Firewall USER authentication.
You can use firewall user authentication on the SRX to limit what users are permitted to do: a security policy only permits a session once the source has authenticated against a user profile.
There are two methods: pass-through and web authentication.
Pass-Through.
With pass-through the SRX intercepts the first session and prompts for a username and password inside that session, so it only works for protocols it can prompt in:
1. Telnet
2. FTP
3. HTTP
All three carry the credentials in clear text, so the login crosses the network unencrypted.
[edit access]   # all the firewall-authentication settings live under [edit access]
user@srx# show
firewall-authentication {
    pass-through {                      # pass-through in this case
        default-profile PROFILE;        # the access profile used to authenticate users
        telnet {                        # one stanza each for telnet, ftp and http
            banner {                    # banners: login, success and fail
                success "Login successful!";
            }
        }
    }
}
[edit access]
profile PROFILE {                       # the profile name referenced by default-profile above
    client John_davis_the_third {       # the username
        firewall-user {                 # a firewall user, as opposed to an admin login
            password encrypted-password; ## SECRET-DATA   # the password, stored hashed
        }
    }
}
Now you apply this to a security policy.
At the end of the policy we have the THEN clause, and the permit action carries the firewall-authentication setting:
then {
    permit {
        firewall-authentication {
            pass-through {
                client-match John_davis_the_third;   # accept only this user; omit client-match to accept any user the profile authenticates
            }
        }
    }
}
So to state again, for pass-through:
1. Set up the default profile and banner under [edit access firewall-authentication pass-through].
2. Set up the access profile which includes the users.
3. Set up the firewall-authentication action at the end of the policy.
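The three steps above as one complete pass-through configuration in set syntax. This is an added example, not taken from the original post: the zone names trust/untrust, the policy name auth-out, the idle timeout and the lab password are assumptions.

```junos
# Added example (not from the original post). Zones, policy name,
# idle timeout and the password are lab assumptions.

# 1. Access profile with the firewall user. Junos hashes the password
#    on commit and displays it as ## SECRET-DATA.
set access profile PROFILE client John_davis_the_third firewall-user password "LabPassw0rd"
# Drop the authentication entry after 10 idle minutes.
set access profile PROFILE session-options client-idle-timeout 10

# 2. Pass-through authenticates against PROFILE and shows these banners
#    inside the telnet session (ftp and http take the same banner stanza).
set access firewall-authentication pass-through default-profile PROFILE
set access firewall-authentication pass-through telnet banner login "Enter firewall username"
set access firewall-authentication pass-through telnet banner success "Login successful!"
set access firewall-authentication pass-through telnet banner fail "Login failed"

# 3. Policy. Only telnet, ftp and http can trigger the prompt, so match
#    just those applications; the permit carries the authentication action.
set security policies from-zone trust to-zone untrust policy auth-out match source-address any
set security policies from-zone trust to-zone untrust policy auth-out match destination-address any
set security policies from-zone trust to-zone untrust policy auth-out match application junos-telnet
set security policies from-zone trust to-zone untrust policy auth-out match application junos-ftp
set security policies from-zone trust to-zone untrust policy auth-out match application junos-http
set security policies from-zone trust to-zone untrust policy auth-out then permit firewall-authentication pass-through client-match John_davis_the_third
set security policies from-zone trust to-zone untrust policy auth-out then log session-init
set security policies from-zone trust to-zone untrust policy auth-out then log session-close

# Verify after commit (from configuration mode; drop "run" in
# operational mode): who is authenticated, from which source IP,
# and against which profile.
run show security firewall-authentication users
run show security firewall-authentication history
```

Two things to check in the lab: the authentication entry is keyed by source IP address, so once John has logged in, any other host that shares that IP (behind a NAT, for example) is treated as authenticated until the entry times out; and the telnet, ftp and http prompts all send the password in clear text, so keep the trust side on a network you control.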
__________
OK.
Web Access.
This is a nice idea. You keep the web-authentication IP address of the SRX as a favorite in your browser.
You open the page, log in, and from then on the policy permits your traffic to go outside.
So
1. Set up another IP address on the inside interface and mark it as the web-authentication address (family inet address x.x.x.x/y web-authentication http).
2. Enable HTTP on the SRX: set system services web-management http;
3. Create a user. We will reuse John_davis_the_third.
4. Set up a silly banner.
[edit access firewall-authentication]
web-authentication {
    default-profile PROFILE;            # the same profile (and user) as before
    banner {
        success "Login successful";
    }
}
5. Apply it as an ACTION on a policy:
then {
    permit {
        firewall-authentication {
            web-authentication {
                client-match John_davis_the_third;
            }
        }
    }
}
A last side option is web-redirect, which sits under pass-through:
then {
    permit {
        firewall-authentication {
            pass-through {
                client-match John_davis_the_third;
                web-redirect;
            }
        }
    }
}
Web-redirect takes an unauthenticated HTTP session that matches the policy and redirects the browser to the web-authentication login page instead of prompting inside the HTTP session; once the user has logged in, the policy permits their traffic.
I got this to work in the lab if you want to try it out.
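The web-authentication steps above, plus the web-redirect variant, as one complete configuration in set syntax. This is an added example and not the original post's configuration: the interface ge-0/0/1, the addresses 192.168.1.1 and 192.168.1.2, the zone names, the policy names and the password are assumptions.

```junos
# Added example (not from the original post). Interface, addresses,
# zones, policy names and the password are lab assumptions.

# 1. Second address on the inside interface, flagged as the
#    web-authentication address. Users browse to http://192.168.1.2/
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.2/24 web-authentication http
# The inside zone has to let HTTP reach the SRX itself.
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services http

# 2. Enable the HTTP service, restricted to the inside interface so the
#    login page (and J-Web) is not reachable from untrust.
set system services web-management http interface ge-0/0/1.0

# 3. Reuse the user, then point web-authentication at the profile.
set access profile PROFILE client John_davis_the_third firewall-user password "LabPassw0rd"
set access firewall-authentication web-authentication default-profile PROFILE
set access firewall-authentication web-authentication banner success "Login successful"

# 4. Policy: the user authenticates in the browser first, so the
#    policy can match any application, not just telnet/ftp/http.
set security policies from-zone trust to-zone untrust policy web-auth-out match source-address any
set security policies from-zone trust to-zone untrust policy web-auth-out match destination-address any
set security policies from-zone trust to-zone untrust policy web-auth-out match application any
set security policies from-zone trust to-zone untrust policy web-auth-out then permit firewall-authentication web-authentication client-match John_davis_the_third

# Variant: pass-through with web-redirect. An unauthenticated HTTP
# session hitting this policy is redirected to the login page at
# 192.168.1.2 instead of being prompted inside the HTTP session.
set security policies from-zone trust to-zone untrust policy redirect-out match source-address any
set security policies from-zone trust to-zone untrust policy redirect-out match destination-address any
set security policies from-zone trust to-zone untrust policy redirect-out match application junos-http
set security policies from-zone trust to-zone untrust policy redirect-out then permit firewall-authentication pass-through client-match John_davis_the_third
set security policies from-zone trust to-zone untrust policy redirect-out then permit firewall-authentication pass-through web-redirect

# Verify after commit.
run show security firewall-authentication users
```

Note that with plain http the login form, and therefore the password, goes over the wire unencrypted; treat the web-authentication address the same way as the telnet prompt and keep it on the inside network only.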