Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Configuring SecurID User Authentication

    This example shows how to configure SecurID as the external authentication server.

    Requirements

    Before you begin, create an an authentication user group.

    Overview

    SecurID is an authentication method that allows users to enter either static or dynamic passwords as their credentials. A dynamic password is a combination of a user's PIN and a randomly generated token that is valid for a short period of time, approximately one minute. A static password is set for the user on the SecurID server. For example, the SecurID server administrator might set a temporary static password for a user who lost his or her SecurID token.

    When a user attempts to access a resource protected by a policy and SecurID is configured in the profile authentication-order parameter as either the only authentication mode or the first one to be used, the device forwards the user's credentials to the SecurID server for authentication. If the user enters valid values, the user is allowed access to the requested resource.

    Specify that Server-1 is to be used as the SecurID server and that its configuration file resides on the device in the /var/db/securid/Server-1/sdconf.rec file. From configuration mode, enter this command:

    user@host# set access securid-server Server-1 configuration-file “/var/db/securid/Server-1/sdconf.rec”

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set access profile Profile-2 authentication-order securid
    set access profile Profile-2 client Client-1 client-group alpha
    set access profile Profile-2 client Client-1 client-group beta
    set access profile Profile-2 client Client-1 client-group gamma
    set access profile Profile-2 client Client-1 firewall-user password pwd
    set access profile Profile-2 client Client-2 client-group alpha
    set access profile Profile-2 client Client-2 client-group beta
    set access profile Profile-2 client Client-2 firewall-user password pwd
    set access profile Profile-2 client Client-3 firewall-user password pwd
    set access profile Profile-2 client Client-4 firewall-user password pwd
    set access profile Profile-2 session-options client-group alpha
    set access profile Profile-2 session-options client-group beta
    set access profile Profile-2 session-options client-group gamma
    set access profile Profile-2 session-options client-idle-timeout 255
    set access profile Profile-2 session-options client-session-timeout 4

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure SecurID as the external authentication server:

    1. For the Profile-2 profile, configure SecurID as the server to be used for external authentication.
      [edit]
      user@host# set access profile Profile-2 authentication-order securid

      To share a single SecurID server across multiple profiles, for each profile set the authentication-order parameter to include securid as the authentication mode.

    2. Configure Client1-4 firewall users and assign the Client-1 firewall user and the Client-2 firewall user to client groups.
      [edit access profile Profile-2]
      user@host# set client Client-1 client-group alpha
      user@host# set client Client-1 client-group beta
      user@host# set client Client-1 client-group gamma
      user@host# set client Client-1 firewall-user password pwd
      user@host# set client Client-2 client-group alpha
      user@host# set client Client-2 client-group beta
      user@host# set client Client-2 firewall-user password pwd
      user@host# set client Client-3 firewall-user password pwd
      user@host# set client Client-4 firewall-user password pwd
    3. Configure client groups in the session options.
      [edit access profile Profile-2]
      user@host# set session-options client-group alpha
      user@host# set session-options client-group beta
      user@host# set session-options client-group gamma
      user@host# set session-options client-idle-timeout 255
      user@host# set session-options client-session-timeout 4

    Results

    From configuration mode, confirm your configuration by entering the show access profile Profile-2 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]

    user@host# show access profile Profile-2
    authentication-order securid;
client Client-1 {
    client-group [ alpha beta gamma ];
    firewall-user {
        password "$9$jpimT9A0REyn6yl"; ## SECRET-DATA
    }
}
client Client-2 {
    client-group [ alpha beta ];
    firewall-user {
        password "$9$IMVRyK7-w4oG-d"; ## SECRET-DATA
    }
}
client Client-3 {
    firewall-user {
        password "$9$GfUkPn/tB1h9C"; ## SECRET-DATA
    }
}
client Client-4 {
    firewall-user {
        password "$9$JuZi.FnC0OR/9"; ## SECRET-DATA
    }
}
session-options {
    client-group [ alpha beta gamma ];
    client-idle-timeout 255;
    client-session-timeout 4;
}

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform this task:

    Troubleshooting with Logs

    Purpose

    Use these logs to identify any issues.

    Action

    From operational mode, enter the show log messages command and the show log dcd command.

    Troubleshooting

    Troubleshooting Unsuccessful Authentication In a Dynamic VPN Configuration

    Problem

    Device fails to locate client address in a dynamic VPN configuration.

    Solution

    1. Verify that the device host name, the domain-search, and the name server are configured properly.
      [edit system]
      user@host# set host-name srx101.uaclab.net
      user@host# set domain-search uaclab.net
      user@host# set name-server 10.204.91.25
    2. Verify that the device host name is getting resolved on the RSA server.
     

    Related Documentation

     

    Published: 2012-06-29

    Previous Page Next Page