Hello,
We have a newly installed MX5 router, and we're looking to secure the routing engine as well as set up RADIUS authentication for access control to the control plane.
The system is split into 2 logical systems because the router serves as both the primary edge router AND the internal core router.
Basically:
Internet <--> MX5 LS1 (Edge) <--> Firewall <--> MX5 LS2 (Core) <--> Layer 2 Switching Core
All the internal private IP space terminates on MX5 LS2 for internal inter-VLAN routing; there is then a default route to a /30 between the MX5 and the firewall. The firewall in turn has a default route to MX5-LS1, which terminates our ISP and BGP peers.
LS1 is actually the default global LS.
I'm having trouble wrapping my head around how to configure RADIUS authentication for system logins. Our RADIUS server sits behind LS2, but you cannot configure radius-server or even system login statements in the logical system's "edit system" stanza.
Should I create a firewall filter on LS1 blocking SSH and other unwanted traffic, then create a logical tunnel between LS1 and LS2 with a static route so that RADIUS traffic sourced from LS1 can reach the RADIUS server on LS2?
Sanitized configuration is below:
## Last changed: 2014-06-18 09:22:28 MDT
version 12.3R6.6;
/* Master (default) logical system. As noted in the question, radius-server,
   login and services statements can only live here, not under
   logical-systems <name> system. */
system {
host-name sanitized;
/* Local password is consulted before RADIUS. No radius-server is defined
   anywhere in this stanza, so the radius entry is currently inert; once a
   server is added, [ radius password ] is the usual order so RADIUS is
   authoritative and the local account is only a fallback when the servers
   are unreachable. */
authentication-order [ password radius ];
root-authentication {
encrypted-password "sanitized"; ## SECRET-DATA
}
/* Both resolvers are in 172.21.21.0/24, which is irb.135 (Servers) on LS2.
   RE-sourced traffic (DNS, RADIUS, NTP) presumably follows the master LS
   routing table, so these resolvers need the same LS1-to-LS2 path the
   RADIUS server will need — confirm they are reachable from the RE today. */
name-server {
172.21.21.29;
172.21.21.36;
}
login {
/* A single local super-user only. RADIUS-authenticated users without a local
   account map to a template user (for example 'remote'); none is defined
   here yet, so decide which class such users should land in before enabling
   RADIUS. */
user jbarron {
/* NOTE(review): the next line is truncated in the paste (most likely a
   quoted attribute such as full-name); verify against the live config. */
";
uid 2000;
class super-user;
authentication {
encrypted-password "sanitized"; ## SECRET-DATA
}
}
}
/* SSH with all defaults. Alongside a lo0 filter, root-login deny and
   protocol-version v2 are the usual hardening knobs here so that root and
   SSHv1 are refused regardless of where a session arrives from. */
services {
ssh;
}
/* Local file logging only; no remote syslog host is configured, so login and
   command-authorization events ('authorization info') stay on the box. */
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
}
/* Single unauthenticated NTP source; NTP is also RE-sourced and presumably
   follows the master LS table like RADIUS and DNS. */
ntp {
boot-server 217.114.59.66;
server 217.114.59.66;
}
}
/* LS2 = internal core. No lo0 unit is assigned to this logical system, so
   there is nowhere to attach a routing-engine protection filter for traffic
   addressed to its irb interfaces; and no firewall filter is applied on any
   interface below, so nothing visible here separates Guest Wifi (irb.50)
   from the server and management VLANs. */
logical-systems {
LS2{
interfaces {
/* Trunk to the layer-2 core; carries every VLAN that has an irb below. */
ge-1/1/0 {
unit 0 {
description "To Juniper CP_CoreEX4200-VC1 Ge-0/0/0";
family bridge {
interface-mode trunk;
vlan-id-list [ 20 25 50 125-300 ];
}
}
}
/* /30 toward the firewall; the default route below points at 192.168.199.1.
   Note 192.168.199.0/30 falls inside 192.168.199.254/24 configured on fxp0
   in the master LS. They live in different tables, but this is easy to get
   wrong when building the LS1-to-LS2 path for RADIUS — confirm it is
   intended. */
ge-1/1/1 {
unit 0 {
description "To Sophos Eth0";
family inet {
address 192.168.199.2/30;
}
}
}
/* Inter-VLAN gateways. Each irb unit is bound to a bridge domain in the
   Internal BD routing instance below. */
irb {
unit 20 {
family inet {
address 172.21.1.1/24;
}
}
unit 25 {
family inet {
address 172.21.50.1/24;
}
}
/* Guest Wifi gateway. 172.10.0.0/24 is not RFC 1918 space (172.16.0.0/12
   is), so verify this prefix is intended; it will shadow a public network
   for anyone on this VLAN. */
unit 50 {
family inet {
address 172.10.0.1/24;
}
}
unit 125 {
family inet {
address 172.21.22.1/24;
}
}
/* Servers VLAN; the system name-servers (172.21.21.29/.36) live here. */
unit 135 {
family inet {
address 172.21.21.1/24;
}
}
unit 145 {
family inet {
address 172.21.20.1/24;
}
}
unit 155 {
family inet {
address 172.21.19.1/24;
}
}
unit 165 {
family inet {
address 172.21.18.1/24;
}
}
unit 175 {
family inet {
address 172.21.2.1/23;
}
}
unit 185 {
family inet {
address 172.21.16.1/24;
}
}
unit 195 {
family inet {
address 172.21.15.1/24;
}
}
unit 200 {
family inet {
address 172.21.14.1/24;
}
}
unit 205 {
family inet {
address 172.21.24.1/24;
}
}
unit 215 {
family inet {
address 172.21.23.1/24;
}
}
/* Legacy VLAN is a /16; it overlaps nothing else on the page but is far
   larger than the other segments — presumably historical. */
unit 226 {
family inet {
address 172.22.22.1/16;
}
}
unit 300 {
family inet6 {
address sanitized/48;
}
}
}
}
routing-instances {
/* Virtual switch holding the core trunk; each bridge domain names the irb
   unit that routes it. */
Internal BD{
instance-type virtual-switch;
interface ge-1/1/0.0;
bridge-domains {
VLAN_125 {
description Core;
vlan-id 125;
routing-interface irb.125;
}
VLAN_135 {
description Servers;
vlan-id 135;
routing-interface irb.135;
}
VLAN_145 {
description Executive;
vlan-id 145;
routing-interface irb.145;
}
VLAN_155 {
description Operations;
vlan-id 155;
routing-interface irb.155;
}
VLAN_165 {
description Support;
vlan-id 165;
routing-interface irb.165;
}
VLAN_175 {
description Engineering;
vlan-id 175;
routing-interface irb.175;
}
VLAN_185 {
description Sales;
vlan-id 185;
routing-interface irb.185;
}
VLAN_195 {
description IT;
vlan-id 195;
routing-interface irb.195;
}
VLAN_20 {
description SAN;
vlan-id 20;
routing-interface irb.20;
}
VLAN_200 {
description "Wireless Clients";
vlan-id 200;
routing-interface irb.200;
}
VLAN_205 {
description QA;
vlan-id 205;
routing-interface irb.205;
}
VLAN_215 {
description Enterprise;
vlan-id 215;
routing-interface irb.215;
}
VLAN_226 {
description Legacy;
vlan-id 226;
routing-interface irb.226;
}
VLAN_25 {
description VoIP;
vlan-id 25;
routing-interface irb.25;
}
VLAN_300 {
description IPv6;
vlan-id 300;
routing-interface irb.300;
}
VLAN_50 {
description "Guest Wifi";
vlan-id 50;
routing-interface irb.50;
}
}
}
}
/* Everything not local to LS2 goes to the firewall, which in turn defaults
   to LS1. */
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.199.1;
}
}
}
}
/* Suppresses the chassis alarm for a down fxp0 link. If fxp0 is to become
   the management/RADIUS path to LS2, the alarm is probably worth keeping —
   confirm whether the port is actually cabled. */
chassis {
alarm {
management-ethernet {
link-down ignore;
}
}
}
/* Master LS (LS1, edge) interfaces. No firewall filter is applied anywhere
   in this stanza — neither on the WAN port nor on lo0.0. */
interfaces {
/* ISP hand-off (dual-stack). Without an input filter here or on lo0.0,
   anything the ISP side sends toward the RE (SSH, NTP, BGP from unexpected
   sources) is accepted unfiltered. */
ge-1/0/0 {
description WAN;
unit 0 {
family inet {
address sanitized/30;
}
family inet6 {
address sanitized/64;
}
}
}
/* Two access ports into the Sophos_WAN virtual switch (VLAN 2), routed via
   irb.2 below. */
ge-1/0/2 {
description "To Sophos UTM WAN";
unit 0 {
family bridge {
interface-mode access;
vlan-id 2;
}
}
}
ge-1/0/3 {
description "To Sophos UTM WAN";
unit 0 {
family bridge {
interface-mode access;
vlan-id 2;
}
}
}
/* Out-of-band management. 192.168.199.0/24 contains the 192.168.199.0/30
   that LS2 uses toward the firewall (ge-1/1/1). The chassis stanza also
   ignores link-down on this port, which suggests it may not be in use —
   confirm before relying on it as the RADIUS/DNS path. */
fxp0 {
unit 0 {
family inet {
address 192.168.199.254/24;
}
}
}
/* Routed interface for the firewall's WAN side. */
irb {
unit 2 {
family inet {
address sanitized/25;
}
}
}
/* lo0.0 is where a routing-engine protection filter (family inet filter
   input <name>) would be attached to restrict SSH, BGP and NTP to known
   sources; none is present, and no routable loopback address is defined
   either. */
lo0 {
unit 0 {
family inet {
address 127.0.0.1/32;
}
}
}
}
/* Master LS (LS1) routing: IPv6 default plus a discard aggregate, IPv4
   default, and the public AS used for the TWTelecom peering. */
routing-options {
rib inet6.0 {
static {
rib-group CP-IPv6;
route ::/0 next-hop sanitized;
/* Discard aggregate; readvertise lets it be picked up by the To-TWTelecom
   export policy (presumably the prefix matched by its term 1). */
route sanitized{
discard;
install;
readvertise;
}
}
}
/* IPv4 default; all RE-sourced IPv4 (RADIUS, DNS, NTP) goes this way unless
   a more specific route toward LS2 is added. */
static {
route 0.0.0.0/0 next-hop sanitized;
}
/* With a single import-rib — the same table the statics already live in —
   this group looks like a no-op or a placeholder for a second table; confirm
   it is still needed. */
rib-groups {
CP-IPv6 {
import-rib inet6.0;
}
}
autonomous-system 62478;
}
/* Single IPv6-only eBGP session to TWTelecom. There is no import policy,
   no prefix-limit under family inet6 and no authentication-key, so the
   session accepts whatever the peer sends and is unauthenticated; those are
   usually the first additions in an edge-hardening pass. */
protocols {
bgp {
group TWTelecom {
type external;
family inet6 {
any;
}
export To-TWTelecom;
peer-as 4323;
neighbor sanitized {
description "Ethernet to TWTelecom IPv6";
}
}
}
}
/* Export policy for the TWTelecom session: announce exactly one prefix with
   next-hop self and reject everything else, so internal or transit routes
   cannot leak to the ISP. */
policy-options {
policy-statement To-TWTelecom {
term 1 {
from {
route-filter sanitized exact;
}
then {
next-hop self;
accept;
}
}
term 2 {
then reject;
}
}
}
/* Virtual switch bridging the two Sophos UTM WAN ports on VLAN 2; irb.2 in
   the master LS is the router-side address the firewall defaults to. */
routing-instances {
Sophos_WAN {
instance-type virtual-switch;
interface ge-1/0/2.0;
interface ge-1/0/3.0;
bridge-domains {
FW_Wan_Access {
vlan-id 2;
routing-interface irb.2;
}
}
}
}