What issues can occur when using WebAuth on a firewall that is using multiple Virtual Routers?



Article ID: KB12798 | Last Updated: 11 Aug 2010 | Version: 2.0


When using Webauth on a firewall with multiple VRs (Virtual Routers), two issues can be encountered when the Webauth IP is not in the same VR as the client attempting to authenticate.

1.  The first issue is that the Webauth request crosses zones, which triggers a policy lookup. A policy permitting this traffic is therefore required.

For example:
Client is in the Trust zone.
The Trust zone is in the Trust-VR virtual router.
The Webauth IP is on an interface in the Untrust zone.
The Untrust zone is in the Untrust-VR virtual router.
This triggers a policy lookup from Trust to Untrust for the Webauth request from the client to the Webauth IP. If there is no policy that allows this traffic without requiring Webauth first, the request is dropped.

2.  The second issue is how the firewall stores the authentication. In the example above, if the Webauth IP is reached successfully, the firewall lets the client authenticate. Once the client has authenticated, the firewall records in the auth table the VR in which the client authenticated, in this case the Untrust-VR. For all subsequent traffic, the firewall's authentication process treats that VR as the expected ingress VR for traffic from the authenticated client. Because the client actually resides in the Trust-VR and all of its traffic enters there first, the firewall does not match the traffic to an authenticated client and drops it as unauthenticated.

The only way to avoid this is to place the Webauth IP on an interface in the Trust-VR and have the client authenticate against that IP instead. This ensures that the correct ingress VR is recorded in the firewall's auth table. To check this parameter in the auth table, use the following commands:
get auth table
get auth table id <ID number of the client in question>
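The following ScreenOS configuration is an added example and is not part of KB12798. It shows the arrangement the article recommends: the Webauth IP is bound to the client-facing interface in the Trust-VR, so the auth table records the Trust-VR as the ingress VR, and the client reaches the Webauth IP within its own zone and VR, so no separate cross-zone policy is needed for the authentication request itself. The interface names (ethernet0/0, ethernet0/1), IP addresses and the use of the default vrouter names are assumptions; the lines beginning with # are explanatory notes, not ScreenOS syntax.

```screenos
# Added example (not from KB12798): bind each zone to its virtual router,
# matching the Trust/Untrust and Trust-VR/Untrust-VR layout in the article.
set zone Trust vrouter trust-vr
set zone Untrust vrouter untrust-vr

# Client-facing interface in the Trust zone (Trust-VR); name and address assumed.
set interface ethernet0/0 zone Trust
set interface ethernet0/0 ip 10.1.1.1/24

# Upstream interface in the Untrust zone (Untrust-VR); name and address assumed.
set interface ethernet0/1 zone Untrust
set interface ethernet0/1 ip 192.0.2.1/30

# Place the Webauth IP on the Trust-VR interface, in the same VR as the clients,
# rather than on ethernet0/1. The Webauth IP is a free address on the client
# subnet (assumed value).
set interface ethernet0/0 webauth ip 10.1.1.2
set interface ethernet0/0 webauth

# Policy that requires Webauth for Trust -> Untrust traffic.
set policy from Trust to Untrust any any any permit webauth
```

After a client authenticates against 10.1.1.2, the entry shown by "get auth table" should carry the Trust-VR as its VR, which is the value the article says to verify.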