Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Infranet Controller (IC) to VSYS configuration example



Article ID: KB11005 KB Last Updated: 26 Dec 2012Version: 4.0
This article demonstrates the relevant working configuration on the Juniper firewall needed for IC to Firewall/VSYS communication and interoperability
There are multiple departments in an organization, each represented by a Virtual System, distributed over multiple A/P NS5200 clusters in diverse geographical locations and connected through single mode fiber. 

The IC allows users to access resources in multiple custom virtual systems (custom-VSYS) on different firewalls at the same time . Traffic from each department is identified with a separate VLAN tag.

The example shows UAC version 2.1 and ScreenOS 6.0.0r2; but it will also work with newer versions .

When the User authenticates to the IC, the IC  can use local or external authentication to a RADIUS or LDAP server.  Once the user is authenticated, the IC pushes an auth policy into the Root-Vsys of the FW. The FW has policies applied in the custom VSYS.

Configuration on the Juniper firewall:

Configuration in the root vsys:

FW1-> get conf | inc infranet
set auth-server "$infranet" id 1
set auth-server "$infranet" server-name ""
set auth-server "$infranet" account-type xauth 802.1X

set auth-server "$infranet" radius secret "tttttttxxxxx"
set auth-server "$infranet" src-interface "loopback.1"
set infranet controller name ""
set infranet controller name " " host-name port 11122
set infranet controller name " " src-interface loopback.1
set infranet controller name " " password "vvvvvvvttttttt"
set infranet controller name " " ca-hash  "xxxxyyyyyy"

Policies configured inside Custom-VSYS :

Config in VSYS vs-nr1

set policy id 67 from "Untrust" to "Trust-vs-nr1"  "net-" "Any" "ANY" permit infranet-auth log
set policy id 68 from "Untrust" to "Trust-vs-nr1"  "net-" "Any" "ANY" permit infranet-auth log
set policy id 65 from "Untrust" to "Trust-vs-nr1"  "net-" "Any" "ANY" permit infranet-auth log

Config in VSYS vs-nr2

set policy id 65 from "Untrust" to "Trust-vs-nr2"  "net-" "Any" "ANY" permit infranet-auth log   



  1. There is only one auth table in ScreenOS.  Care must be taken to assure that any UAC access through policies in a VSYS uses a single set of IP addresses. In other words, auth table entries should be OK as long as a single IP address represents the same endpoint regardless of VSYS

  2. There is only one set of infranet-auth policies in ScreenOS. The same set of policies is used for infranet-auth, regardless of VSYS

  3. There is only one IC configuration in ScreenOS. The IC configuration is not VSYS-specific

  4. If IPSec is used, the RADIUS server configuration for XAuth should be in the root VSYS. There should only be one such configuration, and it should be shared by all VSYS.

documentation: For additional information, consult the How the Firewall Works with the Infranet Controller section of the Concepts & Examples ScreenOS Reference Guide: Vol 9, User Authentication


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search