Device Administrator Authentication Overview
To authenticate device administrators when they attempt to connect to the security device, you can use the default authentication server (on the device) or an external authentication server.
The root device administrator is always stored and authenticated using the local database; however, for non-root read/write and read-only device admins (including vsys device admins), you can specify an external auth server (RADIUS, SecurID, or LDAP server) that stores device administrator accounts. To select an external server from the auth server list, you must have already created and configured an Authentication Server object in the NSM UI.
By default, authentication and accounting are both performed on the same RADIUS auth server. For XAuth and L2TP user types (in ScreenOS 6.2), you can configure separate RADIUS servers for authentication and accounting: disable the default accounting for the XAuth or L2TP user and configure a different RADIUS server for accounting.
After the device administrator is authenticated, the auth server checks the privilege level of the device admin. A privilege level defines the privileges available to the device admin after a successful login to the device. The privilege level is determined as follows:
For device administrators stored in the local database, the security device uses the privilege level specified in the local device administrator account.
For device administrators stored on an external auth server, select one of the following privilege settings:
Get privilege from RADIUS server—Select this option to query a RADIUS server for all external device administrator privileges. The RADIUS server must contain the device administrator accounts and netscreen.dct (Juniper Networks dictionary file).
Read-Write, Read-Only—Select a privilege level that applies to all external device administrators. Although the device administrator accounts are stored on the external server, the security device provides the device administrator privilege level. Use this option when storing accounts on a SecurID or LDAP server, or when using a RADIUS server that does not contain the Juniper Networks dictionary file. By default, the external device administrator privilege level is set to Read-Only.
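The decision procedure above (root always local, local accounts carry their own level, external accounts get their level either from a RADIUS vendor-specific attribute or from the device's fixed Read-Write/Read-Only setting, defaulting to Read-Only) is modelled below as an added example; it is not NSM or ScreenOS code. The vendor ID, attribute number and value mapping are placeholders standing in for whatever netscreen.dct actually defines, the RADIUS attribute layout follows RFC 2865, and the fallback to Read-Only when a RADIUS reply carries no privilege attribute is an assumption chosen to fail closed.

```python
"""Model of the device-administrator privilege decision.

Added example, not Juniper NSM/ScreenOS code. Vendor id, attribute number and
value mapping are PLACEHOLDERS for what netscreen.dct really defines.
"""
import struct
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

class Privilege(Enum):
    ROOT = "root"
    READ_WRITE = "read-write"
    READ_ONLY = "read-only"

# The NSM option "Get privilege from RADIUS server", represented as a setting value.
FROM_RADIUS = "get-privilege-from-radius"

RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for Vendor-Specific

# PLACEHOLDERS (assumption): the real numbers live in netscreen.dct.
PLACEHOLDER_VENDOR_ID = 99999
PLACEHOLDER_ADMIN_PRIV_ATTR = 1
PLACEHOLDER_PRIV_VALUES = {1: Privilege.READ_WRITE, 2: Privilege.READ_ONLY}

def parse_vsas(attrs: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk RFC 2865 attribute TLVs and return (vendor_id, vendor_type, data)
    for each well-formed Vendor-Specific attribute. A bad length stops parsing."""
    out = []
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            break  # malformed: do not guess, treat the rest as absent
        body = attrs[i + 2:i + alen]
        if atype == RADIUS_VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if 2 <= vlen <= len(body) - 4:
                out.append((vendor_id, vtype, body[6:4 + vlen]))
        i += alen
    return out

def privilege_from_radius(attrs: bytes) -> Optional[Privilege]:
    """Extract the admin privilege VSA; None when the server sent none
    (e.g. a RADIUS server without the dictionary file loaded)."""
    for vendor_id, vtype, data in parse_vsas(attrs):
        if (vendor_id == PLACEHOLDER_VENDOR_ID
                and vtype == PLACEHOLDER_ADMIN_PRIV_ATTR and len(data) == 4):
            return PLACEHOLDER_PRIV_VALUES.get(struct.unpack("!I", data)[0])
    return None

@dataclass
class AdminAccount:
    name: str
    is_root: bool = False
    local_privilege: Privilege = Privilege.READ_ONLY  # meaningful for local accounts only

@dataclass
class AuthServer:
    kind: str  # "local", "radius", "securid" or "ldap"

def effective_privilege(admin: AdminAccount, server: AuthServer, setting,
                        radius_attrs: bytes = b"") -> Privilege:
    """Apply the rules from the documentation and return the admin's level."""
    if admin.is_root:                      # root is always stored and checked locally
        return Privilege.ROOT
    if server.kind == "local":             # local account carries its own level
        return admin.local_privilege
    if setting == FROM_RADIUS:             # "Get privilege from RADIUS server"
        if server.kind != "radius":
            raise ValueError("privilege can only be queried from a RADIUS server")
        priv = privilege_from_radius(radius_attrs)
        # Assumption: no attribute in the reply falls back to Read-Only (fail closed).
        return priv if priv is not None else Privilege.READ_ONLY
    if setting in (Privilege.READ_WRITE, Privilege.READ_ONLY):
        return setting                     # device-supplied fixed level
    raise ValueError(f"unknown privilege setting: {setting!r}")

def build_vsa(vendor_id: int, vtype: int, value: int) -> bytes:
    """Encode one integer-valued Vendor-Specific attribute (RFC 2865 5.26)."""
    data = struct.pack("!I", value)
    inner = struct.pack("!BB", vtype, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body

# Constructed sample: Access-Accept attributes carrying User-Name plus the privilege VSA.
SAMPLE_ACCEPT = (struct.pack("!BB", 1, 2 + 5) + b"alice"
                 + build_vsa(PLACEHOLDER_VENDOR_ID, PLACEHOLDER_ADMIN_PRIV_ATTR, 1))

if __name__ == "__main__":
    print(effective_privilege(AdminAccount("alice"), AuthServer("radius"),
                              FROM_RADIUS, SAMPLE_ACCEPT))
    print(effective_privilege(AdminAccount("alice"), AuthServer("radius"),
                              FROM_RADIUS, b""))  # no VSA: Read-Only
```

The point the model makes explicit is the one to check in a deployment: an external admin only ever rises above the device-side default when the RADIUS reply actually carries the privilege attribute, so a server without netscreen.dct loaded leaves every external admin at Read-Only rather than silently granting more.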