Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Configure External Authentication Servers

 

An external authentication server is used to collect user’s credentials from the external servers for authentication.

Understanding External Authentication Servers

Authentication, authorization, and accounting (AAA) servers provide an extra level of protection and control for user access in the following ways:

  • Authentication determines the firewall user.

  • Authorization determines what the firewall user can do.

  • Accounting determines what the firewall user did on the network.

You can use authentication alone or with authorization and accounting. Authorization always requires a user to be authenticated first. You can use accounting alone, or with authentication and authorization.

Once the user's credentials are collected, they are processed using firewall user authentication, which supports the following types of servers:

  • Local authentication and authorization

  • RADIUS authentication and authorization (compatible with Juniper Steel-Belted Radius server)

  • LDAP authentication only (supports LDAP version 3 and is compatible with Windows AD)

  • SecurID authentication only (using an RSA SecurID external authentication server)

Note

Junos OS also supports administrative authentication using local, RADIUS, and TACACS+ servers.

This topic includes the following sections:

Understanding SecurID User Authentication

SecurID is an authentication method that allows users to enter either static or dynamic passwords as their credentials. A dynamic password is a combination of a user's PIN and a randomly generated token that is valid for a short period of time, approximately one minute. A static password is set for the user on the SecurID server. For example, the SecurID server administrator might set a temporary static password for a user who lost his or her SecurID token.

When a user attempts to access a resource protected by a policy and SecurID is configured in the profile authentication-order parameter as either the only authentication mode or the first one to be used, the device forwards the user's credentials to the SecurID server for authentication. If the user enters valid values, the user is allowed access to the requested resource.

Note

The SecurID server includes a feature that presents a user with a challenge if the user provides wrong credentials repeatedly. However, Junos OS does not support the challenge feature. Instead, the SecurID server administrator must resynchronize the RSA token for the user.

For SecurID, you configure information about the Juniper Networks device on the SecurID server, and this information is exported to a file called sdconf.rec.

To install the sdconf.rec file on the device, you must use an out-of-band method such as FTP. Install the file in a directory whose files are not deleted regularly. Do not put it in a temporary directory. For example, you might install it in /var/db/secureid/server1/sdconf.rec.

The sdconf.rec file contains information that provides the Juniper Networks device with the address of the SecurID server. You do not need to configure this information explicitly when you configure the SecurID server to be used as the external authentication server.

Example: Configuring RADIUS and LDAP User Authentication

This example shows how to configure a device for external authentication.

Requirements

Before you begin, create an authentication user group.

Overview

You can put several user accounts together to form a user group, which you can store on the local database or on a RADIUS, an LDAP, or a SecurID server. When you reference an authentication user group and an external authentication server in a policy, the traffic matching the policy provokes an authentication check.

This example shows how access profile Profile-1 is configured for external authentication. Two RADIUS servers and one LDAP server are configured in the access profile. However, the order of authentication specifies RADIUS server only, so if the RADIUS server authentication fails, then the firewall user fails to authenticate. The local database is not accessed.

Note

If the firewall clients are authenticated by the RADIUS server, then the group-membership VSA returned by the RADIUS server should contain alpha, beta, or gamma client groups in the RADIUS server configuration or in the access profile, Profile-1. Access profiles store usernames and passwords of users or point to external authentication servers where such information is stored.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set access profile Profile-1 authentication-order radius
set access profile Profile-1 client Client-1 client-group alpha
set access profile Profile-1 client Client-1 client-group beta
set access profile Profile-1 client Client-1 client-group gamma
set access profile Profile-1 client Client-1 firewall-user password pwd
set access profile Profile-1 client Client-2 client-group alpha
set access profile Profile-1 client Client-2 client-group beta
set access profile Profile-1 client Client-2 firewall-user password pwd
set access profile Profile-1 client Client-3 firewall-user password pwd
set access profile Profile-1 client Client-4 firewall-user password pwd
set access profile Profile-1 session-options client-group alpha
set access profile Profile-1 session-options client-group beta
set access profile Profile-1 session-options client-group gamma
set access profile Profile-1 session-options client-idle-timeout 255
set access profile Profile-1 session-options client-session-timeout 4
set access profile Profile-1 ldap-options base-distinguished-name CN=users,DC=junos,DC=juniper,DC=net
set access profile Profile-1 ldap-options search search-filter sAMAccountName=
set access profile Profile-1 ldap-options search admin-search distinguished-name cn=administrator,cn=users,dc=junos,dc=juniper,dc=net
set access profile Profile-1 ldap-options search admin-search password pwd
set access profile Profile-1 ldap-server 203.0.113.39/24
set access profile Profile-1 radius-server 203.0.113.62/24 secret example-secret
set access profile Profile-1 radius-server 203.0.113.62/24 retry 10
set access profile Profile-1 radius-server 203.0.113.27/24 secret juniper

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a device for external authentication:

  1. Specify the RADIUS server for external authentication order.
  2. Configure Client1-4 firewall users and assign the Client-1 firewall user and Client-2 firewall user to client groups.
  3. Configure client groups in the session options.
  4. Configure the IP address for the LDAP server and server options.
  5. Configure the IP addresses for the two RADIUS servers.

Results

From configuration mode, confirm your configuration by entering the show access profile Profile-1 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show access profile Profile-1

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Troubleshooting with Logs

Purpose

Use these logs to identify any issues.

Action

From operational mode, enter the show log messages command and the show log dcd command.

Enabling LDAP Authentication with TLS/SSL for Secure Connections

Beginning with Junos OS Release 15.1X49-D70, SRX Series devices support the Transport Layer Security (TLS) StartTLS extension for LDAP for firewall user authentication and the integrated user firewall authentication for obtaining username and role information through firewall authentication. StartTTLS allows protocol data transfers between the LDAP server and client over the TLS layer after successful negotiation between the peers. StartTLS upgrades an existing insecure LDAP connection to a secure TLS/SSL connection.

Note

SRX Series devices support TLSv1.1 and TLS v1.2 to use LDAP authentication with TLS/SSL.

With StartTLS for LDAP, a secure communication can be provided with the following sets of ciphers that provide increasingly strong security:

  • High encryption cipher: AES256-SHA,DES-CBC3-SHA

  • Medium encryption ciphers: High encryption cipher + RC4-SHA:RC4-MD5:AES128-SHA

  • Medium encryption ciphers: Medium encryption ciphers +

    DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC4-SHA:

    EXP1024-RC4-MD5:EXP-DES-CBC-SHA:EXP-RC4-MD5

Implementation of StartTLS on LDAP is interoperable with the following standard LDAP servers:

  • Windows Active Directory

  • Novell e-Directory

  • Sun LDAP

  • OpenLDAP

By default, LDAP traffic is not transmitted securely. You can set LDAP traffic to be confidential and secure by using Secure Sockets Layer/Transport Layer Security (SSL/TLS) technology.

To configure TLS parameters as a part of LDAP server configuration:

  1. Define TLS type as start-tls to configure LDAP over StartTLS.
  2. Configure the peer host name to be authenticated.
  3. Specify the timeout value on the TLS handshake. You can enter 3 through 90 seconds.
  4. Specify TLS version (v1.1 and v1.2 are supported) as the minimum protocol version enabled in connections. By default, SRX Series device uses TLS v1.2 to negotiate the TLS connection with the LDAP server:
Note

SRX Series devices support an additional check on the LDAP server’s certificate during the TLS handshake for LDAP authentication by default. If the validation of the server certificate is not required, you can use the following configuration to ignore the validation of server’s certificate and accept the certificate without checking:

By default, the no-tls-certificate-check remains disabled.

Example: Configuring SecurID User Authentication

This example shows how to configure SecurID as the external authentication server.

Requirements

Before you begin, create an authentication user group.

Overview

SecurID is an authentication method that allows users to enter either static or dynamic passwords as their credentials. A dynamic password is a combination of a user's PIN and a randomly generated token that is valid for a short period of time, approximately one minute. A static password is set for the user on the SecurID server. For example, the SecurID server administrator might set a temporary static password for a user who lost his or her SecurID token.

When a user attempts to access a resource protected by a policy and SecurID is configured in the profile authentication-order parameter as either the only authentication mode or the first one to be used, the device forwards the user's credentials to the SecurID server for authentication. If the user enters valid values, the user is allowed access to the requested resource.

Specify that Server-1 is to be used as the SecurID server and that its configuration file resides on the device in the /var/db/securid/Server-1/sdconf.rec file. From configuration mode, enter this command:

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set access profile Profile-2 authentication-order securid
set access profile Profile-2 client Client-1 client-group alpha
set access profile Profile-2 client Client-1 client-group beta
set access profile Profile-2 client Client-1 client-group gamma
set access profile Profile-2 client Client-1 firewall-user password pwd
set access profile Profile-2 client Client-2 client-group alpha
set access profile Profile-2 client Client-2 client-group beta
set access profile Profile-2 client Client-2 firewall-user password pwd
set access profile Profile-2 client Client-3 firewall-user password pwd
set access profile Profile-2 client Client-4 firewall-user password pwd
set access profile Profile-2 session-options client-group alpha
set access profile Profile-2 session-options client-group beta
set access profile Profile-2 session-options client-group gamma
set access profile Profile-2 session-options client-idle-timeout 255
set access profile Profile-2 session-options client-session-timeout 4

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure SecurID as the external authentication server:

  1. For the Profile-2 profile, configure SecurID as the server to be used for external authentication.

    To share a single SecurID server across multiple profiles, for each profile set the authentication-order parameter to include securid as the authentication mode.

  2. Configure clients 1 through 4 as firewall users, and assign Client-1 and Client-2 to client groups.
  3. Configure client groups in the session options.

Results

From configuration mode, confirm your configuration by entering the show access profile Profile-2 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]


user@host# show access profile Profile-2

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Troubleshooting with Logs

Purpose

Use these logs to identify any issues.

Action

From operational mode, enter the show log messages command and the show log dcd command.

Troubleshooting

Troubleshooting Unsuccessful Authentication In a Dynamic VPN Configuration

Problem

Device fails to locate client address in a dynamic VPN configuration.

Solution

  1. Verify that the device host name, the domain-search, and the name server are configured properly.

  2. Verify that the device host name is getting resolved on the RSA server.

Example: Deleting the SecurID Node Secret File

This example shows how to delete the node secret file.

Requirements

Before you begin, confirm that it is necessary to delete the SecurID node secret file.

Overview

When the Juniper Networks device initially communicates successfully with the SecurID server, a node secret file is created for it automatically. The file is created as a result of the handshake between the Juniper Networks device and the SecurID server after the software authenticates the first user successfully. All subsequent communication between the Juniper Networks device and the SecurID server relies on this secret as a representation of trust between the two nodes instead of repeating the handshake with each authentication request.

Under normal circumstances you should not delete the node secret file. In the rare case that you must do so, for example, to debug a serious problem, you can use the clear command to remove the file.

Warning

If you delete the file, you must deselect a box on the SecurID server to indicate that the node secret file for the Juniper Networks device and the SecurID server no longer exists. Otherwise, authentication attempts will fail.

Configuration

Step-by-Step Procedure

To delete the node secret file:

  1. Use the clear command to remove the node secret file. During subsequent user authentication, the device reestablishes a shared secret with the SecurID server and re-creates the node secret file. From operational mode, enter the clear network-access command to clear the securid-node-secret-file for the Juniper Networks device.
    user@host> clear network-access securid-node-secret-file
  2. From operational mode, confirm your deletion by entering the show network-access securid-node-secret-file command. If the output does not display, repeat the instructions in this example to correct it.
    user@host> show network-access securid-node-secret-file

Verification

Verify the deletion by entering the show network-access securid-node-secret-file command.