SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Pass-through Authentication with web-redirect

    Posted 11-28-2013 04:42

    Hello,

     

    I configured pass-through authentication with web-redirect, but it did not work.

    All the documents say that web-redirect is the same as web-authentication but more flexible, because it redirects the user to the web authentication page instead of the user manually opening a new web page and using the secondary IP.

     

    When I tested the configuration below by opening a web page, nothing happened, and the history command gave me "authentication failed".

     

    # set system services web-management http

     

    # set security zones security-zone ***** host-inbound-traffic system-services all

     

    # set access profile Server-Access client user firewall-user password "$9$l62KX-wYoDjq24Tzn6AtWLX"
    # set access profile Server-Access session-options client-group Server-Access-Group
    # set access firewall-authentication pass-through default-profile Server-Access
    # set access firewall-authentication pass-through http banner success "Login Successfully!"

     

    # set security policies from-zone ***** to-zone ***** policy TTTT then permit firewall-authentication pass-through client-match Server-Access-Group
    # set security policies from-zone ***** to-zone ***** policy TTTT then permit firewall-authentication pass-through web-redirect

     

    So, does anybody know how web-redirect works, or has anybody tried it before?

     

    Mahmoud

    JNCIS-SEC



  • 2.  RE: Pass-through Authentication with web-redirect
    Best Answer

    Posted 11-30-2013 06:43
    1. Pass-through authentication with the web-redirect option is used in situations where the user must be authenticated through the web, where it is also a requirement that the user must not know the device IP, and also to reduce the burden on the user of separately accessing the device for web-authentication.
    2. As per the exhibit, nothing is wrong with the configuration, except that you have not shown the configuration for the interface through which the user's initial request is received on the device. Please ensure that web-authentication http is enabled on that particular interface.

     

     

     

    Please mark this as accepted solution if it works for you

    A Kudos is a good way of appreciation

     

    Kashif Nawaz

    JNCIP-Sec, JNCIS-Ent,JNCIS-Sec,JNCIA-JUNOS

     

     

     

     



  • 3.  RE: Pass-through Authentication with web-redirect

    Posted 12-02-2013 00:14

    Hi Kashif,

     

    Thank you for the reply ...

     

    When I configure web-authentication under the primary IP address, it gives me an error message after I try to commit the changes, as it appears below:

     

    # set interfaces ge-0/0/15 unit 0 family inet address 192.168.1.1/24 web-authentication http    
    # commit check
    [edit interfaces ge-0/0/15 unit 0 family]
      'inet'
        Web-authentication address 192.168.1.1/24 is not within the subnet of any address on this interface
    error: configuration check-out failed

     

    -----

     

    So I tried to configure it under a secondary IP address, like standard web-authentication, and that worked :).

     

    set interfaces ge-0/0/15 unit 0 family inet address 192.168.1.1/24 preferred
    set interfaces ge-0/0/15 unit 0 family inet address 192.168.1.2/24 web-authentication http

     

    Many thanks for your appreciated help 😉

     

    Mahmoud Baroudi

    JNCIS Sec
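
The two checks this exchange arrives at, written as a small pre-commit lint over "set"-format configuration. This is an added example, not part of any post in the thread and not Juniper tooling; the function name, the sample configs and the zone names `trust`/`untrust` are constructed, and the rule that the web-authentication address needs a separate ordinary address in the same subnet is an assumption taken from the commit error and the working configuration above.

```python
import ipaddress
import re

# Constructed samples in Junos "set" format, modelled on the commands in this
# thread. Zone names trust/untrust are placeholders (the thread masks them).
POLICY = ("set security policies from-zone trust to-zone untrust policy TTTT "
          "then permit firewall-authentication pass-through web-redirect\n")
SAMPLE_BROKEN = (
    "set interfaces ge-0/0/15 unit 0 family inet address 192.168.1.1/24 "
    "web-authentication http\n" + POLICY)
SAMPLE_WORKING = (
    "set interfaces ge-0/0/15 unit 0 family inet address 192.168.1.1/24 preferred\n"
    "set interfaces ge-0/0/15 unit 0 family inet address 192.168.1.2/24 "
    "web-authentication http\n" + POLICY)

ADDR = re.compile(r"set interfaces (\S+) unit (\d+) family inet address (\S+)(.*)")
REDIRECT = re.compile(r"set security policies .* policy (\S+) then permit "
                      r"firewall-authentication pass-through web-redirect")


def lint_web_redirect(config):
    """Return a list of findings; an empty list means the checks passed."""
    plain, webauth, policies, findings = {}, {}, [], []
    for line in config.splitlines():
        if m := ADDR.search(line):
            bucket = webauth if "web-authentication http" in m[4] else plain
            bucket.setdefault((m[1], m[2]), []).append(ipaddress.ip_interface(m[3]))
        elif m := REDIRECT.search(line):
            policies.append(m[1])
    usable = 0
    for (ifd, unit), addrs in webauth.items():
        for wa in addrs:
            # Assumption taken from the thread: the web-authentication address
            # must sit beside a different, ordinary address in the same subnet.
            peers = plain.get((ifd, unit), [])
            if any(p.network == wa.network and p.ip != wa.ip for p in peers):
                usable += 1
            else:
                findings.append(f"{ifd}.{unit}: web-authentication address {wa} "
                                "has no separate interface address in its subnet")
    if usable == 0:
        findings += [f"policy {name}: web-redirect set, but no interface has a "
                     "usable web-authentication http address" for name in policies]
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", SAMPLE_BROKEN), ("working", SAMPLE_WORKING)):
        print(label, lint_web_redirect(cfg) or "OK")
```

The lint does not map policies to zones or interfaces, because the thread masks the zone names; it only confirms that some interface carries a usable web-authentication address.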



  • 4.  RE: Pass-through Authentication with web-redirect

    Posted 04-29-2015 00:01

    Hi, Guys 

     

    I cannot test this web-redirect functionality successfully in my vSRX. I have no idea what was wrong with my config; furthermore, not much useful info on this topic can be found on the internet.

     

    BTW: I am using Junos [12.1X47-D10.4], firefly-perimeter

     

     

    Topology: 

     

              

    host-------------------inside---SRX----outside---------------------remote host 

        192.168.100/24                                     10.10.10/24

     

     

     

    My basic config is like: 

     

    lab@SRX-A-48# show access
    profile authen-pass {
        client user-1 {
            firewall-user {
                password "$9$n.aA6A0B1hyrv0OX7Vb2g"; ## SECRET-DATA
            }
        }
    }
    firewall-authentication {
        pass-through {
            default-profile authen-pass;
            telnet {
                banner {
                    login login-telnet;
                    success success-telnet;
                }
            }
        }
    }

    [edit]
    lab@SRX-A-48# show system services
    ftp;
    ssh;
    telnet;
    web-management {
        http;
    }

    [edit]
    lab@SRX-A-48# show interfaces ge-0/0/1
    unit 0 {
        family inet {
            address 192.168.100.2/24 {
                preferred;
            }
            address 192.168.100.100/24 {
                web-authentication http;
            }
        }
    }

    [edit]
    lab@SRX-A-48# show security policies
    from-zone inside to-zone outside {
        policy permit-all {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    firewall-authentication {
                        pass-through {
                            client-match user-1;
                            web-redirect;
                        }
                    }
                }
            }
        }
    }

     

    When I try to access my remote host through HTTP from the inside zone, it always times out without the expected result.

    Thanks all in advance! 

     

    Regards 

     



  • 5.  RE: Pass-through Authentication with web-redirect

    Posted 07-27-2015 08:55
    Hi paulzh, The same thing in vSRX 12.1x47-d20. I think, it's a bug.


  • 6.  RE: Pass-through Authentication with web-redirect

    Posted 08-18-2015 02:38

    I have been using an SRX240 with web-authentication for a year. Software version: [11.4R10.3]

    I have tried to upgrade to 12.1X46-D35.1

    Then the web auth IP is redirected to the SRX Device Manager page. Does this whole authentication feature have a bug?



  • 7.  RE: Pass-through Authentication with web-redirect

    Posted 09-03-2015 00:27

    This pass-through web-redirect authentication failure is a bug, and it has been fixed in the latest version. I have tested it in 12.1X47-D25 and it works as expected.

     

    Please check it.

     

    Reference PR link : https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1071159

     

    Thanks,

    SHKM

     

     



  • 8.  RE: Pass-through Authentication with web-redirect

    Posted 09-03-2015 06:21

    I am not sure about the exact version, but pass-through web-redirect will not work on vSRX, and this has been confirmed by a PR. I hope it works on a physical device though, or that the above PR is related to the physical box as well.

     

    Regards

    Rakesh M

    https://r2079.wordpress.com