
Junos for Security Platforms

Chapter 5: Firewall User Authentication

© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives

 After successfully completing this chapter, you will be able to:
•Describe the purpose of firewall user authentication
•Implement pass-through authentication
•Implement Web authentication
•Implement firewall user client groups
•Monitor firewall user authentication

Agenda: Firewall User Authentication

 Firewall User Authentication Overview
 Pass-Through Authentication
 Web Authentication
 Client Groups
 Using External Authentication Servers
 Verifying Firewall User Authentication

Firewall User Authentication Overview

 Method to restrict or permit network user access to protected resources between security zones
 User must provide username and password when initiating a new connection
[Diagram: Host A in the HR zone, an authentication server in the Mgmt zone, and a network resource in the Public zone]
Firewall User Authentication Types

 Pass-through authentication:
•Triggered by Telnet, FTP, and HTTP traffic
•User attempts to access the network resource directly
•Junos security device intercepts traffic and prompts for username and password
•If authentication is successful, subsequent traffic from the same source IP address is allowed
 Web authentication:
•User first connects directly to Junos security device using HTTP
•Software prompts user for username and password
•If authentication is successful, subsequent traffic from the same source IP address is allowed
Authentication Server Support

 Local:
•Authentication and authorization
 RADIUS:
•Authentication and authorization
 LDAP:
•Authentication only
 SecurID:
•Authentication only
[Diagram: local database, LDAP server, SBR server, and SecurID server]

Pass-Through Authentication
[Diagram: a host initiates a Telnet session to 10.1.1.1 through the Junos security device]
1. Packet buffered; session lookup: no session match; policy check performed
2. Device prompts the host: Username?? Password??
3. Host returns its username and password
4. Login successful!
5. Packet forwarded
Host-side session output (the slide's "Custom Banner" callout points into this output):
user@host> telnet 10.1.1.1
Trying 10.1.1.1...
Connected to 10.1.1.1.
Escape character is '^]'.
Firewall User Authentication
Username: user
Password: XXX
Login successful!

host (ttyp1)

login:

Pass-Through Configuration (1 of 3)

 Create access profile:
[edit access]
user@host# show
profile profile-name {
client client-name {
firewall-user {
password encrypted-password; ## SECRET-DATA
}
}
}

Pass-Through Configuration (2 of 3)

 Associate access profile with pass-through authentication and add banner:
[edit access firewall-authentication]
user@host# set pass-through telnet banner ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
fail The message that will be displayed after failed user login
login The message that will be displayed before login
success The message that will be displayed on successful login
[edit access firewall-authentication]
user@host# set pass-through telnet banner success "Login successful!"
user@host# show
pass-through {
default-profile profile-name;
telnet {
banner {
success "Login successful!";
}
...

Pass-Through Configuration (3 of 3)
 Configure policy action with firewall authentication:
[edit security policies]
user@host# show
from-zone zone-name to-zone zone-name {
policy permit-all {
match {
source-address address-book-entry;
destination-address address-book-entry;
application application-name;
}
then {
permit {
firewall-authentication {
pass-through {
client-match client-name;
}
}
}
}
}
}

Web Authentication
[Diagram: the host wants to access 10.1.1.1 and first connects by HTTP to 10.1.2.2 on the Junos security device]
1. HTTP to 10.1.2.2; session lookup: no session match; host-inbound traffic check
2. User prompted: Username?? Password??
3. Host returns its username and password
4. Login Successful!
5. Client initiates session to 10.1.1.1

Web Authentication Configuration (1 of 4)

 Enable HTTP service on the Junos security device
•Also enables Web management of the device
•Ensure host-inbound-traffic allows HTTP
[edit system services]
user@host# show
ftp;
ssh;
telnet;
web-management {
http;
}

Web Authentication Configuration (2 of 4)

 Enable Web authentication on interface
•Use secondary address
•Must be in same subnet
[edit interfaces]
user@host# show
ge-0/0/0 {
unit 0 {
family inet {
address 10.210.14.171/28 {
preferred;
}
address 10.210.14.168/28 {
web-authentication http;
}
}
}
}
Web Authentication Configuration (3 of 4)

 Create access profile:
[edit access]
user@host# show
profile profile-name {
client client-name {
firewall-user {
password encrypted-password; ## SECRET-DATA
}
}
}

 Associate access profile with Web authentication and add banner:
[edit access firewall-authentication]
user@host# show
web-authentication {
default-profile profile-name;
banner {
success "Login successful!";
}
}

Web Authentication Configuration (4 of 4)

 Configure policy action with firewall authentication:
[edit security policies]
user@host# show
from-zone zone-name to-zone zone-name {
policy permit-all {
match {
source-address any;
destination-address any;
application junos-telnet;
}
then {
permit {
firewall-authentication {
web-authentication {
client-match client-name;
}
}
}
}
}
}

Web Redirect

 Use pass-through authentication but redirect users to Web authentication using an HTTP redirect response
•Works like Web authentication but user need not know address of the Junos security device
•User is redirected to same interface
•Interface and system must be enabled for Web authentication
then {
permit {
firewall-authentication {
pass-through {
client-match client-name;
web-redirect;
}
}
}
}

Client Groups

 A client group is a list of groups to which a client belongs
•Create user groups or client groups to manage a number of firewall users
[Diagram: Groups A, B, and C and three users; User 1 client group: Group A, Group B; User 2 client group: Group A, Group C; User 3 client group: Group B, Group C]

Configuring Client Groups (1 of 2)

 Associate a user with a number of client groups:
[edit access]
user@host# show
profile users {
client user1 {
client-group [ Group-A Group-B ];
firewall-user {
password "$9$tZExpBEcSeMWxEhVwg4ZG"; ## SECRET-DATA
}
}
client user2 {
client-group [ Group-A Group-C ];
firewall-user {
password "$9$LdqX-wY2aGUH2gFn9A0O"; ## SECRET-DATA
}
}
client user3 {
client-group [ Group-B Group-C ];
firewall-user {
password "$9$jsi.5Qz6CA0n6WLx-ws"; ## SECRET-DATA
}
}
}

Configuring Client Groups (2 of 2)
 Reference a group within a security policy:
[edit security policies]
user@host# show
from-zone trust to-zone trust {
policy web-auth {
match {
source-address any;
destination-address engineering;
application junos-telnet;
}
then {
permit {
firewall-authentication {
pass-through {
client-match Group-A;
}
}
}
}
}
}

Check Your Knowledge

 Referencing the previous two slides, which users have telnet access to the engineering network resource?
 What happens if user1, user2, and user3 have the same source address because of source NAT?

Using Default Client Groups

 A default client group associates all users within a profile to a client group
[edit access]
user@host# show
profile profile-name {
session-options {
client-group [ group-name1 group-name2 ];
}
}
•Only relevant to clients that are not configured with a client group at the client level

Using External Authentication Servers

 Configure external authentication servers under the access profile
•Use the authentication-order configuration statement to specify method and order
•You can specify only one external authentication method
[edit access profile profile-name]
user@host# show
authentication-order [ radius password ];
radius-server {
ip-address secret radius-secret; ## SECRET-DATA
}

Verifying Firewall Authentication

 To view the current authentication table:
user@host> show security firewall-authentication users
Firewall authentication data:
Total users in table: 1
Id Source Ip Src zone Dst zone Profile Age Status User
2 10.100.0.2 HR Public test 0 Failed lab

 To view the authentication history:
user@host> show security firewall-authentication history
History of firewall authentication data:
Authentications: 2
Id Source Ip Date Time Duration Status User
1 10.100.0.2 2010-05-31 09:57:28 0:03:46 Success test
2 10.100.0.2 2010-05-31 10:01:25 0:11:01 Failed lab
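The history table above is what you monitor for failed logins. As an added example (not Juniper's code or part of this course), the following Python parses that output into records and counts failures per source IP, which matters because the device allows subsequent traffic by source IP once a login succeeds; the sample output is constructed in the same column layout, and the failure threshold is an assumed tuning knob.

```python
import re
from collections import Counter

# Constructed sample of "show security firewall-authentication history" output,
# laid out like the table on this page (not captured from a real device).
SAMPLE_HISTORY = """History of firewall authentication data:
Authentications: 3
Id Source Ip Date Time Duration Status User
1 10.100.0.2 2010-05-31 09:57:28 0:03:46 Success test
2 10.100.0.2 2010-05-31 10:01:25 0:11:01 Failed lab
3 10.100.0.7 2010-05-31 10:05:02 0:00:12 Failed lab
"""

# One capture group per column: Id, Source Ip, Date, Time, Duration, Status, User.
HISTORY_RE = re.compile(
    r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{4}-\d{2}-\d{2})\s+"
    r"(\d{2}:\d{2}:\d{2})\s+(\d+:\d{2}:\d{2})\s+(Success|Failed)\s+(\S+)\s*$"
)


def parse_history(text):
    """Return one dict per record; header and summary lines do not match and are skipped."""
    records = []
    for line in text.splitlines():
        m = HISTORY_RE.match(line)
        if m:
            rid, ip, date, time, dur, status, user = m.groups()
            records.append({"id": int(rid), "source_ip": ip, "date": date,
                            "time": time, "duration": dur, "status": status,
                            "user": user})
    return records


def failed_attempts_by_source(records):
    """Count Failed records per source IP (the device keys allowed traffic by source IP)."""
    return dict(Counter(r["source_ip"] for r in records if r["status"] == "Failed"))


def sources_over_threshold(records, threshold):
    """Source IPs with at least `threshold` failures; the threshold is an assumed tuning knob."""
    counts = failed_attempts_by_source(records)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_history(SAMPLE_HISTORY)
    print(f"{len(recs)} records, failures by source: {failed_attempts_by_source(recs)}")
```

Feed it the real command output captured from the device and raise the threshold to whatever repeated-failure count you consider worth a look.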

Summary

 In this chapter, we:
•Described the purpose of firewall user authentication
•Learned how to implement pass-through authentication
•Learned how to implement Web authentication
•Learned how to implement firewall user client groups
•Discussed monitoring of firewall user authentication

Review Questions

1. Which external authentication methods have support for firewall user authentication?
2. Explain the difference between Web authentication and pass-through authentication.
3. What is a client group?
4. How do you view a history of firewall authentication attempts?

Lab 3: Configuring Firewall Authentication

 Implement and monitor pass-through and Web authentication.
