JNCIS SEC PPT - Firewall Authentication - Course 10.a
© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives
Agenda: Firewall User Authentication
Firewall User Authentication Overview
Pass-through authentication:
• Triggered by Telnet, FTP, and HTTP traffic
• User attempts to access the network resource directly
• Junos security device intercepts traffic and prompts for username and password
• If authentication is successful, subsequent traffic from the same source IP address is allowed
Web authentication:
• User first connects directly to Junos security device using HTTP
• Software prompts user for username and password
• If authentication is successful, subsequent traffic from the same source IP address is allowed
Authentication Server Support
Local:
• Authentication and authorization
RADIUS:
• Authentication and authorization
LDAP:
• Authentication only
SecurID:
• Authentication only
(Diagram: Junos security device querying a local database, an LDAP server, an SBR server, and a SecurID server)
Agenda: Firewall User Authentication
Pass-Through Authentication
(Diagram: a host initiates a Telnet session to 10.1.1.1 through the Junos security device)
1. Host sends Telnet to 10.1.1.1. Session lookup: no session match; policy check performed; packet buffered.
2. Device prompts the host: Username ?? Password ??
3. Host responds with username and password.
4. Login successful!
5. Packet forwarded to 10.1.1.1.
The session as seen from the host (the "Firewall User Authentication" line is a custom banner):
user@host> telnet 10.1.1.1
Trying 10.1.1.1...
Connected to 10.1.1.1.
Escape character is '^]'.
Firewall User Authentication
Username: user
Password: XXX
Login successful!
host (ttyp1)
login:
Pass-Through Configuration (1 of 3)
Pass-Through Configuration (2 of 3)
Pass-Through Configuration (3 of 3)
Configure policy action with firewall authentication:
[edit security policies]
user@host# show
from-zone zone-name to-zone zone-name {
    policy permit-all {
        match {
            source-address address-book-entry;
            destination-address address-book-entry;
            application application-name;
        }
        then {
            permit {
                firewall-authentication {
                    pass-through {
                        client-match client-name;
                    }
                }
            }
        }
    }
}
Agenda: Firewall User Authentication
Web Authentication
(Diagram: the user needs to access 10.1.1.1, so the user first browses to the device's web-authentication address 10.1.2.2)
1. Host sends HTTP to 10.1.2.2. Session lookup: no session match; host-inbound traffic check; user prompted.
2. Device prompts the host: Username ?? Password ??
3. Host responds with username and password.
4. Login Successful!
5. Client initiates session to 10.1.1.1.
Web Authentication Configuration (1 of 4)
Web Authentication Configuration (2 of 4)
Web Authentication Configuration (4 of 4)
Web Redirect
Agenda: Firewall User Authentication
Client Groups
(Diagram: User 1, User 2 and User 3; User 3 belongs to Group B and Group C)
Configuring Client Groups (1 of 2)
Configuring Client Groups (2 of 2)
Reference a group within a security policy:
[edit security policies]
user@host# show
from-zone trust to-zone trust {
    policy web-auth {
        match {
            source-address any;
            destination-address engineering;
            application junos-telnet;
        }
        then {
            permit {
                firewall-authentication {
                    pass-through {
                        client-match Group-A;
                    }
                }
            }
        }
    }
}
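To make the pass-through flow and the client-group check concrete, here is an added Python model (not Juniper code and not a Junos API) of the behaviour the Pass-Through Authentication and Client Groups slides describe: session lookup, policy check, the buffered packet and prompt, and the fact that a successful login is remembered per source IP address while client-match is still evaluated per policy. The user database, policies and addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed local user database: username -> (password, client groups).
# User 3 is in Group-B and Group-C, as on the Client Groups slide.
USERS: Dict[str, Tuple[str, Set[str]]] = {
    "user1": ("pw1", {"Group-A"}),
    "user3": ("pw3", {"Group-B", "Group-C"}),
}

@dataclass
class Policy:
    src: str                          # "any" or a source address
    dst: str                          # destination address-book entry (IP here)
    app: str                          # e.g. "junos-telnet"
    client_match: Optional[str] = None  # group required by pass-through; None = no auth

@dataclass
class Firewall:
    policies: List[Policy]
    sessions: Set[Tuple[str, str, str]] = field(default_factory=set)
    authenticated: Dict[str, str] = field(default_factory=dict)  # src_ip -> username

    def lookup_policy(self, src_ip: str, dst_ip: str, app: str) -> Optional[Policy]:
        for p in self.policies:                   # first matching policy wins
            if p.src in ("any", src_ip) and p.dst == dst_ip and p.app == app:
                return p
        return None

    def packet(self, src_ip: str, dst_ip: str, app: str,
               credentials: Optional[Tuple[str, str]] = None) -> str:
        """Return 'forwarded', 'prompt' (packet buffered) or 'dropped'."""
        if (src_ip, dst_ip, app) in self.sessions:   # step 1: session lookup
            return "forwarded"
        policy = self.lookup_policy(src_ip, dst_ip, app)
        if policy is None:
            return "dropped"
        if policy.client_match is not None:          # policy requires firewall auth
            user = self.authenticated.get(src_ip)    # prior login on this source IP?
            if user is None:
                if credentials is None:
                    return "prompt"                  # step 2: buffer and prompt
                name, pw = credentials               # step 3: verify credentials
                if name not in USERS or USERS[name][0] != pw:
                    return "dropped"
                user = name
                self.authenticated[src_ip] = user    # step 4: login successful
            if policy.client_match not in USERS[user][1]:
                return "dropped"                     # wrong client group for this policy
        self.sessions.add((src_ip, dst_ip, app))     # step 5: session created, forwarded
        return "forwarded"
```

Note that once 10.1.2.9 has authenticated as user1, a later session from that same source IP to a Group-B policy is dropped without a new prompt: the login is bound to the source address, not renegotiated per destination.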
Check Your Knowledge
Using Default Client Groups
Agenda: Firewall User Authentication
Using External Authentication Servers
Agenda: Firewall User Authentication
Verifying Firewall Authentication
Summary
Review Questions
Lab 3: Configuring Firewall Authentication