Creating and Managing Access Profiles
Access profiles define the authentication methods and the servers that Network Director uses to authenticate network users. Network Director supports RADIUS, Lightweight Directory Access Protocol (LDAP), and local authentication as authentication methods, and RADIUS as the only accounting method.
Use the Manage Access Profiles page to create new Access profiles and manage existing Access profiles.
Managing Access Profiles
From the Manage Access Profiles page, you can:
Create a new Access profile by clicking Add. For directions, see Creating an Access Profile.
Modify an existing profile by selecting it and clicking Edit.
View information about an Access profile, including the interfaces it is associated with, by either clicking the profile name or by selecting the profile and clicking Details.
Delete an Access profile by selecting the Access profile and clicking Delete.
Tip You cannot delete profiles that are in use—that is, assigned to objects or used by other profiles. To see the current assignments for an Access profile, select the Access profile and click Details.
Clone a profile by selecting a profile and clicking Clone.
The default Access profile named Juniper Networks-access-profile is always available.
Table 1 describes the information provided about Access profiles on the Manage Access Profiles page. This page lists all Access profiles defined for your network, regardless of the scope you selected in the network view.
Table 1: Manage Access Profile Fields
Field | Description |
---|---|
Profile Name | Name given to the profile when the profile was created. |
Description | Description of the profile that was entered when the profile was created. Tip: To display the entire description, you might need to resize the Description column by clicking the column border in the heading and dragging it. |
Family Type | The device family on which the profile was created: EX Switching, Wireless, Campus Switching ELS, or Data Center Switching Non-ELS. |
Creation Time | Date and time when the profile was created. |
Last Updated Time | Date and time when the profile was last modified. |
User Name | The username of the person who created or modified the profile. |
All columns might not be displayed. To show or hide fields listed in the table, click the down arrow on the field header, select Columns, and select or clear the check box adjacent to the field that you want to show or hide.
Creating an Access Profile
In Network Director, you create an Access profile that is then used to authenticate network users. You can also specify servers to be used for user accounting purposes. You can create Access profiles for these kinds of hardware devices:
EX Series Switches—configure Basic Settings and optional Accounting Settings.
Wireless (WLC)—configure Basic Settings and Server Group Settings.
Campus Switching ELS (EX Series switches with Enhanced Layer 2 Software)—configure Basic Settings and Server Settings.
Data Center Switching Non-ELS—configure Basic Settings and optional Accounting Settings.
To create an Access profile, follow these steps:
- Under Views, select one of these options: Logical View, Location View, Device View, or Custom Group View.
Tip Do not select Dashboard View, Datacenter View, or Topology View.
- Click in the Network Director banner.
- From the Tasks pane, select the type of network (Wired or Wireless), the appropriate functional area (System, AAA, or Wireless), and select the name of the profile that you want to create. For example, to create a RADIUS profile for a wireless device, click Wireless > AAA > Radius. The Manage page for that profile type opens.
- Click Add to add a new profile.
If you chose to create a profile for the wired network, Network Director opens the Device Family Chooser window. Select the device family for which you want to create the profile: Switching (EX), Campus Switching ELS (Enhanced Layer 2 Software), or Data Center Switching Non-ELS. Click OK. The Create Access Profile page for the selected device family is displayed. It consists of a Basic Settings section and a second section that depends on the device family: Accounting Settings for EX Series and Data Center Switching, or Server Settings for Campus Switching ELS.
If you chose to create a profile for the wireless network, Network Director opens the Create Access Profile for Wireless page, which consists of Basic Settings and Server Group Settings.
- Specify the access settings for the Access profile by doing one of the following:
For either EX Series switches or Data Center Switching, specify the access settings described in the online help, or in Specifying Basic Settings for an EX Series Switching or Data Center Switching Access Profile and Specifying RADIUS Accounting Settings for an EX Switching or Data Center Switching Access Profile.
For wireless controllers, specify the access settings as described in the online help and in Specifying Basic Settings for a Wireless Access Profile and Specifying Server Group Settings for a Wireless Access Profile.
For Campus Switching ELS, specify the access settings as described in Specifying Basic Settings for a Campus Switching ELS Access Profile and Specifying RADIUS and LDAP Settings for Campus Switching ELS.
- Click either Next or Review. The Review page appears.
You can either save your profile or make changes to your profile from the Review page. For directions, see Reviewing and Modifying the Access Profile Settings.
- Click Done to save the Access profile.
The system saves the Access profile and then displays the Manage Access Profiles page. Your new or modified Access profile is listed in the table of Access profiles.
Specifying Basic Settings for an EX Series Switching or Data Center Switching Access Profile
Basic settings for EX Series switching or data center switching Access profile include the profile name, authentication server order, and the RADIUS authentication details.
To configure the basic settings for an EX Series switch or data center switching Access profile, enter the settings described in Table 2. Required settings are indicated in the user interface by a red asterisk (*) that appears next to the field label.
Table 2: Access Profile Basic Settings for EX Series Switches and Data Center Switching
Field | Action |
---|---|
Access Profile Details | |
Profile Name | Type a unique name that identifies the profile. You can use up to 64 characters for profiles created for wired devices. Profile names must not contain special characters or spaces. Note that profiles that are automatically created by Network Director as part of device discovery or out-of-band changes might contain the underscore (_) character. |
Description | Type the description of the profile. |
Revert Interval | Specify the number of seconds the switch waits after an authentication server becomes unreachable. The switch rechecks the connection to the server when the specified interval expires. Default is 3 seconds. |
RADIUS Servers: Authentication | |
View | Select a server entry from the list and then click View to see the details of that entry. |
Task: Create and add a new RADIUS server configuration | To both create and add a RADIUS server configuration to this Access profile for authentication: |
Task: Add a previously configured RADIUS server for authentication | The RADIUS tab is selected by default for server configuration, and configured RADIUS servers are listed on this Server Settings page. To add a previously configured RADIUS server to this Access profile for authentication: |
Task: Delete a server | To delete a RADIUS server from this Access profile: |
Proceed to the RADIUS Accounting settings for EX Switching Access profiles by clicking either Accounting Settings or Next. These settings are described in Specifying RADIUS Accounting Settings for an EX Switching or Data Center Switching Access Profile.
Specifying RADIUS Accounting Settings for an EX Switching or Data Center Switching Access Profile
Configure the settings listed in Table 3 for the Access profile Accounting Settings page. Accounting settings are optional in an Access profile. You can also specify accounting settings later by modifying an existing Access profile.
Table 3: Accounting Settings for an EX Switching and Data Center Switching Access Profile
Task | Description |
---|---|
View | Select a RADIUS server entry from the list and then click View to see the details of that entry. |
Create a new RADIUS server for both authentication and accounting | To both create and add a RADIUS server configuration to this Access profile for both authentication and accounting: Note: A RADIUS server must be configured for authentication in addition to accounting. |
Add a previously configured RADIUS server for accounting | A RADIUS server must already be configured before you can add that server for accounting. If the server was previously configured only for authentication, default accounting settings are applied. To add a RADIUS server for accounting: |
Delete a server | To delete a server from this Access profile: |
Proceed to the Access profile review by clicking either Review or Next.
Specifying Basic Settings for a Wireless Access Profile
To configure the basic settings for a wireless Access profile, enter the settings described in Table 4. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.
Table 4: Access Profile Basic Settings for Wireless
Field | Action |
---|---|
Profile Name | Type a unique name that identifies the profile. Use up to 32 characters for wireless profile names. Profile names must not contain special characters or spaces. Note that profiles automatically created by Network Director as part of device discovery or out-of-band changes might contain the underscore (_) character. |
Description | Type the description of the profile. |
Proceed to the server group settings for wireless Access profiles by either clicking Server Group Settings from the wizard or by clicking Next. These settings are described in Specifying Server Group Settings for a Wireless Access Profile.
Specifying Server Group Settings for a Wireless Access Profile
You can add RADIUS or LDAP servers to an Access profile for wireless authentication. Only RADIUS servers can be used for accounting.
To configure RADIUS or LDAP servers for a wireless Access profile, enter the settings described in Table 5. Required settings are indicated in the user interface by a red asterisk (*) that appears next to the field label.
When you add a server, the system adds its details to the Server Configuration table.
Table 5: Server Group Settings
Field | Action |
---|---|
Configure Server Group | |
Group Name | Type a unique name that identifies the server group. You can use up to 32 characters. The name must not contain special characters or spaces. Note that names created automatically by Network Director as part of device discovery or out-of-band changes might contain the underscore (_) character. |
Server Group Type | Select the type of server group that you want to create. Accounting: only RADIUS servers perform user accounting, and they must also be configured for authentication to do accounting. Authentication: both RADIUS and LDAP servers can perform user authentication. Both: only RADIUS servers can perform both authentication and accounting. |
Server Type | Select either RADIUS or LDAP. Tip: LDAP servers do not perform accounting, so if you selected Accounting for the Server Group Type, the only option here is RADIUS. |
Enable Load Balance | Select to load-balance authentication requests across the servers in this server group. The controller distributes requests across the group's servers, which reduces the load on each server and removes the dependence on any single server. |
Enable Command Audit | Wireless controllers can log all CLI commands and all events. Select Enable Command Audit to send every valid command to the RADIUS accounting server when accounting is enabled. The record contains the timestamp, TTY port, username, source IP address, the command issued, and the command status (success or failure). |
RADIUS or LDAP Server Configuration
The heading for this section depends on whether you selected RADIUS or LDAP for Server Type.
View: Select any server entry from the list and then click View to see the details of that entry.
Task: Configure a new RADIUS server for this Access profile
When doing RADIUS Server Configuration, both create and add a RADIUS server to this Access profile by following these steps:
- Click Add > Create RADIUS.
The Create RADIUS Server window opens.
- Complete these fields:
Server Name—Type the name of the RADIUS server that you want to create.
Server Address—Type the IP address of the RADIUS server.
Authentication Port—The default RADIUS authentication port is 1812. You can change the port number by using the up and down arrows.
Secret—Type the shared secret. If it contains spaces, enclose it in quotation marks. The secret configured here must match the secret configured on the RADIUS server for this client. It is the only key protecting RADIUS traffic between the controller and the server, so use a long random value rather than a word.
- Optionally, if you selected either Accounting or Both for a Server Group Type, expand Advanced Settings and change the values for any of these fields:
Accounting Port—Using the arrows, adjust the number of the UDP port to use for RADIUS accounting messages. The default UDP port is 1813, and the range is from 0 through 65535.
Retry Count—Using the arrows, adjust the number of times the controller retransmits a request to the RADIUS server before treating the server as unavailable. Default is 3.
Timeout—Using the arrows, adjust the number of seconds the controller waits for a response to each request before giving an unreachable error. Default is 5.
Dead Time—Using the arrows, adjust the number of seconds for which the controller skips a RADIUS server that was previously unresponsive before trying it again. The default value is 5 seconds.
Use MAC Address as Password—Enable this option if you want each client device to use its MAC address as its password for the RADIUS server. If you enable Use MAC As Password, then the Authorization Password field becomes unavailable.
Authorization Password—If you are not using MAC addresses as passwords for the RADIUS server, provide a common password here.
MAC Address Format—Select None, Hyphens, Colons, One-Hyphen, or Raw to determine the MAC address format used with the RADIUS server. For descriptions and examples of these formats, see Creating and Managing RADIUS Profiles.
Authentication Protocol—Select PAP, CHAP, MSCHAP-V2, or None to determine the authentication protocol used with the RADIUS server. These protocols differ as follows:
PAP (Password Authentication Protocol) sends the password itself. Almost every RADIUS server supports it, and it is the only choice when the server must see the plaintext password (for example, to bind to a directory). However, the password travels in clear text on the client link, and in the RADIUS Access-Request it is only obfuscated with the shared secret, so anyone who holds or guesses the secret can recover it. Use PAP only when the server does not support a stronger protocol.
CHAP (Challenge Handshake Authentication Protocol) authenticates a user or host by a hash computed over a server-chosen challenge; the password itself is never sent over the network. The incrementally changing identifier and variable challenge value protect against replay by the peer. CHAP requires both the client and the server to know the plaintext password, so it cannot be used against a directory that stores only password hashes. CHAP provides better security than PAP.
MSCHAP-V2 is Microsoft's version 2 of CHAP. It adds mutual authentication and password-change support, which gives users the option of changing a password that has expired, been reset, or been configured to change at the next login. The server needs only the NT hash of the password, not the plaintext. MSCHAP-V2 is commonly used with RADIUS for WPA-Enterprise Wi-Fi, normally as the inner method of a TLS tunnel such as PEAP; on its own the exchange can be cracked offline, so do not rely on it without that tunnel.
- Click OK.
The Create RADIUS Server window closes and the RADIUS server is automatically added to the list of authentication servers assigned to this Access profile.
- Optionally, if you have more than one RADIUS server listed, use the arrows to reorder the list priority so that the most preferred RADIUS server is listed first.
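The protocol descriptions above are easier to compare when the actual computations are side by side. The following Python is an added example, not code from Network Director or Juniper: it implements the User-Password hiding that a PAP Access-Request uses (RFC 2865 section 5.2) and the CHAP challenge response (RFC 1994), then shows why the first is recoverable by anyone holding the shared secret while the second never transmits the password. The secret, password, authenticator and challenge are constructed for the demonstration. MSCHAP-V2 is omitted because its NT-hash and DES computation is considerably longer.

```python
"""RADIUS PAP password hiding (RFC 2865 s5.2) and CHAP (RFC 1994) side by side."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def radius_hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Value of the User-Password attribute carried by a PAP Access-Request.

    The password is NUL-padded to a multiple of 16 bytes and XORed block by block
    with MD5(shared_secret + previous_block), seeded with the 16-byte Request
    Authenticator.  This is obfuscation keyed only by the shared secret.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # chaining: the next keystream block depends on this ciphertext block
    return bytes(hidden)


def radius_unhide_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password from a captured Access-Request.  Anyone with the shared
    secret can do this, which is why PAP over RADIUS still counts as clear text."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")  # removes the padding (and any trailing NULs in the password)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response = MD5(Identifier || password || challenge).  The password never
    crosses the wire, but the verifier must hold it in plaintext to recompute this."""
    return hashlib.md5(bytes([ident & 0xFF]) + password + challenge).digest()


def chap_verify(ident: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute with the stored plaintext password, compare in constant time."""
    return hmac.compare_digest(chap_response(ident, stored_password, challenge), response)


def demo() -> dict:
    """Walk both exchanges with constructed values (not a real capture)."""
    shared_secret = b"constructed-shared-secret"  # constructed for the demo
    password = b"Pa55w0rd!"                       # constructed for the demo
    authenticator = secrets.token_bytes(16)       # the NAS sends this in the request

    hidden = radius_hide_password(password, shared_secret, authenticator)
    recovered = radius_unhide_password(hidden, shared_secret, authenticator)
    wrong_secret = radius_unhide_password(hidden, b"guess", authenticator)

    challenge = secrets.token_bytes(16)
    ident = 7
    response = chap_response(ident, password, challenge)
    return {
        "pap_hidden_len": len(hidden),
        "pap_recovered_ok": recovered == password,
        "pap_wrong_secret_ok": wrong_secret == password,
        "chap_ok": chap_verify(ident, password, challenge, response),
        # a captured response replayed against a fresh challenge must fail
        "chap_replay_ok": chap_verify(ident, password, secrets.token_bytes(16), response),
    }
```

Running demo() gives pap_recovered_ok true and pap_wrong_secret_ok false: the User-Password field is not a hash but a keystream XOR keyed by the shared secret, which is why the secret's strength matters even for PAP. chap_replay_ok false shows that a captured CHAP response is useless against a new challenge, at the cost of the server having to store the plaintext password.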
Task: Add a previously configured RADIUS server for authentication
To add a previously configured RADIUS server to this Access profile:
Tip: RADIUS servers are created by following the steps in Creating and Managing RADIUS Profiles.
- Click Add > Select RADIUS.
The Select RADIUS Server window opens.
- Select a RADIUS server from the available column—any RADIUS server that you created by using Add > Create RADIUS is listed here.
- Click the right arrow to move the highlighted RADIUS server from the Available column to the Selected column.
- Click OK.
The Select RADIUS Server window closes and the RADIUS server is added to the list of authentication servers to be used with this Access profile.
Task: Configure a new LDAP server for this Access profile
To both create and add an LDAP server to this Access profile:
- Click Add > Create LDAP.
The Create LDAP Server window opens.
- Complete these fields for an LDAP server:
Server Name—Type the name of the LDAP server that you want to create.
Server Address—Type the IP address of the LDAP server.
Server Port—The default LDAP authentication port is 389. You can change the port number by using the up and down arrows.
- Optionally, expand the Advanced Settings section and change any of the following advanced LDAP server settings:
FQ Domain Name—The fully qualified domain name. An FQDN gives the exact location of a name in the DNS hierarchy, including every domain level up to the top-level domain and the root zone, so it can be interpreted only one way.
Dead Time—When a server does not respond, it is removed from the list of authentication servers for this Access profile for this number of seconds before it is tried again. The default dead time is 5 seconds. You can change this value by using the up and down arrows.
Timeout—Adjust the number of seconds (default is 5) that the controller waits for a response before giving an unreachable LDAP server error. You can change this value by using the up and down arrows to 1 through 90 seconds.
Bind Mode—When an LDAP session is created (the LDAP client connects to the server), the authentication state of the session is anonymous. A bind establishes the authentication state for the session and sets the LDAP protocol version. The default is Simple bind; you can change this to SASL-MD5. With Simple bind, the user's credentials are sent to the LDAP directory service in clear text, so on the plain default port (389) anyone on the path between controller and directory can read them. SASL-MD5 avoids sending the password itself, but requires the directory to hold the password in a form from which it can recompute the digest.
MAC Address Format—The default address format is None, which means that the MAC address is stated as a single string (for example, 12ae53ef5676) with no grouping of the digits. You can change this setting to Hyphens (for example, 12-ae-53-ef-56-76), Colons (for example, 12:ae:53:ef:56:76), One-Hyphen, or Raw.
Base Domain—The top level of the LDAP directory tree is the base, referred to as the base DN. Enter the base DN, for example DC=eng,DC=juniper,DC=com. This string indicates where users and groups are loaded from.
Domain Prefix—AD or NT domains use the NetBIOS name. Default is cn.
Use MAC as Password—Select this option to use the MAC address of each device as its password for authentication purposes.
Authorization Password—If MAC addresses are not used as passwords, provide a common password to be used for authentication purposes.
- Click OK.
The Create LDAP Server window closes and the LDAP server is automatically added to the list of authentication servers assigned to this Access profile.
- Optionally, if you have more than one server listed, use the arrows to reorder the list priority so that the most preferred server is listed first.
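The MAC Address Format, Use MAC Address as Password and Authorization Password fields (in the RADIUS task above and in the LDAP task just described) decide the exact strings the controller presents for MAC authentication, and a mismatch with the entries stored on the server fails silently as a plain reject. The following Python is an added example, not Network Director or Juniper code: it normalizes the common MAC notations and builds the username/password pair for the three formats this page defines (None, Hyphens, Colons; One-Hyphen and Raw are not described here and are deliberately left out). Two assumptions, also marked in comments, are that the username is the MAC in the selected format and that the digits are lowercase as in the page's examples.

```python
"""Build the MAC-authentication credentials a controller presents to RADIUS or LDAP."""
from __future__ import annotations

import re

# Formats defined on this page; One-Hyphen and Raw are not described here and are omitted.
_SEPARATORS = re.compile(r"[:\-.]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(text: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff and
    return 12 lowercase hex digits.  Anything else is rejected instead of being sent on."""
    digits = _SEPARATORS.sub("", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def is_valid_mac(text: str) -> bool:
    try:
        canonical_mac(text)
        return True
    except ValueError:
        return False


def format_mac(text: str, mac_format: str) -> str:
    """Render a MAC in the selected MAC Address Format (lowercase: assumption from the page's examples)."""
    digits = canonical_mac(text)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    if mac_format == "None":
        return digits              # 12ae53ef5676
    if mac_format == "Hyphens":
        return "-".join(pairs)     # 12-ae-53-ef-56-76
    if mac_format == "Colons":
        return ":".join(pairs)     # 12:ae:53:ef:56:76
    raise ValueError(f"MAC Address Format not covered by this example: {mac_format!r}")


def mac_auth_credentials(mac: str, mac_format: str, use_mac_as_password: bool,
                         authorization_password: str | None = None) -> tuple[str, str]:
    """(username, password) for MAC authentication.
    Assumption: the username is the MAC in the selected format (the page does not say)."""
    username = format_mac(mac, mac_format)
    if use_mac_as_password:
        # The 'password' is the client's own MAC: visible on air and trivially spoofed,
        # so this proves only which MAC was presented, never who holds the device.
        return username, username
    if not authorization_password:
        raise ValueError("Authorization Password is required when Use MAC Address as Password is off")
    return username, authorization_password
```

Besides catching malformed input before it reaches the server, the function makes the security property explicit: when Use MAC Address as Password is on, the password is something any nearby radio can observe, so MAC authentication identifies a device at best and should be paired with VLAN or ACL restrictions rather than treated as proof of identity.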
Task: Add a previously configured LDAP server for authentication
To add a previously configured LDAP server to this Access profile:
- Click Add > Select LDAP.
- Select an LDAP server from the Available column—any LDAP server that you created using Add > Create LDAP is listed here in addition to any created with Creating and Managing LDAP Profiles.
- Click the right arrow to move the highlighted LDAP server from the Available column to the Selected column.
- Click OK.
The LDAP server is added to the list of authentication servers to be used with this Access profile.
Task: Delete any server
To delete a server from this Access profile:
- Select a server from the list.
- Click Delete.
The server is removed from the list of authentication servers to be used with this Access profile.
Note Use the UP and DOWN arrows to reorder the servers. Authentication is first attempted with the server listed first. If that attempt fails (typically because the server does not respond within the configured Timeout and Retry Count), the next server on the list is tried.
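How list order, Retry Count, Timeout and Dead Time combine is easiest to see by simulating a server group. The following Python is an added example, not Network Director or controller code. It assumes (as the comments mark) that Retry Count is the number of attempts made to one server before it is declared dead, that a dead server is skipped for Dead Time seconds, and that an explicit reject is a final answer rather than a reason to try the next server. The server behaviors are constructed stand-ins, not network calls.

```python
"""Simulated RADIUS server-group failover driven by Retry Count, Timeout and Dead Time."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

Reply = Optional[str]   # "accept", "reject", or None when the server does not answer


@dataclass
class RadiusServer:
    name: str
    reply: Callable[[], Reply]   # constructed stand-in for the network; real code would send UDP
    dead_until: float = 0.0      # simulated-clock time until which this server is skipped


@dataclass
class ServerGroup:
    servers: list            # priority order: the first entry is tried first
    retry_count: int = 3     # assumption: attempts per server before it is declared dead
    timeout: float = 5.0     # seconds waited for each attempt
    dead_time: float = 5.0   # seconds a dead server is skipped before being probed again

    def authenticate(self, now: float) -> tuple[str, float, list]:
        """Return (outcome, seconds spent waiting, trace of what happened)."""
        elapsed = 0.0
        trace: list = []
        for srv in self.servers:
            if srv.dead_until > now + elapsed:
                trace.append(f"{srv.name}: skipped, dead until t={srv.dead_until:g}")
                continue
            for attempt in range(1, self.retry_count + 1):
                reply = srv.reply()
                if reply is not None:
                    # Assumption: a reject is a real answer, so there is no failover on reject.
                    trace.append(f"{srv.name}: {reply} on attempt {attempt}")
                    return reply, elapsed, trace
                elapsed += self.timeout
                trace.append(f"{srv.name}: attempt {attempt} timed out after {self.timeout:g}s")
            srv.dead_until = now + elapsed + self.dead_time
            trace.append(f"{srv.name}: marked dead until t={srv.dead_until:g}")
        return "unreachable", elapsed, trace

    def worst_case_seconds(self) -> float:
        """Longest a client can wait when every server is up but silent."""
        return len(self.servers) * self.retry_count * self.timeout


def demo() -> dict:
    # radius-1 never answers (for example, the controller's IP is not a known client, or a firewall drops UDP/1812)
    primary = RadiusServer("radius-1", lambda: None)
    backup = RadiusServer("radius-2", lambda: "accept")
    group = ServerGroup([primary, backup])
    first = group.authenticate(now=0.0)    # spends 3 x 5 s on radius-1, then radius-2 accepts
    second = group.authenticate(now=10.0)  # radius-1 still dead: answered at once by radius-2
    third = group.authenticate(now=30.0)   # dead time has expired: radius-1 is probed again
    rejecting = ServerGroup([RadiusServer("radius-3", lambda: "reject"), backup])
    return {
        "first": first[:2],
        "second": second[:2],
        "third": third[:2],
        "reject_is_final": rejecting.authenticate(now=0.0)[:2],
        "worst_case": group.worst_case_seconds(),
    }
```

With the defaults, a client whose first server is silent waits 3 x 5 = 15 seconds before the backup answers, and a two-server group spends 30 seconds before giving up entirely; 802.1X supplicants often abandon the attempt sooner than that, so on a fast LAN a lower Timeout or Retry Count can matter more than adding servers. Dead Time is what keeps every later login from paying the 15 seconds again while the primary stays down.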
Proceed to the review for wireless Access profiles by either clicking Review or by clicking Next. For directions for this section, see Reviewing and Modifying the Access Profile Settings.
Specifying Basic Settings for a Campus Switching ELS Access Profile
To configure the basic settings for a Campus Switching ELS Access profile:
- Complete the basic settings and authentication order on the Create Access Profile for Campus Switching ELS page, as described in both the online help and in Table 6. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.
Table 6: Access Profile Basic Settings for Campus Switching ELS
Field | Action |
---|---|
Access Profile Details | |
Profile Name | Type a unique name that identifies the profile. You can use up to 32 characters. Profile names must not contain special characters or spaces. Note that profiles that are automatically created by Network Director as part of device discovery or out-of-band changes might contain the underscore (_) character. |
Description | Type the description of the profile. |
Authentication Order | Server settings depend on which authentication is done first, RADIUS or LDAP. Indicate whether to authenticate first with the configured RADIUS servers or with the configured LDAP servers by selecting the method from Based On. By default, RADIUS authentication using no password is selected for initial authentication; select Password to use RADIUS authentication with a password. Select LDAP to authenticate first with the configured LDAP servers. Tip: LDAP is not supported for Data Center or EX Switching devices. |
Proceed to the Server Settings for Campus Switching ELS Access profiles by clicking either Server Settings or Next. The settings are described in Specifying RADIUS and LDAP Settings for Campus Switching ELS.
Specifying RADIUS and LDAP Settings for Campus Switching ELS
Configure either a RADIUS server, an LDAP server, or both, on the Server Settings page. A RADIUS server can provide both user accounting services and user authentication but you must be using the RADIUS server for authentication in order to use it for accounting. An LDAP server provides only user authentication. The server settings in this section determine the options used for the access servers in this Access profile.
Configure the Server settings for a Campus Switching ELS Access profile by following the directions in Table 7.
Table 7: Authentication and Accounting Server Settings for ELS Campus Switching
Task | Action |
---|---|
AAA: Authentication Server | RADIUS servers are selected for configuration by default. RADIUS servers can do both authentication and accounting. |
View configured servers in this profile | Select a server entry from the list and then click View to see the details of that entry. |
Create and add a new RADIUS server for authentication | The RADIUS tab is selected by default for AAA Authentication Server configuration. To configure a RADIUS authentication server and add it to this Access profile: |
Add a previously configured RADIUS server for authentication | The RADIUS tab is selected by default for server configuration, and configured RADIUS servers are listed on this Server Settings page. To add a previously configured RADIUS server to this Access profile: |
Add a previously configured RADIUS server for accounting | A RADIUS server can provide both authentication and accounting. Tip: To provide accounting, the server must also be configured for authentication. To configure accounting settings for a RADIUS server: |
Create and add a new RADIUS server for both authentication and accounting | RADIUS is the only server type available for accounting. To configure a RADIUS server for both authentication and accounting and add it to this Access profile: |
Create and add a new LDAP authentication server | Tip: LDAP servers can be configured for wireless and for Campus Switching ELS; LDAP is not supported for Data Center or EX Switching devices. To configure a new LDAP authentication server and add it to this Access profile: |
Add a previously configured LDAP server for authentication | To add a previously configured LDAP authentication server to this Access profile: |
Delete a server | To delete any server from this Access profile: |
Proceed to the review for Campus Switching ELS Access profiles by clicking either Review or Next. For directions for this section, see Reviewing and Modifying the Access Profile Settings.
Reviewing and Modifying the Access Profile Settings
From this page, you can save an Access profile or make changes to it:
To make changes to the profile, click Edit associated with the configuration to be changed.
Alternatively, you can click the appropriate sections in the profile workflow at the top of the page that corresponds to the configuration to be changed.
When you are finished with your modifications, click Review to return to this page.
To save a new profile or to save modified settings to an existing profile, click Finish.
You will be returned to the Manage Access Profiles page. Your new or modified Access profile is listed in the table of Access profiles.
What To Do Next
After you create an Access profile, you can do one of the following:
For wireless devices, link the Access profile to an Authentication profile that is created for the same device family. For more information see Creating and Managing Authentication Profiles.
For switching devices, specify the Access profile as an attribute when assigning Port profiles to interfaces. For more information, see Creating and Managing Port Profiles.
Assigned settings from any profile, including this one, have lower priority than settings made directly to a controller or an access point. For more information, see Adding and Managing an Individual Access Point and Configuring a Controller .