Junos OS

  • 1.  JUNOS-ES and firewall-authentication, source IP ends up backwards?

    Posted 11-06-2008 08:52

    Hi all,

    I'm trying to use web-authentication to allow authenticated users to poke a hole through the firewall to permit remote desktop to their workstation. This all seems quite simple in the configuration guide, but I'm running into a problem that might either be a really weird misconfiguration or a bug.

    A user can authenticate correctly, but the IP number that gets the "hole" is backwards from what the user actually is sitting on. An example below for a test user that has authenticated from address 192.168.4.22:

    > show security firewall-authentication users
    Firewall authentication data:
      Total users in table: 1
              Id Source Ip       Src zone Dst zone Profile    Age Status   User
               4 22.4.168.192     N/A      N/A      webauth-     4 Success  test

    Of course, traffic from the authenticated user isn't permitted through, either. The configuration is pretty basic, a policy between the zones in question that allows authenticated traffic:

     

    policy auth-rdp {
        match {
            source-address any;
            destination-address any;
            application ms-rdp;
        }
        then {
            permit {
                firewall-authentication {
                    web-authentication;
                }
            }
        }
    }

    and an access policy that just contains a static test user for now:

    access {
        profile webauth-access {
            client test {
                firewall-user {
                    password "$9$ZPGkPF39pOR/ClM8LVbmfT3Cu"; ## SECRET-DATA
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile webauth-access;
            }
        }
    }

    This is on JUNOS Software Release [9.2R1.10] Enhanced Services on a J6350. Is there someone out there that recognizes this and knows of a solution of some kind?


    Best regards,

    Jakob

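    As an added example (not part of Jakob's post, and not Junos code), here is a small Python script that parses the "show security firewall-authentication users" table shown above and flags entries whose Source Ip is the octet-reversal of an address in the subnet where web-authentication is enabled. It is a quick way to confirm on a given box whether you are seeing this symptom rather than a genuine client from an unexpected network. The sample table, the second "alice" row and the 192.168.4.0/24 client subnet are constructed for the example; only the "test" row is taken from the post.

```python
"""Detect octet-reversed source addresses in a Junos
'show security firewall-authentication users' table.

Added example, not Juniper code. The sample output below is constructed
around the single row pasted in the post; the 'alice' row and the
192.168.4.0/24 client subnet are assumptions for illustration.
"""
import ipaddress
import re

# Constructed sample of the operational command output.
SAMPLE_OUTPUT = """\
Firewall authentication data:
  Total users in table: 2
          Id Source Ip       Src zone Dst zone Profile    Age Status   User
           4 22.4.168.192     N/A      N/A      webauth-     4 Success  test
           5 192.168.4.23     trust    untrust  webauth-     2 Success  alice
"""

# One data row: Id, Source Ip, Src zone, Dst zone, Profile, Age, Status, User.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<src_zone>\S+)\s+(?P<dst_zone>\S+)\s+"
    r"(?P<profile>\S+)\s+(?P<age>\d+)\s+"
    r"(?P<status>\S+)\s+(?P<user>\S+)\s*$"
)


def parse_fwauth_users(text):
    """Return a list of dicts, one per authenticated-user row.

    Header and summary lines do not start with a numeric Id, so they
    simply fail to match and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["id"] = int(row["id"])
            row["age"] = int(row["age"])
            entries.append(row)
    return entries


def reverse_octets(ip):
    """'22.4.168.192' -> '192.168.4.22'."""
    return ".".join(reversed(ip.split(".")))


def check_entries(entries, expected_clients):
    """Compare each table row against the address the user really came from.

    expected_clients maps user name -> address observed on the client side
    (for example from the web-auth login itself). Verdicts: 'ok',
    'octet-reversed', 'mismatch', or 'unknown-client' when we have no
    reference address for that user.
    """
    findings = []
    for e in entries:
        actual = expected_clients.get(e["user"])
        if actual is None:
            verdict = "unknown-client"
        elif e["ip"] == actual:
            verdict = "ok"
        elif reverse_octets(e["ip"]) == actual:
            verdict = "octet-reversed"
        else:
            verdict = "mismatch"
        findings.append((e["user"], e["ip"], verdict))
    return findings


def flag_by_prefix(entries, client_prefixes):
    """Flag rows without a per-user reference address.

    A row is suspicious when its Source Ip lies outside every subnet on
    which web-auth is enabled, but the octet-reversed address lies inside
    one of them. Returns (user, table_ip, probable_real_ip) tuples.
    """
    nets = [ipaddress.ip_network(p) for p in client_prefixes]
    flagged = []
    for e in entries:
        addr = ipaddress.ip_address(e["ip"])
        if any(addr in n for n in nets):
            continue  # address is plausible as-is
        rev = ipaddress.ip_address(reverse_octets(e["ip"]))
        if any(rev in n for n in nets):
            flagged.append((e["user"], e["ip"], str(rev)))
    return flagged


if __name__ == "__main__":
    rows = parse_fwauth_users(SAMPLE_OUTPUT)
    for user, ip, real in flag_by_prefix(rows, ["192.168.4.0/24"]):
        print(f"user {user}: table shows {ip}, probably really {real}")
```

    In practice you would feed the script the real command output (for example captured over SSH) and the subnet(s) of the interfaces where web-authentication is enabled; flag_by_prefix needs no per-user knowledge, while check_entries is the stricter test when you also know which address each user logged in from.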


  • 2.  RE: JUNOS-ES and firewall-authentication, source IP ends up backwards?

    Posted 11-11-2008 00:00

    Jakob,

    This is an interesting and pretty easy scenario; however, I'll try this in my lab tomorrow... will get back to you soon.

    As you mentioned, you are getting authentication and I can see the entry is present in the FWauth table. I hope you already enabled webauth on the particular interface where this source IP is authenticating.

    Can you also give me the output of the following operational command, run some debug commands and paste the logs?

    Operational command:

    show network-access requests statistics

    Please enable the following traceoptions:

    - set security firewall-authentication traceoptions flag all

    - set access firewall-authentication traceoptions flag all

    - set system processes general-authentication-service traceoptions flag all

    Once you enable the above traceoptions, commit and open two more telnet sessions on the device, at the shell prompt:

    First window, run

    - tail -f /var/log/fwauthd

    Second window, run

    - tail -f /var/log/authd

    Then perform authentication; you can see real-time logging in both windows. Please paste both logs here.

    Thanks

    Raheel Anwar



  • 3.  RE: JUNOS-ES and firewall-authentication, source IP ends up backwards?
    Best Answer

    Posted 11-11-2008 13:56

    Jakob,

    Please ignore my previous request, I know the problem NOW.

    This is a bug, and it's been fixed in 9.2R3 or 9.3 latest.

    Thanks

    Raheel Anwar



  • 4.  RE: JUNOS-ES and firewall-authentication, source IP ends up backwards?

    Posted 11-04-2010 23:36

    I can't find the application ms-rdp, or junos rdp..... I am using "tcp any" to allow RDP....



  • 5.  RE: JUNOS-ES and firewall-authentication, source IP ends up backwards?

    Posted 11-06-2010 03:04

    I don't think there is one by default at the moment, just create it:

    configure
    set applications application rdp protocol tcp
    set applications application rdp destination-port 3389
    commit