Saturday, January 27, 2018

Juniper SRX and IPv6 local services

The Juniper SRX has been ahead of the pack in its IPv6 support for a firewall appliance.

Other firewall vendors have been lacking in this area, particularly in IPv6 support for local services such as syslog, NTP, RADIUS and TACACS+. These local services have for the most part been ignored when it comes to IPv6. In this post I will demo most of these services deployed on a branch-model SRX.


First, here is the JunOS version deployed and used in these examples.




For IPv6 to work, you need to check and possibly enable IPv6 flow mode, and yes, a reboot is required after committing that change.



NTP configuration, with an IPv6 tcpdump capture as proof.




Syslog configuration, with an IPv6 tcpdump capture of our syslog messages.




RADIUS and IPv6

Take heed to change the authentication order so that RADIUS is selected.




Here are the FreeRADIUS configuration details for RADIUS: the user is steve and the RADIUS client (NAS) is 2001:DB8:199::1.





NOTE: ALL RADIUS ACCEPT/REJECT MESSAGES ARE SENT UNENCRYPTED.


(tcpdump of the various RADIUS messages between the NAS and the RADIUS server)





NOTE: between the NAS client and FreeRADIUS, PAP is the default. You can change this behavior in the JunOS RADIUS options and use CHAP for more security. Ideally RADIUS over DTLS would encrypt the full exchange, which offers greater security.
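As an added example (my own set-format configuration, not taken from the post's screenshots), here is a JunOS configuration that ties the steps above together: IPv6 flow mode, then NTP, syslog and RADIUS over IPv6, with a local fallback so a RADIUS outage cannot lock you out. The NAS address 2001:db8:199::1 is the one from the post; the server addresses and the shared secret are constructed placeholders, and lines beginning with # are explanation, not configuration.

```junos
## Assumed lab addressing (constructed for this example, not from the post):
##   SRX source address  : 2001:db8:199::1   (the NAS address in the post)
##   NTP server          : 2001:db8:199::10
##   syslog collector    : 2001:db8:199::20
##   FreeRADIUS server   : 2001:db8:199::30
##   RADIUS shared secret: placeholder, replace before use

## 1. Enable IPv6 flow mode; after committing this, reboot before expecting IPv6 traffic to flow
set security forwarding-options family inet6 mode flow-based

## 2. NTP over IPv6, pinned to a fixed source address so the server-side ACL can stay tight
set system ntp server 2001:db8:199::10
set system ntp source-address 2001:db8:199::1

## 3. Syslog to an IPv6 collector (UDP/514, cleartext, so keep it on a management network)
set system syslog host 2001:db8:199::20 any any
set system syslog host 2001:db8:199::20 source-address 2001:db8:199::1

## 4. RADIUS over IPv6 for management logins
set system radius-server 2001:db8:199::30 secret "REPLACE-WITH-SHARED-SECRET"
set system radius-server 2001:db8:199::30 source-address 2001:db8:199::1
set system radius-server 2001:db8:199::30 timeout 5
set system radius-server 2001:db8:199::30 retry 3

## Try RADIUS first, then fall back to the local password database
set system authentication-order [ radius password ]

## Template account that RADIUS-authenticated users are mapped onto
set system login user remote class super-user
```

The source-address statements matter on the FreeRADIUS side too: its client definition must match 2001:db8:199::1 exactly, or the Access-Request is silently dropped.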


Ken Felix





NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

