Part 2:
show services user-identification active-directory-access domain-controller status
show services user-identification authentication-table authentication-source all
show services user-identification device-information table all
show services user-identification active-directory-access statistics ip-user-mapping
lab@vSRX-1> show configuration services user-identification | display set
set services user-identification active-directory-access domain juniper.net user administrator
set services user-identification active-directory-access domain juniper.net user password "$9$tIX5pBEcSeMWxEhVwg4ZGUDiHm5Qz6CA0"
set services user-identification active-directory-access domain juniper.net domain-controller DC1 address 172.16.1.253
set services user-identification active-directory-access domain juniper.net ip-user-mapping discovery-method wmi event-log-scanning-interval 10
set services user-identification active-directory-access domain juniper.net ip-user-mapping discovery-method wmi initial-event-log-timespan 1
set services user-identification active-directory-access domain juniper.net user-group-mapping ldap authentication-algorithm simple
set services user-identification active-directory-access domain juniper.net user-group-mapping ldap base DC=juniper,DC=net
set services user-identification active-directory-access authentication-entry-timeout 30
set services user-identification active-directory-access wmi-timeout 10
Part 3:
SD: Configure / Firewall Policy / Policies workspace.
>> Create a FW Policy / security policy
>> Add Rule to policy
lab@vSRX-1> show configuration security policies | display set
set security policies from-zone Trust to-zone Server policy UserFW match source-address any
set security policies from-zone Trust to-zone Server policy UserFW match destination-address any
set security policies from-zone Trust to-zone Server policy UserFW match application any
set security policies from-zone Trust to-zone Server policy UserFW match source-identity authenticated-user
set security policies from-zone Trust to-zone Server policy UserFW then permit
!!! Hidden command:
clear services user-identification active-directory-access active-directory-authentication-table
show services user-identification active-directory-access active-directory-authentication-table all
jim/lab123@Lab
Part 4:
SD: Configure / User Firewall Management / Access Profile workspace.
>> Create an Access profile
set access profile AD-Profile authentication-order ldap
set access profile AD-Profile authentication-order password
set access profile AD-Profile ldap-options base-distinguished-name CN=Users,DC=juniper,DC=net
set access profile AD-Profile ldap-options search search-filter sAMAccountName=
set access profile AD-Profile ldap-options search admin-search distinguished-name CN=administrator,CN=Users,DC=juniper,DC=net
set access profile AD-Profile ldap-options search admin-search password lab123@Lab
set access profile AD-Profile ldap-server 172.15.1.253 port 389
Same but from the vSRX:
lab@vSRX-1> show configuration access | display set
set access profile AD-Profile authentication-order ldap
set access profile AD-Profile authentication-order password
set access profile AD-Profile ldap-options base-distinguished-name CN=Users,DC=juniper,DC=net
set access profile AD-Profile ldap-options search search-filter sAMAccountName=
set access profile AD-Profile ldap-options search admin-search distinguished-name CN=administrator,CN=Users,DC=juniper,DC=net
set access profile AD-Profile ldap-options search admin-search password "$9$Ef0hrvW87dVYvMaZji.mPfTQn9AtOIRS"
set access profile AD-Profile ldap-server 172.15.1.253 port 389
Part 5:
SD: Configure / Firewall Policy / Policies workspace.
>> Add a rule to the policy
Pushed by the Security Director:
set security policies from-zone Trust to-zone Server policy userFW-unauth match application any
set security policies from-zone Trust to-zone Server policy userFW-unauth match destination-address any
set security policies from-zone Trust to-zone Server policy userFW-unauth match source-address any
set security policies from-zone Trust to-zone Server policy userFW-unauth match source-identity unauthenticated-user
set security policies from-zone Trust to-zone Server policy userFW-unauth match source-identity unknown-user
set security policies from-zone Trust to-zone Server policy userFW-unauth then permit firewall-authentication user-firewall access-profile AD-Profile
set security policies from-zone Trust to-zone Server policy userFW-unauth then permit firewall-authentication user-firewall domain juniper.net
lab@vSRX-1> show configuration security policies | display set
set security policies from-zone Trust to-zone Server policy UserFW match source-address any
set security policies from-zone Trust to-zone Server policy UserFW match destination-address any
set security policies from-zone Trust to-zone Server policy UserFW match application any
set security policies from-zone Trust to-zone Server policy UserFW match source-identity authenticated-user
set security policies from-zone Trust to-zone Server policy UserFW then permit
set security policies from-zone Trust to-zone Server policy userFW-unauth match source-address any
set security policies from-zone Trust to-zone Server policy userFW-unauth match destination-address any
set security policies from-zone Trust to-zone Server policy userFW-unauth match application any
set security policies from-zone Trust to-zone Server policy userFW-unauth match source-identity unauthenticated-user
set security policies from-zone Trust to-zone Server policy userFW-unauth match source-identity unknown-user
set security policies from-zone Trust to-zone Server policy userFW-unauth then permit firewall-authentication user-firewall access-profile AD-Profile
set security policies from-zone Trust to-zone Server policy userFW-unauth then permit firewall-authentication user-firewall domain juniper.net
lab / lab123
jum / lab123 ( domain: juniper )
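An added sanity checker (not part of this lab or of any Juniper tool) that parses the 'display set' lines above and flags what a reviewer would want to see before pushing this policy: an unauthenticated-user/unknown-user rule that permits without the captive-portal action, an LDAP bind password sitting in cleartext in the dump, and LDAP on port 389 where the simple bind crosses the wire in cleartext. The regex patterns and the sample text are my own construction from the lines on this page.

```python
import re
from collections import OrderedDict

# Constructed sample: the relevant 'display set' lines from this lab, as shown above.
SAMPLE_CONFIG = """
set security policies from-zone Trust to-zone Server policy UserFW match source-identity authenticated-user
set security policies from-zone Trust to-zone Server policy UserFW then permit
set security policies from-zone Trust to-zone Server policy userFW-unauth match source-identity unauthenticated-user
set security policies from-zone Trust to-zone Server policy userFW-unauth match source-identity unknown-user
set security policies from-zone Trust to-zone Server policy userFW-unauth then permit firewall-authentication user-firewall access-profile AD-Profile
set access profile AD-Profile ldap-options search admin-search password lab123@Lab
set access profile AD-Profile ldap-server 172.15.1.253 port 389
"""

POLICY_RE = re.compile(r"^set security policies from-zone \S+ to-zone \S+ policy (\S+) (.+)$")
PROFILE_RE = re.compile(r"^set access profile (\S+) (.+)$")

def parse_policies(text):
    """Group policy clauses by policy name, in configuration (= evaluation) order."""
    policies = OrderedDict()
    for line in text.strip().splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies.setdefault(m.group(1), []).append(m.group(2))
    return policies

def check_config(text):
    """Return a list of findings (strings); an empty list means all checks passed."""
    findings = []
    for name, clauses in parse_policies(text).items():
        idents = {c.split()[-1] for c in clauses if c.startswith("match source-identity ")}
        actions = [c for c in clauses if c.startswith("then ")]
        # Flows from unknown/unauthenticated sources must hit the captive portal
        # (firewall-authentication user-firewall), not a plain permit.
        if idents & {"unauthenticated-user", "unknown-user"} and not any(
                "firewall-authentication user-firewall" in a for a in actions):
            findings.append(f"policy {name}: permits unknown users without firewall-authentication")
    for line in text.strip().splitlines():
        m = PROFILE_RE.match(line)
        if not m:
            continue
        profile, rest = m.groups()
        if rest.startswith("ldap-options search admin-search password ") and "$9$" not in rest:
            # Junos obfuscates this on commit, but $9$ is reversible: treat the dump as a secret.
            findings.append(f"profile {profile}: LDAP bind password appears in cleartext")
        s = re.match(r"ldap-server (\S+) port (\d+)", rest)
        if s and s.group(2) == "389":
            findings.append(f"profile {profile}: LDAP to {s.group(1)} on port 389, simple bind is cleartext without TLS")
    return findings
```

Feed check_config the full `show configuration | display set` output to cover every zone pair and access profile, not only the two policies captured here.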