Enable captive portal using Web-Redirect-to-HTTPS for Unauthenticated and Unknown Users

I have been reviewing and searching some resources on how to enable the captive portal for non-domain users and unauthenticated users using web-redirect-to-https.
 
I'm using vSRX 19.4 for my testing. My vSRX and Windows Active Directory were successfully integrated.
Further, my vSRX is able to look up the LDAP event logs and can recognize the domain users and groups.
 
Below are my sample security policies:
A. from-zone HO-LAN to-zone untrust:
  1. domain-user1 is permitted to browse on facebook and not allowed to browse on youtube
  2. domain-user2 is permitted to browse on youtube and not allowed to browse on facebook
  3. all domain users are permitted to browse any URLs (web sites)
  4. permit non-domain users and unauthenticated users using captive portal authentication
B. Global Policy
  1. default-deny
 
Everything works until I try to enable a captive portal using web-redirect-to-https for non-domain users and unauthenticated users.

I can't successfully complete my objective by just reading the configuration guides from these TechLibrary pages.
 
2. Configure Integrated User Firewall -
 
3. Configure Captive Portal for Unauthenticated Browsers - https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-user-auth-configure-captive-portal-unauth-users.html

I hope somebody can read this and help me with how to enable a captive portal using web-redirect-to-https for non-domain users and unauthenticated users. I am sharing my sample topology and vSRX configuration for reference.
 
[edit]
mike@vsrx-ho# show services user-identification active-directory-access
domain juniperdemo.local {
    user {
        Administrator;
        password "$9$0HTqOESyrK8xdlKGiHkPf1RhcyKM8X"; ## SECRET-DATA
    }
    domain-controller WinSvr.juniperdemo.local {
        address 172.20.20.10;
    }
    ip-user-mapping {
        discovery-method {
            wmi;
        }
    }
    user-group-mapping {
        ldap {
            authentication-algorithm simple;
            base DC=juniperdemo,DC=local;
            user {
                Administrator;
                password "$9$2HgZDjiqfQnHqIcSyKvoJGUjqmfT"; ## SECRET-DATA
            }
        }
    }
}

[edit]
mike@vsrx-ho#
[edit]
mike@vsrx-ho# show access profile ldap-profile
authentication-order [ ldap password ];
address-assignment {
    pool LAN-DHCP-POOL;
}
ldap-options {
    base-distinguished-name DC=juniperdemo,DC=local;
    search {
        search-filter sAMAccountName=;
        admin-search {
            distinguished-name CN=Administrator,CN=Users,DC=juniperdemo,DC=local;
            password "$9$wxsoZGUi.fzDiOREhrl24aJGik.P"; ## SECRET-DATA
        }
    }
}
ldap-server {
    172.20.20.10 {
        port 389;
        retry 10;
        timeout 3;
    }
}
[edit]
mike@vsrx-ho# show security policies from-zone HO-LAN to-zone untrust
policy inet-policy-user1 {
    match {
        source-address HO-LAN;
        destination-address any;
        application any;
        source-identity "juniperdemo.local\domain-user1";
    }
    then {
        permit {
            application-services {
                idp;
                ssl-proxy {
                    profile-name ssl-forward-proxy;
                }
                utm-policy utm-domain-user1;
                security-intelligence-policy tp-poc-policy;
                advanced-anti-malware-policy tp-poc-policy;
            }
        }
        log {
            session-init;
            session-close;
        }
        count;
    }
}
policy inet-policy-user2 {
    match {
        source-address HO-LAN;
        destination-address any;
        application any;
        source-identity "juniperdemo.local\domain-user2";
    }
    then {
        permit {
            application-services {
                idp;
                ssl-proxy {
                    profile-name ssl-forward-proxy;
                }
                utm-policy utm-domain-user2;
                security-intelligence-policy tp-poc-policy;
                advanced-anti-malware-policy tp-poc-policy;
            }
        }
        log {
            session-init;
            session-close;
        }
        count;
    }
}
policy permit-all-domain-users {
    match {
        source-address HO-LAN;
        destination-address any;
        application any;
        source-identity "juniperdemo.local\users";
    }
    then {
        permit {
            application-services {
                idp;
                ssl-proxy {
                    profile-name ssl-forward-proxy;
                }
                security-intelligence-policy tp-poc-policy;
                advanced-anti-malware-policy tp-poc-policy;
            }
        }
        log {
            session-init;
            session-close;
        }
        count;
    }
}
policy permit-nd-users {
    match {
        source-address HO-LAN;
        destination-address any;
        application any;
        source-identity [ unauthenticated-user unknown-user ];
    }
    then {
        permit {
            firewall-authentication {
                user-firewall {
                    access-profile ldap-profile;
                    web-redirect-to-https;
                    auth-only-browser;
                    domain juniperdemo.local;
                }
            }
        }
        log {
            session-init;
            session-close;
        }
        count;
    }
}

[edit]
mike@vsrx-ho#
[edit]
mike@vsrx-ho# show security policies from-zone HO-LAN to-zone HO-SVR
policy HO-LAN-to-DC {
    match {
        source-address any;
        destination-address domain-controller;
        application any;
        dynamic-application any;
    }
    then {
        permit;
    }
}

[edit]
mike@vsrx-ho#
[edit]
mike@vsrx-ho# show security user-identification
authentication-source active-directory-authentication-table {
    priority 125;
}
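As an added illustration (not part of the original post or of Junos itself), the following Python model shows how the posted from-zone HO-LAN to-zone untrust policies are evaluated: the source IP is first resolved against the user-identification authentication table, then policies are tried top-down and the first source-identity match wins, with the global default-deny as the fallback. The authentication-table contents and IP addresses are constructed sample data; the "unknown-user" class from the post is listed but not modelled.

```python
# Added example: first-match policy lookup with source-identity resolution,
# modelled on the policies in the post. Auth-table entries are constructed.
from dataclasses import dataclass

UNAUTH = "unauthenticated-user"   # source IP has no entry in the auth table
UNKNOWN = "unknown-user"          # second identity class in the post; not modelled

@dataclass(frozen=True)
class Policy:
    name: str
    source_identity: frozenset     # identities (users/groups) the policy matches
    action: str                    # what the "then" clause does

# Same order as in the post. Order matters: the first matching policy wins.
POLICIES = [
    Policy("inet-policy-user1", frozenset({r"juniperdemo.local\domain-user1"}),
           "permit+utm-domain-user1"),
    Policy("inet-policy-user2", frozenset({r"juniperdemo.local\domain-user2"}),
           "permit+utm-domain-user2"),
    Policy("permit-all-domain-users", frozenset({r"juniperdemo.local\users"}),
           "permit"),
    Policy("permit-nd-users", frozenset({UNAUTH, UNKNOWN}),
           "captive-portal (web-redirect-to-https)"),
]
DEFAULT_DENY = ("default-deny", "deny")   # global policy from the post

# Constructed auth table: IP -> user identity plus group memberships learned via LDAP.
AUTH_TABLE = {
    "10.1.1.11": {r"juniperdemo.local\domain-user1", r"juniperdemo.local\users"},
    "10.1.1.12": {r"juniperdemo.local\domain-user2", r"juniperdemo.local\users"},
    "10.1.1.13": {r"juniperdemo.local\domain-user3", r"juniperdemo.local\users"},
}

def resolve_identity(src_ip, table=AUTH_TABLE):
    """Identities for src_ip; an IP with no auth-table entry is unauthenticated-user."""
    return set(table.get(src_ip, ())) or {UNAUTH}

def lookup(src_ip, policies=POLICIES, table=AUTH_TABLE):
    """Top-down, first-match policy lookup. Returns (policy name, action)."""
    ids = resolve_identity(src_ip, table)
    for policy in policies:
        if policy.source_identity & ids:
            return policy.name, policy.action
    return DEFAULT_DENY

if __name__ == "__main__":
    for ip in ("10.1.1.11", "10.1.1.13", "10.1.1.99"):
        print(ip, "->", lookup(ip))
```

Dropping the last policy (`POLICIES[:3]`) shows why it is needed: a source that is not in the authentication table then falls through to default-deny instead of being redirected to the portal.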
