Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Creating Access Profiles

    Use the Access Profile page to configure LDAP server.

    To configure LDAP server:

    1. Select Configure > User Firewall Management > Access Profile.
    2. Click the + icon.
    3. Complete the configuration by using the guidelines in Table 1.
    4. Click Finish.

      A Summary page providing a preview of the complete configuration is shown.

    5. Click OK to complete the configuration or Back to make any modifications.

    Table 1: LDAP Server Configuration Parameters



    General Setting

    Access Profile Name

    Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. Maximum length is 255 characters.


    Enter a description for the access profile; maximum length is 255 characters.

    Authentication Order

    Order 1

    Configure the order in which the different user authentication methods are tried when a user attempts to log in. For each login attempt, the method for authentication starts with the first one, until the password matches.

    The method can be one or more of the following:

    • NONE—No authentication for the specified user.
    • LDAP—Use LDP. The SRX Series device uses this protocol to get user and group information necessary to implement the integrated user firewall feature.
    • Password—Use a locally configured password in the access profile.

      You can set the password to none or configure for the following authentication orders:

      • LDAP
      • Radius servers
      • Secure ID
    • Radius—Use RADIUS authentication services.

      If RADIUS servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

    • Secure ID—Configure the RSA SecurID authentication.

      Users can enter either static or dynamic passwords as their credentials. A dynamic password is a combination of a user’s PIN and a randomly generated token that is valid for a short period of time, approximately one minute. A static password is configured for the user on the SecurID server. For example, the SecurID server administrator might set a temporary static password for a user who lost his or her SecurID token.

    Order 2

    Configure the next authentication method if the authentication method included in the authentication order option is not available, or if the authentication is available but returns a reject response.

    Add LDAP Server


    Enter the IPv4 or hostname of the LDAP authentication server.


    Configure the port number on which to contact the LDAP server. The range is 1 through 65,535.


    Specify the number of retries that a device can attempt to contact an LDAP server. The range is 1 through 10.

    Routing Instance

    Configure the routing instance used to send LDAP packets to the LDAP server. A routing instance is a collection of routing tables, the interfaces contained in the routing tables, and the routing protocol parameters that control the information in the routing tables.

    Source Address

    Configure a source address for each configured LDAP server. Each LDAP request sent to an LDAP server uses the specified source address.


    Configure the amount of time that the local device waits to receive a response from an LDAP server. The range is 3 to 90 seconds.

    LDAP Options


    Specify that a user’s LDAP distinguished name is assembled through the use of a common name identifier, the username, and base distinguished name.

    Common Name

    Enter a common name identifier used as a prefix for the username during the assembly of the user's distinguished name. For example, uid specifies “ user id,” and cn specifies “common name.”

    Base Distinguished Name

    Specify the base distinguished name, which can be used in one of the following ways:

    • If you use the Assemble option to assemble the user's distinguished name and the base distinguished name is appended to a username to generate the user's distinguished name. The resulting distinguished name is used in the LDAP bind call.
    • If you are using the search filter to search for the user's distinguished name. The search is restricted to the subtree of the base distinguished name.

    The base distinguished name is a series of basic properties that define the user. For example, in the base distinguished name, o=juniper, c=us, where o for organization, and c stands for country.

    Revert Interval

    Specify the amount of time that elapses before the primary server is contacted if a backup server is being used. The range is 60 through 4,294,967,295 seconds.

    Search Filter

    Specify the name of the filter to find the user's LDAP distinguished name. For example, a filter cn specifies that the search matches a user whose common name is the username.

    Admin Search

    Perform an LDAP administrator search. By default, the search is an anonymous search. To perform an administrator search, you must specify administrator credentials, which are used in the bind as part of performing the search.

    Distinguished Name

    Specify the distinguished name of an administrative user. The distinguished name is used in the bind for performing the LDAP search.

    For example, cn=admin, ou=eng, o=juniper, dc=net.


    Configure the plain-text password for the administrative user. This password is used in the bind for performing the LDAP search.

    Assign Device


    Select these devices from the Available column and move them to the Selected column.

    You can also search for the devices in the search field in both the Available and Selected columns. You can search these devices by entering the device name, device IP address, or device tag.

    Modified: 2017-08-31