SRX Services Gateway

Pass-through Authentication with web-redirect

‎11-28-2013 04:41 AM

Hello,

I configured pass-through authentication with web-redirect, but it did not work.

All the documents say that web-redirect is the same as web-authentication but more flexible, because it redirects the user to the web authentication page instead of having to manually open a new web page and use a secondary IP.

When I tested the configuration below by opening a web page, nothing happened, and the history command gave me "authentication failed".

# set system services web-management http

# set security zones security-zone ***** host-inbound-traffic system-services all

# set access profile Server-Access client user firewall-user password "$9$l62KX-wYoDjq24Tzn6AtWLX"
# set access profile Server-Access session-options client-group Server-Access-Group
# set access firewall-authentication pass-through default-profile Server-Access
# set access firewall-authentication pass-through http banner success "Login Successfully!"

# set security policies from-zone ***** to-zone ***** policy TTTT then permit firewall-authentication pass-through client-match Server-Access-Group
# set security policies from-zone ***** to-zone ***** policy TTTT then permit firewall-authentication pass-through web-redirect

So, does anybody know how web-redirect works, or has anyone tried it before?

Mahmoud

JNCIS-SEC

Solution
Accepted by topic author Mahmoud Baroudi
‎08-26-2015 01:27 AM

Re: Pass-through Authentication with web-redirect

‎11-30-2013 06:43 AM
  1. Pass-through authentication along with the web-redirect option is used in situations where the user must be authenticated through the web, where it is also a requirement that the user must not know the device IP, and also to reduce the burden on the user of separately accessing the device for web-authentication.
  2. As per the exhibit, nothing is wrong with the configuration, except that you have not shown the configuration for the interface through which the user's initial request is received on the device. Please ensure that web-authentication http is enabled on that particular interface.

Please mark this as accepted solution if it works for you

A Kudos is a good way of appreciation

 

Kashif Nawaz

JNCIP-Sec, JNCIS-Ent,JNCIS-Sec,JNCIA-JUNOS

JNCIE-Sec #170, JNCIE-SP#2492

JNCSP Ent/ Sec
https://packet-expert.org

Re: Pass-through Authentication with web-redirect

‎12-02-2013 12:13 AM

Hi Kashif,

Thank you for the reply ...

When I configure web-authentication under the primary IP address, it gives me an error message when I try to commit the changes, as appears below:

# set interfaces ge-0/0/15 unit 0 family inet address 192.168.1.1/24 web-authentication http
# commit check
[edit interfaces ge-0/0/15 unit 0 family]
  'inet'
    Web-authentication address 192.168.1.1/24 is not within the subnet of any address on this interface
error: configuration check-out failed

-----

So, I tried to configure it under a secondary IP address, like standard web-authentication, and that worked :).

set interfaces ge-0/0/15 unit 0 family inet address 192.168.1.1/24 preferred
set interfaces ge-0/0/15 unit 0 family inet address 192.168.1.2/24 web-authentication http

Many thanks for your appreciated help 😉

 

Mahmoud Baroudi

JNCIS Sec
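
A pre-commit sanity check for the two conditions this exchange arrived at, as an added example that is not part of any post in the thread: a policy using web-redirect needs an interface address with web-authentication enabled, and that address needs another address in the same subnet on the same unit. The function and constant names are hypothetical, ZONE-A and ZONE-B stand in for the masked zone names, and the rule is inferred from the commit error and the working configuration above, not taken from Juniper's own validation logic.

```python
import ipaddress
import re

# Constructed sample input: the set commands posted in this thread
# (ZONE-A / ZONE-B are placeholders for the masked zone names).
WORKING = """\
set interfaces ge-0/0/15 unit 0 family inet address 192.168.1.1/24 preferred
set interfaces ge-0/0/15 unit 0 family inet address 192.168.1.2/24 web-authentication http
set security policies from-zone ZONE-A to-zone ZONE-B policy TTTT then permit firewall-authentication pass-through web-redirect
"""
REJECTED = """\
# set interfaces ge-0/0/15 unit 0 family inet address 192.168.1.1/24 web-authentication http
"""

ADDR_RE = re.compile(r"set interfaces (\S+) unit (\d+) family inet address (\S+)(?: (.+))?")
REDIRECT_RE = re.compile(r"set security policies from-zone \S+ to-zone \S+ policy (\S+) "
                         r"then permit firewall-authentication pass-through web-redirect")

def check_web_redirect(config):
    """Return a list of findings; an empty list means the check passed."""
    plain, webauth, policies = {}, [], []
    for raw in config.splitlines():
        line = raw.strip().lstrip("#").strip()  # accept "# set ..." as pasted in the posts
        if m := ADDR_RE.fullmatch(line):
            unit, ip = f"{m[1]}.{m[2]}", ipaddress.ip_interface(m[3])
            if (m[4] or "").startswith("web-authentication"):
                webauth.append((unit, ip))
            else:
                plain.setdefault(unit, []).append(ip)
        elif m := REDIRECT_RE.fullmatch(line):
            policies.append(m[1])
    findings = []
    if policies and not webauth:
        findings.append(f"policy {policies[0]}: web-redirect set, but no interface "
                        "address has web-authentication enabled")
    for unit, ip in webauth:
        # Assumed rule: the web-authentication address must share a subnet
        # with a regular (non web-authentication) address on the same unit.
        if not any(ip.network == other.network and ip.ip != other.ip
                   for other in plain.get(unit, [])):
            findings.append(f"{unit}: web-authentication address {ip} has no other "
                            "address in the same subnet on this interface")
    return findings

if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("rejected", REJECTED)):
        print(name, check_web_redirect(cfg) or "OK")
```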


Re: Pass-through Authentication with web-redirect

‎04-29-2015 12:00 AM

Hi, guys

I cannot test this web-redirect functionality successfully in my vSRX. I have no idea what was wrong with my config; further, not much useful info can be seen on this topic on the internet.

BTW: I am using Junos [12.1X47-D10.4], firefly-perimeter

Topology:

host-------------------inside---SRX----outside---------------------remote host

    192.168.100/24                                     10.10.10/24

My basic config is like:

lab@SRX-A-48# show access
profile authen-pass {
    client user-1 {
        firewall-user {
            password "$9$n.aA6A0B1hyrv0OX7Vb2g"; ## SECRET-DATA
        }
    }
}
firewall-authentication {
    pass-through {
        default-profile authen-pass;
        telnet {
            banner {
                login login-telnet;
                success success-telnet;
            }
        }
    }
}

[edit]
lab@SRX-A-48# show system services
ftp;
ssh;
telnet;
web-management {
    http;
}

[edit]
lab@SRX-A-48# show interfaces ge-0/0/1
unit 0 {
    family inet {
        address 192.168.100.2/24 {
            preferred;
        }
        address 192.168.100.100/24 {
            web-authentication http;
        }
    }
}

[edit]
lab@SRX-A-48# show security policies
from-zone inside to-zone outside {
    policy permit-all {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                firewall-authentication {
                    pass-through {
                        client-match user-1;
                        web-redirect;
                    }
                }
            }
        }
    }
}

When I try to access my remote host through HTTP from the inside zone, it always times out without the expected result.

Thanks all in advance!

Regards


Re: Pass-through Authentication with web-redirect

‎07-27-2015 08:55 AM
Hi paulzh, The same thing in vSRX 12.1x47-d20. I think, it's a bug.

Re: Pass-through Authentication with web-redirect

‎08-18-2015 02:38 AM

I've been using an SRX240 with web-authentication for a year. Software version: [11.4R10.3]

I have tried to upgrade to 12.1X46-D35.1

Then the web auth IP is redirected to the SRX Device Manager page. Does this whole authentication feature have a bug?


Re: Pass-through Authentication with web-redirect

‎09-03-2015 12:27 AM

This pass-through web-redirect authentication failure is a bug, and it has been fixed in the latest version. I have tested it in 12.1X47-D25 and it works as expected.

Please check it.


Reference PR link : https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1071159

 

Thanks,

SHKM


Re: Pass-through Authentication with web-redirect

‎09-03-2015 06:21 AM

I am not sure about the exact version, but pass-through web-redirect will not work in vSRX, and it has been confirmed by a PR. I hope it works on a physical device though, or if the above PR is also related to the physical box as well.

Regards

Rakesh M

https://r2079.wordpress.com
