SRX Services Gateway
Contributor
DanSmart
Posts: 108
Registered: ‎01-21-2008

SRX firewall Webauth using client-groups

We have used WebAuth with RADIUS on our Netscreen firewalls for years.  This allows us to limit access to sensitive areas of our network.  We have been trying to reproduce this in JUNOS-SRX.  Can someone offer some guidance?

=== Code ===

set access profile WEB-AUTH authentication-order radius
set access profile WEB-AUTH client AutoAuthGroup client-group AUTO-GROUPS
deactivate access profile WEB-AUTH client AutoAuthGroup
set access profile WEB-AUTH client VideoAuthGroup client-group VIDEO-GROUPS
set access profile WEB-AUTH client VoiceAuthGroup client-group VOICE-GROUPS
set access profile WEB-AUTH client WEDAuthGroup client-group AUTO-GROUPS
set access profile WEB-AUTH session-options client-group AUTO-GROUPS
set access profile WEB-AUTH session-options client-group VIDEO-GROUPS
set access profile WEB-AUTH session-options client-group VOICE-GROUPS
set access profile WEB-AUTH session-options client-idle-timeout 240
set access profile WEB-AUTH session-options client-session-timeout 4320
set access profile WEB-AUTH radius-server 10.150.x.x port 1812
set access profile WEB-AUTH radius-server 10.150.x.x secret
set access profile WEB-AUTH radius-server 10.150.x.x timeout 5
set access profile WEB-AUTH radius-server 10.150.x.x retry 2
set access profile WEB-AUTH radius-server 10.150.x.x source-address 172.26.104.253
set access firewall-authentication web-authentication default-profile WEB-AUTH
set access firewall-authentication web-authentication banner success "You have been successfully authenticated.<br>You are only allowed to access resources for which you have received explicit authorization."

set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT match application any
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match AUTO-GROUPS
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT match application any
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VOICE-GROUPS
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT match application any
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VIDEO-GROUPS
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone AUTOMATION to-zone ADMIN policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone AUTOMATION to-zone ADMIN policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone AUTOMATION to-zone ADMIN policy WEB-AUTH-PERMIT match application any
set security policies from-zone AUTOMATION to-zone ADMIN policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match AUTO-GROUPS
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT match application any
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VIDEO-GROUPS
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT match application any
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VOICE-GROUPS
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT then log session-init

-=Dan=-
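As an added example (editor's code, not part of Dan's post and not Juniper's), here is a small auditor for the kind of set-style config posted above. The security point it checks is simple: a policy that permits with `client-match GROUP` only ever lets through users who land in that client-group, so if no active client in the access profile carries the group (for instance because the only carrier was deactivated), the policy silently matches nobody; and a web-auth permit without `log session-init` leaves no record of who was let in. `SAMPLE_CONFIG` is constructed, modelled on the post's profile and policies; the WIFI zone and WIFI-GROUPS are made up to show an orphaned group. The audit assumes group membership is granted only through the profile's locally defined clients, which is what the posted config shows; it does not cover the interface-level web-authentication enablement, which the post does not include.

```python
"""Audit SRX web-auth client-group wiring in a Junos 'set'-style config.

Added example (not from the forum post, not Juniper code).  It parses
'set' / 'deactivate' lines, records which client-groups each access-profile
client carries (honouring 'deactivate'), and flags policies whose
client-match names a group no active client can be placed in, plus web-auth
permit policies that do not log session-init.  SAMPLE_CONFIG is constructed
(WIFI zone / WIFI-GROUPS are invented).  Assumption: client-group membership
comes only from the profile's locally defined clients.
"""
import re
from dataclasses import dataclass, field

CLIENT_RE = re.compile(
    r"^(?P<verb>set|deactivate) access profile (?P<profile>\S+) "
    r"client (?P<client>\S+)(?: client-group (?P<group>\S+))?$"
)
POLICY_RE = re.compile(
    r"^set security policies from-zone (?P<src>\S+) to-zone (?P<dst>\S+) "
    r"policy (?P<name>\S+) then (?P<action>.+)$"
)
MATCH_RE = re.compile(r"\bclient-match (?P<group>\S+)")

# Constructed sample, modelled on the posted config (RADIUS lines omitted).
SAMPLE_CONFIG = """\
set access profile WEB-AUTH authentication-order radius
set access profile WEB-AUTH client AutoAuthGroup client-group AUTO-GROUPS
deactivate access profile WEB-AUTH client AutoAuthGroup
set access profile WEB-AUTH client VideoAuthGroup client-group VIDEO-GROUPS
set access profile WEB-AUTH client VoiceAuthGroup client-group VOICE-GROUPS
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match AUTO-GROUPS
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VOICE-GROUPS
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VOICE-GROUPS
set security policies from-zone WIFI to-zone ADMIN policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match WIFI-GROUPS
set security policies from-zone WIFI to-zone ADMIN policy WEB-AUTH-PERMIT then log session-init
"""


@dataclass
class Policy:
    groups: set = field(default_factory=set)  # groups named by client-match
    logs_init: bool = False                   # 'then log session-init' seen


@dataclass
class Config:
    client_groups: dict = field(default_factory=dict)  # (profile, client) -> {group}
    deactivated: set = field(default_factory=set)      # (profile, client)
    policies: dict = field(default_factory=dict)       # (src, dst, name) -> Policy


def parse_config(text):
    """Build a Config from set-style lines; unrelated lines are ignored."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.strip()
        m = CLIENT_RE.match(line)
        if m:
            key = (m["profile"], m["client"])
            if m["verb"] == "deactivate":
                cfg.deactivated.add(key)
            elif m["group"]:
                cfg.client_groups.setdefault(key, set()).add(m["group"])
            continue
        m = POLICY_RE.match(line)
        if m:
            pol = cfg.policies.setdefault((m["src"], m["dst"], m["name"]), Policy())
            cm = MATCH_RE.search(m["action"])
            if cm:
                pol.groups.add(cm["group"])
            if m["action"].startswith("log session-init"):
                pol.logs_init = True
    return cfg


def active_groups(cfg):
    """Map each client-group to the *active* clients that carry it."""
    reach = {}
    for (profile, client), groups in cfg.client_groups.items():
        if (profile, client) in cfg.deactivated:
            continue
        for g in groups:
            reach.setdefault(g, set()).add(client)
    return reach


def audit(cfg):
    """Return human-readable findings, ordered by (from-zone, to-zone, policy)."""
    reach = active_groups(cfg)
    findings = []
    for (src, dst, name), pol in sorted(cfg.policies.items()):
        label = f"{src}->{dst} {name}"
        for g in sorted(pol.groups):
            if g not in reach:
                findings.append(f"{label}: client-match {g} has no active client, so nobody can match")
        if pol.groups and not pol.logs_init:
            findings.append(f"{label}: web-auth permit without 'log session-init'")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

On the constructed sample the audit reports three things: the ADMIN->AUTOMATION policy matches on AUTO-GROUPS while its only carrier, AutoAuthGroup, is deactivated; the VOICE->ADMIN policy permits without logging session-init; and WIFI-GROUPS is referenced by a policy but carried by no client at all. Feeding it the real `show configuration | display set` output instead of `SAMPLE_CONFIG` gives the same checks over the live box.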
DanSmart

Re: SRX firewall Webauth using client-groups

OK, more details...

We want to have different users get different access between zones, based on users or groups learned from RADIUS VSAs.  RADIUS sends the correct level.

Here's how it's done in ScreenOS

===== Code =====

set auth-server "JAXRADIUS" id 2
set auth-server "JAXRADIUS" server-name "10.150.x.x"
set auth-server "JAXRADIUS" account-type auth xauth 
set auth-server "JAXRADIUS" forced-timeout 1440
set auth-server "JAXRADIUS" radius port 1812
set interface "ethernet0/0" webauth 
set interface "ethernet0/0" webauth-ip 172.22.150.252
set webauth server "JAXRADIUS"
set webauth banner success "You have been successfully authenticated.<br>You are only allowed to access resources for which you have received explicit authorization."
set user "Autoauth" uid 6
set user "Autoauth" type auth
set user "Autoauth" hash-password ""
set user "Autoauth" "enable"
set user "Videoauth" uid 2
set user "Videoauth" type auth
set user "Videoauth" hash-password ""
set user "Videoauth" "enable"
set user "Voiceauth" uid 3
set user "Voiceauth" type auth
set user "Voiceauth" hash-password ""
set user "Voiceauth" "enable"
set policy id 5 from "Untrust" to "Production"  "BHM NSO" "Any" "ANY" permit webauth user "Autoauth" log 
set policy id 5
exit
set policy id 9 from "Untrust" to "Video"  "BHM NSO" "Any" "ANY" permit webauth user "Videoauth" log 
set policy id 9
exit


-=Dan=-
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.