ScreenOS Firewalls (NOT SRX)
Contributor
Posts: 35
Registered: ‎02-03-2009

Webauth with RSA fails for a particular subnet

Hi all,

This is the summary.

1) I have a server in the DMZ and I have a MIP defined for it on the Untrust.
2) I have an access policy created for this and the policy has webauth which uses.
3) When I access this from any subnet other than the one of the Untrust interface, it works.
4) When I access it from the same subnet as the Untrust interface, it fails.
5) The access works fine without webauth.
6) The debug says this:

ipid = 28538(6f7a), @1d5aa914
  packet passed sanity check.
  ethernet0/2:161.101.150.102/1549->161.101.150.9/3389,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/2>, out <N/A>
  chose interface ethernet0/2 as incoming nat if.
  flow_first_routing: in <ethernet0/2>, out <N/A>
  search route to (ethernet0/2, 161.101.150.102->10.10.10.2) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 3.route 10.10.10.2->10.10.10.2, to ethernet0/1
  routed (x_dst_ip 10.10.10.2) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/1
  policy search from zone 1-> zone 3
 policy_flow_search  policy search nat_crt from zone 1-> zone 10
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 161.101.150.9, port 3389, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 50/1/0x2d
  Permitted by policy 50
  No src xlate   choose interface ethernet0/1 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet0/1
  no loop on ifp ethernet0/1.
  session application type 0, name None, nas_id 0, timeout 1800sec
  Drop non-syn/tcp/tel/ftp/web pak in auth check
  log this session (pid=50)
policy id (50)
  packet dropped, denied by policy
  packet dropped, auth failed

 

Checked everything. Nothing left to try. Is there a solution for this?

 

Distinguished Expert
Posts: 1,118
Registered: ‎01-10-2008

Re: Webauth with RSA fails for a particular subnet

When you debug a session from another subnet do you also see this in the output: "Drop non-syn/tcp/tel/ftp/web pak in auth check" ?

 

I can't place this message. It gives me the feeling that traffic to the auth server fails because of a routing problem or something.

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Trusted Expert
Posts: 791
Registered: ‎07-26-2008

Re: Webauth with RSA fails for a particular subnet

Actually the message means that the packet was dropped, and the possible reasons are:

- not a SYN packet
- not a TCP packet
- not a telnet packet
- not an FTP packet
- not a web packet

 

Have you configured a WebAuth IP address for this policy id 50?

 

The webauth IP address should be in the same subnet as the physical interface of the incoming traffic:

set interface ethernet1 ip 10.1.1.25/24

set interface ethernet1 webauth-ip 10.1.1.50

set interface ethernet1 webauth

 

In order for the webauth to work, the user needs to access the WebAuth IP and enter the user name and password to get access before actually running the traffic.

 

Most people also don't do webauth from the untrust zone. It's usually something that's done to allow users from an internal zone, say trust, to authenticate before getting access to resources in other zones. What are you trying to achieve with the webauth?

 

See this guide for webauth:

http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/ce_v9.pdf 

Chapter 4, page 52

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Contributor
Posts: 35
Registered: ‎02-03-2009

Re: Webauth with RSA fails for a particular subnet

Hi all, 

 

Thanks for the response. I don't see any drop-packet log in the debug when I am successfully able to log in. It is only from that subnet that I face the problem.

 

I have enabled webauth for policy 50. The webauth IP is on the Untrust interface. I also checked the possibility of a malformed SYN packet and tried to unset the tcp-syn-check. Still no success. The external auth servers are RSA servers. I checked on the server side and it is authenticating without any problems.

 

Any suggestions?

Contributor
Posts: 35
Registered: ‎02-03-2009

Re: Webauth with RSA fails for a particular subnet

What I am trying to achieve is :

 

A user in untrust wants to RDP into a server in the DMZ. I want to place strong user authentication on this rule so that nobody else can use it. I can't place a specific source address in the firewall source address, as he uses different PCs to RDP to this server. But the access seems to be failing only for this PC, 161.101.150.102.

 

 

Trusted Expert
Posts: 791
Registered: ‎07-26-2008

Re: Webauth with RSA fails for a particular subnet

Stupid question, but did you navigate to the web-auth IP to authenticate first?
Contributor
Posts: 35
Registered: ‎02-03-2009

Re: Webauth with RSA fails for a particular subnet

Yes, I did. I get authenticated successfully and then I go ahead and RDP in to the server.
Trusted Expert
Posts: 791
Registered: ‎07-26-2008

Re: Webauth with RSA fails for a particular subnet


Ok, I finally got some time to test this.

I think you cannot set the webauth IP the same as the interface IP. I got an error trying to configure it:

 

ssg5-isdn-wlan-> set interface "ethernet0/0" webauth-ip X.X.X.X

WebAuth ip cannot be same as interface ip

 

Could you check the config to see if its correctly configured?

 

If you haven't authenticated properly, I found that the error is different:

   not authorized, drop webauth pak
policy id (4)
  packet dropped, denied by policy
  packet dropped, auth failed

 

The correct config should look like this:

set interface "ethernet0/0" webauth
set interface "ethernet0/0" webauth-ip X.X.X.1 (X.X.X.1 is not the same as the interface IP, but it is in the same subnet)

set policy id 4 from "Untrust" to "DMZ"  "Any-IPv4" "MIP(X.X.X.2)" "HTTP" permit webauth

 

The service in the policy can be whatever you want to permit.

(1) You will need to go to X.X.X.1 to authenticate.

 

If you have authenticated successfully, you will see this in the auth table:

 

ssg5-isdn-wlan-> get auth tab
Total users in table:     1
  Successful:     1, Failed:     0
  Pending   :     0, Others:     0
  Infranet users :     0
Col T: D = Default, W = WebAuth, I = Infranet, A = Auth server in policy
  id src             user       group    age status   server  T srczone  dstzone
1    X.X.X.X   test1               1   Success  Local   W N/A      N/A   

 

(2) After authenticating successfully, you can go to the actual service from the same PC.

 

Try this out and see if it works. So my guess is that in your case, the service is not correct in the policy maybe.

So, I did some more config changes and it works well for RDP; see the config:

 

ssg5-isdn-wlan-> get conf | i RDP
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set policy id 4 from "Untrust" to "DMZ"  "Any-IPv4" "MIP(X.X.X.2)" "RDP" permit webauth

 

 

Message Edited by WL on 03-19-2009 11:57 AM
Message Edited by WL on 03-19-2009 12:00 PM
Contributor
Posts: 35
Registered: ‎02-03-2009

Re: Webauth with RSA fails for a particular subnet

Thanks a lot for your effort and time. I really appreciate it.

 

But the Webauth IP (.18) is not the same as the interface IP (.253). Also, as I said in the first post, I am able to authenticate from a different subnet and access RDP, but it is only from that subnet that I face the problem.

 

Do you have any other suggestion?

Trusted Expert
Posts: 791
Registered: ‎07-26-2008

Re: Webauth with RSA fails for a particular subnet

Can you do a snoop at the same time as the debug flow basic?

 

Contributor
Posts: 35
Registered: ‎02-03-2009

Re: Webauth with RSA fails for a particular subnet

4846418.0: ethernet0/2(i) len=62:001c2338dbc1->0010dbff2060/0800
              161.101.150.102 -> 161.101.150.9/6
              vhl=45, tos=00, id=28538, frag=4000, ttl=128 tlen=48
              tcp:ports 1549->3389, seq=2915633343, ack=0, flag=7002/SYN
              00 10 db ff 20 60 00 1c 23 38 db c1 08 00 45 00     .....`..#8....E.
              00 30 6f 7a 40 00 80 06 1c 13 a1 65 96 66 a1 65     .0oz@......e.f.e
              96 09 06 0d 0d 3d ad c9 08 bf 00 00 00 00 70 02     .....=........p.
              ff ff 4a 12 00 00 02 04 05 b4 01 01 04 02           ..J........... 

****** 4846418.0: <Untrust/ethernet0/2> packet received [48]******
  ipid = 28538(6f7a), @1d5aa914
  packet passed sanity check.
  ethernet0/2:161.101.150.102/1549->161.101.150.9/3389,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/2>, out <N/A>
  chose interface ethernet0/2 as incoming nat if.
  flow_first_routing: in <ethernet0/2>, out <N/A>
  search route to (ethernet0/2, 161.101.150.102->10.10.10.2) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 3.route 10.10.10.2->10.10.10.2, to ethernet0/1
  routed (x_dst_ip 10.10.10.2) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/1
  policy search from zone 1-> zone 3
 policy_flow_search  policy search nat_crt from zone 1-> zone 10
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 161.101.150.9, port 3389, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 50/1/0x2d
  Permitted by policy 50
  No src xlate   choose interface ethernet0/1 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet0/1
  no loop on ifp ethernet0/1.
  session application type 0, name None, nas_id 0, timeout 1800sec
  Drop non-syn/tcp/tel/ftp/web pak in auth check
  log this session (pid=50)
policy id (50)
  packet dropped, denied by policy
  packet dropped, auth failed

 

Please see the snoop output as well
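The snoop dump above carries the raw bytes of the first packet, so it can be checked independently of what snoop printed. As an added example (not code from the thread or from Juniper), the Python script below decodes those 62 bytes as Ethernet/IPv4/TCP, re-derives the fields snoop showed (ports, sequence number, IP id, TTL, flags, options) and verifies the IPv4 and TCP checksums, which snoop does not display. The hex is the frame from the post; the function and field names are this example's own.

```python
"""Decode the 62-byte frame pasted from a ScreenOS `snoop` dump.

Added example; it is not code from the thread or from Juniper. The hex is the
frame the original poster pasted; function and field names are this example's.
"""
import struct

# Constructed input: the hex columns of the snoop dump above, nothing else.
SNOOP_HEX = """
00 10 db ff 20 60 00 1c 23 38 db c1 08 00 45 00
00 30 6f 7a 40 00 80 06 1c 13 a1 65 96 66 a1 65
96 09 06 0d 0d 3d ad c9 08 bf 00 00 00 00 70 02
ff ff 4a 12 00 00 02 04 05 b4 01 01 04 02
"""

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the whitespace-separated hex columns into raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit ones' complement sum; a header with a valid checksum sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_tcp_options(raw: bytes) -> list:
    """Decode the option bytes between the fixed TCP header and the payload."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            opts.append(("NOP", None))
            i += 1
            continue
        length = raw[i + 1]
        if length < 2:                     # malformed length; stop rather than loop forever
            break
        body = raw[i + 2:i + length]
        if kind == 2:
            opts.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == 4:
            opts.append(("SACK-permitted", None))
        else:
            opts.append((f"opt{kind}", body.hex()))
        i += length
    return opts


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet/IPv4/TCP headers and verify both checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id, frag, ttl, proto, _ = struct.unpack("!HHHBBH", ip[2:12])
    if proto != 6:
        raise ValueError(f"IP protocol {proto} is not TCP")
    seg = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x1FF
    flags = [name for bit, name in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << bit)]
    # The TCP checksum covers a pseudo-header (addresses, zero, protocol, TCP length) plus the segment.
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, proto, len(seg))
    ip_csum_ok = ones_complement_sum(ip[:ihl]) == 0xFFFF
    tcp_csum_ok = ones_complement_sum(pseudo + seg) == 0xFFFF
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "ip_id": ip_id, "ttl": ttl, "df": bool(frag & 0x4000),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window,
        "options": parse_tcp_options(seg[20:data_off]),
        "ip_csum_ok": ip_csum_ok, "tcp_csum_ok": tcp_csum_ok,
        # flags exactly SYN and both checksums valid: none of the "non-syn" reasons apply to the bytes
        "clean_syn": flags == ["SYN"] and ip_csum_ok and tcp_csum_ok,
    }


if __name__ == "__main__":
    pkt = decode_frame(hexdump_to_bytes(SNOOP_HEX))
    for key, value in pkt.items():
        print(f"{key:12} {value}")
```

Run with python3. For this frame the decoded values match what snoop printed (1549->3389, seq 2915633343, id 28538, TTL 128, DF set, SYN only, MSS 1460 and SACK-permitted options) and both the IPv4 and the TCP checksum verify, so the bytes themselves are a well-formed first SYN. That is the check to run before spending time on a malformed-SYN theory such as the tcp-syn-check experiment mentioned earlier in the thread.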

Trusted Expert
Posts: 791
Registered: ‎07-26-2008

Re: Webauth with RSA fails for a particular subnet

Hmm, so for this user, it looks like the authentication did not pass successfully.

 

Can you check the auth table for this user?

EG: get auth table

 

If it's authenticated properly but the page is not loading then there may be some issue. But if the authentication failed then the following will help to find out why there was an issue with the auth. Run "debug auth all" or "debug auth basic" together with the "debug flow basic".

 

 

Contributor
Posts: 35
Registered: ‎02-03-2009

Re: Webauth with RSA fails for a particular subnet

I checked the auth table and found that the user is authenticating successfully. Nevertheless I did a debug auth and found no problems. JTAC is also completely baffled. Wretched things, they have tried everything. I too have tried everything.

 

Thanks for all your feedback. Are there any other suggestions?

Trusted Expert
Posts: 791
Registered: ‎07-26-2008

Re: Webauth with RSA fails for a particular subnet

Hmm, the only thing I can think of is whether there is another entry in the auth table already for that user?
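The last two replies boil down to one check: does `get auth table` hold a successful WebAuth entry for the source that `debug flow basic` says was dropped, and does that user appear more than once? As an added example (not code from the thread or from Juniper), the Python script below parses both outputs in the column layouts quoted above and correlates them: it pulls the 5-tuple, incoming interface and matched policy from the flow trace, collects the drop lines, looks the source IP up in the auth table, and flags users with more than one entry. The debug text is the original poster's trace trimmed to the lines the parser reads; the auth table rows, the user `rdpuser`, the server name `rsa-ace` and the second row are constructed for the example.

```python
"""Correlate a ScreenOS `debug flow basic` excerpt with `get auth table` output.

Added example, not code from the thread or from Juniper. The column layouts are
the ones quoted in the thread; the user, server name and second row are invented.
"""
import re
from dataclasses import dataclass

# Constructed: the poster's debug flow output, trimmed to the lines this script reads.
DEBUG_FLOW = """\
****** 4846418.0: <Untrust/ethernet0/2> packet received [48]******
  ipid = 28538(6f7a), @1d5aa914
  ethernet0/2:161.101.150.102/1549->161.101.150.9/3389,6<Root>
  no session found
  policy search from zone 1-> zone 3
swrs_search_ip: policy matched id/idx/action = 50/1/0x2d
  Permitted by policy 50
  session application type 0, name None, nas_id 0, timeout 1800sec
  Drop non-syn/tcp/tel/ftp/web pak in auth check
  log this session (pid=50)
policy id (50)
  packet dropped, denied by policy
  packet dropped, auth failed
"""

# Constructed: `get auth table` in the layout WL quoted. "rdpuser" and "rsa-ace"
# are invented; row 2 is the duplicate-entry case raised in the last reply.
AUTH_TABLE = """\
Total users in table:     2
  Successful:     2, Failed:     0
  Pending   :     0, Others:     0
  Infranet users :     0
Col T: D = Default, W = WebAuth, I = Infranet, A = Auth server in policy
  id src             user       group    age status   server  T srczone  dstzone
1    161.101.150.102 rdpuser             1   Success  rsa-ace W N/A      N/A
2    192.0.2.10      rdpuser             3   Success  rsa-ace W N/A      N/A
"""

FLOW_RE = re.compile(
    r"^\s*(?P<ifp>[\w/.-]+):(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+),(?P<proto>\d+)<", re.M)
PERMIT_RE = re.compile(r"Permitted by policy (\d+)")
DROP_RE = re.compile(r"\b[Dd]rop")
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+(?:(?P<group>\S+)\s+)?"
    r"(?P<age>\d+)\s+(?P<status>\S+)\s+(?P<server>\S+)\s+(?P<kind>[DWIA])\s+"
    r"(?P<srczone>\S+)\s+(?P<dstzone>\S+)\s*$", re.M)


@dataclass
class AuthEntry:
    entry_id: int
    src: str
    user: str
    group: str
    age: int
    status: str
    server: str
    kind: str          # the T column: D/W/I/A


def parse_flow(text: str) -> dict:
    """Pull the 5-tuple, matched policy and every drop line out of one flow trace."""
    m = FLOW_RE.search(text)
    if not m:
        raise ValueError("no 'ifp:src/port->dst/port,proto' line in debug output")
    permit = PERMIT_RE.search(text)
    return {
        "in_ifp": m["ifp"], "src_ip": m["src"], "src_port": int(m["sport"]),
        "dst_ip": m["dst"], "dst_port": int(m["dport"]), "proto": int(m["proto"]),
        "policy_id": int(permit.group(1)) if permit else None,
        "drops": [ln.strip() for ln in text.splitlines() if DROP_RE.search(ln)],
    }


def parse_auth_table(text: str) -> list:
    """Parse the rows of `get auth table`; the group column may be blank."""
    return [AuthEntry(int(m["id"]), m["src"], m["user"], m["group"] or "",
                      int(m["age"]), m["status"], m["server"], m["kind"])
            for m in ROW_RE.finditer(text)]


def triage(flow_text: str, auth_text: str):
    """Explain an auth-check drop in terms of what the auth table holds for the source."""
    flow = parse_flow(flow_text)
    entries = parse_auth_table(auth_text)
    src = flow["src_ip"]
    findings = []
    webauth_ok = [e for e in entries
                  if e.src == src and e.status == "Success" and e.kind == "W"]
    if not flow["drops"]:
        findings.append("no drop in debug flow; the auth check passed")
    elif not webauth_ok:
        findings.append(f"dropped on policy {flow['policy_id']} and no successful "
                        f"WebAuth entry for {src}: authenticate from that host first")
    else:
        users = ", ".join(sorted({e.user for e in webauth_ok}))
        findings.append(f"dropped on policy {flow['policy_id']} although {src} holds a "
                        f"successful WebAuth entry ({users}): not an auth-table miss")
    by_user = {}
    for e in entries:
        by_user.setdefault(e.user, []).append(e)
    for user, es in sorted(by_user.items()):
        if len(es) > 1:                 # the duplicate-entry case from the last reply
            srcs = ", ".join(sorted({e.src for e in es}))
            findings.append(f"user {user} has {len(es)} auth-table entries (from {srcs})")
    return flow, findings


if __name__ == "__main__":
    flow, findings = triage(DEBUG_FLOW, AUTH_TABLE)
    print(f"{flow['src_ip']}:{flow['src_port']} -> {flow['dst_ip']}:{flow['dst_port']} "
          f"proto {flow['proto']} policy {flow['policy_id']}")
    for line in findings:
        print(" -", line)
```

Paste a real `debug flow basic` trace and `get auth table` listing into the two strings and run it with python3. Against the constructed inputs it reports that policy 50 dropped 161.101.150.102 even though the table holds a successful WebAuth entry for that source, and that `rdpuser` appears twice, once per source address; the first finding is the situation the thread describes, the second is the condition the last reply asks about.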