Action

To verify the configuration is working properly, enter the show chassis cluster status command.

Meaning

The output displays user identification management session existing on TN1 and TN2 after rebooting the primary node.

Example: Configure Integrated User Firewall in Customized Model for Tenant System

This example shows how to configure the integrated user firewall by using a customized model through the Juniper Identity Management Service (JIMS) server with active mode for a tenant system. The primary logical systems does not share the authentication entries with the tenant systems. The SRX Series Firewall queries the authentication entries received from the JIMS server through HTTPs protocol in active mode.

In this example following configurations are performed:

  • Active JIMS Server Configuration

  • Tenant System IP Query Configuration

  • Tenant System Authentication Entry Configuration

  • Tenant System Security Policy Configuration

Requirements

This example uses the following hardware and software components:

  • JIMS server version 2.0

  • Junos OS Release 19.3R1

Before you begin, be sure you have following information:

  • The IP address of the JIMS server.

  • The port number on the JIMS server for receiving HTTPs requests.

  • The client ID from the JIMS server for active query server.

  • The client secret from the JIMS server for active query server.

Overview

In this example, you can configure JIMS with HTTPs connection on port 443 and primary server with IPv4 address on the primary logical system, policy p2 with source-identity group1 on tenant system TSYS1.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring Integrated User Firewall in Customized Model:

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure Integrated User Firewall in Customized Model:

  1. Configure JIMS as the authentication source for advanced query requests with the primary address. The SRX Series Firewall requires this information to contact the server.

  2. Configure the IP query delay time for TSYS1.

  3. Configure the authentication entry attributes for TSYS1.

  4. Configure the security policy p2 that permits traffic from-zone untrust to-zone trust for TSYS1.

Results

From configuration mode, confirm your configuration by entering the show services user-identification logical-domain-identity-management and show tenants TSYS1 commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform the below tasks:

Verifying the User Identification Identity Management status

Purpose

Verify the user identification status for identity-management as the authentication source.

Action

To verify the configuration is working properly, enter the show services user-identification logical-domain-identity-management status command.

Meaning

The output displays the statistical data about the advanced user query function batch queries and IP queries, or show status on the Juniper Identity Management Service servers.

Verifying the User Identification Identity Management status counters

Purpose

Verify the user identification counters for identity-management as the authentication source.

Action

To verify the configuration is working properly, enter the show services user-identification logical-domain-identity-management counters command.

Meaning

The output displays the statistical data about the advanced user query function batch queries and IP queries, or show counters on the Juniper Identity Management Service servers.

Verifying the User Identification Authentication Table

Purpose

Verify the user identity information authentication table entries for the specified authentication source.

Action

To verify the configuration is working properly, enter the show services user-identification authentication-table authentication-source all tenant TSYS1 command.

Meaning

The output displays the entire content of the specified authentication source’s authentication table, or a specific domain, group, or user based on the user name. Display the identity information for a user based on the IP address of the user’s device.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
19.3R1
Starting in Junos OS Release 19.3R1, support for user firewall authentication is enhanced by using a customized model through integrated JIMS with active mode.
19.1R1
Starting in Junos OS Release 19.1R1, user firewall authentication is supported on tenant systems using a shared model. In this model, the primary logical system shares the user firewall configuration and authentication entries with the tenant system. The primary logical system shares the authentication data with the tenant system, which is collected from the Local authentication, Active Directory (AD) authentication, firewall authenticationft, Juniper Identity Management Service (JIMS), and ClearPass authentication.