
SRX 300 using ACTIVE DIRECTORY to authenticate users and allow access to the resources behind the firewall

  • 1.  SRX 300 using ACTIVE DIRECTORY to authenticate users and allow access to the resources behind the firewall

    Posted 06-25-2017 21:28

    Hello,

    I have a requirement for an SRX 300 firewall to use Active Directory to authenticate users and provide access to the resources behind the firewall. We have many groups created in Active Directory. For example, suppose a new user needs access to one of the application servers: the user will be added to the group in Active Directory so that he can use the resources. I have read an article but was not able to understand the Active Directory and domain controller part. We generally use ADFS, not LDAP. Can anyone suggest me the configuration for this?

    set services user-identification active-directory-access domain example.net user-group-mapping ldap base DC=example,DC=net
    set services user-identification active-directory-access domain example.net user administrator password pwd
    set services user-identification active-directory-access domain example.net domain-controller ad1 address 192.0.2.15
    set access profile profile1 authentication-order ldap
    set access profile profile1 authentication-order password
    set access profile profile1 ldap-options base-distinguished-name CN=Users,DC=example,DC=com
    set access profile profile1 ldap-options search search-filter sAMAccountName=
    set access profile profile1 ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=example,DC=com
    set access profile profile1 ldap-options search admin-search password password
    set access profile profile1 ldap-server 192.0.2.3
    set security policies from-zone trust to-zone untrust policy p1 match source-address any
    set security policies from-zone trust to-zone untrust policy p1 match destination-address any
    set security policies from-zone trust to-zone untrust policy p1 match application any
    set security policies from-zone trust to-zone untrust policy p1 match source-identity unauthenticated-user
    set security policies from-zone trust to-zone untrust policy p1 match source-identity unknown-user
    set security policies from-zone trust to-zone untrust policy p1 then permit firewall-authentication user-firewall access-profile profile1
    set security policies from-zone trust to-zone untrust policy p2 match source-address any
    set security policies from-zone trust to-zone untrust policy p2 match destination-address any
    set security policies from-zone trust to-zone untrust policy p2 match application any
    set security policies from-zone trust to-zone untrust policy p2 match source-identity "example.com\user1"
    set security policies from-zone trust to-zone untrust policy p2 then permit
    set security user-identification authentication source active-directory-authentication-table priority 125
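    As an added example (not from the original post and not Juniper's own documentation), here is how the posted configuration could be reshaped to match the stated requirement: access is granted per Active Directory group rather than per user, the application server sits in its own zone, and anything the integrated user firewall cannot classify is sent through user-firewall authentication before being allowed. The domain example.net, the addresses 192.0.2.15 and 192.0.2.50, the zone name servers, the service account ldap-reader and the group name app-servers are assumed placeholders; passwords are shown as <redacted>. Lines starting with # are explanatory comments for the reader.

```junos
# Added example: integrated user firewall with AD group-based policy.
# All names, addresses and the group "app-servers" are placeholders.

# 1. Identity source: read logon events from the domain controller and
#    resolve group membership over LDAP. One domain name is used throughout
#    (the posted config mixes example.net and example.com).
set services user-identification active-directory-access domain example.net user ldap-reader password <redacted>
set services user-identification active-directory-access domain example.net domain-controller ad1 address 192.0.2.15
set services user-identification active-directory-access domain example.net user-group-mapping ldap base DC=example,DC=net

# 2. Fallback access profile used when a source IP has no identity entry.
#    A dedicated read-only account is enough for the LDAP bind.
set access profile profile1 authentication-order ldap
set access profile profile1 ldap-options base-distinguished-name CN=Users,DC=example,DC=net
set access profile profile1 ldap-options search search-filter sAMAccountName=
set access profile profile1 ldap-options search admin-search distinguished-name CN=ldap-reader,CN=Users,DC=example,DC=net
set access profile profile1 ldap-options search admin-search password <redacted>
set access profile profile1 ldap-server 192.0.2.15

# 3. The application server gets its own zone and address-book entry so the
#    policy can name it instead of matching destination-address any.
set security zones security-zone servers address-book address app-server-1 192.0.2.50/32

# 4. Policies are evaluated top-down; the most specific permit comes first.
#    p-group: members of the AD group "app-servers" reach the server.
set security policies from-zone trust to-zone servers policy p-group match source-address any
set security policies from-zone trust to-zone servers policy p-group match destination-address app-server-1
set security policies from-zone trust to-zone servers policy p-group match application junos-https
set security policies from-zone trust to-zone servers policy p-group match source-identity "example.net\app-servers"
set security policies from-zone trust to-zone servers policy p-group then permit
set security policies from-zone trust to-zone servers policy p-group then log session-init session-close

#    p-auth: sources with no identity entry are authenticated first, using
#    profile1, and then re-evaluated against p-group.
set security policies from-zone trust to-zone servers policy p-auth match source-address any
set security policies from-zone trust to-zone servers policy p-auth match destination-address app-server-1
set security policies from-zone trust to-zone servers policy p-auth match application junos-https
set security policies from-zone trust to-zone servers policy p-auth match source-identity unauthenticated-user
set security policies from-zone trust to-zone servers policy p-auth match source-identity unknown-user
set security policies from-zone trust to-zone servers policy p-auth then permit firewall-authentication user-firewall access-profile profile1

#    p-deny: everything else towards the server zone is dropped and logged,
#    so a user outside the group is refused rather than falling through.
set security policies from-zone trust to-zone servers policy p-deny match source-address any
set security policies from-zone trust to-zone servers policy p-deny match destination-address any
set security policies from-zone trust to-zone servers policy p-deny match application any
set security policies from-zone trust to-zone servers policy p-deny then deny
set security policies from-zone trust to-zone servers policy p-deny then log session-init

# 5. Prefer the AD authentication table when more than one identity source
#    is configured.
set security user-identification authentication source active-directory-authentication-table priority 125
```

    After committing, show services user-identification active-directory-access domain-controller status confirms the probe to the domain controller is up, and show services user-identification active-directory-access active-directory-authentication-table all lists the IP-to-user-and-group entries the policies match on; if a user's entry shows no groups, the LDAP bind account or the base DN in user-group-mapping is the first thing to check. Adding a user to the AD group takes effect for the firewall once that user's entry is refreshed, so removing a user from the group does not cut an already established session until the entry expires or the session ends.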



  • 2.  RE: SRX 300 using ACTIVE DIRECTORY to authenticate users and allow access to the resources behind the firewall

    Posted 06-25-2017 22:44

    Hello,

    This link would be useful to you.

    https://www.juniper.net/documentation/en_US/junos12.1x47/topics/example/example-userfw-ad.html

    Regards,

    Rushi



  • 3.  RE: SRX 300 using ACTIVE DIRECTORY to authenticate users and allow access to the resources behind the firewall

    Posted 06-26-2017 22:12

    Hi Folks,
    Please find a KB on configuring Active Directory user permissions when using Integrated User Firewall with Active Directory!

    https://www.juniper.net/documentation/en_US/junos/topics/concept/userfw-auth-table.html
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB29659

    -rengar