20 Dec

Player Auth

Posted by Jason


Like most of the bigger players in the firewall market, Juniper/Netscreen ScreenOS-based firewalls allow you to use, enforce or require authentication for various purposes:

  • Admin login
  • Client VPN
  • Authentication to open a specific rule on the firewall

In a default configuration, ScreenOS uses a local user account database for all of the authentication types listed above. In real-life environments it is not uncommon for administrators to want their existing Active Directory infrastructure as the back-end authentication database, and to use additional features such as Active Directory group membership to be more specific about who is allowed access. ScreenOS offers two ways of accomplishing this: LDAP or Radius. In fact, where appliances support external authentication at all, it usually happens through LDAP and/or Radius. But not all implementations are the same, and they do not all offer the same functionality. For example, Nortel Contivity's LDAP support lets you specify an Active Directory bind account, so the device can read AD, read object attributes, and use those attributes to assign fixed IP addresses and so on. Although querying group membership over LDAP may seem trivial, on a lot of appliances this simple feature is either not available or does not work very well. When it comes to Netscreen, I have found that LDAP is not the way to go: you can use LDAP for authentication, but you won't be able to get granularity in terms of AD groups and tie specific policies to AD group membership. Radius, however, will do just fine, and the nice thing is that you can easily turn your Windows DC into a Radius server.

Before explaining how you can set this up, let’s define what we want to accomplish :

  1. Allow end-users to activate a firewall policy by authenticating to the netscreen firewall, using their AD username and password
  2. Allow administrators to specify who can authenticate to the firewall
  3. Allow administrators to create firewall policies and assign a certain AD group or certain AD groups to those policies, so only members of that group will be able to activate that specific rule (or set of rules)

One more note before getting started: Juniper supports different account types: Admin, Auth, XAuth, L2TP and 802.1x. Each of those types has specific features, so it is important to understand their use and limitations.


Since we want to use user groups, we'll need to use either local users or Radius. How will the Juniper know which AD group was used? We'll tell the Radius server to pass the name of the group back to the Juniper firewall, and we'll define an "external group" on the Juniper with exactly the same name. That external group can then be used in your policy, and Radius will take care of the authentication.

This configuration guide is based on the following setup:

  1. The management IP address on the LAN interface of the Juniper firewall is 1.1.1.2. The LAN interface of the firewall is 1.1.1.1.
  2. We'll enable Web Authentication on ethernet0/0 (LAN), on virtual IP 1.1.1.3, using SSL.
  3. The shared secret between the firewall and the Radius server is ThisIsATest. (This is a really bad shared secret. You should choose a longer and more complex shared secret in real life. Use at least 16 characters!)
  4. The Active Directory IAS server runs on 1.1.1.10.
  5. The Active Directory group that will be used is called "Remote Access Users". My domain is called "CORELAN", so the group in IAS will be "CORELAN\Remote Access Users".
  6. Put your AD users in that AD group.
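The mechanism above (IAS returns the group name in a Radius attribute, the firewall matches it against an external group of exactly the same name, and the shared secret keys the reply) as an added example; this is not code from the original article or from Juniper. It assumes the group name travels in the standard Filter-Id attribute (RFC 2865 type 11), which the article does not state, and constructs its own Access-Accept packet rather than using captured traffic.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code, RFC 2865
FILTER_ID = 11      # assumption: attribute carrying the group name (not stated on the page)

def build_access_accept(ident, request_auth, attrs, secret):
    """Constructed stand-in for the Access-Accept IAS would send back.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(packet, request_auth, secret):
    """What the firewall must check before trusting the reply: a reply keyed
    with a different secret, or for a different request, fails this test."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != ACCESS_ACCEPT:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet):
    """Walk the type/length/value attribute list that follows the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs

def authorized_groups(packet, request_auth, secret, external_groups):
    """External groups the policy would match: only if the authenticator checks
    out, and only on an exact, case-sensitive name match, as the article requires."""
    if not verify_response(packet, request_auth, secret):
        return []
    names = {v.decode("utf-8", "replace") for t, v in parse_attributes(packet) if t == FILTER_ID}
    return sorted(names & set(external_groups))

SECRET = b"ThisIsATest"          # the article's deliberately weak shared secret
REQ_AUTH = bytes(range(16))      # constructed Request Authenticator from the Access-Request
GROUP = "CORELAN\\Remote Access Users"
PACKET = build_access_accept(7, REQ_AUTH, [(FILTER_ID, GROUP.encode())], SECRET)

if __name__ == "__main__":
    print(authorized_groups(PACKET, REQ_AUTH, SECRET, [GROUP]))
```

Note that an external group named just "Remote Access Users" matches nothing here, which is the "exactly the same name" point from the article.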




About the Author:

The author currently works at a financial company in Jakarta.
He holds MCTS, CCNA, AIS and CSA certifications and has extensive experience as an IT engineer, IT consultant and project manager.

Article Source: ArticlesBase.com - Using Active Directory and IAS based Radius for Netscreen WebAuth authentication



