Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Modifying the User Management Configuration for Security Devices

 

You can use the User Management section on the Modify Configuration page to modify the user details, authentication methods, password settings, access profile, and so on.

Note

Refer to the Junos OS documentation (available at https://www.juniper.net/documentation/en_US/release-independent/junos/information-products/pathway-pages/junos/product/) for a particular release and device. There you can find detailed information on the configuration parameters for that device.

To modify the basic configuration:

  1. Select Devices > Security Devices.

    The Security Devices page appears.

  2. Select the devices to modify configuration.
  3. From the More or right-click menu, select Configuration > Modify Configuration.

    The Modify Configuration page appears with the Basic Setup section selected by default.

  4. Click User Management in the left-navigation menu.

    The User Management section on the Modify Configuration page is displayed.

  5. Modify the configuration according to the guidelines provided in Table 1.
  6. After modifying the configuration, you can cancel the changes, save the changes, preview the changes, or save the changes and deploy the configuration on the device. See Modifying the Configuration of Security Devices.

Table 1: User Management

Setting

Guideline

User Details

Provides the users details to the device’s local database. Existing users are displayed in a table with their username, full name, login type, and user type.

To add a user:

  1. Click + icon.

    The Add User page is displayed.

  2. Enter the details as follows:
    • User Type—

      • Select Root to add the user to the root device.

      • Select LSYS to add the user to the logical systems device.

      • Select TSYS to add the user to the tenant systems device.

    • LSYS/TSYS—Select a logical system/tenant system device to which the user will have access.

      Note: This field is displayed only if you have selected user type as LSYS/TSYS.

    • Username—Enter the username of the user (up to 64 characters) on the device. Do not include spaces, colons, or commas in the username.

    • User ID—Enter a user ID, which is a numeric identifier that is associated with the username.

      If you do not assign a user ID to a username, the system automatically assigns one when the configuration is pushed to the device.

      Range: 100 through 64,000

    • Full Name—Enter the full name of the user on the device; all alphanumeric characters are allowed except colon (:).

    • Password—Enter a password that is a minimum of six characters long and that must contain at least one uppercase letter, one lowercase letter, one number, and one special character.

    • Confirm password—Re-enter the login password for the user.

    • Login Type—Select the login type of the user, which defines the access privileges for a user. The following login types are available:

      • Super-user—All permissions

      • Operator—Clear, network, reset, trace, and view permissions

      • Read-only—View permissions

      • Unauthorized—No permissions

  3. Click OK.

    If the fields entered are valid, a user is created and a confirmation message is displayed at the top of the Modify Configuration page.

To edit the information of a user, select it and click pencil icon. Then edit the user details in the Edit User dialog box and click OK.

To delete an existing user, select it and click delete icon.

Authentication Methods

Specifies the authentication method the device should use to authenticate users.

To add the authentication order:

  1. Click the + icon.

    The Add Authentication Order page is displayed.

  2. Select the authentication order.
  3. Click OK.

RADIUS Servers

Select the checkbox to specify the details of RADIUS servers.

To configure RADIUS Servers:

  1. Click the + icon.

    The Add RADIUS server page is displayed.

  2. Enter the following details:
    • IP Address—Enter the 32–bit IP address of the server.

    • Password—Enter the password for the server.

    • Confirm Password—Re-enter the password for the server

    • Server Port—Enter an appropriate port.

    • Source IP Address—Enter the source IP address of the server.

    • Retry Attempts—Specify the number of times that the server should try to verify the user’s credentials.

  3. Click OK.

Select a radius server and click pencil icon to edit the radius server. Click delete to delete the radius server.

TACACS+ Servers

Select the checkbox to provide the details of TACACS+ server.

To configure a TACACS+ server:

  1. Click the + icon.

    The Add TACACS+ server page is displayed.

  2. Enter the following details:
    • IP Address—Enter the 32–bit IP address of the server.

    • Password—Enter the password for the server.

    • Confirm Password—Re-enter the secret password for the server.

    • Server Port—Enter an appropriate port.

      The port range is from 1 through 65535. The default value is 1812.

    • Source IP Address—Enter the source IP address of the server.

    • Timeout—Specify the amount of time (in seconds) the device should wait for a response from the server.

      Timeout period range is from 1 to 90 seconds. The default value is 3 seconds.

  3. Click OK.

Select an IP address and click the pencil icon to edit the server details and click delete to delete the server details.

Password Settings

Minimum Reuse

Select the minimum number of old passwords that must not be same as the new password.

The range is from 1 through 20.

Maximum Length

Select the maximum password length.

The range is from 20 through 128.

Minimum Length

Select the minimum password length.

The range is from 6 through 20.

Access Profile

Create an access profile

You can configure the Lightweight Directory Access Protocol (LDAP) for SRX Series devices.

To create an access profile:

  1. Click the + icon.

    The Add Access Profile page is displayed.

  2. Configure the parameters according to the guidelines in Table 2.
  3. Click OK.

Address pool

To add an address pool:

  1. Click the + icon.

    The Add Address Pool page is displayed.

  2. Enter the IPv4 address pool name.
  3. Click OK.
FW Authentication - Pass Through Settings

Default Profile

Select the profile that the policies can use to authenticate users.

FTP Banners

Login

Enter the login prompt for users logging in using FTP.

Success

Enter a successful login prompt for users logging in using FTP.

Fail

Enter a failed login prompt for users logging in using FTP.

Telnet Banners

Login

Enter the login prompt for users logging in using Telnet.

Success

Enter a successful login prompt for users logging in using Telnet.

Fail

Enter a failed login prompt for users logging in using Telnet.

HTTP Banners

Login

Enter the login prompt for users logging in using HTTP.

Success

Enter a successful login prompt for users logging in using HTTP.

Fail

Enter a failed login prompt for users logging in using HTTP.

FW Authentication - Web Authentication Settings

Default Profile

Select the profile that the policies can use to authenticate users.

Success

Enter a message that will be displayed on a successful login for users logging in using Web authentication.

Table 2: Access Profile

Setting

Description

General Settings

Access Profile Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. Maximum length is 64 characters.

Authentication Order

Order 1

Configure the order in which the user tries different authentication methods during login. For each login attempt, the method for authentication starts with the first one, until the password matches.

Select the following authentication methods:

  • NONE—No authentication for the specified user.

  • LDAP—The SRX Series device uses this protocol to get user and group information necessary to implement the integrated user firewall feature.

  • Password—Use a locally configured password in the access profile.

  • Radius—Use RADIUS authentication services.

    If RADIUS servers fails to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

  • Secure ID—Configure the RSA SecurID authentication.

    Users can enter either static or dynamic passwords as their credentials. A dynamic password is a combination of a user’s PIN and a randomly generated token that is valid for a short period of time (approximately one minute). A static password is configured for the user on the SecurID server. For example, the SecurID server administrator might set a temporary static password for a user who has lost SecurID token.

Order 2

Configure the next authentication method if the authentication method included in the authentication Order 1 is not available, or if the authentication is available but returns a reject response.

Select the authentication method from the list and click Next.

Authentication Type

Entity Requesting Access

To add entity requesting access.

  1. Click the + icon.

    The Add Entity Requesting Access page is displayed.

  2. Enter the following details:
    • User Name—Enter the user name.

    • Password—Enter the password.

    • Confirm Password—Re-enter the password.

    • XAUTH IP Address—Enter the IPv4 address of the external authentication server to verify the authentication user account.

    • Groups—Enter the group name to store several user accounts together on the external authentication servers.

    • Address Assignment—Select the address pool.

  3. Click OK.

You can select the username and edit or delete it.

LDAP Server

Configure the LDAP server for authentication.

To add the LDAP server:

  1. Click the + icon.

    The Add LDAP Server page is displayed.

  2. Enter the following details:
    • Address—Enter the IPv4 address or hostname of the LDAP authentication server.

      • Port—Select the port number on which to contact the LDAP server. Range is from 1 to 65535.

      • Retry—Select the number of retries that a device can attempt to contact an LDAP server. Range is from 1 to 10 seconds.

      • Routing Instance—Enter the routing instance used to send LDAP packets to the LDAP server.

      • Source Address—Enter a source IP address for each configured LDAP server.

      • Timeout—Select the amount of time that the local device waits to receive a response from an LDAP server. The range is from 3 to 90 seconds.

  3. Click OK.
LDAP Options

Base Distinguished Name

Enter the base distinguished name that defines the user.

Revert Interval

Select the amount of time that elapses before the primary server is contacted if a backup server is being used.

The range is from 60 to 4294967295.

Additional Details

Assemble

Select the checkbox to assemble user’s LDAP distinguished name (DN) using a common name identifier, username, and base distinguished name.

Common Name

Enter the common name identifier used as a prefix for the username during the assembly of the users distinguished name.

Search

Select the checkbox to enable the search option.

Search Filter

Enter the name of the filter to find the user’s LDAP distinguished name.

Admin Search

Select the checkbox to perform an LDAP administrator search. By default, the search is an anonymous search.

Distinguished Name

Enter the distinguished name of an administrative user. The distinguished name is used for performing the LDAP search.

Password

Configure the plain-text password for the administrative user.