
20-8 Riverstone Networks RS Switch Router User Guide Release 8.0

IP Policy Configuration Examples

IP Policy-Based Forwarding Configuration

20.2.3 Authenticating Users through a Firewall

You can define an IP policy that sends packets from certain users through a firewall for authentication before they can reach the network.
If, for some reason, the firewall is not responding, the packets that were to be authenticated are dropped rather than forwarded.

Figure 20-3 illustrates this kind of configuration.

Figure 20-3 Using an IP policy to authenticate users through a firewall

Packets from users defined in the “contractors” group are sent through a firewall. If the firewall cannot be reached,
packets from the contractors group are dropped. Packets from users defined in the “full-timers” group do not have to
go through the firewall.

The following is the IP policy configuration for the Policy Router in Figure 20-3:

interface create ip mls0 address-netmask 10.50.1.1/16 port et.1.1
acl contractors permit ip 10.50.1.0/24 any any any 0
acl full-timers permit ip 10.50.2.0/24 any any any 0
ip-policy access permit acl contractors next-hop-list 11.1.1.1 action policy-only
ip-policy access permit acl full-timers next-hop-list 12.1.1.1 action policy-first
ip-policy access apply interface mls0

[Figure 20-3 diagram labels: Policy Router; contractors 10.50.1.0/24; full-timers 10.50.2.0/24; Firewall; Router; Servers; next hops 11.1.1.1 and 12.1.1.1]
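The security point of this configuration is the difference between the two actions: with policy-only the contractors' traffic fails closed (dropped when the firewall is down), while with policy-first the full-timers' traffic is not tied to the firewall at all. The following Python model, added here as an illustration and not part of the Riverstone manual or its CLI, parses the acl and ip-policy lines shown above with a deliberately simplified grammar and simulates the forwarding decision for a packet against a set of reachable next hops. The fall-back to normal routing for policy-first when its next hop is unreachable is an assumption of the model; the drop behaviour for policy-only is the one the text describes.

```python
"""Model the forwarding decision made by the IP policy on this page.

Actions modelled (simplified, not the switch's real implementation):
  policy-only  : use the policy next hop; if unreachable, drop (fail closed)
  policy-first : use the policy next hop; if unreachable, fall back to
                 destination-based routing (fail open) -- an assumption here
"""
import ipaddress
from dataclasses import dataclass

# The acl and ip-policy lines copied from the configuration above.
CONFIG = """
acl contractors permit ip 10.50.1.0/24 any any any 0
acl full-timers permit ip 10.50.2.0/24 any any any 0
ip-policy access permit acl contractors next-hop-list 11.1.1.1 action policy-only
ip-policy access permit acl full-timers next-hop-list 12.1.1.1 action policy-first
"""


@dataclass
class Rule:
    acl: str
    network: ipaddress.IPv4Network
    next_hops: list
    action: str


def parse_config(text=CONFIG):
    """Build policy rules from the acl / ip-policy lines (simplified grammar)."""
    acls = {}
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "acl":
            # acl <name> permit ip <src> <dst> <sport> <dport> <tos>
            # Only the source network is used by this model.
            acls[tok[1]] = ipaddress.ip_network(tok[4])
        elif tok[0] == "ip-policy":
            # ip-policy <name> permit acl <acl> next-hop-list <hops> action <act>
            acl = tok[4]
            hops = tok[tok.index("next-hop-list") + 1].split(",")
            action = tok[tok.index("action") + 1]
            rules.append(Rule(acl, acls[acl], hops, action))
    return rules


def forward(src_ip, rules, reachable):
    """Decide what happens to a packet from src_ip.

    reachable is the set of next-hop addresses currently responding.
    Returns ("next-hop", hop), ("route-table", None) or ("drop", None).
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in rule.network:
            for hop in rule.next_hops:
                if hop in reachable:
                    return ("next-hop", hop)
            # No policy next hop is up: the action decides fail-closed vs fail-open.
            if rule.action == "policy-only":
                return ("drop", None)
            return ("route-table", None)
    # No policy matched: ordinary destination-based routing.
    return ("route-table", None)


if __name__ == "__main__":
    rules = parse_config()
    # Constructed scenario: the firewall (11.1.1.1) is down, the router is up.
    firewall_down = {"12.1.1.1"}
    print("contractor, firewall down:", forward("10.50.1.7", rules, firewall_down))
    print("full-timer, firewall down:", forward("10.50.2.9", rules, firewall_down))
```

Running the block with the firewall unreachable shows the contractor packet dropped and the full-timer packet forwarded to 12.1.1.1, which is the fail-closed behaviour the page wants for traffic that must be authenticated.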
