07-12-2011 12:59 PM
We have used WebAuth with RADIUS on our Netscreen firewalls for years. This allows us to limit access to sensitive areas of our network. We have been trying to reproduce this in JUNOS-SRX. Can someone offer some guidance?
=== Code ===
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT then log session-init
set access profile WEB-AUTH authentication-order radius
set access profile WEB-AUTH client AutoAuthGroup client-group AUTO-GROUPS
deactivate access profile WEB-AUTH client AutoAuthGroup
set access profile WEB-AUTH client VideoAuthGroup client-group VIDEO-GROUPS
set access profile WEB-AUTH client VoiceAuthGroup client-group VOICE-GROUPS
set access profile WEB-AUTH client WEDAuthGroup client-group AUTO-GROUPS
set access profile WEB-AUTH session-options client-group AUTO-GROUPS
set access profile WEB-AUTH session-options client-group VIDEO-GROUPS
set access profile WEB-AUTH session-options client-group VOICE-GROUPS
set access profile WEB-AUTH session-options client-idle-timeout 240
set access profile WEB-AUTH session-options client-session-timeout 4320
set access profile WEB-AUTH radius-server 10.150.x.x port 1812
set access profile WEB-AUTH radius-server 10.150.x.x secret
set access profile WEB-AUTH radius-server 10.150.x.x timeout 5
set access profile WEB-AUTH radius-server 10.150.x.x retry 2
set access profile WEB-AUTH radius-server 10.150.x.x source-address 172.26.104.253
set access firewall-authentication web-authentication default-profile WEB-AUTH
set access firewall-authentication web-authentication banner success "You have been successfully authenticated.<br>You are only allowed to access resources for which you have received explicit authorization."
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT match application any
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match AUTO-GROUPS
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT match application any
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VOICE-GROUPS
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT match application any
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VIDEO-GROUPS
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone AUTOMATION to-zone ADMIN policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone AUTOMATION to-zone ADMIN policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone AUTOMATION to-zone ADMIN policy WEB-AUTH-PERMIT match application any
set security policies from-zone AUTOMATION to-zone ADMIN policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match AUTO-GROUPS
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT match application any
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VIDEO-GROUPS
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT match application any
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VOICE-GROUPS
07-12-2011 03:45 PM
OK, More details...
We want to have different users get different access between zones, based on users or groups learned from RADIUS VSAs. RADIUS sends the correct level.
Here's how it's done in ScreenOS:
=== Code ===
set auth-server "JAXRADIUS" id 2
set auth-server "JAXRADIUS" server-name "10.150.x.x"
set auth-server "JAXRADIUS" account-type auth xauth
set auth-server "JAXRADIUS" forced-timeout 1440
set auth-server "JAXRADIUS" radius port 1812
set interface "ethernet0/0" webauth
set interface "ethernet0/0" webauth-ip 172.22.150.252
set webauth server "JAXRADIUS"
set webauth banner success "You have been successfully authenticated.<br>You are only allowed to access resources for which you have received explicit authorization."
set user "Autoauth" uid 6
set user "Autoauth" type auth
set user "Autoauth" hash-password ""
set user "Autoauth" "enable"
set user "Videoauth" uid 2
set user "Videoauth" type auth
set user "Videoauth" hash-password ""
set user "Videoauth" "enable"
set user "Voiceauth" uid 3
set user "Voiceauth" type auth
set user "Voiceauth" hash-password ""
set user "Voiceauth" "enable"
set policy id 5 from "Untrust" to "Production" "BHM NSO" "Any" "ANY" permit webauth user "Autoauth" log
set policy id 5
exit
set policy id 9 from "Untrust" to "Video" "BHM NSO" "Any" "ANY" permit webauth user "Videoauth" log
set policy id 9
exit
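The exchange behind both configs above is the same: the firewall (the NAS) sends a RADIUS Access-Request with the web-auth username and hidden password, and the RADIUS server answers with an Access-Accept whose Vendor-Specific Attribute carries the group the policy later matches on (`client-match` on the SRX, `user` on ScreenOS). The following is an added example, not code from either post or from Juniper: a pure-Python implementation of that round trip per RFC 2865, with a constructed user database standing in for the RADIUS server at 10.150.x.x. The Juniper enterprise number 2636 in the VSA is real; the vendor-type 1 used for the group string, the shared secret, and the usernames and passwords are assumptions made for illustration only.

```python
"""RADIUS Access-Request / Access-Accept round trip (RFC 2865) in pure Python.

Added example, not part of the forum thread. Shows what the SRX and the RADIUS
server exchange for a web-auth login and how a group name inside a
Vendor-Specific Attribute (VSA) is pulled out of the Access-Accept.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
JUNIPER_ENTERPRISE = 2636   # IANA private enterprise number of Juniper Networks (real)
GROUP_VENDOR_TYPE = 1       # ASSUMED vendor-type carrying the client-group name

# Constructed sample user database: user -> (password, client-group sent back in the VSA)
USERS = {
    "voiceadmin": ("Voice!Pass1", "VOICE-GROUPS"),
    "videotech": ("Vid3o!Pass", "VIDEO-GROUPS"),
}


def _attr(attr_type, value):
    """One RADIUS TLV: Type(1) Length(1, counts the 2 header bytes) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4) followed by a nested Vendor-Type/Length/Value."""
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + _attr(vendor_type, value))


def parse_attrs(data):
    """Split an attribute area into (type, value) pairs, rejecting bad lengths."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide: the chaining value is the previous *hidden* block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(user, password, nas_ip, secret, ident=1):
    """NAS side (the SRX): Code 1, random Request Authenticator, hidden User-Password."""
    req_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, pap_hide(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def radius_server(request, secret, users=USERS):
    """Server side: Accept with the group VSA, or Reject. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    fields = dict(parse_attrs(request[20:]))
    user = fields.get(USER_NAME, b"").decode(errors="replace")
    password = pap_reveal(fields.get(USER_PASSWORD, b""), secret, req_auth)
    entry = users.get(user)
    if entry and hmac.compare_digest(password, entry[0].encode()):
        code, attrs = ACCESS_ACCEPT, _vsa(JUNIPER_ENTERPRISE, GROUP_VENDOR_TYPE, entry[1].encode())
    else:
        code, attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """NAS-side check: matching Identifier and a Response Authenticator keyed by the shared
    secret, so a reply forged by a host that does not know the secret is dropped."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def group_from_accept(response):
    """Extract the client-group string from the Juniper VSA of an Access-Accept."""
    if response[0] != ACCESS_ACCEPT:
        return None
    for attr_type, value in parse_attrs(response[20:]):
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            for vtype, vvalue in parse_attrs(value[4:]):
                if vendor_id == JUNIPER_ENTERPRISE and vtype == GROUP_VENDOR_TYPE:
                    return vvalue.decode()
    return None


def webauth_login(user, password, secret=b"constructed-shared-secret", nas_ip="172.26.104.253"):
    """Full round trip; returns (accepted, client_group)."""
    request = build_access_request(user, password, nas_ip, secret)
    response = radius_server(request, secret)
    if not verify_response(response, request, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered reply")
    return response[0] == ACCESS_ACCEPT, group_from_accept(response)


if __name__ == "__main__":
    print(webauth_login("voiceadmin", "Voice!Pass1"))
    print(webauth_login("voiceadmin", "wrong-password"))
```

The two checks worth carrying over to a real deployment are the ones the code makes explicit: the `secret` on the `radius-server` line protects both the hidden password and the Response Authenticator, so a mismatch surfaces as a verification failure rather than a silent reject, and the group string that `client-match` keys on only exists if the server actually returns it in the Accept. Which VSA name your RADIUS server uses for that group is server-specific; the vendor-type here is a placeholder, not Juniper's documented value.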