Monday 12 August 2013

Junos: Firewall Authentication Part 2

Pass-through firewall user authentication occurs when a client tries to reach a destination in another zone using FTP, Telnet, or HTTP. The firewall intercepts the session and acts as a proxy for the FTP, Telnet, or HTTP server: it authenticates the user first, and only after successful authentication does it allow access to the actual FTP, Telnet, or HTTP server behind the firewall.

Configuring Pass-Through Firewall Authentication
[Figure: auth-passthrough.gif]

To configure the device for pass-through firewall authentication as shown in the figure above, follow these steps:
  1. Create IP addresses for the interfaces on the device (20.20.20.1 on the client-facing interface, 30.30.30.1 on the server-facing interface).
    user@host# set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24
    user@host# set interfaces ge-5/0/0 unit 0 family inet address 30.30.30.1/24
  2. Create an access profile, FWAUTH, for FWClient1 and specify a password, pwd.
    user@host# set access profile FWAUTH client FWClient1 firewall-user password pwd
  3. Add the FWAUTH profile for pass-through firewall authentication and define a success banner for Telnet sessions.
    user@host# set access firewall-authentication pass-through default-profile FWAUTH
    user@host# set access firewall-authentication pass-through telnet banner success "WELCOME TO JUNIPER TELNET SESSION"
  4. Create security zones.
    user@host# set security zones security-zone UT-ZONE host-inbound-traffic system-services all
    user@host# set security zones security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
    user@host# set security zones security-zone T-ZONE host-inbound-traffic system-services all
    user@host# set security zones security-zone T-ZONE interfaces ge-5/0/0.0 host-inbound-traffic protocols all
  5. Assign a security policy, policy1, to the zones.
    user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 match source-address any
    user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 match destination-address any
    user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 match application junos-telnet
    user@host# set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 then permit firewall-authentication pass-through client-match FWClient1
  6. Use Telnet to authenticate firewall user FWClient1 to host2.
    regress@FWClient1# run telnet 30.30.30.2
    Trying 30.30.30.2...
    Connected to 30.30.30.2.
    Escape character is '^]'.
    Firewall User Authentication
    Username: FWClient1
    Password:***
    WELCOME TO JUNIPER TELNET SESSION
    Host1 (ttyp0)
    login: regress
    Password:
    --- JUNOS 8.5R1.1 built 2007-10-12 13:30:18 UTC
    %
  7. If you are finished configuring the device, commit the configuration.
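Pass-through authentication only works if the names in steps 2, 3, 4 and 5 line up: the policy's client-match must name a client of the access profile that pass-through default-profile points to, and each zone must bind a logical interface that was actually configured. As an added example (not the page's or Juniper's code), here is a small Python checker for those cross-references; the configuration it reads is constructed from the page's commands with two easy-to-make mismatches left in on purpose (a client-match name in different case, and a zone bound to an interface name that was never configured).

```python
import re
from collections import defaultdict

# Constructed sample: the page's commands with two mistakes left in for the
# checker to find: client-match "FWclient1" differs in case from the profile's
# client, and T-ZONE binds fe-5/0/0.0 while the configured interface is ge-5/0/0.
SAMPLE_CONFIG = """
set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24
set interfaces ge-5/0/0 unit 0 family inet address 30.30.30.1/24
set access profile FWAUTH client FWClient1 firewall-user password pwd
set access firewall-authentication pass-through default-profile FWAUTH
set security zones security-zone UT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic protocols all
set security zones security-zone T-ZONE interfaces fe-5/0/0.0 host-inbound-traffic protocols all
set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 match application junos-telnet
set security policies from-zone UT-ZONE to-zone T-ZONE policy policy1 then permit firewall-authentication pass-through client-match FWclient1
"""
# One pattern per statement type the check uses; other lines are ignored.
PROFILE_CLIENT = re.compile(r"^set access profile (\S+) client (\S+) ")
DEFAULT_PROFILE = re.compile(r"^set access firewall-authentication pass-through default-profile (\S+)$")
INTERFACE = re.compile(r"^set interfaces (\S+) unit (\d+) ")
ZONE_IFACE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
CLIENT_MATCH = re.compile(r" policy (\S+) then permit firewall-authentication pass-through client-match (\S+)$")

def check_passthrough_config(config):
    """Return findings; an empty list means the cross-references line up."""
    profiles, interfaces, default_profile = defaultdict(set), set(), None
    zone_ifaces, client_matches = [], []
    for line in config.strip().splitlines():
        if m := PROFILE_CLIENT.match(line):
            profiles[m[1]].add(m[2])           # access profile -> client names
        elif m := DEFAULT_PROFILE.match(line):
            default_profile = m[1]
        elif m := INTERFACE.match(line):
            interfaces.add(f"{m[1]}.{m[2]}")   # logical name, e.g. ge-0/0/1.0
        elif m := ZONE_IFACE.match(line):
            zone_ifaces.append((m[1], m[2]))
        elif m := CLIENT_MATCH.search(line):
            client_matches.append((m[1], m[2]))
    findings = []
    known = profiles.get(default_profile, set())  # clients the default profile can authenticate
    for policy, client in client_matches:
        if client not in known:   # identifiers are case-sensitive: compare exactly
            why = "case differs from a profile client" if client.lower() in {c.lower() for c in known} else "no such client"
            findings.append(f"policy {policy}: client-match {client!r} never matches ({why})")
    for zone, iface in zone_ifaces:
        if iface not in interfaces:
            findings.append(f"zone {zone}: interface {iface} is not configured under 'set interfaces'")
    return findings

print("\n".join(check_passthrough_config(SAMPLE_CONFIG)) or "no findings")
```

Run against a real device, feed it the output of `show configuration | display set` instead of the constructed sample; a client-match that never matches means the policy can never apply to that authenticated user, which shows up as a denied session rather than a commit error.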
