Reposted from: https://srxasa.wordpress.com/2011/12/11/junos-srx-firewal-web-authentication/
JunOS SRX firewall Web authentication
With Junos SRX web authentication, a client that wants to reach the public network must first authenticate against an authentication address on the SRX; only after authentication succeeds is it allowed out to the external network.
The topology diagram is as follows:
1. Enable web-authentication on the interface
fe-0/0/1 {
    unit 0 {
        family inet {
            address 192.168.80.10/24;
            address 192.168.80.11/24 {
                web-authentication http;
            }
        }
    }
}
Note: a second address in the same subnet must be added specifically as the HTTP authentication IP. Do not reuse the existing interface address; otherwise the commit fails with:
Web-authentication address 192.168.1.1/24 is not within the subnet of any address on this interface
error: configuration check-out failed
2. Create an access profile
profile webauth {
    client auth {
        firewall-user {
            password "$9$c/UlWx-VY2aUdVHqmPQzEcS"; ## SECRET-DATA
        }
    }
}
(This creates the username and password used for authentication.)
firewall-authentication {
    web-authentication {
        default-profile webauth;
        banner {
            success heelo;
        }
    }
}
(This defines the banner shown on authentication success or failure.)
3. Enable authentication in the security policy
srx# show security policies
from-zone trust to-zone untrust {
    policy trust-to-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                firewall-authentication {
                    web-authentication;
                }
            }
        }
    }
}
4. Is that enough to make it work? Not yet. When I first set this up I got stuck here and went through a lot of material before it worked: the HTTP web-management service must also be enabled on the SRX interface. Be sure not to miss this.
services {
    web-management {
        http {
            interface [ vlan.0 fe-0/0/1.0 ];
        }
    }
}
Now it works.
Enter the username and password and authentication succeeds.
Take a look at the authentication table:
srx@srx100h# run show security firewall-authentication users
Firewall authentication data:
Total users in table: 1
Id Source Ip Src zone Dst zone Profile Age Status User
1 192.168.80.221 N/A N/A web-auth 0 Success auth
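The pitfall from step 1 (the web-authentication address must be an extra address that sits inside the subnet of another address on the same interface) can be checked before committing. The following is an added example, not code from the original post or from Juniper; it assumes the step-1 configuration snippet as constructed sample input and reproduces the two conditions the post describes.

```python
import ipaddress
import re

# Constructed sample: the step-1 interface configuration from this post.
SAMPLE_CONFIG = """
fe-0/0/1 {
    unit 0 {
        family inet {
            address 192.168.80.10/24;
            address 192.168.80.11/24 {
                web-authentication http;
            }
        }
    }
}
"""
# Matches "address X;" (plain) or "address X {" (opens a sub-block).
ADDR_RE = re.compile(r"address\s+(\S+?)\s*([;{])")

def parse_inet_addresses(config_text):
    """Return (all_addresses, web_auth_addresses) found in the config text."""
    addresses, web_auth = [], []
    for m in ADDR_RE.finditer(config_text):
        addr, opener = m.group(1), m.group(2)
        addresses.append(addr)
        if opener == "{":
            # Look inside the address sub-block for the web-authentication knob.
            rest = config_text[m.end():]
            if "web-authentication" in rest[: rest.find("}")]:
                web_auth.append(addr)
    return addresses, web_auth

def check_web_auth_address(addresses, web_auth):
    """Return (ok, reason) for one web-authentication address.

    The address must not be the only one on the interface, and it must fall
    within the subnet of another address there (otherwise commit fails).
    """
    wa = ipaddress.ip_interface(web_auth)
    others = [ipaddress.ip_interface(a) for a in addresses if a != web_auth]
    if not others:
        return False, f"{web_auth} is the only address; add a dedicated web-auth address"
    if not any(wa.ip in o.network for o in others):
        return False, (f"Web-authentication address {web_auth} is not within "
                       "the subnet of any address on this interface")
    return True, f"{web_auth} is usable for web-authentication http"

def validate_config(config_text):
    """Check every web-authentication address in the given interface config."""
    addrs, web_auth = parse_inet_addresses(config_text)
    return [(a, *check_web_auth_address(addrs, a)) for a in web_auth]
```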
This article is original work by 旋风; please credit the source when reposting. Thank you.