Transparent firewall authentication of Windows client through Juniper SSG
Posted on 2011-02-16
We are currently switching from an MS ISA firewall to a Juniper SSG. One nice feature of ISA is that it's integrated with Active Directory, meaning it's very easy to create firewall access rules that are dependent on AD groups. For example, only users that are members of the AD group FTPUsers are allowed to use FTP through the ISA.
I am attempting to migrate a few of these group-dependent rules over to the Juniper. I have managed to configure MS Network Policy Server as the RADIUS server which the Juniper uses for authentication. This works for authenticating users. However, they are prompted for credentials when attempting to use a protocol whose Juniper rule is group-dependent.
Does anyone know of a way that the Windows clients could pass the credentials of the logged-on user - via RADIUS - to the Juniper when prompted?
It would go something like this:
Windows client requests use of a protocol through the Juniper -->
<-- Juniper queries for user credentials
Windows client provides credentials of currently logged-on user -->
Juniper authenticates user via RADIUS and provides access, if the user is a member of the relevant group
In short, it's going to be cumbersome for my users if they are required to enter credentials any time that they wish to use a group-dependent protocol through the Juniper. I've contacted Juniper support, and they're pointing back to the Windows client as the mechanism for solving this issue. Thank you for your assistance.