Policy Based Authentication / Authentication Proxy in Juniper Firewalls
One of the features you can achieve using rules in policies on a Juniper firewall is conditional pass-through of traffic. What I mean by that is: first authenticate the user, and only then allow or disallow the traffic that user is trying to pass. As an example:
set policy id 1 from Trust to Untrust any any HTTP permit log
The above command allows any user from the Trust zone to access HTTP resources on the Untrust side of the firewall. Now say I want to allow only one user. In that case I can require authentication before allowing that connection, in the same *ONE*-line policy, as below. For the example I'm going to use a 'user' created locally on the firewall; however, integration with an external authentication server is also well supported in Juniper firewalls.
set user <username> password <password>
set user <username> enable
set policy id 1 from Trust to Untrust any any HTTP permit auth user <username> log
The above three lines do the job. As you would expect, multiple services and multiple users can go on a single rule. Only after authenticating is the user allowed to access the resource. A very simple approach!
The following is a working example screenshot of a telnet session with double authentication (one on the firewall and the other on the actual telnet server).
A Telnet Session using Policy Based Authentication (the red box shows the first level of authentication, done at the firewall; the blue box shows the actual telnet authentication)
The relevant firewall configuration used for this is as below:
set user rsivanandan password password
set user rsivanandan enable

set policy id 1 from "Trust" to "Untrust" "Any" "Any" "TELNET" permit auth server "Local" user "rsivanandan" log
What is the advantage of this? I've seen environments where the same username is used by different people in the organization to log in and access data. There, we have only one authentication step and no way of finding out who actually logged in. If Policy Based Authentication is implemented, access can be controlled, and if the username/password checked by the firewall policy comes from an external user database, the firewall log identifies the individual.
Then we know who accessed the data last: ACCOUNTABILITY
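As an added example (not from the post or from Juniper), here is a small Python audit that parses policy lines in the `set policy id ...` form used above and flags permit rules that lack `auth` or `log`, the two keywords the accountability argument rests on. The sample configuration is constructed for the example; policy 1 is the post's own rule.

```python
import re

# Constructed sample config (not from the post): the two "set policy" forms the post
# shows (quoted and unquoted arguments), plus two policies an audit should flag.
SAMPLE_CONFIG = """
set user rsivanandan enable
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "TELNET" permit auth server "Local" user "rsivanandan" log
set policy id 2 from Trust to Untrust any any HTTP permit log
set policy id 3 from "Trust" to "DMZ" "Any" "Any" "FTP" permit auth user "rsivanandan"
set policy id 4 from Untrust to Trust any any ANY deny log
"""
# A ScreenOS CLI token is either a double-quoted string or a run of non-blank characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(line):
    """Split a CLI line into tokens, dropping the surrounding quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in _TOKEN.finditer(line)]

def parse_policy(line):
    """Parse one 'set policy id ...' line into a dict; return None for any other line."""
    t = tokenize(line)
    # Fixed positions: set policy id <id> from <src-zone> to <dst-zone> <src> <dst> <service> <action> ...
    if len(t) < 12 or t[:3] != ["set", "policy", "id"] or t[4] != "from" or t[6] != "to":
        return None
    pol = {"id": int(t[3]), "from": t[5], "to": t[7], "src": t[8], "dst": t[9], "service": t[10],
           "action": t[11], "auth": False, "auth_server": None, "auth_user": None, "log": False}
    i = 12
    while i < len(t):  # trailing options: auth [server <name>] [user <name>], log; others ignored
        if t[i] == "auth":
            pol["auth"] = True
        elif t[i] in ("server", "user") and i + 1 < len(t):
            pol["auth_" + t[i]] = t[i + 1]
            i += 1
        elif t[i] == "log":
            pol["log"] = True
        i += 1
    return pol

def audit(config):
    """Return one finding per permit policy that cannot tell you *who* used it."""
    findings = []
    for pol in filter(None, map(parse_policy, config.splitlines())):
        if pol["action"] != "permit":
            continue
        if not pol["auth"]:
            findings.append(f"policy {pol['id']}: permits {pol['service']} {pol['from']}->{pol['to']} without auth, so no per-user accountability")
        if not pol["log"]:
            findings.append(f"policy {pol['id']}: not logged, so the authenticated user is never recorded")
    return findings
```

Run `audit()` over the output of `get config` to list every permit policy that would leave you unable to answer "who accessed this?".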
This entry was posted by rsivanandan on July 17, 2008 at 8:21 pm, and is filed under Juniper.

about 1 year ago
Hey, I read every Juniper post on your blog, and I would like to commend you on taking the time to put together all this material.
I did have a question about policy based auth. I have been using it for a while in different areas on my network with local users on the relevant device. I have attempted on several occasions to use one of our Red Hat DS LDAP servers to store the usernames and passwords, but have never successfully got this working. Do you have any pointers on getting this set up?
about 1 year ago
Hmmm. You know what, I never tried it.
I am real busy as of now and will update some time once I try it out.
Cheers,
Rajesh