SRX Services Gateway

SRX firewall Webauth using client-groups

07-12-2011 12:59 PM

We have used WebAuth with RADIUS on our Netscreen firewalls for years. This allows us to limit access to sensitive areas of our network. We have been trying to reproduce this in JUNOS-SRX. Can someone offer some guidance?

=== Code ===

set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT then log session-init
set access profile WEB-AUTH authentication-order radius
set access profile WEB-AUTH client AutoAuthGroup client-group AUTO-GROUPS
deactivate access profile WEB-AUTH client AutoAuthGroup
set access profile WEB-AUTH client VideoAuthGroup client-group VIDEO-GROUPS
set access profile WEB-AUTH client VoiceAuthGroup client-group VOICE-GROUPS
set access profile WEB-AUTH client WEDAuthGroup client-group AUTO-GROUPS
set access profile WEB-AUTH session-options client-group AUTO-GROUPS
set access profile WEB-AUTH session-options client-group VIDEO-GROUPS
set access profile WEB-AUTH session-options client-group VOICE-GROUPS
set access profile WEB-AUTH session-options client-idle-timeout 240
set access profile WEB-AUTH session-options client-session-timeout 4320
set access profile WEB-AUTH radius-server 10.150.x.x port 1812
set access profile WEB-AUTH radius-server 10.150.x.x secret 
set access profile WEB-AUTH radius-server 10.150.x.x timeout 5
set access profile WEB-AUTH radius-server 10.150.x.x retry 2
set access profile WEB-AUTH radius-server 10.150.x.x source-address 172.26.104.253
set access firewall-authentication web-authentication default-profile WEB-AUTH
set access firewall-authentication web-authentication banner success "You have been successfully authenticated.<br>You are only allowed to access resources for which you have received explicit authorization."

set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT match application any
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match AUTO-GROUPS
set security policies from-zone ADMIN to-zone AUTOMATION policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT match application any
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VOICE-GROUPS
set security policies from-zone ADMIN to-zone VOICE policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT match application any
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VIDEO-GROUPS
set security policies from-zone ADMIN to-zone VIDEO policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone AUTOMATION to-zone ADMIN policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone AUTOMATION to-zone ADMIN policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone AUTOMATION to-zone ADMIN policy WEB-AUTH-PERMIT match application any
set security policies from-zone AUTOMATION to-zone ADMIN policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match AUTO-GROUPS
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT match application any
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VIDEO-GROUPS
set security policies from-zone VIDEO to-zone ADMIN policy WEB-AUTH-PERMIT then log session-init
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT match source-address any
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT match destination-address any
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT match application any
set security policies from-zone VOICE to-zone ADMIN policy WEB-AUTH-PERMIT then permit firewall-authentication web-authentication client-match VOICE-GROUPS
-=Dan=-

Re: SRX firewall Webauth using client-groups

07-12-2011 03:45 PM

OK, more details...

We want to have different users get different access between zones, based on users or groups learned from RADIUS VSAs. RADIUS sends the correct level.

Here's how it's done in ScreenOS:

===== Code =====

set auth-server "JAXRADIUS" id 2
set auth-server "JAXRADIUS" server-name "10.150.x.x"
set auth-server "JAXRADIUS" account-type auth xauth 
set auth-server "JAXRADIUS" forced-timeout 1440
set auth-server "JAXRADIUS" radius port 1812
set interface "ethernet0/0" webauth 
set interface "ethernet0/0" webauth-ip 172.22.150.252
set webauth server "JAXRADIUS"
set webauth banner success "You have been successfully authenticated.<br>You are only allowed to access resources for which you have received explicit authorization."
set user "Autoauth" uid 6
set user "Autoauth" type auth
set user "Autoauth" hash-password ""
set user "Autoauth" "enable"
set user "Videoauth" uid 2
set user "Videoauth" type auth
set user "Videoauth" hash-password ""
set user "Videoauth" "enable"
set user "Voiceauth" uid 3
set user "Voiceauth" type auth
set user "Voiceauth" hash-password ""
set user "Voiceauth" "enable"
set policy id 5 from "Untrust" to "Production"  "BHM NSO" "Any" "ANY" permit webauth user "Autoauth" log 
set policy id 5
exit
set policy id 9 from "Untrust" to "Video"  "BHM NSO" "Any" "ANY" permit webauth user "Videoauth" log 
set policy id 9
exit

-=Dan=-

Re: SRX firewall Webauth using client-groups

[ Edited ]
08-03-2018 06:04 AM

Hi All,

I am looking for the same solution on my srx5800 with soft 15.1x49-d140. I would like to add just a few users to some group and then add this group as client match at policy level. My hope is that all users will have access to one policy and just a few to a second one with the client match function. Unfortunately I tested it and it is not working on my side. Did someone manage to achieve it?

Also, it needs to be mentioned that I am using a profile with LDAP search. So authentication is working etc., the policy is working without client-group match, but with it, it is not. So it is not possible to just create a client (name = login in LDAP) which would be authenticated against LDAP without firewall-user and password?


Re: SRX firewall Webauth using client-groups

08-05-2018 05:38 AM

Hello, Kzet

I believe you are looking for the Integrated User Firewall feature:

https://www.juniper.net/documentation/en_US/junos/topics/concept/userfw-ad-overview.html

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: SRX firewall Webauth using client-groups

08-06-2018 12:31 AM

No, Integrated requires more effort to establish, plus it is almost impossible in a big environment where lots of domain controllers exist, lots of event logs... so the SRX would have to know which event log to ask and so forth. I decided to use simple authentication based on LDAP queries, just to confirm that the user belongs to the company, authentication by domain password. The problem which I have is that I need just to distinguish admins from "normal" users and I cannot find a manner to put in a policy something that could allow me to grant access even to local users (via web-auth) while the second policy will grant access to all (admins inclusively) - LDAP


Re: SRX firewall Webauth using client-groups

08-06-2018 02:43 AM

Just did a "workaround" but still thinking if it could be done in a different way. Any suggestion?

ps. workaround - created another profile with firewall-user and local password, added a second firewall authentication - pass-through.

Security policies:

1. For user access - src any, dst x/24, zone untrust to trust, application any, firewall authentication pass-through web-redirect-to-https ssl-termination-profile (users are being authenticated thanks to LDAP)

2. For admin - src any, dst any, zone untrust to trust, application any, firewall-authentication web-authentication (admins will know the IP address of web auth + local password)


Re: SRX firewall Webauth using client-groups

08-06-2018 08:50 AM

I'm glad you found that workaround. As of now, using simple LDAP authentication doesn't allow you to distinguish between different groups of users. I would expect this support in the future, as it has been implemented in other features like Dynamic VPN, where the SRX differentiates the users based on the user-to-group mapping received from the LDAP server:

https://kb.juniper.net/InfoCenter/index?page=content&id=kb30927&actp=METADATA

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: SRX firewall Webauth using client-groups

08-08-2018 04:44 AM

I cannot find a clear document where LDAPS is being configured for user authentication. Could you tell me where I can find it? I would be grateful for a configuration example: how to upload the certificate, where to connect it, how to configure it under the [access profile] level etc. I just found some information about TLS over 389, but I would like to establish 686 with SSL.


Re: SRX firewall Webauth using client-groups

08-08-2018 04:54 PM

kzet,

As far as I know, the SRX only supports LDAP with StartTLS for those purposes:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB32406&cat=SRX_SERIES&actp=LIST

Note that LDAP with StartTLS works on the regular LDAP port TCP 389. LDAP with StartTLS will start the communication in clear text and will eventually negotiate a TLS channel to protect the data, so you will get the secure channel you are looking for.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
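An added check for the StartTLS behaviour described in the reply above (example code, not from this thread or from Juniper): it connects in clear text on TCP 389, sends the RFC 4511 StartTLS extended request, and then upgrades to TLS with the server certificate validated against the CA file you intend to load on the SRX, so a chain or hostname problem surfaces before the access profile depends on it. The host, port and cafile values are assumed inputs; the BER messages in the test are constructed samples.

```python
"""Added example (not from the thread): probe StartTLS on LDAP port 389 and
validate the server certificate against a CA file before loading it on the SRX."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def build_starttls_request(message_id: int = 1) -> bytes:
    """BER-encode LDAPMessage{messageID, ExtendedRequest{requestName=StartTLS}}."""
    msg_id = b"\x02\x01" + bytes([message_id])                   # INTEGER
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID   # [0] LDAPOID
    ext_req = b"\x77" + bytes([len(name)]) + name                # [APPLICATION 23]
    body = msg_id + ext_req
    return b"\x30" + bytes([len(body)]) + body                   # SEQUENCE

def _read_tlv(buf: bytes, i: int):
    """Return (tag, value_start, value_end) of the TLV at buf[i]; short or long length."""
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:                       # long-form length: n & 0x7F length bytes follow
        k = n & 0x7F
        n = int.from_bytes(buf[i:i + k], "big")
        i += k
    return tag, i, i + n

def parse_result_code(resp: bytes) -> int:
    """Extract resultCode from an ExtendedResponse (0 = server accepted StartTLS)."""
    try:
        t0, i, _ = _read_tlv(resp, 0)              # LDAPMessage SEQUENCE
        t1, _, i = _read_tlv(resp, i)              # messageID INTEGER (skipped)
        t2, i, _ = _read_tlv(resp, i)              # [APPLICATION 24] ExtendedResponse
        t3, s, e = _read_tlv(resp, i)              # resultCode ENUMERATED
    except IndexError:
        raise ValueError("truncated LDAP message") from None
    if (t0, t1, t2, t3) != (0x30, 0x02, 0x78, 0x0A):
        raise ValueError("not a well-formed LDAP ExtendedResponse")
    return int.from_bytes(resp[s:e], "big")

def probe_starttls(host: str, cafile: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Clear-text connect on 389, send StartTLS, then upgrade with chain and hostname checks."""
    ctx = ssl.create_default_context(cafile=cafile)   # verification stays on, unlike no-tls-certificate-check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request())
        code = parse_result_code(raw.recv(4096))
        if code != 0:
            raise RuntimeError(f"server refused StartTLS, resultCode={code}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return {"tls_version": tls.version(), "subject": subject}
```

Call `probe_starttls("ldap.example.internal", "/path/to/ldap-ca.pem")` against the directory server; a `ssl.SSLCertVerificationError` here means the same CA file will not validate the server on the SRX either.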

Re: SRX firewall Webauth using client-groups

08-08-2018 04:59 PM

kzet,

Find an example of firewall-authentication in this post:

https://forums.juniper.net/t5/SRX-Services-Gateway/Firewall-authentication-pass-through-with-LDAP-on...

You will see the access profile using LDAP and then the security policy referencing this access profile.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: SRX firewall Webauth using client-groups

08-10-2018 02:44 AM

OK, but in all guides "no-tls-certificate-check" is used; I would like to use the certificate anyway. How should it be configured? Under ldap-server I cannot find appropriate commands to achieve it. I have the public cert from LDAP; if my understanding is correct, I should just load it to the FW and in the profile somehow tell the FW to use it. Could you type here step by step how it should be done?


Re: SRX firewall Webauth using client-groups

[ Edited ]
08-10-2018 11:20 AM

Kzet,

I think you need to create a CA profile on the SRX and then upload the server certificate as a CA certificate and link it to the CA profile you just created:

+Create CA profile (configuration mode):

[edit]
user@host# set security pki ca-profile CA_PROFILE ca-identity [NAME]
user@host# set security pki ca-profile CA_PROFILE ca-identity [NAME] revocation-check disable

+Load the CA cert and link it to the CA profile (operational mode):

user@host> request security pki ca-certificate load ca-profile CA_PROFILE filename /var/tmp/[FILE].cert

https://www.juniper.net/documentation/en_US/junos/topics/example/certificate-ca-local-manual-loading...

Kzet, I think we had better create a new post for this LDAP topic so that it can be marked as Resolved later on. Please let me know.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!