ON THIS PAGE
LDAP Authentication and Authorization over TLS
Learn about LDAP authentication and authorization over TLS (LDAPS) for Junos OS user login.
LDAP Authentication over TLS
Junos OS User Authentication Overview
Junos OS authenticates users trying to log in either locally or by using a centralized database. Local authentication or authorization is possible for users whose username and password are configured using the Junos OS CLI or RPCs. In Junos OS Release 20.2R1, Junos OS supports LDAP with TLS security (LDAPS) support for user login and ensures secure transmission of data between the LDAPS client and the LDAPS server.
In releases before Junos OS Release 20.2R1, Junos OS supports centralized user authentication and authorization through standard RADIUS and TACACS protocols.
Junos OS supports these methods of user authentication:
Local password authentication
LDAP over TLS (LDAPS)
Benefits of LDAP Authentication over TLS
Encryption and data integrity—LDAPS ensures that user credentials are encrypted, thereby maintaining privacy of communications. The user encrypts the data using the private key and only the intended recipient that possesses the private key can decrypt the signed data using the signer's public key. This ensures data integrity.
Enhanced security—The TLS protocol ensures the data is securely sent and received over the network. TLS uses certificates to authenticate and encrypt the communication that provides advanced security.
Scalability—LDAPS provides greater performance and scalability without loss of reliability. There is no limit to the number of users who can be supported using this feature as users maintain their own certificates, and certificate authentication involves exchange of data between client and server only.
Supported and Unsupported Features
Junos OS supports LDAPS for user authentication and authorization only. Junos OS does not support accounting. over LDAPS.
The LDAPS client is implemented and integrated as part of Junos OS. However, implementation of the LDAPS server on Junos OS is not supported. Instead, this feature is implemented using the OpenLdap 2.4.46 server.
Lightweight Directory Access Protocol (LDAP) is a standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. You can accomplish authentication and authorization using the following rich set of LDAP security functions such as:
Directory content manipulation
Transport Layer Security (TLS) Overview
TLS is an application-level protocol that provides encryption technology for the Internet. It is the most widely used security protocol for applications that require data to be securely exchanged over a network, such as file transfers, VPN connections, instant messaging, and voice over IP (VoIP). TLS relies on certificates and private-public key exchange pairs to secure the transmission of data between the LDAPS client and the LDAPS server. LDAPS uses local certificates that are dynamically acquired from the Junos public key infrastructure (PKI) .
TLS ensures secure transmission of data between a client and a server effectively and ensures privacy of communications, authentication, confidentiality, and data integrity. You can use the TLS protocol for certificate exchange, mutual authentication, and cipher negotiation to secure the stream from potential tampering and ethical hacking.
How LDAPS Authentication Works
To provide secure LDAPS support for Junos OS operator login, user credentials and configurations are stored in either the LDAPS server or the LDAP-supported databases. An LDAPS client on the device running Junos OS communicates with a configured LDAPS server. To achieve this, the LDAPS client is implemented and integrated as part of the device running Junos OS.
Figure 2 shows the LDAPS authentication process.
- A remote user logs in to a device running Junos OS through SSH, TELNET or any other login utility.
- The LDAPS client (which is the device running Junos OS) establishes a TCP connection with the LDAPS authorization server using a TLS protocol request.
- After the client receives the TLS response, the client and server authenticate their identities.
- The LDAPS client authenticates itself using the proxy account that is preconfigured on the LDAPS server using the bind request (binddn and bindpw).
- If the bind operation is successful, the LDAPS server sends an acknowledgment to the LDAPS client.
- The LDAPS client then sends an authentication request to the LDAPS server with the login credentials of the user trying to log in.
- After successful authorization, the LDAPS client notifies the user of the successful login. The authorization data of the user is saved into a file that is used later to enforce authorization.
- The client closes the connection with the LDAPS server.
For more information on LDAP Authentication over TLS, see Configure LDAP Authentication over TLS.