ScreenOS Firewalls (NOT SRX)
Visitor
gdelmas
Posts: 4
Registered: ‎04-28-2008

WebAuth doesn't work from untrust zone to trust zone

Hi, I want to authenticate a client from the untrust zone to access a server in a trust zone. WebAuth doesn't work!!

The only way to secure an authentication (ciphered) is to use WebAuth. Why doesn't Run Authentication use https or ssh? When will Juniper add the use of ssh or https in run authentication?

Run authentication with telnet, ftp or http is stupid. The login/password are not ciphered.

Super Contributor
sylvain
Posts: 162
Registered: ‎12-20-2007

Re: WebAuth doesn't work from untrust zone to trust zone

Hi,

Try to use the SSL WebAuth mechanism. There is a checkbox in your interface menu (SSL Only) in order to do what you want. So authentication will be encrypted.

Hope this could help.

Sylvain

Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008

Re: WebAuth doesn't work from untrust zone to trust zone

Hi,

Why is WebAuth not working from untrust to trust? Tell me what steps you took to configure WebAuth. I will guide you, if I can, to resolve the issue.

Actually, inline authentication (run-time authentication) works only for telnet, ftp and http traffic. If you want to use inline authentication for other traffic like https, ssh, etc., do one thing: make a service group, add all your desired services (https, ssh) AND one or all three services (ftp, http, telnet) to that service group. Use this service group in the policy from untrust to trust. Now you can use inline authentication for https, ssh, etc.

Please let me know if this solves your problem.

Thanks 

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution".Kudos are always appreciated!
Visitor
gdelmas
Posts: 4
Registered: ‎04-28-2008

Re: WebAuth doesn't work from untrust zone to trust zone

Hi,

I know the run-time authentication solution with telnet and ssh in the same policy. But in this case, it's mandatory that you run a telnet session to the target server to authenticate on the firewall. After that, you can run an ssh session to the target server.

My problem is that the login credentials are sent in the clear when you run the telnet session!!!

For WebAuth, I ran a lot of tests and I conclude that WebAuth doesn't work when a WebAuth IP is added on an interface in a zone from untrust-vr.

  

example:

client(1.1.1.1/16)   ---WAN--->  2.2.2.200/24 (untrust-vr)| FW |(trust-vr) 192.168.0.200/24    ---LAN---> server(192.168.0.1/24) 

 

                                                webauth IP is 2.2.2.100

 

Message Edited by gdelmas on 04-29-2008 06:53 AM
Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008

Re: WebAuth doesn't work from untrust zone to trust zone

Hi,

I am sure WebAuth should work from untrust to trust. What configuration steps did you follow?

 

Thanks

Kashif Rana
Visitor
gdelmas
Posts: 4
Registered: ‎04-28-2008

Re: WebAuth doesn't work from untrust zone to trust zone

OK, I did not explain very well!! WebAuth works because access is granted. But!! The access to the target server (behind the firewall) doesn't work. My policy is well configured between the 2 zones and activated for WebAuth. So I don't understand!!

I tested a WebAuth IP on an interface (in trust-vr) and I applied a policy between 2 zones (in trust-vr) and it works very well.

 

 

Super Contributor
sylvain
Posts: 162
Registered: ‎12-20-2007

Re: WebAuth doesn't work from untrust zone to trust zone

Hi Gdelmas,

Did you set the following:

- Route from Untrust VR to Trust VR in order to access your resource

- MIP (or VIP) in order to access your server from the internet (I suppose your traffic comes from the web)

 

 

Visitor
gdelmas
Posts: 4
Registered: ‎04-28-2008

Re: WebAuth doesn't work from untrust zone to trust zone

Hi sylvain,

My firewall is well configured. At this time, my client PC can access the target server without authentication. It doesn't work only when I want to authenticate on the firewall.

I think Netscreen prevents WebAuth from an untrust-vr interface. The only way to authenticate is to use a client-to-site VPN, but Netscreen remote VPN is not free :(

Does someone know a free VPN client able to work with Netscreen?

Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008

Re: WebAuth doesn't work from untrust zone to trust zone

Hi,

For a free VPN connection, check http://kb.juniper.net/KB9529. I hope it solves your problem :)

 

Thanks

Kashif Rana
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.