Access Profile Overview
Access profiles enable access configuration on the network, which consists of authentication configuration and accounting configuration. Security Director supports Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), and the local authentication service as authentication methods. Authentication prevents unauthorized devices and users from gaining access to your network. Accounting servers collect and send information used for billing, auditing, and reporting.
SRX Series devices use the LDAP service to get user and group information necessary to implement the integrated user firewall feature. The SRX Series device acts as an LDAP client communicating with an LDAP server. In a common implementation scenario, the domain controller acts as the LDAP server. The LDAP module in the SRX Series device, by default, queries the Active Directory in the domain controller.
The SRX Series device downloads user and group lists from the LDAP server. The device also queries the LDAP server for user and group updates. The SRX Series device downloads a first-level, user-to-group mapping relationship and then calculates a full user-to-group mapping.
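The expansion step described above, in which first-level membership data is turned into a full user-to-group mapping, is shown here as an added example. This is illustration code written for this page, not Juniper's implementation; the directory entries, DNs and group names are constructed sample data for a hypothetical example.local domain, and the cycle between the Staff and AllUsers groups is deliberate so the walk demonstrates cycle handling.

```python
"""Compute full (transitive) user-to-group membership from first-level data.

Added illustration, not Juniper code. The SRX downloads only first-level
memberOf relationships (user -> group, group -> group) from the LDAP server
and expands them itself; this models that expansion, including nested
groups and membership cycles.
"""
from collections import deque

# Constructed sample data: each entry's direct memberOf values only.
# DNs are placeholders for a hypothetical example.local domain.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=local": [
        "CN=Engineering,OU=Groups,DC=example,DC=local"],
    "CN=bob,OU=Users,DC=example,DC=local": [
        "CN=Finance,OU=Groups,DC=example,DC=local"],
    "CN=Engineering,OU=Groups,DC=example,DC=local": [
        "CN=Staff,OU=Groups,DC=example,DC=local"],
    "CN=Finance,OU=Groups,DC=example,DC=local": [
        "CN=Staff,OU=Groups,DC=example,DC=local"],
    "CN=Staff,OU=Groups,DC=example,DC=local": [
        "CN=AllUsers,OU=Groups,DC=example,DC=local"],
    # Deliberate cycle: AllUsers is a member of Staff, and Staff of AllUsers.
    "CN=AllUsers,OU=Groups,DC=example,DC=local": [
        "CN=Staff,OU=Groups,DC=example,DC=local"],
}


def effective_groups(user_dn, member_of):
    """Return every group `user_dn` belongs to, directly or through nesting.

    Breadth-first walk over memberOf edges. The `seen` set both collects the
    answer and terminates the walk when group nesting contains a cycle.
    """
    seen = set()
    queue = deque(member_of.get(user_dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, []))
    return seen


def full_user_group_mapping(member_of, user_dns):
    """Build the expanded mapping for every user the firewall knows about."""
    return {dn: effective_groups(dn, member_of) for dn in user_dns}


def matches_policy(user_dn, policy_group_dn, member_of):
    """True if a policy written for `policy_group_dn` applies to `user_dn`,
    even when the membership is only inherited through nested groups."""
    return policy_group_dn in effective_groups(user_dn, member_of)


if __name__ == "__main__":
    users = [dn for dn in DIRECTORY if ",OU=Users," in dn]
    for user, groups in full_user_group_mapping(DIRECTORY, users).items():
        print(user, "->", sorted(groups))
```

The point for policy work is the last function: a rule that references Staff must match alice even though her only direct membership is Engineering, and the walk must still finish when the directory contains a membership loop.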
By default, the LDAP authentication method uses simple authentication. The client’s username and password are sent to the LDAP server in plaintext. Keep in mind that the password travels in the clear and can be read by anyone able to capture traffic on the network.
To avoid exposing the password, you can use simple authentication within an encrypted channel, namely Secure Sockets Layer (SSL), as long as the LDAP server supports LDAP over SSL. After enabling SSL, the data sent from the LDAP server to the SRX Series device is encrypted.
The LDAP server’s username, password, IP address, and port are all optional, but they can be configured.
If the username and password are not configured, the system uses the configured domain controller’s username and password.
If the LDAP server’s IP address is not configured, the system uses the address of one of the configured Active Directory domain controllers.
If the port is not configured, the system uses port 389 for plaintext LDAP or port 636 for LDAP over SSL.
RADIUS is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for computers that connect to and use a network service. By default, RADIUS servers are used for both accounting and authentication. From Security Director, you can create and manage RADIUS profiles that configure RADIUS server settings.
With local authentication, you can configure a password for each user allowed to log in to the controller or switch.