Configuring Authentication For Firewall Rules - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual


Copyright © 2010, Juniper Networks, Inc.

Configuring Authentication for Firewall Rules

You can authenticate the identity of the user who is generating the network traffic. When
you enable authentication in the rule, the user must first authenticate by supplying a user
name and password in an initial, separate HTTP, FTP, or Telnet connection; only after that
does the rule's action apply to the user's subsequent traffic. If the user does not
authenticate over one of these services, or supplies incorrect credentials, the
authentication requirement of the rule is not met and the network traffic is denied.
(Typically, when you enable authentication, you also use the permit action, since
authentication is only useful as a condition on traffic you intend to allow.)
NOTE: You cannot enable authentication for a rule that includes the DNS/53 service
object.
Configuring Authentication
Authentication enables you to control which RAS users can connect to the protected
network and how they can connect. When you select an authentication server, you must
also configure the users that the authentication server authenticates.
Select the authentication mechanism:
- No Authentication: use this option to enable the specified RAS users to connect
  without authentication.
- Authentication: use for RAS users that connect to the protected network using the
  HTTP, FTP, or Telnet services. You can select an access profile as an authentication
  option from the Access Profile drop-down list box.
- Web Authentication: use for RAS users that connect to the protected network using
  HTTP.
- Infranet Authentication: use this option to enable the specified RAS users to connect
  using a Juniper Networks Infranet Controller.
An unauthenticated user trying to access a UAC-protected resource over HTTP is usually
redirected to the URL of an authenticating Infranet Controller (IC). The redirect URL is a
global parameter specified per controller. On devices running ScreenOS 6.2 or later, you
can additionally configure a redirect URL per policy, so that the traffic matching each
policy can be redirected to the URL appropriate for it.
If you define a policy-based redirect URL and enable redirect in the policy,
unauthenticated HTTP traffic matching the policy is redirected to the policy-based
redirect URL, even if a global redirect URL is also configured.
If you enable redirect in the policy but do not define a policy-based redirect URL,
unauthenticated HTTP traffic matching the policy is redirected to the global redirect
URL.
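The behaviour described above, as an added illustration that is not NSM or ScreenOS code: a small Python model of how a rule with authentication enabled disposes of traffic (challenge the initial HTTP/FTP/Telnet connection, permit once the source has authenticated, deny otherwise), of the DNS/53 restriction, and of the redirect URL precedence for Infranet authentication. The service names, addresses, URLs and user list are constructed for the example, and keying the authenticated state by source address is an assumption of the model.

```python
# Added model (not NSM or ScreenOS code) of a rule with authentication
# enabled, the DNS/53 restriction, and Infranet redirect URL precedence.
# Service names, addresses, URLs and the user list are constructed; keying
# the authenticated state by source IP is an assumption of this model.
import hmac
from dataclasses import dataclass, field
from typing import Optional, Set

# Services over which a user can supply credentials, per mechanism.
CHALLENGE_SERVICES = {
    "auth": {"http/80", "ftp/21", "telnet/23"},   # Authentication
    "webauth": {"http/80"},                       # Web Authentication
}

# Constructed local user store: user name -> password. Plain text only to
# keep the example short; a real store would hold a password hash.
USERS = {"alice": "s3cret", "bob": "hunter2"}


@dataclass
class Rule:
    rule_id: int
    services: Set[str]
    action: str = "permit"              # permit | deny
    auth: str = "none"                  # none | auth | webauth | infranet
    redirect_enabled: bool = False      # Infranet: redirect unauth HTTP
    redirect_url: Optional[str] = None  # policy-based redirect URL


@dataclass
class AuthTable:
    """Sources that completed the initial, separate auth connection."""
    authenticated: Set[str] = field(default_factory=set)


def validate_rule(rule: Rule) -> Optional[str]:
    """NSM restriction: no authentication on a rule that includes DNS/53.
    Returns an error message, or None when the rule is acceptable."""
    if rule.auth != "none" and "dns/53" in rule.services:
        return f"rule {rule.rule_id}: authentication cannot be enabled on a rule that includes DNS/53"
    return None


def authenticate(table: AuthTable, src_ip: str, user: str, password: str) -> bool:
    """Credential check performed in the initial HTTP/FTP/Telnet connection."""
    expected = USERS.get(user, "")
    # compare_digest runs even for an unknown user (against ""), so timing
    # does not reveal whether the user name exists; the membership test
    # then rejects unknown users that supplied an empty password.
    ok = hmac.compare_digest(expected, password) and user in USERS
    if ok:
        table.authenticated.add(src_ip)
    return ok


def redirect_target(rule: Rule, global_url: Optional[str]) -> Optional[str]:
    """Policy-based URL wins when defined, otherwise the global URL;
    None when redirect is not enabled in the policy."""
    if not rule.redirect_enabled:
        return None
    return rule.redirect_url or global_url


def evaluate(rule: Rule, src_ip: str, service: str, table: AuthTable,
             global_redirect_url: Optional[str] = None) -> str:
    """Disposition of a flow against `rule`: the rule action, 'challenge'
    (intercept the connection for credentials), 'redirect:<url>', or
    'deny' when the authentication requirement is not met."""
    if service not in rule.services:
        return "no-match"
    if rule.auth == "none" or src_ip in table.authenticated:
        return rule.action
    # Unauthenticated source on a rule that requires authentication.
    if rule.auth == "infranet":
        if service == "http/80":
            url = redirect_target(rule, global_redirect_url)
            if url:
                return f"redirect:{url}"
        return "deny"
    if service in CHALLENGE_SERVICES.get(rule.auth, set()):
        return "challenge"
    return "deny"


if __name__ == "__main__":
    rule = Rule(1, {"http/80", "ftp/21", "ssh/22"}, auth="auth")
    table = AuthTable()
    print(evaluate(rule, "10.0.0.5", "ssh/22", table))    # deny
    print(evaluate(rule, "10.0.0.5", "http/80", table))   # challenge
    authenticate(table, "10.0.0.5", "alice", "s3cret")
    print(evaluate(rule, "10.0.0.5", "ssh/22", table))    # permit
```

Note that an SSH flow from an unauthenticated source is simply denied, because SSH is not one of the services the user can authenticate over; the user has to open the separate HTTP, FTP or Telnet connection first, after which the same source is permitted.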
Configuring Users
RAS users are represented by user objects. Before you can authenticate a user in a firewall
rule, you must create a user object that defines the user name, user password, and the
authentication location (local or external). For Authentication and Web Authentication,
configure the users:
Chapter 9: Configuring Security Policies
455