SRX Ad FW Authentication

This document contains Juniper SRX configuration commands for integrating an SRX firewall with an Active Directory domain for user authentication. It sets interfaces, security zones, routing, and firewall policies to allow traffic from a trusted zone to an untrusted zone for authenticated users. It also configures Active Directory integration using the domain controller IP and administrator credentials to authenticate users and map them to groups for permitted traffic rules.


! CMD command for Active Directory / Domain Controller
! command> dsquery user -name administrator
! edited CLI for SRX AD firewall authentication

set interfaces ge-0/0/0 unit 0 description M.TIK
set interfaces ge-0/0/0 unit 0 family inet address 172.16.50.2/24
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0

set interfaces ge-0/0/7 unit 0 description LAN
set interfaces ge-0/0/7 unit 0 family inet address 172.168.10.110/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/7.0

set interfaces lo0 unit 0 family inet address 172.168.10.11/32

set routing-options static route 0.0.0.0/0 next-hop 172.16.50.1

set services user-identification active-directory-access domain juniperlab.net user administrator
set services user-identification active-directory-access domain juniperlab.net user password "$9$2koZD.PQ9A0ikA0BIrl24aZGD"
set services user-identification active-directory-access domain juniperlab.net domain-controller juniperlab.net address 172.168.10.107
set services user-identification active-directory-access domain juniperlab.net user-group-mapping ldap base DC=juniperlab,DC=net

set access firewall-authentication web-authentication default-profile juniperlab-user

set access profile juniperlab-user authentication-order ldap
set access profile juniperlab-user ldap-options base-distinguished-name DC=juniperlab,DC=net
set access profile juniperlab-user ldap-options search search-filter sAMAccountName=
set access profile juniperlab-user ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=juniperlab,DC=net
set access profile juniperlab-user ldap-options search admin-search password "$9$U6iqPFnCBIc5QIcylLXUjHq.P"
set access profile juniperlab-user ldap-server 172.168.10.107

set security policies from-zone trust to-zone untrust policy T2U match source-address any
set security policies from-zone trust to-zone untrust policy T2U match destination-address any
set security policies from-zone trust to-zone untrust policy T2U match application any
set security policies from-zone trust to-zone untrust policy T2U match source-identity "juniperlab.net\ftpgrp"
set security policies from-zone trust to-zone untrust policy T2U then permit

set security policies from-zone trust to-zone untrust policy internet-req match source-address any
set security policies from-zone trust to-zone untrust policy internet-req match destination-address any
set security policies from-zone trust to-zone untrust policy internet-req match application any
set security policies from-zone trust to-zone untrust policy internet-req match source-identity unknown-user
set security policies from-zone trust to-zone untrust policy internet-req match source-identity unauthenticated-user
set security policies from-zone trust to-zone untrust policy internet-req then permit firewall-authentication user-firewall access-profile juniperlab-user
set security policies from-zone trust to-zone untrust policy internet-req then permit firewall-authentication user-firewall domain juniperlab.net

set security policies from-zone trust to-zone trust policy T2T match source-address any
set security policies from-zone trust to-zone trust policy T2T match destination-address any
set security policies from-zone trust to-zone trust policy T2T match application any
set security policies from-zone trust to-zone trust policy T2T then permit
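The policies above only work as a set: the group policy T2U, the catch-all internet-req policy that sends unknown-user and unauthenticated-user traffic through web authentication, the access profile it names, and the active-directory-access domain it names all have to agree, and Junos evaluates policies in a zone pair in the order they are configured, so a wide-open policy placed ahead of them would silently shadow them. The following checker is an added example, not part of the original document or of Junos: it parses the page's set commands (reproduced here as a constructed sample, with the page's own names and addresses) and reports the inconsistencies a reviewer would look for before committing such a configuration. The rule set, the function names and the finding texts are this example's own assumptions.

```python
"""Added example (not from the original document): a consistency checker for
a Junos SRX user-firewall configuration supplied as 'set ...' lines. It flags
a policy that matches unknown-user / unauthenticated-user but permits without
firewall-authentication, a referenced access profile or AD domain that is not
configured, a profile without ldap-server, and a wide-open any/any policy that
shadows every later policy in the same zone pair (Junos is first-match)."""
import shlex
from collections import OrderedDict

UNAUTH_IDENTITIES = {"unknown-user", "unauthenticated-user"}

# Constructed sample: the user-firewall part of the page's configuration.
SAMPLE_CONFIG = r"""
set services user-identification active-directory-access domain juniperlab.net user administrator
set services user-identification active-directory-access domain juniperlab.net domain-controller juniperlab.net address 172.168.10.107
set access profile juniperlab-user authentication-order ldap
set access profile juniperlab-user ldap-server 172.168.10.107
set security policies from-zone trust to-zone untrust policy T2U match source-address any
set security policies from-zone trust to-zone untrust policy T2U match destination-address any
set security policies from-zone trust to-zone untrust policy T2U match application any
set security policies from-zone trust to-zone untrust policy T2U match source-identity "juniperlab.net\ftpgrp"
set security policies from-zone trust to-zone untrust policy T2U then permit
set security policies from-zone trust to-zone untrust policy internet-req match source-address any
set security policies from-zone trust to-zone untrust policy internet-req match destination-address any
set security policies from-zone trust to-zone untrust policy internet-req match application any
set security policies from-zone trust to-zone untrust policy internet-req match source-identity unknown-user
set security policies from-zone trust to-zone untrust policy internet-req match source-identity unauthenticated-user
set security policies from-zone trust to-zone untrust policy internet-req then permit firewall-authentication user-firewall access-profile juniperlab-user
set security policies from-zone trust to-zone untrust policy internet-req then permit firewall-authentication user-firewall domain juniperlab.net
"""


def parse_set_lines(text):
    """Tokenise every 'set ...' line; blanks and '!'/'#' comment lines are skipped.
    shlex keeps a quoted value (the group name with its backslash) as one token."""
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "#")):
            continue
        tokens = shlex.split(line)
        if tokens and tokens[0] == "set":
            cmds.append(tokens[1:])
    return cmds


def _after(tokens, keyword):
    """Token following the first occurrence of keyword, or None."""
    try:
        return tokens[tokens.index(keyword) + 1]
    except (ValueError, IndexError):
        return None


def extract_policies(cmds):
    """Group policy statements by (from-zone, to-zone, name) in first-seen order,
    which is the order Junos evaluates them within a zone pair."""
    policies = OrderedDict()
    for t in cmds:
        if t[:2] != ["security", "policies"] or "policy" not in t:
            continue
        key = (_after(t, "from-zone"), _after(t, "to-zone"), _after(t, "policy"))
        pol = policies.setdefault(
            key, {"identities": [], "match": {}, "auth": False, "profile": None, "domain": None})
        rest = t[t.index("policy") + 2:]  # the statement after the policy name
        if rest[:1] == ["match"] and len(rest) >= 3:
            if rest[1] == "source-identity":
                pol["identities"].append(rest[2])
            else:
                pol["match"][rest[1]] = rest[2]
        elif rest[:1] == ["then"] and "firewall-authentication" in rest:
            pol["auth"] = True
            pol["profile"] = _after(rest, "access-profile") or pol["profile"]
            pol["domain"] = _after(rest, "domain") or pol["domain"]
    return policies


def check_user_firewall(text):
    """Return a list of findings; an empty list means the policies, access
    profile and AD domain are consistent with each other."""
    cmds = parse_set_lines(text)
    profiles, domains = {}, set()
    for t in cmds:
        if t[:2] == ["access", "profile"] and len(t) > 3:
            profiles.setdefault(t[2], set()).add(t[3])
        if t[:4] == ["services", "user-identification", "active-directory-access", "domain"] and len(t) > 4:
            domains.add(t[4])
    findings, shadow = [], {}  # shadow: zone pair -> name of the any/any policy
    for (frm, to, name), pol in extract_policies(cmds).items():
        where = f"policy {name} ({frm}->{to})"
        if (frm, to) in shadow:
            findings.append(f"{where}: unreachable, shadowed by earlier any/any policy {shadow[(frm, to)]}")
            continue
        if set(pol["identities"]) & UNAUTH_IDENTITIES and not pol["auth"]:
            findings.append(f"{where}: matches {', '.join(pol['identities'])} "
                            "but permits without firewall-authentication")
        if pol["auth"]:
            if pol["profile"] not in profiles:
                findings.append(f"{where}: access-profile {pol['profile']!r} is not defined")
            elif "ldap-server" not in profiles[pol["profile"]]:
                findings.append(f"{where}: access-profile {pol['profile']} has no ldap-server")
            if pol["domain"] not in domains:
                findings.append(f"{where}: user-firewall domain {pol['domain']!r} has no active-directory-access domain")
        wide_open = all(pol["match"].get(k) == "any"
                        for k in ("source-address", "destination-address", "application"))
        if wide_open and not pol["identities"]:
            shadow[(frm, to)] = name
    return findings


# Constructed negative cases: the auth policy reduced to a bare permit, and an
# any/any policy placed ahead of the identity-aware ones.
NO_AUTH_CONFIG = "\n".join(
    l for l in SAMPLE_CONFIG.splitlines() if "firewall-authentication user-firewall" not in l
) + "\nset security policies from-zone trust to-zone untrust policy internet-req then permit\n"
SHADOWED_CONFIG = "\n".join(
    f"set security policies from-zone trust to-zone untrust policy catch-all {stmt}"
    for stmt in ("match source-address any", "match destination-address any",
                 "match application any", "then permit")) + "\n" + SAMPLE_CONFIG

if __name__ == "__main__":
    for label, cfg in (("page config", SAMPLE_CONFIG), ("no auth", NO_AUTH_CONFIG), ("shadowed", SHADOWED_CONFIG)):
        print(label, "->", check_user_firewall(cfg) or "OK")
```

Run against the page's configuration the checker returns no findings; against the two constructed variants it reports the bare permit on internet-req and the two policies shadowed by the any/any catch-all. Pasting the output of `show configuration | display set` from a real SRX into `check_user_firewall` gives the same review for a live device.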

REQUIREMENTS
Domain-controller URL (the AD domain name, juniperlab.net above): used by the user-identification service
Domain-controller IP: used by the user-identification service and by the access profile (ldap-server)
AD administrator password: used by the user-identification service and by the access profile (type the cleartext yourself at the CLI; Junos stores it in the $9$ form shown above)
Result of the command below, run on the AD server: used by the user-identification service and by the access profile (the admin-search distinguished-name)
Open CMD and type: dsquery user -name administrator
AD user-group names: used in the access profile and in the policy that allows group traffic out through the FW
