04-28-2008 06:51 AM
hi, I want to authenticate a client from untrust zone to acces a server in a trust zone. Webauth doesn't work!!
The only way to secure an authentication (ciphered) is to use webauth. Why Run Authentication don't use https or ssh? When Juniper will add the use of ssh or https in the run authentication ?
Run authentication with telnet, ftp or http is stupid. The login/password are not ciphered.
04-28-2008 07:19 AM
Try to use the SSL WebAuth mecanism. There is a checkbox in your interface Menu ( SSL Only ) in order to do what you want. So authentication will be encrypted.
Hope this could help.
04-29-2008 03:10 AM
Why webauth is not working from untrust to trust?? Tell me what steps u took for configuring webauth? I vl guide u if i can to resolve the issue.
Actually inline authentication (run time authentication) works for only telnet, ftp and http traffic. If u want to use inline authentication for other traffic like https, ssh etc. Do one thing make a service group, add all ur desired services (https, ssh) AND one or all three services (ftp, http, telnet) also in that service group. Use this service group in policy from untrust to trust. Now u can use inline authentication for https, ssh etc.
Please let me know this solves ur problem?
04-29-2008 06:35 AM - edited 04-29-2008 06:53 AM
I know the run time authentication solution with telnet and ssh in the same policy. But in this case, it's mandatory that you run telnet session to the target server to authenticate on the firewall. After that, you can run a ssh session to the target server.
My problem is that the login credentials are sent clear when you run the telnet session !!!
For Webauth, I made lot of tests and I conclude that the webauth doesn't work when a webauth IP is added on an interface in a zone from untrust-vr.
client(126.96.36.199/16) ---WAN---> 188.8.131.52/24 (untrust-vr)| FW |(trust-vr) 192.168.0.200/24 ---LAN---> server(192.168.0.1/24)
webauth IP is 184.108.40.206
04-29-2008 06:54 AM
I m sure webauth should work from untrsut to trust. What configurations step u follow?
04-29-2008 07:06 AM
OK, I explain not very well!! The webauth works because access is granted. But!! the accesss to the target server (behind the firewall) doesn't work. My policy is well configured between the 2 zones and activated for webauth. So I don't understand!!
I tested a webauth IP on an interface (in trust-vr) and I applied a policy between 2 zones (in trust-vr) and it works very well.
04-29-2008 12:53 PM
Did you set the following :
- Route from Untrust VR to Trust VR in order to access to your ressource
- MIP ( or VIP ) in order to access to your server from the internet ( i suppose your traffic comes from the web )
04-30-2008 02:20 AM
My firewall is well configured. At this time, my client PC can access to the target server without authentication.it doesn't works only when i want to make authentication on the firewall.
I think Netscreen prevent a webauth from an untrust-vr interface. The only way to authenticate is to use VPN client to site but Netscreen remote VPN is not free
Do someone knows a free VPN client able to work with Netscreen ?
04-30-2008 03:06 AM
For free vpn connection check it http://kb.juniper.net/KB9529. I hope it solve ur problem