Configuring CTPView User Authentication with Steel-Belted RADIUS
Starting with CTPView Release 4.1, you can provide RADIUS authentication to both HTTPS and SSH users. Earlier releases of CTPView supported RADIUS authentication only for HTTPS users. Enabling RADIUS authentication for SSH users ensures that both HTTPS and SSH users have a common authentication method without requiring separate user-specific configuration.
Starting with CTPView Release 4.1, users do not require a local user account on the CTPView server. For CTPView 4.0 and earlier, a user must have an account on the CTPView server. You can add a user or verify whether a user account exists from the CTPView CLI menu. The username for the CTPView account must match the username that is configured on the RADIUS server.
You can enable or disable RADIUS authentication for both SSH and HTTPS users. You can block a specific user by disabling that user on the RADIUS server.
To provide RADIUS authentication, use an independent Steel-Belted RADIUS (SBR) server or an RSA SecurID appliance with your CTPView server running FC9 or CentOS and CTPView 3.4R1 or later. The RSA SecurID appliance incorporates an SBR server, making the configuration very similar to that of an independent SBR server.
Users are authenticated in the following order:
- By the SBR server.
- By the local CTPView application.
You can configure the SBR server to use native user authentication or pass-through authentication with RSA SecurID.
- Native user authentication references user accounts stored on the SBR server. When trying the native user method, the SBR software searches its database for an entry whose User-Type is Native User and whose username matches the User-Name in the Access-Request.
- Pass-through authentication (two-factor authentication) enables the SBR server to pass authentication requests through to RSA Authentication Manager (RSA SecurID). RSA SecurID is then responsible for validating the username and password found in the Access-Request.
The order of authentication between these two categories of users is set on the SBR server. You can add the same user (that is, the same user ID) to both the SBR server and the local CTPView application.
- Configuring RADIUS Settings on the CTPView Server
- Configuring the SBR Server’s Dictionary Files
- Configuring the SBR Server’s Active Authentication Method
- Adding the CTPView Server as a RADIUS Client on an SBR Server
- Adding CTPView Users to an SBR Server
- Assigning SecurID Tokens to CTPView Users
Configuring RADIUS Settings on the CTPView Server
Before you begin, log in to the CTPView server and access the CTPView Configuration Menu. See Accessing the CTPView Server Configuration Menu (CTPView Server Menu).
To configure RADIUS settings on the CTPView server:
- From the CTPView Configuration Menu, select 9) AAA Functions.
The RADIUS Menu is displayed.
- Select 8) RADIUS/RSA SecurID Configuration.
Configure the parameters described in Table 25.

| Field | Function | Your Action |
| --- | --- | --- |
| Servers | Displays the RADIUS servers configured on CTPView. You can add up to 10 RADIUS servers. If you define multiple servers, the order in which they are tried differs on the basis of whether the user is trying to access CTPView via SSH or HTTPS. For access via SSH, the servers are tried in order. For HTTPS access, the servers are tried in a round-robin fashion. In both cases, the process continues until the system receives a response from a server or until the maximum number of retries is reached for all servers. | Specify a RADIUS server. Make sure you specify an IPv4 address if you are configuring RADIUS authentication for HTTPS. IPv6 addresses are supported for RADIUS authentication for SSH. |
| Destination Port | Specifies the RADIUS destination port. | The default value is 1812. |
| Retry Attempts | Specifies the number of attempts that the CTPView server makes to contact the listed RADIUS server. | Specify a value in the range of 0 through 9. |
| Off-Line-Failover | Determines whether the login credentials are passed to the local account login function when no RADIUS server responds to the login request. | Select one: Allowed to Loc Acct (user credentials are passed to the local account login function) or Not Allowed (user is denied access and the session is terminated). |
| Reject-Failover | Determines whether the login credentials are passed to the local account login function. The user credentials are not passed if the login information is incorrect or if the user does not have an account for the RADIUS server. | Select one: Allowed to Loc Acct (user credentials are passed to the local account login function) or Not Allowed (user is denied access and the session is terminated). |

- Select 6) Initialize Web UI Template Accounts.
- Enter the MySQL root account password when prompted.
- Select 1) Servers.
The system displays the RADIUS servers that are configured currently.
- Enter y to add, remove, or modify a server from the list.
Note: Whenever you make changes to the server list, you must reenter all RADIUS servers.
- When prompted, enter the following information:
  - Shared secret
  - Timeout period
  - Number of retries
Note: For shared secret, only alphanumeric characters and special characters such as “at” sign (@), curly braces ({}), pound sign (#), percent sign (%), tilde (~), square brackets ([]), equal sign (=), comma (,), em dash (–), and underscore (_) are supported.
Configuring the SBR Server’s Dictionary Files
To configure the SBR server’s dictionary files:
- Log in to the SBR server as an administrator.
- Open the file
C:\Program Files\Juniper Networks\Steel-Belted RADIUS\Service\juniper.dct
and append the following new block of text to the bottom of the file:

    #################################################################
    # CTP Specific Attributes
    #################################################################
    ATTRIBUTE Juniper-CTP-Group Juniper-VSA(21, integer) r
    VALUE Juniper-CTP-Group Read_Only 1
    VALUE Juniper-CTP-Group Admin 2
    VALUE Juniper-CTP-Group Privileged_Admin 3
    VALUE Juniper-CTP-Group Auditor 4
    ATTRIBUTE Juniper-CTPView-APP-Group Juniper-VSA(22,integer) r
    VALUE Juniper-CTPView-APP-Group Net_View 1
    VALUE Juniper-CTPView-APP-Group Net_Admin 2
    VALUE Juniper-CTPView-APP-Group Global_Admin 3
    VALUE Juniper-CTPView-APP-Group NET_DIAG 4
    ATTRIBUTE Juniper-CTPView-OS-Group Juniper-VSA(23, integer) r
    VALUE Juniper-CTPView-OS-Group Web_Manager 1
    VALUE Juniper-CTPView-OS-Group System_Admin 2
    VALUE Juniper-CTPView-OS-Group Auditor 3
    #################################################################
    # CTP Specific Attributes
    #################################################################

- Open the file
C:\Program Files\Juniper Networks\Steel-Belted RADIUS\Service\vendor.ini
and locate the block of text that begins:

    vendor-product = Juniper M/T Series

- Add the following text after that block.

    vendor-product = Juniper CTP Series
    dictionary = Juniper
    ignore-ports = no
    port-number-usage = per-port-type
    help-id = 2000

Note: SBR Enterprise Release 6.1.4 and SBR Carrier Release 7.2.4 support the RADIUS attributes required for CTP Series. This step is required only if you are using an earlier version of SBR and the Juniper CTP Series attribute is not listed.
- Restart the Steel-Belted RADIUS service on the server.
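As an added illustration (not Juniper's code and not part of the original guide), the Python below parses the CTP dictionary block and decodes the matching vendor-specific attributes from the attribute bytes of an Access-Accept, so a packet capture can be checked against the group a user's return list is meant to grant. It assumes Juniper-VSA maps to Juniper's IANA enterprise number 2636 and the RFC 2865 sub-attribute layout; the function names and the sample bytes are constructed for this example.

```python
import re
import struct

JUNIPER_VENDOR_ID = 2636  # Juniper's IANA enterprise number (assumed for Juniper-VSA)
VENDOR_SPECIFIC = 26      # RADIUS Vendor-Specific attribute type (RFC 2865)

CTP_DCT = """
ATTRIBUTE Juniper-CTP-Group Juniper-VSA(21, integer) r
VALUE Juniper-CTP-Group Read_Only 1
VALUE Juniper-CTP-Group Admin 2
VALUE Juniper-CTP-Group Privileged_Admin 3
VALUE Juniper-CTP-Group Auditor 4
ATTRIBUTE Juniper-CTPView-APP-Group Juniper-VSA(22,integer) r
VALUE Juniper-CTPView-APP-Group Net_View 1
VALUE Juniper-CTPView-APP-Group Net_Admin 2
VALUE Juniper-CTPView-APP-Group Global_Admin 3
VALUE Juniper-CTPView-APP-Group NET_DIAG 4
ATTRIBUTE Juniper-CTPView-OS-Group Juniper-VSA(23, integer) r
VALUE Juniper-CTPView-OS-Group Web_Manager 1
VALUE Juniper-CTPView-OS-Group System_Admin 2
VALUE Juniper-CTPView-OS-Group Auditor 3
"""  # CTP block appended to juniper.dct in the procedure above (banner comments omitted)

def parse_dct(text):
    """Map vendor type -> (attribute name, {integer: value name})."""
    by_name, by_type = {}, {}
    for line in text.splitlines():
        attr = re.match(r"ATTRIBUTE\s+(\S+)\s+Juniper-VSA\((\d+),\s*integer\)", line)
        val = re.match(r"VALUE\s+(\S+)\s+(\S+)\s+(\d+)\s*$", line)
        if attr:
            by_name[attr.group(1)] = by_type[int(attr.group(2))] = (attr.group(1), {})
        elif val and val.group(1) in by_name:
            by_name[val.group(1)][1][int(val.group(3))] = val.group(2)
    return by_type

def encode_vsa(vendor_type, value):  # one VSA holding a 4-byte integer sub-attribute
    sub = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), JUNIPER_VENDOR_ID) + sub

def decode_ctp_groups(attrs, dct):
    """Decode Juniper CTP group VSAs from the attribute bytes of an Access-Accept."""
    found, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        a_type, a_len = attrs[pos], attrs[pos + 1]
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(body) != 10:
            continue  # not a VSA with exactly one integer sub-attribute
        vendor, v_type, v_len, value = struct.unpack("!IBBI", body)
        if vendor != JUNIPER_VENDOR_ID or v_len != 6 or v_type not in dct:
            continue  # another vendor, or a type the CTP block does not define
        name, values = dct[v_type]
        found.append((name, values.get(value, "UNDEFINED(%d)" % value)))
    return found

# Constructed sample: attribute bytes as they would follow the 20-byte RADIUS header.
SAMPLE = encode_vsa(22, 3) + encode_vsa(23, 1) + encode_vsa(22, 9)
```

A result of UNDEFINED(n) means the return list carries an integer that the dictionary block does not name, which is worth checking on the SBR server before relying on that user's authorization level.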
Configuring the SBR Server’s Active Authentication Method
To configure the SBR server’s active authentication method:
- Launch the Steel-Belted RADIUS Administrator application from your web browser by entering the address http://SBR-server-IP-address:1812.
- Click Launch.
- Select Steel-Belted RADIUS > Authentication Policies > Order of Methods.
Ensure that your chosen method, Native User or SecurID User, is listed under the section Active Authentication Methods.
Adding the CTPView Server as a RADIUS Client on an SBR Server
To add the CTPView server as a RADIUS client on an SBR server:
- Launch the Steel-Belted RADIUS Administrator application from your web browser by entering the address http://SBR-server-IP-address:1812.
- Click Launch.
- Select Steel-Belted RADIUS > RADIUS Clients.
- Add your CTPView server as a client. In the Make or model field, select Juniper CTP Series.
Adding CTPView Users to an SBR Server
To add CTPView users to an SBR server:
- Launch the Steel-Belted RADIUS Administrator application from your web browser by entering the address http://SBR-server-IP-address:1812.
- Click Launch.
- Select the user type.
  - For native users, select Steel-Belted RADIUS > Users > Native.
  - For RSA SecurID users, select Steel-Belted RADIUS > Users > SecurID.
- Add a user with the Add Native User dialog box or the Add SecurID dialog box, depending on your choice in the previous step.
- In the Attributes section, click the Return List tab and then click Add. The Add Return List Attribute dialog box opens.
- In the Attributes section, select Juniper-CTPView-APP-Group.
- In the Value section, select one of the following authorization levels for the user you are adding:
  - Global_Admin
  - Net_Admin
  - Net_View
  - Net_Diag
Assigning SecurID Tokens to CTPView Users
SecurID authentication requires that you issue a SecurID token to each user and assign it to them on the RSA SecurID appliance. The first time a new user logs in to the CTPView software, the token code displayed on the SecurID token is the password. The user is then prompted to create a PIN. On subsequent logins, the user’s PIN followed immediately by the token code displayed on the SecurID token is the password.
To assign SecurID tokens:
- On the RSA SecurID appliance, launch the RSA Authentication Manager Host Mode application.
- Select User > Add User.
- Complete at least the following required fields:
  - Last Name
  - Default Login
  - Required to Create a PIN
  - Assign Token