Sunday, January 20, 2013

Practice Lab 2 - Web Authentication





So the idea above is that PC 192.168.0.100 is blocked from getting out to the server.

In order to be able to get to the server:
1. PC 192.168.0.100 opens a web page to the "web-authentication http" IP of the SRX, 192.168.0.2.
2. PC 192.168.0.100 gets a login web page from the SRX. The web page looks like this.


3. The user types in his username and password.
Now the gate is open.
4. PC 192.168.0.100 can access the WAN interface and the server on the internet.


First.
Let's configure the LAN interface.
set system services web-management http       # turns on web management (the same HTTP service also serves the authentication page)
set interfaces fe-0/0/0 unit 0 family inet address 192.168.0.2/24 web-authentication http
This sets up a secondary IP on the fe-0/0/0 interface and marks it as the web-authentication http address.

set interfaces fe-0/0/0 unit 0 family inet address 192.168.0.1/24 preferred
This sets up the main IP on fe-0/0/0. Juniper calls it the "preferred" address. When you type this IP in the URL it lets you manage the SRX using the web portal.




Ok, so we have two addresses configured on the interface:
preferred
web-authentication http

Now we can put the interface into a zone.
set security zones security-zone LAN interfaces fe-0/0/0.0 host-inbound-traffic system-services http
Don't forget to add the host-inbound-traffic to the interface; without it the SRX drops the HTTP requests to the portal address.

Now we can set up a policy to allow LAN to go to WAN and invoke the "web-authentication" check.
set security policies from-zone LAN to-zone WAN policy allow_lan_wan_traffic_web_auth
Now we can set the match and the action. In show format the policy looks like this:
    match {
        source-address 192.168.0.0/24;
        destination-address any;
        application any;
    }
    then {
        permit {
            firewall-authentication {
                web-authentication {
                    client-match admin;
                }
            }
        }
    }

So basically:
We match the traffic from the LAN towards the WAN. I used any application.
The traffic is permitted only through firewall-authentication of type web-authentication.

The last part is the client-match we used before,
which is the list of users that are allowed access.

root# show access
profile test-profile {
    client admin {
        firewall-user {
            password secret_password_:)
        }
    }
}


So the main things to carry away are:
Pass-through authentication works for
http, ftp, telnet.
Web authentication works for everything you want. It is simply used to allow the policy permit
to work. I used application any.
So in my example, you can set up a policy so that if you want to ping, for example, you must first authenticate to the web-authentication portal.


Alright,
last one for the exam.
You can add "web-redirect". This basically intercepts web requests from a user who has not authenticated yet and sends them to the
web-authentication portal. In Junos the web-redirect option lives under pass-through, not under web-authentication:


    then {
        permit {
            firewall-authentication {
                pass-through {
                    client-match metacortex;
                    web-redirect;
                }
            }
        }
    }
Simply add the web-redirect command at the end of the pass-through stanza.
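To tie the whole lab together, here is the complete configuration as set commands. This is an added example, not the original post's config: the WAN interface name and address, the address-book name lan-net, the second user's password and the policy name redirect_lan_wan_http are assumptions, and it adds the access default-profile binding that the portal needs but the post does not show.

```junos
# Added example (not from the original post). Names marked "assumed" are not in the post.
# Portal and management service
set system services web-management http
# LAN interface: preferred (management) address plus the web-authentication address
set interfaces fe-0/0/0 unit 0 family inet address 192.168.0.1/24 preferred
set interfaces fe-0/0/0 unit 0 family inet address 192.168.0.2/24 web-authentication http
# WAN interface (assumed name and documentation address, not in the post)
set interfaces fe-0/0/1 unit 0 family inet address 203.0.113.2/24
# Zones: the LAN zone must accept HTTP so the portal at 192.168.0.2 is reachable
set security zones security-zone LAN interfaces fe-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone WAN interfaces fe-0/0/1.0
# Firewall users that client-match refers to (second password is a placeholder)
set access profile test-profile client admin firewall-user password "secret_password_:)"
set access profile test-profile client metacortex firewall-user password "CHANGE-ME-PLACEHOLDER"
# Bind the profile to both authentication types; without this the portal has no user list
set access firewall-authentication web-authentication default-profile test-profile
set access firewall-authentication pass-through default-profile test-profile
# Address-book entry for the LAN (assumed name lan-net)
set security address-book global address lan-net 192.168.0.0/24
# Policy 1 (listed first so an unauthenticated browser hits it before the any-application policy):
# pass-through with web-redirect for HTTP only, sends the browser to the portal
set security policies from-zone LAN to-zone WAN policy redirect_lan_wan_http match source-address lan-net
set security policies from-zone LAN to-zone WAN policy redirect_lan_wan_http match destination-address any
set security policies from-zone LAN to-zone WAN policy redirect_lan_wan_http match application junos-http
set security policies from-zone LAN to-zone WAN policy redirect_lan_wan_http then permit firewall-authentication pass-through client-match metacortex
set security policies from-zone LAN to-zone WAN policy redirect_lan_wan_http then permit firewall-authentication pass-through web-redirect
# Policy 2: web authentication for any application (ping included) once the user logged in at 192.168.0.2
set security policies from-zone LAN to-zone WAN policy allow_lan_wan_traffic_web_auth match source-address lan-net
set security policies from-zone LAN to-zone WAN policy allow_lan_wan_traffic_web_auth match destination-address any
set security policies from-zone LAN to-zone WAN policy allow_lan_wan_traffic_web_auth match application any
set security policies from-zone LAN to-zone WAN policy allow_lan_wan_traffic_web_auth then permit firewall-authentication web-authentication client-match admin
# After commit, check who is authenticated and through which policy:
#   run show security firewall-authentication users
```

Policy order matters: set commands are evaluated top to bottom, so the junos-http redirect policy must sit above the any-application web-authentication policy or an unauthenticated browser never reaches the redirect.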


