proNX Optical Director
Security

About the Security Page

To access this page, select the Administration tab and click Security in the left-nav bar.

Note Remote authentication is supported only using RADIUS servers in this release.

The Security page lists the remote authentication servers configured for proNX Optical Director user authentication.

The servers in this same list are also available to be selected for device user authentication. Device user authentication is used when you use the proNX Optical Director to discover a device. When you discover a device, you enter the login credentials in the Device Discovery dialog. These credentials are then authenticated by the device either locally on the device or by using a remote authentication server. To select a remote authentication server from this list for device user authentication, see About the Device Security Page.

The servers appear in alphabetical order in both lists, and that order is the order in which they are tried during authentication. See Authentication Process.

Tasks You Can Perform

You can perform the following actions on this page:

  • View the list of remote authentication servers.

  • Specify a new remote authentication server for this list.

  • Edit the information for an existing remote authentication server.

  • Remove an existing remote authentication server from this list.

  • Change the order of remote authentication servers in this list. The order of the servers in this list dictates the authentication order.

Field Descriptions

Table 63 explains the fields in the Security page.

Table 63: Fields in the Security Page

  • Server Name: The name of the authentication server. Because both lists are sorted by name, the name also fixes the server's position in the authentication order.

  • IP Address: The IPv4 or IPv6 address of the authentication server.

  • Port: The port on which the authentication server accepts authentication requests (the standard RADIUS authentication port is UDP 1812).

  • Authorization Type: The type of authorization to use. Only radius-pap is supported.

  • Attempts: The number of attempts to reach each server in the list during authentication.

  • Timeout: The number of seconds to wait for a response from each server during authentication.

Authentication Process

The authentication process is similar regardless of whether the authentication client is the proNX Optical Director or the device. For proNX Optical Director user authentication, the authentication client is the proNX Optical Director. For device user authentication, the authentication client is the device.

The order that the authentication servers are listed affects the authentication order. The server list for proNX Optical Director user authentication is shown in About the Security Page. The server list for device user authentication is shown in About the Device Security Page.

The servers are listed in alphabetical order in both lists. To change the position of a server in the list, change the server name by deleting and re-adding the server using a name that alphabetically positions the server in the desired position.

The authentication client tries to authenticate with the first server in the list. If the authentication client does not receive a response after Timeout seconds, the authentication client tries the next server in the list, and so on. If the authentication client goes through the whole list without receiving a response from any server, the authentication client cycles through the list again. The authentication client goes through the list for the number of times specified by the Attempts attribute.

If one of the authentication servers rejects the authentication request, or if none of the authentication servers responds to the authentication request within the period specified by the Timeout and Attempts attributes, local user authentication is performed.

Note Set the Timeout and Attempts values such that the maximum time that authentication can take is under 5 seconds (for example, 3 attempts with a timeout of 1 second). This allows local authentication to take place in the unlikely event that the authentication servers are unreachable.
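The following model of the failover rules just described is an added illustration, not proNX Optical Director code. It reproduces the three rules from this section (alphabetical try order, one pass per attempt with a Timeout wait per silent server, and an immediate fall-through to local authentication on any reject) and shows why the per-server Delay figure understates the wait when several servers are configured. The server names, attempt counts and the responder callbacks are constructed for the example.

```python
"""Model of the remote authentication failover described in Authentication Process.

Added example, not proNX Optical Director code. Server records and the
per-server outcomes are made up; the real client speaks RADIUS, this model only
reproduces the ordering, retry and fallback rules from the page.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class AuthServer:
    name: str        # alphabetical position of this name fixes the try order
    attempts: int    # passes over the list that still include this server
    timeout: float   # seconds waited for this server on each pass


# Maps a server name to the outcome of one request: "accept", "reject" or "timeout".
Responder = Callable[[str], str]


def ordered(servers: List[AuthServer]) -> List[AuthServer]:
    """The Security page lists servers alphabetically; that is the try order."""
    return sorted(servers, key=lambda s: s.name)


def per_server_delay(server: AuthServer) -> float:
    """What the Add/Edit dialog shows in its Delay field: Attempts x Timeout."""
    return server.attempts * server.timeout


def worst_case_delay(servers: List[AuthServer]) -> float:
    """Seconds until local fallback when no server ever answers. Every pass
    waits Timeout on each server still being tried, so the bound is the sum
    of the per-server delays, not the single Delay field of one server."""
    return sum(per_server_delay(s) for s in servers)


def within_budget(servers: List[AuthServer], budget: float = 5.0) -> bool:
    """The page recommends keeping the unreachable-server wait under 5 seconds."""
    return worst_case_delay(servers) < budget


def authenticate(servers: List[AuthServer], respond: Responder) -> Tuple[str, str, float]:
    """Model one login. Returns (decision, detail, elapsed_seconds) where decision
    is "accept" (a remote server accepted) or "local" (the client fell through
    to the local user database)."""
    order = ordered(servers)
    elapsed = 0.0
    for current_pass in range(max(s.attempts for s in order)):
        for s in order:
            if current_pass >= s.attempts:
                continue            # this server has used up its attempts
            outcome = respond(s.name)
            if outcome == "timeout":
                elapsed += s.timeout
                continue            # no answer: move on to the next server
            if outcome == "accept":
                return ("accept", s.name, elapsed)
            # A reject from any server ends the remote phase at once; the
            # client then consults the local database, whatever the remaining
            # servers might have said.
            return ("local", "rejected by " + s.name, elapsed)
    return ("local", "no response", elapsed)


# Constructed data: two servers, each with the page's "3 attempts, 1 second".
EXAMPLE_SERVERS = [AuthServer("radius-b", 3, 1.0), AuthServer("radius-a", 3, 1.0)]

if __name__ == "__main__":
    print([s.name for s in ordered(EXAMPLE_SERVERS)])
    print(worst_case_delay(EXAMPLE_SERVERS), within_budget(EXAMPLE_SERVERS))
    print(authenticate(EXAMPLE_SERVERS, lambda n: {"radius-a": "timeout", "radius-b": "accept"}[n]))
```

With two servers at 3 attempts and 1 second each, the dialog shows a Delay of 3 seconds per server, but the all-servers-down case takes 6 seconds before local authentication runs, which exceeds the 5 second guidance in the note above.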

Local User Authentication

Local user authentication allows you to log in if the remote authentication servers are unreachable or if a misconfiguration causes the remote authentication servers to reject the login request. In these situations, the user is authenticated locally. Note that the fallback is triggered by an explicit reject as well as by a timeout, so a remote policy such as a disabled or locked RADIUS account does not by itself block a user who also holds valid local credentials; keep the local database limited to the accounts you need and keep their passwords strong.

The credentials for local user authentication are stored in the local database. For the proNX Optical Director user, this is the proNX Optical Director database administered using Administration>Users>User Management (see About the User Management Page). For the device user, this is the database stored on the device (see the respective device documentation).

The local and remote authentication databases are independent of each other. You can have the same or different usernames and you can have the same or different passwords in each database. The same username and password can be rejected by the remote authentication server but accepted by local user authentication, and vice versa. There is no correlation between the two databases.

Vendor-Specific Attribute (VSA) Requirements for Remote Authentication

Some authentication clients require vendor-specific attributes to be returned from the remote authentication server during the authentication process. These attributes can include an indication of the privilege level for the user being authenticated (Table 64).

Table 64: Vendor-Specific Attribute (VSA) Requirements for RADIUS Authentication

Authentication client: proNX Optical Director

  Requirement on the RADIUS server: Return the Juniper-Local-User-Name VSA in the Access-Accept message. The VSA is carried in attribute 26 (Vendor-Specific) with the vendor ID set to the Juniper Networks ID number, 2636. The attribute value indicates the privilege level.

  Required attribute values:

    Juniper-Local-User-Name (string): super-user

  Example configuration (FreeRADIUS, see note 1):

    dictionary file:

    VENDOR       Juniper 2636
    BEGIN-VENDOR Juniper
    ATTRIBUTE    Juniper-Local-User-Name 1 string
    END-VENDOR   Juniper

    users file:

    Juniper-Local-User-Name := "super-user"

Authentication client: TCX1000-RDM20

  Requirement on the RADIUS server: Return both the Lumentum-CLI-Priv VSA and the Lumentum-SFTP-Priv VSA in the Access-Accept message; the required values and the example below also carry the Lumentum-NACM VSA. These VSAs are carried in attribute 26 with the vendor ID set to the Lumentum ID number, 46184. The attribute values indicate the privilege level.

  Required attribute values:

    Lumentum-NACM (string): read-write-exec

    Lumentum-CLI-Priv (string): admin

    Lumentum-SFTP-Priv (string): read-write

  Example configuration (FreeRADIUS, see note 1):

    dictionary file:

    VENDOR       Lumentum 46184
    BEGIN-VENDOR Lumentum
    ATTRIBUTE    Lumentum-NACM 1 string
    ATTRIBUTE    Lumentum-CLI-Priv 2 string
    ATTRIBUTE    Lumentum-SFTP-Priv 3 string
    END-VENDOR   Lumentum

    users file:

    Lumentum-NACM := "read-write-exec"
    Lumentum-CLI-Priv := "admin"
    Lumentum-SFTP-Priv := "read-write"

Authentication client: TCX1000-ILA

  Requirement on the RADIUS server: Return the User-Role VSA in the Access-Accept message. The VSA is carried in attribute 26 with the vendor ID set to the Oplink ID number, 7483. The attribute value indicates the privilege level.

  Alternatively, instead of using the User-Role VSA, the TCX1000-ILA can process the same attribute value (privilege level) in the Reply-Message attribute.

  Required attribute values:

    User-Role (integer): 2

  Example configuration (FreeRADIUS, see note 1):

    dictionary file:

    VENDOR       Oplink 7483
    BEGIN-VENDOR Oplink
    ATTRIBUTE    User-Role 1 integer
    END-VENDOR   Oplink

    users file:

    User-Role := 2

1 These examples are provided to illustrate the concepts only. The users file lines shown are reply items and belong on the indented lines under a user's entry, after its check items. Consult your RADIUS server vendor's documentation for proper configuration of the vendor-specific attributes.

Note: For RADIUS server requirements for devices not listed in the table, see the documentation for those devices.
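What "encapsulated within attribute 26 with the vendor ID set to ..." means on the wire, and why an authentication client must check the Access-Accept before acting on the privilege it carries, is shown by the following added example. It is not proNX Optical Director, device or FreeRADIUS code. The vendor IDs, vendor-type numbers and attribute values come from Table 64; the shared secret, Request Authenticator and packet identifier are made up for the example, as is the REQUIRED_VSAS mapping that summarizes the table.

```python
"""Encoding and checking of the RADIUS vendor-specific attributes (VSAs) in Table 64.

Added example, not proNX Optical Director, device or FreeRADIUS code. Vendor IDs
and vendor-type numbers come from Table 64; the secret, Request Authenticator and
identifier below are constructed for the example.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple, Union

VENDOR_SPECIFIC = 26       # attribute type 26 carries every VSA (RFC 2865)
ACCESS_ACCEPT = 2          # RADIUS packet code of an Access-Accept

JUNIPER, LUMENTUM, OPLINK = 2636, 46184, 7483
VSA_NAMES = {
    (JUNIPER, 1): "Juniper-Local-User-Name",
    (LUMENTUM, 1): "Lumentum-NACM",
    (LUMENTUM, 2): "Lumentum-CLI-Priv",
    (LUMENTUM, 3): "Lumentum-SFTP-Priv",
    (OPLINK, 1): "User-Role",
}
INTEGER_VSAS = {(OPLINK, 1)}   # "integer" in the dictionary: 4-byte big-endian
# Summary of Table 64 (assumed for this example): what each client must find.
REQUIRED_VSAS = {
    "proNX Optical Director": {"Juniper-Local-User-Name"},
    "TCX1000-RDM20": {"Lumentum-CLI-Priv", "Lumentum-SFTP-Priv"},
    "TCX1000-ILA": {"User-Role"},
}


def encode_vsa(vendor_id: int, vendor_type: int, value: Union[int, str]) -> bytes:
    """One attribute 26: Type Length Vendor-Id | Vendor-Type Vendor-Length Data."""
    data = struct.pack(">I", value) if isinstance(value, int) else value.encode()
    inner = struct.pack(">BB", vendor_type, 2 + len(data)) + data
    return struct.pack(">BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def decode_attributes(payload: bytes) -> List[Tuple[str, object]]:
    """Walk the attribute TLVs of a packet body, unpacking VSAs by vendor."""
    out: List[Tuple[str, object]] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute length")
        atype, alen = payload[i], payload[i + 1]
        body = payload[i + 2:i + alen]
        if atype != VENDOR_SPECIFIC:
            out.append((f"Attr-{atype}", body))
        else:
            vendor_id = struct.unpack(">I", body[:4])[0]
            j = 4
            while j < len(body):    # one attribute 26 may hold several sub-attributes
                if j + 2 > len(body) or body[j + 1] < 2 or j + body[j + 1] > len(body):
                    raise ValueError("malformed vendor attribute length")
                vtype, vlen = body[j], body[j + 1]
                vdata = body[j + 2:j + vlen]
                key = (vendor_id, vtype)
                name = VSA_NAMES.get(key, f"Vendor-{vendor_id}-Attr-{vtype}")
                value = struct.unpack(">I", vdata)[0] if key in INTEGER_VSAS else vdata.decode()
                out.append((name, value))
                j += vlen
        i += alen
    return out


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    head = struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the Accept was computed over the Request Authenticator this
    client sent, using the shared secret. A reply forged without the secret,
    replayed against a different request, or altered in transit fails here."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return False
    if struct.unpack(">H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def missing_vsas(client: str, packet: bytes, request_auth: bytes, secret: bytes) -> set:
    """VSAs from Table 64 the named client still needs; raises if the Accept is
    not authentic, so unauthenticated attributes are never trusted."""
    if not authentic(packet, request_auth, secret):
        raise ValueError("Access-Accept failed the Response Authenticator check")
    present = {name for name, _ in decode_attributes(packet[20:])}
    return REQUIRED_VSAS[client] - present


# Constructed sample: what a correctly configured server returns to the
# proNX Optical Director for a super-user.
SECRET = b"example-shared-secret"        # made-up shared secret
REQUEST_AUTH = bytes(range(16))          # made-up Request Authenticator
SAMPLE_ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET, encode_vsa(JUNIPER, 1, "super-user"))

if __name__ == "__main__":
    print(decode_attributes(SAMPLE_ACCEPT[20:]))
    print(missing_vsas("proNX Optical Director", SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
```

The Response Authenticator is the only thing that ties the privilege-bearing VSA to the client's own request and to the shared secret, which is why the Secret entered on the Security page must match the one on the RADIUS server and should be long and unique per server.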

Viewing the Authentication Server List

Procedure

Use this procedure to view the list of remote authentication servers.

  1. Select the Administration tab and click Security in the left-nav bar.

    A table listing the authentication servers is displayed in alphabetical order. See Table 63 for an explanation of the fields.

  2. To search, copy, print, or save the table, see Working with Tables.

Adding an Authentication Server to the Authentication Server List

Procedure

Use this procedure to add an authentication server to the list.

  1. Select the Administration tab and click Security in the left-nav bar.

    A table displaying the list of authentication servers is displayed.

  2. Click New to add an authentication server to this list. The Create a New Authentication Server dialog appears.
  3. Specify the Server Name of the server you want to add.

    Since the remote authentication servers are listed alphabetically, the name you give the server dictates where that server is placed in the list, which consequently influences the authentication order.

  4. Specify the IPv4 or IPv6 address of the server you want to add.
  5. Specify the Secret that the authentication client uses to communicate with the authentication server. This must be the same shared secret that is configured for this client on the RADIUS server. With radius-pap the user's password is hidden on the wire only by an MD5 construction keyed with this secret, and the secret is also what authenticates the server's replies, so use a long random value and a different one for each server.
  6. Specify the protocol Port to use.
  7. Select the Authorization Type from the drop-down list.
  8. Specify the Attempts and Timeout values.

    For convenience, the product of these two values is shown in the Delay field. This is the maximum time in seconds that the RADIUS client waits on this one server before giving up on it. The field is informational and represents the delay you see when the server is unreachable. Because the client works through every configured server, the worst-case wait before local user authentication is the sum of the Delay values of all servers in the list; keep that total under 5 seconds so that local user authentication can take place.

  9. Click Save to add the specified authentication server.

    The dialog closes and the server you just specified is shown in the server list.

Editing an Authentication Server

Procedure

Use this procedure to edit an authentication server in the authentication server list.

  1. Select the Administration tab and click Security in the left-nav bar.

    A table displaying the list of authentication servers is displayed.

  2. Select the authentication server you want to edit and click Edit.

    The Edit an Existing Authentication Server dialog appears.

  3. Update the IP address, Secret, Port, Authorization Type, Attempts, and/or Timeout as needed.
  4. Click Update to save your changes.

    The dialog closes and the server is updated.

Note If you are currently using this server for device user authentication, the changes that you make are not automatically propagated to the device. In order to propagate the changes to the device, you have to delete and re-add this server from the Device Security page (see Adding or Deleting a RADIUS Server or Changing the RADIUS Security Options).

Deleting an Authentication Server from the Authentication Server List

Procedure

Use this procedure to delete an authentication server from the list.

  1. Select the Administration tab and click Security in the left-nav bar.

    A table displaying the list of authentication servers is displayed.

  2. Select the authentication server you want to delete and click Delete.

    A confirmation dialog appears.

    Note If you are currently using this server for device user authentication, the confirmation dialog offers you the ability to delete the server from all device user authentication lists as well. This saves you the extra step of having to remove this server from all device user authentication lists.

  3. Click Delete to confirm.

Changing the Authentication Server Order in the Authentication Server List

Procedure

Use this procedure to change the order that the remote authentication servers are listed. The order is relevant for user authentication.

To change the placement of a particular server in the list, delete the server and add it back with a different name.

  1. Select the authentication server you want to move and follow the procedure in Deleting an Authentication Server from the Authentication Server List to delete that server. It is recommended that you choose the option to delete the server from all device user authentication lists.
  2. Follow the procedure in Adding an Authentication Server to the Authentication Server List to re-add the deleted server, but choose a server name that places the server in the desired position in the alphabetically ordered list.
  3. If you are using this server for device user authentication, add the server back to the device user authentication lists. See About the Device Security Page.