Hello,
I'm trying to simulate pass-through authentication for different VLANs on my vSRX. I've managed to apply pass-through authentication on a VLAN simulating the wireless subnet; however, on the second VLAN, simulating wired, I want no pass-through authentication, and internet reachability should be open. I've separated the security policies under the trust-to-untrust zone pair for WIRED and WIRELESS. The wireless VLAN works as expected, i.e. it asks for authentication, but the wired VLAN cannot ping out to the internet. It is able to ping its default gateway 10.10.20.1 and the wireless VLAN gateway 10.10.10.1 (because the trust-to-trust policy allows that).
Please can someone point out the mistake in configuration?
Appreciate your support.
root# run show configuration
## Last commit: 2020-08-09 07:36:03 UTC by root
/* vSRX lab configuration: two VLAN sub-interfaces on ge-0/0/1 (unit 10 = WLAN,
   unit 20 = WIRED) in zone trust, ge-0/0/0.0 in zone untrust, interface-based
   source NAT trust->untrust, and firewall pass-through authentication applied
   only to the WLAN policy. */
version 20200609.165031.6_builder.r1115480;
system {
root-authentication {
/* NOTE(review): this hash has been pasted into a public post; rotate the root password. */
encrypted-password "$6$mr8vHc28$cDObHnV2hYL7zS7XD8et/FWGOjFeuJtbJFpyNBiESLvR4xZlpYLvijo5icJbYt8NpVRS37dTsmKGuAD5clKIq0"; ## SECRET-DATA
}
login {
user Client-1 {
full-name Client-1;
uid 100;
class operator;
authentication {
/* NOTE(review): same as above - this hash is now public; rotate it. */
encrypted-password "$6$AiBhMSZj$1VnhLhiShhqjksEpP/4E.x3Ky4tGQogSZ/kD9reTOfnV/t081y4LGJ25Jw9sl1zTwKO0/3j3CGoOx1eY0SKps1"; ## SECRET-DATA
}
}
}
services {
ssh;
/* DHCP server bound to each VLAN sub-interface; pools are defined under [edit access address-assignment]. */
dhcp-local-server {
group WIRED {
interface ge-0/0/1.20;
}
group WLAN {
interface ge-0/0/1.10;
}
}
web-management {
/* NOTE(review): 'all' binds cleartext HTTP management to every interface, including
   the untrust-facing ge-0/0/0.0; restrict to fxp0.0 (and/or the trust sub-interfaces). */
http {
interface [ fxp0.0 all ];
}
/* NOTE(review): ge-0/0/0.0 is the internet-facing interface; exposing J-Web there is
   unnecessary for this lab and widens the management attack surface. */
https {
system-generated-certificate;
interface [ fxp0.0 ge-0/0/0.0 all ];
}
}
}
domain-name www.vsrx3.com;
name-server {
4.2.2.2;
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
security {
screen {
/* IDS screen profile attached to zone untrust below. */
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
nat {
source {
/* Interface-based source NAT for all trust->untrust traffic; the 0.0.0.0/0 match
   covers both 10.10.10.0/24 and 10.10.20.0/24, so NAT itself treats the VLANs alike. */
rule-set LAN-TO-WAN {
from zone trust;
to zone untrust;
rule LAN-TO-WAN {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
/* Intra-zone permit: this is why the wired hosts can reach the WLAN gateway 10.10.10.1. */
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
/* Wired VLAN: intended to be an open, unauthenticated permit.
   NOTE(review): 'dynamic-application any' is present here but NOT in WLAN-permit.
   Including dynamic-application makes this a unified (AppID-based) policy, so its
   behaviour depends on application identification rather than on the L3/L4 match
   alone; this asymmetry is the first thing to check for the wired-VLAN reachability
   problem - confirm whether it is needed, and compare a session-level trace for
   a wired ping against one for a WLAN ping. */
policy WIRED-permit {
match {
source-address WIRED;
destination-address any;
application any;
dynamic-application any;
/* NOTE(review): 'url-category any' implies a URL-filtering feature dependency;
   presumably unused in this lab - verify it is licensed/needed. */
url-category any;
}
then {
permit;
count;
}
}
/* WLAN VLAN: permit only after firewall pass-through authentication (access-profile WEBAUTH). */
policy WLAN-permit {
match {
source-address WIRELESS;
destination-address any;
application any;
url-category any;
}
then {
permit {
firewall-authentication {
pass-through {
access-profile WEBAUTH;
web-redirect;
web-redirect-to-https;
auth-only-browser;
}
}
}
count;
}
}
}
}
zones {
security-zone trust {
tcp-rst;
/* Zone-local address book; both ranges include the sub-interface gateway address itself. */
address-book {
address WIRED {
description "WIRED VLAN";
range-address 10.10.20.1 {
to {
10.10.20.254;
}
}
}
address WIRELESS {
description WIRELESS-VLAN;
range-address 10.10.10.1 {
to {
10.10.10.254;
}
}
}
}
/* 'all' already covers ping; the explicit 'ping' entry is redundant.
   Zone-wide 'all' for system-services and protocols is broad even for a lab. */
host-inbound-traffic {
system-services {
all;
ping;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.10 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
ge-0/0/1.20 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
/* NOTE(review): telnet, http and snmp are cleartext/weakly-authenticated management
   services opened on the internet-facing interface; none of them is required for
   the pass-through authentication scenario. Remove them unless deliberately needed. */
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
https;
ssh;
telnet;
snmp;
http;
}
}
}
}
}
}
}
interfaces {
/* Untrust / WAN side. */
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.0.200/24;
}
}
}
ge-0/0/1 {
vlan-tagging;
/* WLAN VLAN. The secondary address 10.10.10.2 carries the web-authentication listener. */
unit 10 {
vlan-id 10;
family inet {
address 10.10.10.1/24;
address 10.10.10.2/24 {
web-authentication {
http;
https;
redirect-to-https;
}
}
}
}
/* WIRED VLAN: no web-authentication address here, consistent with the intent of no auth. */
unit 20 {
vlan-id 20;
family inet {
address 10.10.20.1/24;
}
}
}
fxp0 {
unit 0;
}
}
access {
/* Local firewall-user profile referenced by WLAN-permit and by the pass-through defaults below. */
profile WEBAUTH {
client Client-1 {
client-group [ G1 G2 G3 ];
firewall-user {
/* NOTE(review): $9$ is a reversible obfuscation, not a hash, and this value is now public; change it. */
password "$9$iHPQCtOEhr"; ## SECRET-DATA
}
}
address-assignment {
pool WLAN;
}
session-options {
client-group [ G1 G2 G3 ];
}
}
address-assignment {
pool WLAN {
family inet {
network 10.10.10.0/24;
range WLAN-Clients {
low 10.10.10.10;
high 10.10.10.200;
}
dhcp-attributes {
name-server {
1.1.1.1;
4.2.2.2;
}
router {
10.10.10.1;
}
}
}
}
pool WIRED {
family inet {
network 10.10.20.0/24;
range WIRED-Clients {
low 10.10.20.10;
high 10.10.20.200;
}
dhcp-attributes {
name-server {
4.2.2.2;
1.1.1.1;
}
router {
10.10.20.1;
}
}
}
}
}
/* Global defaults used when a policy's firewall-authentication action does not name a profile. */
firewall-authentication {
pass-through {
default-profile WEBAUTH;
}
web-authentication {
default-profile WEBAUTH;
banner {
success "LOGIN SUCCESS";
}
}
}
}
routing-options {
/* Single default route out ge-0/0/0 toward the upstream gateway. */
static {
route 0.0.0.0/0 next-hop 192.168.0.1;
}
}
[edit]
root#