Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

ON THIS PAGE

Users

 

User Management Configuration Page Options

  1. Select Configure>System Properties>User Management in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platform.

    Or

    Select Configure>Device Setup>Basic Settings>User Management in the J-Web user interface.

    The User Management configuration page appears.

  2. (Junos OS Release 19.1R1 and later releases) Select Configure>Users>User Management in the J-Web user interface.

    The User Management configuration page appears. Table 118 explains the contents of this page.

  3. Click one:

    • Save—Saves all the user management configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels all your entries and returns to the main configuration page.

Table 118: User Management Configuration Details

Field FunctionAction
User Details

User Details

Provides the users details to the device’s local database. The options available are:

  • Add

  • Edit

  • Delete

  • Search

  • Filter

Select an option:

To add a new user, click Add. Then enter the details specified below and click OK.

  • User name—Enter a unique name for the user. Do not include spaces, colons, or commas in the username.

  • Login ID—Enter a unique ID for the user.

  • Full Name—Enter the user’s full name. If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.

  • Password—Enter a login password for the user. The login password must meet the following criteria:

    • The password must be at least 6 characters long.

    • You can include most character classes in a password (alphabetic, numeric, and special characters), except control characters.

    • The password must contain at least one change of case or character class.

    • Confirm password—Re-enter the login password for the user.

    • Role—Select the user’s access privilege from the following options:

      • super-user

      • operator

      • read-only

      • unauthorized

  • To edit the information of a user, select it and click Edit. Then edit the user details in the Edit User dialog box and click OK.

  • To delete an existing user, select it and click Delete.

Authentication Methods

Authentication Method And Order

Specifies the authentication method the device should use to authenticate users. The options available are:

  • Password

  • RADIUS Servers

  • TACACS+Servers

Enable authentication methods and drag and drop to change the authentication order.

RADIUS Servers

RADIUS Servers

Specifies the details of RADIUS servers.

Click Configure.

To add a new RADIUS server, click +. Then enter the details specified below and click OK.

  • IP Address—Enter the server’s 32–bit IP address.

  • Password—Enter the secret password for the server.

  • Confirm Password—Re-enter the secret password for the server.

  • Server Port—Enter an appropriate port.

  • Source Address—Enter the source IP address of the server.

  • Time out—Specify the amount of time (in seconds) the device should wait for a response from the server.

  • Retry Attempts—Specify the number of times that the server should try to verify the user’s credentials.

  • To delete an existing RADIUS server, select it and click Delete.

TACACS

TACACS Servers

Specifies the details of TACACS servers.

Click Configure.

To add a new TACACS server, click +. Then enter the details specified below and click OK.

  • IP Address—Enter the server’s 32–bit IP address.

  • Password—Enter the secret password for the server.

  • Confirm Password—Re-enter the secret password for the server.

  • Server Port—Enter an appropriate port.

  • Source Address—Enter the source IP address of the server.

  • Time out—Specify the amount of time (in seconds) the device should wait for a response from the server.

  • To delete an existing TACACS server, select it and click Delete.

Password Settings

Note:

  • Starting in Junos OS Release 19.1R1, the User Management configuration supports the password settings range.

  • J-Web interface does not support configuring the number of characters by which the new password should be different from the existing password.

Minimum Reuse

Specifies the minimum number of old passwords which should not be same as the new password.

Starting in Junos OS Release 19.1R1, this Minimum Reuse option is supported.

Click top or bottom arrow to specify the minimum number of old passwords that you want to use. Range: 1-20.

Maximum Lifetime

Specifies the maximum password lifetime.

Starting in Junos OS Release 19.1R1, this Maximum Lifetime option is supported.

Click top or bottom arrow to specify the maximum lifetime of your password in days. Range: 30-365.

Minimum Lifetime

Specifies the minimum password lifetime.

Starting in Junos OS Release 19.1R1, this Minimum Lifetime option is supported.

Click top or bottom arrow to specify the minimum lifetime of your password in days. Range: 1-30.

Access Profiles Configuration Page Options

  1. Select Configure>Access>Access Profiles in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Authentication>Access Profiles in the J-Web user interface.

    The Access Profiles configuration page appears.

  2. (Junos OS Release 19.1R1 and later releases) Select Configure>Users>Access Profile in the J-Web user interface.

    The Access Profiles configuration page appears.

  3. Click one:

    • Add or +—Adds a new or duplicate access profile configuration. Enter information as specified in Table 119.

    • Edit or /—Edits a selected access profile configuration.

    • Delete or X—Deletes the selected access profile configuration.

    • Search Icon—Enables you to search a firewall policy or rule from the grid.

Table 119: Add Access Profile Configuration Details

Field FunctionAction
General Settings

Access Profile Name

Specifies the name of the access profile.

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. Maximum length is 64 characters.

Authentication Order

Order 1

Configures the order in which the user tries different authentication methods during login. For each login attempt, the method for authentication starts with the first one, until the password matches.

Select one or more of the following authentication method:

  • NONE—No authentication for the specified user.

  • LDAP—Use LDP. The SRX Series device uses this protocol to get user and group information necessary to implement the integrated user firewall feature.

  • Password—Use a locally configured password in the access profile.

    You can set the password to none or configure for the following authentication orders:

    • LDAP

    • Radius servers

    • Secure ID

  • Radius—Use RADIUS authentication services.

    If RADIUS servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

  • Secure ID—Configure the RSA SecurID authentication.

    Users can enter either static or dynamic passwords as their credentials. A dynamic password is a combination of a user’s PIN and a randomly generated token that is valid for a short period of time, approximately one minute. A static password is configured for the user on the SecurID server. For example, the SecurID server administrator might set a temporary static password for a user who has lost SecurID token.

Order 2

Configures the next authentication method if the authentication method included in the authentication order option is not available, or if the authentication is available but returns a reject response.

Select the authentication method from the list and click Next.

Password

Address Assignment

Specifies the address pool used by the access profile.

Select an address pool from the list.

Click + to create the password using the address pool and enter the following details:

  • User Name—Enter the user name.

  • Password—Enter the password.

  • XAUTH IP Address—Enter the IPv4 address of the external authentication server to verify the authentication user account.

  • Groups—Enter the group name to store several user accounts together on the external authentication servers.

LDAP

LDAP

Configures the LDAP server for authentication.

Click + to add LDAP server, enter the following details, and click OK:

  • Address—Enter the IPv4 address or hostname of the LDAP authentication server.

  • Port—Configure the port number on which to contact the LDAP server.

    Range is 1-65535.

  • Retry—Specify the number of retries that a device can attempt to contact an LDAP server.

    Range is 1-10 seconds.

  • Routing Instance—Configure the routing instance used to send LDAP packets to the LDAP server.

  • Source Address—Configure a source IP address for each configured LDAP server.

  • Timeout—Configure the amount of time that the local device waits to receive a response from an LDAP server.

    Range is 3-90.

LDAP Options

Base Distinguished Name

Specifies the base distinguished name that defines the user.

Enter thebase distinguished name.

Revert Interval

Specifies the amount of time that elapses before the primary server is contacted if a backup server is being used.

Use top/bottom arrows to provide the revert interval.

Range is 60-4294967295.

Additional Details

Assemble

Specifies that a user’s LDAP distinguished name (DN) is assembled through the use of a common name identifier, the username, and base distinguished name.

Enable the assemble option.

Common Name

Specifies the common name identifier used as a prefix for the username during the assembly of the users distinguished name.

Enter a common name identifier.

Search

Specifies that a user’s LDAP distinguished name is assembled through the use of a common name identifier, a username, and a base distinguished name.

Enable the search option.

Firewall Authentication Configuration Page Options

  1. Select Configure>Access>FW Authentication in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Authentication>FW Authentication in the J-Web user interface.

    The Firewall Authentication configuration page appears. Table 120 explains the contents of this page.

  2. (Junos OS Release 19.1R1 and later releases) Select Configure>Users>FW Authentication in the J-Web user interface.

    The Firewall Authentication configuration page appears. Table 120 explains the contents of this page.

  3. Click one:

    • OK/Save—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Reset—Resets your entries and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 120: Add Firewall Authentication Configuration Details

Field FunctionAction
Pass-through Settings

Default Profile

Specifies the profile that the policies use to authenticate users. The options available are:

  • None

  • stu-access-profile

  • juniper-access-profile

Select an option.

HTTP Banner

Login

Displays the login prompt for users logging in using HTTP.

Failed

Displays failed login prompt for users logging in using HTTP.

Success

Displays a successful login prompt for users logging in using HTTP.

FTP Banners

Login

Displays the login prompt for users logging in using FTP.

Failed

Displays failed login prompt for users logging in using FTP.

Success

Displays a successful login prompt for users logging in using FTP.

Telnet Banners

Login

Displays the login prompt for users logging in using telnet.

Failed

Displays failed login prompt for users logging in using telnet.

Success

Displays a successful login prompt for users logging in using telnet.

Web-auth-settings

Default Profile

Specifies the profile that the policies use to authenticate users. The options available are:

  • None

  • stu-access-profile

  • juniper-access-profile

Select an option.

Banner Success

Displays a successful login prompt for users logging in using Web authentication banner.

Web-auth logo upload

Logo image

Indicates an image to be chosen for the Web authentication logo.

Note: For the good logo image, the image format must be in .gif and the resolution must be 172x65.

Browse

Navigates to the available logo image on the user's local disk.

Navigate to the logo image.

Upload File

Uploads the image.

Click the button to upload the image.

Restore Juniper logo

Restores the default Juniper Networks logo.

Click the button to restore the Juniper Networks logo.

UAC Settings Configuration Page Options

  1. Select Configure>Authentication>UAC Settings in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Authentication>UAC Settings in the J-Web user interface.

    The UAC Settings configuration page appears.

  2. (Junos OS Release 19.1R1 and later releases) Select Configure>Users>UAC Settings in the J-Web user interface.

    The UAC Settings configuration page appears. Table 121 explains the contents of this page.

  3. Click one:

    • Add or +—Adds a new Infranet Controller. Enter information as specified in Table 121.

    • Edit or /—Edits the selected Infranet Controller configuration.

    • Delete or X—Deletes the selected Infranet Controller configuration.

  4. Click one:

    • OK/Save—Saves the configuration and returns to the main configuration page.

    • Actions>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 121: Infranet Controller Configuration Details

Field FunctionAction
Global Settings

Certificate Verification

Determines whether server certificate verification is required when initiating a connection between a device and an Access Control Service in a UAC configuration.

Select the following options from the list:

  • None—Certificate verification is not required.

  • Optional—Certificate verification is not required. If the CA certificate is not specified in the ca-profile option, the commit check passes and no warning is issued.

  • Required—Certificate verification is required. If the CA certificate is not specified in the ca-profile option, an error message is displayed, and the commit check fails. Use this option to ensure strict security.

  • Warning—Certificate verification is not required. A warning message is displayed during commit check if the CA certificate is not specified in the ca-profile option.

Interval

Specifies the value in seconds that the device should expect to receive a heartbeat signal from the IC Series device.

Enter the heartbeat interval in seconds. Range: 1 through 9999.

Test Only Mode

Allows all traffic and log enforcement result.

Enable the Test Only Mode option.

Timeout

Specifies (in seconds) that the device should wait to get a heartbeat response from an IC Series UAC Appliance.

Enter the timeout in seconds. Range: 2 through 10000.

Timeout Action

Specifies the action to be performed when a timeout occurs and the device cannot connect to an Infranet Enforcer.

Select the timeout action.

Infranet Controller

Name

Specifies the name of the Infranet Controller.

Enter a name for the Infranet Controller.

IP address

Specifies an IP address for the Infranet Controller.

Enter an IP address for the Infranet Controller.

Interface

Specifies the interface used for the Infranet Controller.

Select an interface.

Password

Specifies the password to use for the Infranet Controller.

Enter the password.

CA Profiles

Specifies the preferred CA to use for the Infranet Controller. If no value is specified, then no certificate request is sent (although incoming certificates are still accepted).

Select a CA from the list in the CA Profiles column and then click the right arrow to move them to the Selected column.

Note: To deselect a CA, select the CA in the Selected column and then click the left arrow to move them to the CA Profiles column.

Port

Specifies the port number to be associated with this Infranet Controller for data traffic.

Enter a value from 1 through 65,535.

Server Certificate Subject

Specifies the subject name of the Infranet Controller certificate to match.

Enter the server certificate subject name.

Captive Portal

Captive Portal

Specifies the preconfigured security policy for captive portal on the Junos OS Enforcer.

Click + to add a captive portal.

Name

Specifies the name of the captive portal.

Enter a name for the captive portal.

Redirect Traffic

Specifies a traffic type to be redirected.

Select a traffic type.

Redirect URL

Specifies a URL to which the traffic should be redirected.

Enter the URL to which the captive portal should be directed.

Release History Table
Release
Description
19.1R1
Starting in Junos OS Release 19.1R1, the User Management configuration supports the password settings range.
19.1R1
Starting in Junos OS Release 19.1R1, this Minimum Reuse option is supported.
19.1R1
Starting in Junos OS Release 19.1R1, this Maximum Lifetime option is supported.
19.1R1
Starting in Junos OS Release 19.1R1, this Minimum Lifetime option is supported.