Hello Experts,
I'm stuck configuring web authentication on vSRX. I've searched the Juniper YouTube channel but can't find a tutorial on setting up web authentication for SRX, so I followed this video, which is for the older Junos 12: https://www.youtube.com/watch?v=HtO_qqTW2mY
The issue I face is that I'm not able to load the authentication page (the web-authentication address, 10.10.10.2 in the config below) in a web browser (Firefox or Chrome); see the attached image. Can you please advise where I've made a mistake? Also, is there any configuration that doesn't require the user to browse to the web-authentication address explicitly, but instead redirects them to the login page automatically and, once they are authenticated, lets the SRX pass them through to the site they originally requested?
Below is the config; I appreciate your support.
root# run show configuration
## Last commit: 2020-08-07 07:50:56 UTC by root
version 20200609.165031.6_builder.r1115480;
system {
    /* REVIEW(security): this listing was posted publicly, so the SHA-512 crypt hash below is public too -- change the root password. There is also no 'login' stanza, so root is the only account: add a named user in a login class and keep root off the network with 'set system services ssh root-login deny'. The 'version' line above shows a 2020-06-09 builder image rather than a numbered release, so behaviour may differ from the documentation. */
    root-authentication {
        encrypted-password "$6$mr8vHc28$cDObHnV2hYL7zS7XD8et/FWGOjFeuJtbJFpyNBiESLvR4xZlpYLvijo5icJbYt8NpVRS37dTsmKGuAD5clKIq0"; ## SECRET-DATA
    }
    services {
        /* REVIEW(security): ssh is also permitted inbound on the untrust interface (see security zones below); add 'root-login deny' and 'protocol-version v2' here and limit where it can be reached from. */
        ssh;
        dhcp-local-server {
            group WIRED {
                interface ge-0/0/1.20;
            }
            group WLAN {
                interface ge-0/0/1.10;
            }
        }
        /* REVIEW(web-auth): web authentication is served by this web-management daemon, and http is restricted to fxp0.0 here. It is worth testing whether that restriction keeps the http listener on the web-auth address 10.10.10.2 (interfaces ge-0/0/1.10) from starting: try 'http' with no interface list, then curl http://10.10.10.2 from a VLAN 10 host and check 'show log messages'. */
        web-management {
            http {
                interface fxp0.0;
            }
            /* REVIEW(security): ge-0/0/0.0 is the untrust (WAN) interface and the untrust zone allows https inbound, so J-Web is reachable from the WAN side with a self-signed certificate. Drop ge-0/0/0.0 from this list unless WAN-side management is really required, and prefer a CA-issued certificate ('pki-local-certificate') to 'system-generated-certificate' -- this self-signed cert is also what browsers see after the web-auth 'redirect-to-https'. */
            https {
                system-generated-certificate;
                interface [ fxp0.0 ge-0/0/0.0 ];
            }
        }
    }
    /* NOTE: only a domain name is set; there is no 'host-name'. */
    domain-name www.vsrx3.com;
    name-server {
        4.2.2.2;
    }
    syslog {
        user * {
            any emergency;
        }
        /* The 'authorization' facility covers authentication attempts; look in this file when a web-auth login fails. */
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    /* Deprecated per the commit warning on this line; remove it to keep the screen clean. */
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        /* Interface source NAT for everything leaving trust toward untrust (egress address 192.168.0.200). */
        source {
            rule-set LAN-TO-WAN {
                from zone trust;
                to zone untrust;
                rule LAN-TO-WAN {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* REVIEW: intra-zone policy -- VLAN 10 (ge-0/0/1.10) and VLAN 20 (ge-0/0/1.20) are both in zone trust, so this permits all traffic between them with no authentication. Confirm that is intended. */
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            /* REVIEW(web-auth): 'web-authentication' in a policy does not redirect anyone -- traffic from a not-yet-authenticated host that matches this policy is simply dropped until the user logs in at the web-auth address (10.10.10.2). For the automatic redirect asked about, Junos provides 'firewall-authentication pass-through web-redirect' (optionally with 'web-redirect-to-https'), which sends the browser to the web-auth page and then lets the original session through once the user has authenticated; confirm the knob exists on this builder image with '?' under 'then permit firewall-authentication pass-through'. */
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        firewall-authentication {
                            web-authentication {
                                client-match [ G1 G2 G3 ];
                            }
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            /* REVIEW(security): 'all' is what makes the web-auth listener reachable, but it also opens every other service on the trust side. Once web-auth works, narrow this to what the design uses -- 'web-authentication', 'dhcp', 'ping' and (if wanted) 'ssh'; the per-interface blocks below repeat the same 'all' and can go at the same time. */
            host-inbound-traffic {
                system-services {
                    all;
                    ping;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.10 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/1.20 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    /* REVIEW(security): this is the internet-facing interface. 'telnet' and 'snmp' are allowed inbound although neither service is configured under 'system services' and telnet is cleartext -- remove both. 'ssh' and 'https' here expose management (J-Web is bound to ge-0/0/0.0 under system services web-management) to the WAN; remove them, or at least restrict the sources, and manage the box from trust or fxp0 instead. */
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            telnet;
                            snmp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    /* Untrust/WAN side; the default route in routing-options points at 192.168.0.1 on this subnet. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.0.200/24;
            }
        }
    }
    /* REVIEW(web-auth): 802.1Q tagged sub-interfaces -- the hypervisor vSwitch/port group must pass VLAN tags 10 and 20 to this vNIC. If a client obtains a lease from the 10.10.10.10-10.10.10.200 pool, the VLAN 10 layer-2 path is fine and the problem is higher up. */
    ge-0/0/1 {
        vlan-tagging;
        unit 10 {
            vlan-id 10;
            family inet {
                address 10.10.10.1/24;
                /* REVIEW(web-auth): this secondary address is the web-auth login page (http://10.10.10.2). 'redirect-to-https' bounces the browser to https://10.10.10.2, which is served with the self-signed certificate from 'system services web-management https' ('system-generated-certificate'), so Firefox/Chrome will stop on a certificate warning that has to be clicked through -- a likely reason the page appears not to load. Drop 'redirect-to-https' and 'https' while testing, and re-enable them with a CA-issued certificate afterwards. */
                address 10.10.10.2/24 {
                    web-authentication {
                        http;
                        https;
                        redirect-to-https;
                    }
                }
            }
        }
        unit 20 {
            vlan-id 20;
            family inet {
                address 10.10.20.1/24;
            }
        }
    }
    /* Out-of-band management interface; it has no address configured although it is listed under 'system services web-management'. */
    fxp0 {
        unit 0;
    }
}
access {
    profile WEBAUTH {
        /* REVIEW(security): '$9$' is Junos reversible obfuscation, not a hash, so anyone reading this thread can recover the password -- change it now that it has been posted. A single client shared by groups G1-G3 also gives no per-user accountability; use one client per user, or an external server via 'authentication-order' (RADIUS/LDAP), before this leaves the lab. */
        client Client-1 {
            client-group [ G1 G2 G3 ];
            firewall-user {
                password "$9$iHPQCtOEhr"; ## SECRET-DATA
            }
        }
        session-options {
            client-group [ G1 G2 G3 ];
        }
    }
    /* DHCP pools served by 'system services dhcp-local-server' on ge-0/0/1.10 (WLAN) and ge-0/0/1.20 (WIRED); the 'router' attribute is the SRX sub-interface address in each VLAN. */
    address-assignment {
        pool WLAN {
            family inet {
                network 10.10.10.0/24;
                range WLAN-Clients {
                    low 10.10.10.10;
                    high 10.10.10.200;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                        4.2.2.2;
                    }
                    router {
                        10.10.10.1;
                    }
                }
            }
        }
        pool WIRED {
            family inet {
                network 10.10.20.0/24;
                range WIRED-Clients {
                    low 10.10.20.10;
                    high 10.10.20.200;
                }
                dhcp-attributes {
                    name-server {
                        4.2.2.2;
                        1.1.1.1;
                    }
                    router {
                        10.10.20.1;
                    }
                }
            }
        }
    }
    /* Web-auth login profile and success banner; the policy's 'client-match [ G1 G2 G3 ]' presumably resolves against the groups in this default profile -- no 'authentication-order' is set, so authentication is local. */
    firewall-authentication {
        web-authentication {
            default-profile WEBAUTH;
            banner {
                success "LOGIN SUCCESS";
            }
        }
    }
}
routing-options {
    /* Default route toward the untrust gateway 192.168.0.1 (on ge-0/0/0's 192.168.0.0/24); the VLAN 10/20 subnets are directly connected and need no static routes. */
    static {
        route 0.0.0.0/0 next-hop 192.168.0.1;
    }
}
[edit]
root#