SRX


Configure bespoke Ports

  • 1.  Configure bespoke Ports

     
    Posted 02-16-2018 09:10

    Hi,

     

    I have configured a security policy that works as I expect it to by denying ping to the RADIUS server from anywhere other than one particular interface.

    I also need to set the said policy with access to UDP 1812, 1813 and 1814. I utilised Juniper documentation to create this and apply it to a policy, but it is not working.

     

    Here is the configuration I configured:

     

    set applications application RADIUS term radius protocol udp
    set applications application RADIUS term radius source-port 1812-1814
    set applications application RADIUS term radius destination-port 1812-1814

     

    I then applied that to the policies as shown below:

     

    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy Steve match source-address thw-lns-01
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy Steve match destination-address thw-radius-01
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy Steve match application junos-ntp
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy Steve match application junos-pingv6
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy Steve match application junos-ping
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy Steve match application RADIUS
    set security policies from-zone Customer-Network to-zone NineGroup-DMZ policy Steve then permit
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy Steve1 match source-address thw-radius-01
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy Steve1 match destination-address thw-lns-01
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy Steve1 match application junos-ntp
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy Steve1 match application junos-pingv6
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy Steve1 match application junos-ping
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy Steve1 match application RADIUS
    set security policies from-zone NineGroup-DMZ to-zone Customer-Network policy Steve1 then permit

    set security policies from-zone Customer-Network to-zone Customer-Network policy Steve match source-address any
    set security policies from-zone Customer-Network to-zone Customer-Network policy Steve match destination-address any
    set security policies from-zone Customer-Network to-zone Customer-Network policy Steve match application any
    set security policies from-zone Customer-Network to-zone Customer-Network policy Steve then permit
    set security policies from-zone NineGroup-DMZ to-zone NineGroup-DMZ policy Steve1 match source-address thw-lns-01
    set security policies from-zone NineGroup-DMZ to-zone NineGroup-DMZ policy Steve1 match destination-address thw-radius-01
    set security policies from-zone NineGroup-DMZ to-zone NineGroup-DMZ policy Steve1 match application junos-ntp
    set security policies from-zone NineGroup-DMZ to-zone NineGroup-DMZ policy Steve1 match application junos-pingv6
    set security policies from-zone NineGroup-DMZ to-zone NineGroup-DMZ policy Steve1 match application junos-ping
    set security policies from-zone NineGroup-DMZ to-zone NineGroup-DMZ policy Steve1 match application RADIUS
    set security policies from-zone NineGroup-DMZ to-zone NineGroup-DMZ policy Steve1 then permit

     

    Am I configuring this correctly please?

     

    Thanks



  • 2.  RE: Configure bespoke Ports

     
    Posted 02-19-2018 02:15

    I have tested various options. 

     

    Option 1: Change the addresses to ANY ANY Application RADIUS (as I configured) - Not successful

    Option 2: Change the application RADIUS to junos-radius - Successful

    Option 3: Change Source and destination back to LNS and RADIUS using junos-radius - Successful

    Option 4: Change application junos-radius back to RADIUS - Not successful

     

    From the LNS, are ports UDP 1812, 1813 and 1814 the forwarded packets to the RADIUS Server or something different?

     

    Could someone please tell me what is included in the "junos-radius" application (ports etc etc)?

     

    Thanks



  • 3.  RE: Configure bespoke Ports
    Best Answer

     
    Posted 02-19-2018 03:05

    Delete the source-port section of your custom definition.

     

    delete applications application RADIUS term radius source-port 1812-1814

     

    Source ports will be random and the destination port fixed for this application.
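    Why the delete command above fixes the policy, shown as an added example that is my own code, not from this thread or from Juniper: an SRX evaluates a custom application term against the first packet of a flow, and every constraint in the term (protocol, destination-port and, if present, source-port) must hold. A RADIUS client such as the LNS picks an ephemeral source port (49152 below is a constructed sample value), so a term that pins source-port to 1812-1814 only matches in the rare case where the client happens to pick a port in that range, which is what post 2's "Not successful" tests were hitting. The term definitions mirror the set-commands in post 1, and the `Term`, `Packet`, `failing_constraint` and `evaluate` names are mine.

```python
# Added example: a small model of how an SRX evaluates a custom application
# term against the first packet of a flow. Not code from the thread or from
# Juniper; the term definitions mirror the set-commands in the thread and the
# packets below are constructed sample traffic.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive, e.g. (1812, 1814) for "1812-1814"


@dataclass(frozen=True)
class Term:
    protocol: str
    destination_port: PortRange
    source_port: Optional[PortRange] = None  # None means "any", the Junos default


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_port: int
    dst_port: int


def _in_range(port: int, rng: Optional[PortRange]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def failing_constraint(term: Term, pkt: Packet) -> Optional[str]:
    """Return the name of the first term constraint the packet violates,
    or None when every constraint holds (i.e. the term matches)."""
    if pkt.protocol != term.protocol:
        return "protocol"
    if not _in_range(pkt.dst_port, term.destination_port):
        return "destination-port"
    if not _in_range(pkt.src_port, term.source_port):
        return "source-port"
    return None


def term_matches(term: Term, pkt: Packet) -> bool:
    return failing_constraint(term, pkt) is None


# Post 1's definition: source-port AND destination-port pinned to 1812-1814.
RADIUS_ORIGINAL = Term("udp", (1812, 1814), source_port=(1812, 1814))
# The definition after the best answer's delete command: destination-port only.
RADIUS_FIXED = Term("udp", (1812, 1814))


def radius_request(dst_port: int, src_port: int = 49152) -> Packet:
    """A request as a NAS/LNS really sends it: ephemeral source port
    (49152 is a constructed sample value), fixed destination port."""
    return Packet("udp", src_port, dst_port)


def evaluate(term: Term, packets: List[Packet]) -> List[Optional[str]]:
    """Failing constraint per packet; None entries are the packets the policy
    would treat as matching the application."""
    return [failing_constraint(term, p) for p in packets]


if __name__ == "__main__":
    samples = [radius_request(1812), radius_request(1813), radius_request(1812, src_port=1813)]
    for name, term in (("RADIUS (original)", RADIUS_ORIGINAL), ("RADIUS (fixed)", RADIUS_FIXED)):
        for pkt, result in zip(samples, evaluate(term, samples)):
            verdict = "match" if result is None else f"no match ({result})"
            print(f"{name}: {pkt.src_port}->{pkt.dst_port}/udp: {verdict}")
```

    The server's reply travels from port 1812 back to the client's ephemeral port; the SRX flow engine matches it to the session created by the request rather than re-evaluating policy, so pinning the source port buys nothing even for the return direction. On the device itself the equivalent check is `show security match-policies` with the real source and destination addresses, `protocol udp`, an ephemeral `source-port` and `destination-port 1812`, and post 2's question about the predefined application is answered by `show configuration groups junos-defaults applications application junos-radius` (from memory, junos-radius is UDP destination port 1812 and junos-radacct is UDP 1813; confirm on the box, since neither covers 1814).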

     



  • 4.  RE: Configure bespoke Ports

     
    Posted 02-19-2018 03:33

    Hi Spuluka,

     

    Thank you. That worked perfectly. I thought that the PPP protocol would have sent an authentication request on UDP 1812 also, but that seems not to be the case.

     

    Thanks