ScreenOS Firewalls (NOT SRX)

WebAuth doesn't work from untrust zone to trust zone

04-28-2008 06:51 AM

Hi, I want to authenticate a client from the untrust zone to access a server in a trust zone. Webauth doesn't work!!

The only way to secure an authentication (ciphered) is to use webauth. Why doesn't Run Authentication use https or ssh? When will Juniper add the use of ssh or https in the run authentication?

Run authentication with telnet, ftp or http is stupid. The login/password are not ciphered.


Re: WebAuth doesn't work from untrust zone to trust zone

04-28-2008 07:19 AM

Hi,

Try to use the SSL WebAuth mechanism. There is a checkbox in your interface menu (SSL Only) in order to do what you want. So authentication will be encrypted.

Hope this could help.

Sylvain


Re: WebAuth doesn't work from untrust zone to trust zone

04-29-2008 03:10 AM

Hi,

Why is webauth not working from untrust to trust? Tell me what steps you took for configuring webauth. I will guide you, if I can, to resolve the issue.

Actually, inline authentication (run time authentication) works only for telnet, ftp and http traffic. If you want to use inline authentication for other traffic like https, ssh, etc., do one thing: make a service group, add all your desired services (https, ssh) AND one or all three services (ftp, http, telnet) also in that service group. Use this service group in the policy from untrust to trust. Now you can use inline authentication for https, ssh, etc.

Please let me know if this solves your problem.

Thanks 

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated!

Re: WebAuth doesn't work from untrust zone to trust zone

04-29-2008 06:35 AM

Hi,

I know the run time authentication solution with telnet and ssh in the same policy. But in this case, it's mandatory that you run a telnet session to the target server to authenticate on the firewall. After that, you can run an ssh session to the target server.

My problem is that the login credentials are sent in clear when you run the telnet session!!!

For webauth, I made a lot of tests and I conclude that webauth doesn't work when a webauth IP is added on an interface in a zone from untrust-vr.

Example:

client(1.1.1.1/16)   ---WAN--->  2.2.2.200/24 (untrust-vr)| FW |(trust-vr) 192.168.0.200/24    ---LAN---> server(192.168.0.1/24)

                                                webauth IP is 2.2.2.100

 

Message Edited by gdelmas on 04-29-2008 06:53 AM

Re: WebAuth doesn't work from untrust zone to trust zone

04-29-2008 06:54 AM

Hi,

I'm sure webauth should work from untrust to trust. What configuration steps did you follow?

 

Thanks

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP

Re: WebAuth doesn't work from untrust zone to trust zone

04-29-2008 07:06 AM

OK, I did not explain very well!! The webauth works because access is granted. But!! The access to the target server (behind the firewall) doesn't work. My policy is well configured between the 2 zones and activated for webauth. So I don't understand!!

I tested a webauth IP on an interface (in trust-vr) and I applied a policy between 2 zones (in trust-vr) and it works very well.


Re: WebAuth doesn't work from untrust zone to trust zone

04-29-2008 12:53 PM

Hi Gdelmas,

Did you set the following:

- Route from Untrust VR to Trust VR in order to access your resource

- MIP (or VIP) in order to access your server from the internet (I suppose your traffic comes from the web)


Re: WebAuth doesn't work from untrust zone to trust zone

04-30-2008 02:20 AM

Hi Sylvain,

My firewall is well configured. At this time, my client PC can access the target server without authentication. It doesn't work only when I want to authenticate on the firewall.

I think Netscreen prevents a webauth from an untrust-vr interface. The only way to authenticate is to use VPN client to site, but Netscreen remote VPN is not free.

Does someone know a free VPN client able to work with Netscreen?


Re: WebAuth doesn't work from untrust zone to trust zone

04-30-2008 03:06 AM

Hi,

For a free VPN connection, check http://kb.juniper.net/KB9529. I hope it solves your problem.

 

Thanks

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP