
    Understanding External Authentication Servers

    AAA provides an extra level of protection and control for user access in the following ways:

    • Authentication determines the firewall user.
    • Authorization determines what the firewall user can do.
    • Accounting determines what the firewall user did on the network.

    You can use authentication alone or with authorization and accounting. Authorization always requires a user to be authenticated first. You can use accounting alone, or with authentication and authorization.

    Once the user's credentials are collected, they are processed using firewall user authentication, which supports the following types of servers:

    • Local authentication and authorization
    • RADIUS authentication and authorization (compatible with Juniper Steel-Belted Radius server)
    • LDAP authentication only (supports LDAP version 3 and compatible with Windows AD)
    • SecurID authentication only (using an RSA SecurID external authentication server)

    Note: Junos OS also supports administrative authentication using local, RADIUS, and TACACS+ servers. For more information on administrative authentication, see the Junos OS Initial Configuration Guide for Security Devices PDF Document.

    Understanding SecurID User Authentication

    SecurID is an authentication method that allows users to enter either static or dynamic passwords as their credentials. A dynamic password is a combination of a user's PIN and a randomly generated token that is valid for a short period of time, approximately one minute. A static password is set for the user on the SecurID server. For example, the SecurID server administrator might set a temporary static password for a user who lost his or her SecurID token.

    When a user attempts to access a resource protected by a policy and SecurID is configured in the profile authentication-order parameter as either the only authentication mode or the first one to be used, the device forwards the user's credentials to the SecurID server for authentication. If the user enters valid values, the user is allowed access to the requested resource.

    Note: The SecurID server includes a feature that presents a user with a challenge if the user provides wrong credentials repeatedly. However, Junos OS does not support the challenge feature. Instead, the SecurID server administrator must resynchronize the RSA token for the user.

    For SecurID, you configure information about the Juniper Networks device on the SecurID server and this information is exported to a file called sdconf.rec.

    To install the sdconf.rec file on the device, you must use an out-of-band method such as FTP. Install the file in a directory whose files are not deleted regularly. Do not put it in a temporary directory. For example, you might install it in /var/db/secureid/server1/sdconf.rec.

    The sdconf.rec file contains information that provides the Juniper Networks device with the address of the SecurID server. You do not need to configure this information explicitly when you configure the SecurID server to be used as the external authentication server.
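    The following Junos CLI configuration is an added example, not part of the original page, that ties the steps above together: it registers the sdconf.rec file copied out of band, puts SecurID first in the access profile's authentication-order, and binds that profile to a security policy so traffic matching the policy triggers firewall user authentication. The server name securid-server1, the profile name securid-profile, the zone and policy names, and the policy match terms are assumptions; the file path is the one the page uses. Verify the statement syntax against the Junos release on your device.

```junos
# Added example (not the page's own configuration). Names are assumptions.

# 1. Register the sdconf.rec that was copied to the device out of band (e.g. FTP).
#    The file carries the SecurID server address, so no server address is set here.
#    /var/db/secureid/ is persistent; a temporary directory would lose the file.
set access securid-server securid-server1 configuration-file /var/db/secureid/server1/sdconf.rec

# 2. Access profile: SecurID is the only entry in authentication-order, so every
#    firewall user credential is forwarded to the SecurID server.
set access profile securid-profile authentication-order securid

# 3. Bind the profile to a pass-through firewall-authentication policy
#    (zone, policy and application names are assumptions).
set security policies from-zone trust to-zone untrust policy auth-users match source-address any
set security policies from-zone trust to-zone untrust policy auth-users match destination-address any
set security policies from-zone trust to-zone untrust policy auth-users match application junos-http
set security policies from-zone trust to-zone untrust policy auth-users then permit firewall-authentication pass-through access-profile securid-profile

# 4. Checks before commit: the file must exist at the configured path, and the
#    access stanza should show the server and profile as entered.
run file list /var/db/secureid/server1/
run show configuration access
commit check
```

    Because Junos does not support the SecurID challenge feature, a user who repeatedly fails authentication is not prompted to resynchronize; the operational follow-up is on the SecurID server side, where the administrator resynchronizes that user's token, and the firewall needs no configuration change.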

    Published: 2012-06-29