vSRX

  • 1.  vSRX pass-through authentication for different vlans

    Posted 08-09-2020 01:06

    Hello,

     

    I'm trying to simulate pass-through authentication for different vlans on my vSRX. I've managed to apply pass-through authentication on a vlan simulating the wireless vlan subnet. However, on the second vlan, simulating wired, I want no pass-through authentication, and internet reachability should be open. I've separated the security policies under trust-to-untrust zones for WIRED & WIRELESS. The Wireless VLAN works as expected, i.e. it asks for authentication; however the Wired VLAN doesn't ping out to the internet. It is able to ping its default gateway 10.10.20.1 and the Wireless vlan gateway 10.10.10.1 (because the trust-to-trust policy allows that).

    Please can someone point out the mistake in configuration?

     

    Appreciate your support.

     

    root# run show configuration
    ## Last commit: 2020-08-09 07:36:03 UTC by root
    version 20200609.165031.6_builder.r1115480;
    ## NOTE(review): this is a full 'show configuration' pasted to a public forum. The two $6$
    ## password hashes and the $9$ firewall-user secret below should be treated as disclosed
    ## and rotated; redact '## SECRET-DATA' lines before sharing configs.
    system {
    root-authentication {
    ## NOTE(review): a published $6$ hash can be guessed offline; rotate after posting.
    encrypted-password "$6$mr8vHc28$cDObHnV2hYL7zS7XD8et/FWGOjFeuJtbJFpyNBiESLvR4xZlpYLvijo5icJbYt8NpVRS37dTsmKGuAD5clKIq0"; ## SECRET-DATA
    }
    login {
    ## Client-1 is both a CLI login (class operator) and the firewall-auth client under
    ## 'access profile WEBAUTH' below; the two credentials are configured separately.
    user Client-1 {
    full-name Client-1;
    uid 100;
    class operator;
    authentication {
    encrypted-password "$6$AiBhMSZj$1VnhLhiShhqjksEpP/4E.x3Ky4tGQogSZ/kD9reTOfnV/t081y4LGJ25Jw9sl1zTwKO0/3j3CGoOx1eY0SKps1"; ## SECRET-DATA
    }
    }
    }
    services {
    ## NOTE(review): ssh is enabled and root has a password; no 'root-login' restriction is
    ## visible here -- consider 'root-login deny' and a non-root admin user (confirm against
    ## the full config, this output may be trimmed).
    ssh;
    dhcp-local-server {
    group WIRED {
    interface ge-0/0/1.20;
    }
    group WLAN {
    interface ge-0/0/1.10;
    }
    }
    web-management {
    ## NOTE(review): J-Web is bound to 'all' interfaces, with http (cleartext) included, and
    ## https is also bound explicitly to ge-0/0/0.0, which is placed in zone untrust below.
    ## Management should normally be limited to fxp0.0 and/or the trust-side units.
    http {
    interface [ fxp0.0 all ];
    }
    https {
    ## The system-generated certificate is also what the web-redirect-to-https captive
    ## portal on the WLAN policy presents -- presumably self-signed; confirm client behaviour.
    system-generated-certificate;
    interface [ fxp0.0 ge-0/0/0.0 all ];
    }
    }
    }
    domain-name www.vsrx3.com;
    name-server {
    4.2.2.2;
    }
    syslog {
    user * {
    any emergency;
    }
    file messages {
    any any;
    authorization info;
    }
    file interactive-commands {
    interactive-commands any;
    }
    }
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    }
    security {
    screen {
    ## untrust-screen is applied only to zone untrust (see 'security-zone untrust' below).
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    queue-size 2000; ## Warning: 'queue-size' is deprecated
    timeout 20;
    }
    land;
    }
    }
    }
    nat {
    source {
    ## All trust->untrust traffic is interface-NATed behind ge-0/0/0.0 (192.168.0.200);
    ## the 0.0.0.0/0 match means no subnet is excluded -- the security policies, not NAT,
    ## decide which VLAN may reach untrust.
    rule-set LAN-TO-WAN {
    from zone trust;
    to zone untrust;
    rule LAN-TO-WAN {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    policies {
    ## Intra-zone trust traffic is fully open, so WIRED and WIRELESS hosts can reach each
    ## other and both gateways without authentication (as the poster observed).
    from-zone trust to-zone trust {
    policy default-permit {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone trust to-zone untrust {
    ## WIRED: permit with no firewall authentication.
    policy WIRED-permit {
    match {
    source-address WIRED;
    destination-address any;
    application any;
    ## NOTE(review): per the thread's accepted answer, this 'dynamic-application any'
    ## match is what stopped WIRED from reaching untrust; it depends on application
    ## identification being licensed and operational on the device. Removing it (and
    ## keeping 'application any') restored reachability. Also, unlike WLAN-permit, this
    ## policy has no 'url-category' dependency once dynamic-application is gone.
    dynamic-application any;
    url-category any;
    }
    then {
    permit;
    count;
    }
    }
    ## WIRELESS: permit only after pass-through web authentication against profile WEBAUTH.
    policy WLAN-permit {
    match {
    source-address WIRELESS;
    destination-address any;
    application any;
    url-category any;
    }
    then {
    permit {
    firewall-authentication {
    pass-through {
    access-profile WEBAUTH;
    ## Unauthenticated HTTP/HTTPS is redirected to the web-authentication address
    ## (10.10.10.2, configured under ge-0/0/1.10 below).
    web-redirect;
    web-redirect-to-https;
    auth-only-browser;
    }
    }
    }
    count;
    }
    }
    }
    }
    zones {
    security-zone trust {
    tcp-rst;
    address-book {
    ## NOTE(review): both ranges start at the gateway address (.1) itself while the DHCP
    ## pools hand out .10-.200; harmless, but the ranges could match the pools instead.
    address WIRED {
    description "WIRED VLAN";
    range-address 10.10.20.1 {
    to {
    10.10.20.254;
    }
    }
    }
    address WIRELESS {
    description WIRELESS-VLAN;
    range-address 10.10.10.1 {
    to {
    10.10.10.254;
    }
    }
    }
    }
    ## NOTE(review): 'all' already covers ping; more importantly it exposes every system
    ## service (including J-Web and ssh) to both VLANs, including WIRELESS hosts that have
    ## not yet authenticated. Listing only dhcp, ping and the web-authentication ports would
    ## be tighter -- verify what the captive portal needs before narrowing.
    host-inbound-traffic {
    system-services {
    all;
    ping;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-0/0/1.10 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    ge-0/0/1.20 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    security-zone untrust {
    screen untrust-screen;
    interfaces {
    ge-0/0/0.0 {
    ## NOTE(review): management services are reachable from the untrust side here:
    ## telnet and http are cleartext, and snmp is allowed although no snmp stanza appears
    ## in this output. For a lab it may be intentional; otherwise keep only ping (and ssh
    ## if remote management over this link is required) and rely on fxp0.0 for management.
    host-inbound-traffic {
    system-services {
    ping;
    https;
    ssh;
    telnet;
    snmp;
    http;
    }
    }
    }
    }
    }
    }
    }
    interfaces {
    ge-0/0/0 {
    ## Untrust/WAN side; default route below points at 192.168.0.1.
    unit 0 {
    family inet {
    address 192.168.0.200/24;
    }
    }
    }
    ge-0/0/1 {
    vlan-tagging;
    ## VLAN 10 = WIRELESS (10.10.10.0/24), VLAN 20 = WIRED (10.10.20.0/24).
    unit 10 {
    vlan-id 10;
    family inet {
    address 10.10.10.1/24;
    ## Secondary address hosting the web-authentication (captive portal) listener;
    ## http is enabled so the initial redirect can be caught, then sent to https.
    address 10.10.10.2/24 {
    web-authentication {
    http;
    https;
    redirect-to-https;
    }
    }
    }
    }
    unit 20 {
    vlan-id 20;
    family inet {
    address 10.10.20.1/24;
    }
    }
    }
    fxp0 {
    unit 0;
    }
    }
    access {
    ## Local firewall-auth profile used by both pass-through and web-authentication.
    profile WEBAUTH {
    client Client-1 {
    client-group [ G1 G2 G3 ];
    firewall-user {
    ## NOTE(review): a $9$ value is Junos reversible obfuscation, not a hash -- posting it
    ## is equivalent to posting the cleartext password; change this credential.
    password "$9$iHPQCtOEhr"; ## SECRET-DATA
    }
    }
    address-assignment {
    pool WLAN;
    }
    session-options {
    client-group [ G1 G2 G3 ];
    }
    }
    address-assignment {
    pool WLAN {
    family inet {
    network 10.10.10.0/24;
    range WLAN-Clients {
    low 10.10.10.10;
    high 10.10.10.200;
    }
    dhcp-attributes {
    name-server {
    1.1.1.1;
    4.2.2.2;
    }
    router {
    10.10.10.1;
    }
    }
    }
    }
    pool WIRED {
    family inet {
    network 10.10.20.0/24;
    range WIRED-Clients {
    low 10.10.20.10;
    high 10.10.20.200;
    }
    dhcp-attributes {
    name-server {
    4.2.2.2;
    1.1.1.1;
    }
    router {
    10.10.20.1;
    }
    }
    }
    }
    }
    firewall-authentication {
    ## Defaults used when a policy does not name an access-profile; WLAN-permit names
    ## WEBAUTH explicitly, so these only matter for other auth-enabled policies.
    pass-through {
    default-profile WEBAUTH;
    }
    web-authentication {
    default-profile WEBAUTH;
    banner {
    success "LOGIN SUCCESS";
    }
    }
    }
    }
    routing-options {
    static {
    route 0.0.0.0/0 next-hop 192.168.0.1;
    }
    }

    [edit]
    root#



  • 2.  RE: vSRX pass-through authentication for different vlans
    Best Answer

    Posted 08-09-2020 03:38

    Hello,

     

    Do you have a valid license for Application Identification on this device, and what is the status of Application Identification?

    Just for testing, could you please remove the "dynamic-application" statement from the policy below and run a ping test?

     

    from-zone trust to-zone untrust {
    policy WIRED-permit {
    match {
    source-address WIRED;
    destination-address any;
    application any;
    dynamic-application any; <<<<<<<<<<<<
    url-category any;
    }
    then {
    permit;
    count;
    }

     

    Regards,

    Prakash



  • 3.  RE: vSRX pass-through authentication for different vlans

    Posted 08-09-2020 04:49

    Hello Prakash,

     

    Thanks for your response and looking into this case.

     

    Again, thanks for your suggestion, which led to the resolution.

    When I went to set dynamic-application from any to none, the firewall gave an error that the service cannot be junos-default while dynamic-application is none. So I changed the service from junos-default to any, and reachability to the internet from the Wired LAN was successful 🙂

     

    Appreciate your support 🙂

    Regards

    Zeeshan