
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  vSRX web-authentication

    Posted 08-07-2020 00:58

    Hello Experts,

     

    I'm stuck configuring web-authentication on vSRX. I searched the Juniper YouTube channel but could not find a tutorial on setting up web-authentication for the SRX, so I followed this video, which is for the older Junos 12: https://www.youtube.com/watch?v=HtO_qqTW2mY

     

    The issue I face is that I am not able to load the authentication page in a web browser (Firefox or Chrome); see the attached image. Can you advise where I've made a mistake? Also, is there a configuration that does not require users to browse explicitly to the web-authentication address, but instead redirects them to the web-authentication page automatically and, once they are authenticated, lets the SRX forward them on to the site they originally requested?

     

    Below is the configuration; I appreciate your support.

     

    root# run show configuration
    ## Last commit: 2020-08-07 07:50:56 UTC by root
    version 20200609.165031.6_builder.r1115480;
    system {
    /* NOTE(review): this SHA-512 root password hash has been posted to a public forum; rotate the root password. */
    root-authentication {
    encrypted-password "$6$mr8vHc28$cDObHnV2hYL7zS7XD8et/FWGOjFeuJtbJFpyNBiESLvR4xZlpYLvijo5icJbYt8NpVRS37dTsmKGuAD5clKIq0"; ## SECRET-DATA
    }
    services {
    /* NOTE(review): SSH is enabled with no 'root-login deny' and no non-root login accounts in this
       configuration (every commit here is made as root); confirm that SSH access as root is intended. */
    ssh;
    dhcp-local-server {
    group WIRED {
    interface ge-0/0/1.20;
    }
    group WLAN {
    interface ge-0/0/1.10;
    }
    }
    web-management {
    /* Plain-text J-Web is bound to the management interface only. The accepted answer in this thread
       shows that the web-authentication login page was only served once the interface carrying the
       web-auth address (ge-0/0/1.10, see interfaces below) was also covered here; list that interface
       explicitly rather than 'all' to avoid exposing J-Web on every interface. */
    http {
    interface fxp0.0;
    }
    https {
    /* Self-signed certificate: browsers will warn on the HTTPS login page. Fine for a lab; replace
       with a CA-issued certificate before users are asked to enter credentials in production. */
    system-generated-certificate;
    interface [ fxp0.0 ge-0/0/0.0 ];
    }
    }
    }
    domain-name www.vsrx3.com;
    name-server {
    4.2.2.2;
    }
    syslog {
    user * {
    any emergency;
    }
    /* 'authorization info' keeps login/authentication events in the messages log; useful when
       troubleshooting firewall-authentication failures. */
    file messages {
    any any;
    authorization info;
    }
    file interactive-commands {
    interactive-commands any;
    }
    }
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    }
    security {
    /* Screen profile applied to the untrust zone below. */
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    /* The commit already warns that this knob is deprecated; remove it to keep the commit clean. */
    queue-size 2000; ## Warning: 'queue-size' is deprecated
    timeout 20;
    }
    land;
    }
    }
    }
    /* Interface-based source NAT for all trust-to-untrust traffic. */
    nat {
    source {
    rule-set LAN-TO-WAN {
    from zone trust;
    to zone untrust;
    rule LAN-TO-WAN {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    policies {
    /* Intra-zone traffic between the two trust VLANs is allowed without authentication. */
    from-zone trust to-zone trust {
    policy default-permit {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone trust to-zone untrust {
    policy default-permit {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit {
    /* With 'web-authentication', traffic is permitted only for users who have already logged in at the
       web-auth address configured on ge-0/0/1.10; unauthenticated users are simply dropped, not redirected.
       NOTE(review): the automatic-redirect behaviour the poster asks for is the 'pass-through' form of
       firewall-authentication with its web-redirect option — confirm availability on this release. */
    firewall-authentication {
    web-authentication {
    client-match [ G1 G2 G3 ];
    }
    }
    }
    }
    }
    }
    /* No from-zone untrust policy is configured, so transit traffic arriving from untrust falls to the
       default policy (presumably deny, since no 'default-policy' statement is shown). */
    }
    zones {
    security-zone trust {
    tcp-rst;
    /* NOTE(review): 'system-services all' and 'protocols all', repeated per interface below, let every
       host on both VLANs reach every service on the firewall (SSH, J-Web, telnet, ...). Web authentication
       only needs http/https towards the web-auth address; tighten this to the services actually required. */
    host-inbound-traffic {
    system-services {
    all;
    ping;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-0/0/1.10 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    ge-0/0/1.20 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    security-zone untrust {
    screen untrust-screen;
    interfaces {
    ge-0/0/0.0 {
    /* NOTE(review): this is the WAN-facing interface. telnet is clear-text and no SNMP configuration is
       present in this file, so both should be removed here; exposing ssh and https (J-Web) to the untrust
       side also deserves a deliberate decision rather than a lab default. */
    host-inbound-traffic {
    system-services {
    ping;
    https;
    ssh;
    telnet;
    snmp;
    }
    }
    }
    }
    }
    }
    }
    interfaces {
    /* Untrust/WAN interface; the default route below points to 192.168.0.1 on this segment. */
    ge-0/0/0 {
    unit 0 {
    family inet {
    address 192.168.0.200/24;
    }
    }
    }
    /* Trunk towards the LAN: VLAN 10 (WLAN) and VLAN 20 (WIRED), both in zone trust and both served by
       the DHCP pools under access address-assignment. */
    ge-0/0/1 {
    vlan-tagging;
    unit 10 {
    vlan-id 10;
    family inet {
    address 10.10.10.1/24;
    /* Secondary address dedicated to the web-authentication login page: users on VLAN 10 must browse
       to 10.10.10.2 to authenticate. 'redirect-to-https' sends http logins to https, which uses the
       system-generated (self-signed) J-Web certificate. The login page is served by web-management, so
       this unit must also be enabled under 'system services web-management'. */
    address 10.10.10.2/24 {
    web-authentication {
    http;
    https;
    redirect-to-https;
    }
    }
    }
    }
    unit 20 {
    vlan-id 20;
    family inet {
    address 10.10.20.1/24;
    }
    }
    }
    /* Management interface with no address configured; J-Web http is nevertheless bound to it above. */
    fxp0 {
    unit 0;
    }
    }
    access {
    /* Local firewall-user profile used by web authentication (default-profile below). */
    profile WEBAUTH {
    client Client-1 {
    client-group [ G1 G2 G3 ];
    firewall-user {
    /* NOTE(review): '$9$' is Juniper's reversible obfuscation, not a hash — anyone with this posted
       configuration can recover the plain-text password. Rotate it. */
    password "$9$iHPQCtOEhr"; ## SECRET-DATA
    }
    }
    /* Presumably the default client groups applied to sessions in this profile; together with the
       'client-match [ G1 G2 G3 ]' in the trust-to-untrust policy this would match any authenticated
       user — confirm the intended semantics. */
    session-options {
    client-group [ G1 G2 G3 ];
    }
    }
    /* DHCP scopes for the two trust VLANs, handed out by dhcp-local-server. */
    address-assignment {
    pool WLAN {
    family inet {
    network 10.10.10.0/24;
    range WLAN-Clients {
    low 10.10.10.10;
    high 10.10.10.200;
    }
    dhcp-attributes {
    name-server {
    1.1.1.1;
    4.2.2.2;
    }
    router {
    10.10.10.1;
    }
    }
    }
    }
    pool WIRED {
    family inet {
    network 10.10.20.0/24;
    range WIRED-Clients {
    low 10.10.20.10;
    high 10.10.20.200;
    }
    dhcp-attributes {
    name-server {
    4.2.2.2;
    1.1.1.1;
    }
    router {
    10.10.20.1;
    }
    }
    }
    }
    }
    firewall-authentication {
    web-authentication {
    /* Profile consulted for web-authentication logins; only a success banner is configured. */
    default-profile WEBAUTH;
    banner {
    success "LOGIN SUCCESS";
    }
    }
    }
    }
    routing-options {
    /* Single default route via the gateway on the untrust segment (ge-0/0/0.0, 192.168.0.0/24). */
    static {
    route 0.0.0.0/0 next-hop 192.168.0.1;
    }
    }

    [edit]
    root#



  • 2.  RE: vSRX web-authentication
    Best Answer

    Posted 08-07-2020 03:47

    This was the issue: J-Web (system services web-management) was enabled only on fxp0.0 and ge-0/0/0.0, so the interface carrying the web-authentication address (ge-0/0/1.10) had no HTTP/HTTPS listener to serve the login page. Note that `interface all` also enables J-Web on every other interface, including the untrust-facing ge-0/0/0.0; listing ge-0/0/1.10 explicitly instead of `all` keeps the management UI off interfaces that do not need it.

     

    [edit]
    root# show | compare
    [edit system services web-management http]
    - interface fxp0.0;
    + interface [ fxp0.0 all ];
    [edit system services web-management https]
    - interface [ fxp0.0 ge-0/0/0.0 ];
    + interface [ fxp0.0 ge-0/0/0.0 all ];

    🙂 solved