Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Configuring CTPView User Authentication with Steel-Belted RADIUS

 

Starting with CTPView Release 4.1, you can provide RADIUS authentication to both HTTPS and SSH users. Earlier releases of CTPView supported RADIUS authentication only for HTTPS users. Enabling RADIUS authentication for SSH users ensures that both HTTPS and SSH users have a common authentication method without requiring separate user-specific configuration.

Starting with CTPView Release 4.1, users do not require a local user account on the CTPView server. For CTPView 4.0 and earlier, a user must have an account on the CTPView server. You can add a user or verify whether a user account exists from the CTPView CLI menu. The username for the CTPView account must match the username that is configured on the RADIUS server.

You can enable or disable RADIUS authentication for both SSH and HTTPS users. You can block a specific user by disbaling that user from the RADIUS server.

To provide RADIUS authentication, use an independent Steel-Belted RADIUS (SBR) server or an RSA SecurID appliance with your CTPView server running FC9 or Centos OS and CTPView 3.4R1 or later. The RSA SecurID appliance incorporates an SBR server, making the configuration very similar to that of an independent SBR server.

Users are authenticated in the following order:

  1. By the SBR server.

  2. By the local CTPView application.

You can configure the SBR server to use native user authentication or pass-through authentication with RSA SecurID.

  • Native user authentication references user accounts stored on the SBR server. When trying the native user method, the SBR software searches its database for an entry whose User-Type is Native User and whose username matches the User-Name in the Access-Request.

  • Pass-through authentication (two-factor authentication) enables the SBR server to pass authentication requests through to RSA Authentication Manager (RSA SecurID). RSA SecurID is then responsible for validating the username and password found in the Access-Request.

The order of authentication between these two categories of users is set on the SBR server. You can add the same user (that is, the same user ID) to both the SBR server and the local CTPView application.

Configuring RADIUS Settings on the CTPView Server

Before you begin, log in to the CTPView server and access the CTPView Configuration Menu. See Accessing the CTPView Server Configuration Menu (CTPView Server Menu).

To configure RADIUS settings on the CTPView server:

  1. From the CTPView Configuration Menu, select 9) AAA Functions.

    The RADIUS Menu is displayed.

  2. Select 8) RADIUS/RSA SecurID Configuration. Configure the parameters described in Table 1.

    Table 1: RADIUS Menu Options

    Field

    Function

    Your Action

    Servers

    Displays the RADIUS servers configured on CTPView.

    You can add up to 10 RADIUS servers.

    If you define multiple servers, the order in which they are tried differs on the basis of whether the user is trying to access CTPView via SSH or HTTPS. For access via SSH, the servers are tried in order. For HTTPS access, the servers are tried in a round-robin fashion. In both cases, the process continues until the system receives a response from a server or until the maximum number of retries is reached for all servers.

    Specify a RADIUS server.

    Make sure you specify an IPv4 address if you are configuring RADIUS authentication for HTTPS. IPv6 addresses are supported for RADIUS authentication for SSH.

    Destination Port

    Specifies the RADIUS destination port.

    The default value is 1812.

    Retry Attempts

    Specifies the number of attempts that the CTPView server makes to contact the listed RADIUS server.

    Specify a value in the range of 0 through 9.

    Off-Line-Failover

    Determines whether the login credentials are passed to the local account login function when no RADIUS server responds to the login request.

    Select one:

    • Allowed to Loc Acct—User credentials are passed to the local account login function.

    • Not Allowed—User is denied access and the session is terminated.

    Reject-Failover

    Determines whether the login credentials are passed to the local account login function.

    The user credentials are not passed if the login information is incorrect or if the user does not have an account for the RADIUS server.

    Select one:

    • Allowed to Loc Acct—User credentials are passed to the local account login function.

    • Not Allowed—User is denied access and the session is terminated.

  3. Select 6) Initialize Web UI Template Accounts.
  4. Enter the MySQL root account password when prompted.
  5. Select 1) Servers.

    The system displays the RADIUS servers that are configured currently.

  6. Enter y to add, remove, or modify a server from the list. Note

    Whenever you make changes to the server list, you must reenter all RADIUS servers.

  7. When prompted, enter the following information:
    • Shared secret

    • Timeout period

    • Number of retries

    Note

    For shared secret, only alphanumeric characters and special characters such as “at” sign (@), curly braces ({}), pound sign (#), percent sign (%), tilde (~), square brackets ([]), equal sign (=), comma (,), em dash (–), and underscore (_) are supported.

Configuring the SBR Server’s Dictionary Files

To configure the SBR server’s dictionary files:

  1. Log in to the SBR server as an administrator.
  2. Open the file C:\Program Files\Juniper Networks\Steel-Belted RADIUS\Service\juniper.dct and append the following new block of text to the bottom of the file:
  3. Open the file C:\Program Files\Juniper Networks\Steel-Belted RADIUS\Service\vendor.ini and locate the block of text that begins:

    vendor-product = Juniper M/T Series

  4. Add the following text after that block.
    Note

    SBR Enterprise Release 6.1.4 and SBR Carrier Release 7.2.4 supports the RADIUS attributes required for CTP Series. This step is required only if you are using an earlier version of SBR and the Juniper CTP Series attribute is not listed.

  5. Restart the Steel-Belted RADIUS service on the server.

Configuring the SBR Server’s Active Authentication Method

To configure the SBR server’s active authentication method:

  1. Launch the Steel-Belted RADIUS Administrator application from your web browser by entering the address http://SBR-server-IP-address:1812.
  2. Click Launch.
  3. Select Steel-Belted RADIUS > Authentication Policies > Order of Methods.

    Ensure that your chosen method, Native User or SecurID User, is listed under the section Active Authentication Methods.

Adding the CTPView Server as a RADIUS Client on an SBR Server

To add the CTPView server as a RADIUS client on an SBR server:

  1. Launch the Steel-Belted RADIUS Administrator application from your web browser by entering the address http://SBR-server-IP-address:1812.
  2. Click Launch.
  3. Select Steel-Belted RADIUS > RADIUS Clients.
  4. Add your CTPView server as a client. In the Make or model field, select Juniper CTP Series.

Adding CTPView Users to an SBR Server

To add CTPView users to an SBR server:

  1. Launch the Steel-Belted RADIUS Administrator application from your web browser by entering the address http://SBR-server-IP-address:1812.
  2. Click Launch.
  3. Select the user type.

    • For native users, select Steel-Belted RADIUS > Users> Native.

    • For RSA SecurID users, select Steel-Belted RADIUS > Users > SecurID.

  4. Add a user with the Add Native User dialog box or the Add SecurID dialog box, depending on your choice in the previous step.
  5. In the Attributes section, click the Return List tab and then click Add. The Add Return List Attribute dialog box opens.
  6. In the Attributes section select Juniper-CTPView_APP-Group.
  7. In the Value section select one of the following authorization levels for the user you are adding:

    • Global_Admin

    • Net_Admin

    • Net_View

    • Net_Diag

Assigning SecurID Tokens to CTPView Users

SecurID authentication requires that you issue a SecurID token to each user and assign it to them on the RSA SecurID appliance. The first time a new user logs in to the CTPView software, the token code displayed on the SecurID token is the password. The user is then prompted to create a PIN. On subsequent logins, the user’s PIN followed immediately by the token code displayed on the SecurID token is the password.

To assign SecurID tokens:

  1. On the RSA SecurID appliance, launch the RSA Authentication Manager Host Mode application.
  2. Select User > Add User.
  3. Complete at least the following required fields:

    • Last Name

    • Default Login

    • Required to Create a PIN

    • Assign Token