Which type of user authentication is configured?

A user wants to establish an HTTP session to a server behind an SRX device but is being pointed to a Web page on the SRX device for additional authentication. Which type of user authentication is configured?


A. pass-through with Web redirect

B. WebAuth with HTTP redirect

C. WebAuth

D. pass-through





朱大力

Maybe it is D

Aintechco

Ans: D

Pass-Through Authentication
Two types of firewall user authentication are available—pass-through or Web authentication. Pass-through
authentication must first be triggered by Telnet, FTP, and Hypertext Transfer Protocol (HTTP) traffic. In this type of
firewall authentication, the user initiates a session to a remote network device or resource. If traffic matches the
security policy configured for pass-through authentication, the SRX Series Services Gateway intercepts the session.
The user receives a prompt for a username and password. If the authentication is successful, subsequent traffic
from the same source IP address is automatically allowed to pass through the device, provided it matches the
applied security policy.

lhhd

What about web redirect?

Apollo

So what is right?
+ policy auth {
+ then {
+ permit {
+ firewall-authentication {
+ pass-through {
+ access-profile prof1;
+ web-redirect;
+ }
+ }
+ }
+ }
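Review bot: the braces in this fragment do not balance. Five blocks are opened (policy auth, then, permit, firewall-authentication, pass-through) but only four are closed, so the closing brace for policy auth is missing. Every line is marked as added and no match block appears, so the fragment as posted does not show which traffic the policy applies to; include the match clause when quoting the change.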
Is it then A?

w3pgrrrrr

THE CORRECT ANSWER IS “D” passthrough
+1 Aintechno

What he has published is directly from the jncis-sec study guide
The SRX only allows PASS-THROUGH or WEB-AUTH

In other words, there are no “http redirect” or “web redirect” supported.

Pass through must first be triggered by telnet, ftp, http. The SRX intercepts the login, grabs it from you, and authenticates to the server. If the server you’re trying to access says “OK” to your password, SRX lets traffic flow

Web auth is different. With web auth you first have to login to the srx “http://yourCorpSrx.com” and authenticate
Once you’ve authenticated, you can access whatever service/site you need (and you will still have to authenticate again to THOSE services)

Make sense?

w3pgrrrrr

Just want to make sure I am 100% clear here

Pass through, SRX is intercepting login request from remote server
Web Auth, SRX requires you to login into it FIRST… THEN you can access other sites/ftps/etc

w3pgrrrrr

whoa.. wish I could edit my replies =)

“Directly accessing the device through a browser before gaining access to a remote resource is burdensome. To alleviate this burden, the Junos OS allows Web redirection. The graphic illustrates the configuration of Web
redirection. With Web redirection enabled, the device responds to the user device with an HTTP redirect message, which tells the user device to use HTTP to access the Junos security platform at a particular address. The Junos OS
uses the address of the interface on which the initial user request was received. You must enable Web authentication for this interface and for the system itself, just as you would for standard Web authentication.”

then{
permit{
firewall-authentication{

w3pgrrrrr

Dear lord this question is confusing
whoa.. wish I could edit my replies =)

Let’s start with the easiest answer to eliminate, “C. WebAuth”
From JNCIS-SEC study guide,
“Web authentication is valid for all types of traffic. With Web authentication configured, users must first directly
access the Junos security platform using HTTP. The user enters the address or hostname of the device into a Web
browser and then receives a prompt for a username and password”

So we can safely say this isn’t happening. The user is trying to go to http://www.site.com, not http://MyCorpSrx.com

—————–
Now let’s take a look at the second easiest to eliminate “D. pass-through”
from the JNCIS-SEC study guide,
“If traffic matches the security policy configured for pass-through authentication, the SRX Series Services Gateway intercepts the session.
The user receives a prompt for a username and password.”
What does the user receive? Not a webpage, the user receives A PROMPT.
So this is an incorrect answer.

——————-
Now let’s take a look at our final two answers
“A. pass-through with Web redirect”
and
“B. WebAuth with HTTP redirect”

This is very simple deduction.
From the study guide, “With Web authentication configured, users must first directly access the Junos security platform using HTTP.”

So that is to say that there is never a case when WebAuth can be configured with HTTP redirect. It is impossible! If you have enabled WebAuth on the SRX it is going to intercept requests for ANY TYPE OF TRAFFIC and ask for authentication first.

So the answer must be “A”.
Please see the below output from my SRX device to further prove that “A” is the correct answer. I apologize for my hasty answer above. I am not 100% sure the answer is correctly “A”

Please post back if you have any questions and I will answer them.

{primary:node1}[edit security policies from-zone trust to-zone untrust policy authTest]
root@moneypenny02# show
match {
    source-address any;
    destination-address any;
    application any;
}
then {
    permit;
}

Now my options for PASS THROUGH firewall-authentication (you can clearly see web-redirect)
{primary:node0}[edit security policies from-zone trust to-zone untrust policy authTest then]
root@moneypenny02# set permit firewall-authentication pass-through ?
Possible completions:
  <[Enter]>            Execute this command
  access-profile       Specify access profile name
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don’t inherit configuration data from these groups
  client-match         Name of user or group to match
  web-redirect         Redirect unauthenticated HTTP requests to the device’s internal web server

Now my options for WEB-AUTHENTICATION (clearly no option for web-redirect)
{primary:node1}[edit security policies from-zone trust to-zone untrust policy authTest then]
root@moneypenny02# set permit firewall-authentication web-authentication ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don’t inherit configuration data from these groups
  client-match         Name of user or group to match

WOW! WHAT A TEST QUESTION!!!!
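Added example, not part of any commenter's post and not Juniper code: a small Python audit that reads policy stanzas in the curly-brace form quoted in this thread and names which firewall-authentication mode each one configures. The sample configuration, the policy names, and the helper names `parse`, `auth_type` and `classify` are constructed for illustration.

```python
import re

# Constructed sample in Junos curly-brace syntax; policy and profile names are made up.
SAMPLE = """
policy auth-redirect {
    then { permit { firewall-authentication { pass-through {
        access-profile prof1; web-redirect;
    } } } }
}
policy auth-prompt {
    then { permit { firewall-authentication { pass-through { access-profile prof1; } } } }
}
policy auth-web { then { permit { firewall-authentication { web-authentication; } } } }
policy open { then { permit; } }
"""

def parse(text):
    """Turn 'name { ... }' blocks and 'leaf;' statements into nested dicts."""
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    pos = 0
    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                return node
            if tok in ("{", ";"):
                # '{' opens a child block, ';' ends a leaf statement
                node[" ".join(words)] = block() if tok == "{" else True
                words = []
            else:
                words.append(tok)
        return node
    return block()

def auth_type(policy):
    """Name the firewall authentication mode selected under 'then permit'."""
    permit = policy.get("then", {}).get("permit")
    fw = permit.get("firewall-authentication") if isinstance(permit, dict) else None
    if not isinstance(fw, dict):
        return "none"
    if "web-authentication" in fw:
        return "web-authentication"
    pt = fw.get("pass-through")
    if pt is None:
        return "none"
    redirect = isinstance(pt, dict) and "web-redirect" in pt
    return "pass-through with web-redirect" if redirect else "pass-through"

def classify(text):
    """Map each policy name to its authentication mode."""
    return {k.split()[1]: auth_type(v) for k, v in parse(text).items()
            if k.startswith("policy ") and isinstance(v, dict)}
```

`classify(SAMPLE)` labels the four constructed policies; only the stanza with `web-redirect` under `pass-through` is reported as pass-through with web-redirect.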

w3pgrrrrr

dear admin can you delete my first 3 posts and leave the final long one?
It is the best explanation

Also if possible please change,
“I am not 100% sure the answer is correctly “A””
it is supposed to read
“I am NOW 100% sure the answer is correctly “A””

w3pgrrrrr

and maybe for the pursuit of knowledge you can include this juniper explanation,

“In pass-through authentication, the user attempts to access the remote network resource directly, and the Junos security
platform intercepts the session to perform firewall authentication, while buffering the session. The buffered session is released
as long as authentication is successful. In Web authentication, the user must first access an IP address belonging to the Junos
security device using a Web browser; the authentication is performed using this HTTP session. The user can then proceed to
access the remote network resource as long as authentication is successful. FTP, Telnet, and HTTP traffic trigger pass-through
authentication, while an HTTP session must trigger Web authentication.”