To access this page, select the Administration tab and click Security in the left-nav bar.
Note Remote authentication is supported only using RADIUS servers in this release.
The Security page lists the remote authentication servers configured for proNX Optical Director user authentication.
The servers in this same list are also available to be selected for device user authentication. Device user authentication is used when you use the proNX Optical Director to discover a device. When you discover a device, you enter the login credentials in the Device Discovery dialog. These credentials are then authenticated by the device either locally on the device or by using a remote authentication server. To select a remote authentication server from this list for device user authentication, see About the Device Security Page.
The servers are listed in alphabetical order in both lists. The order in which the servers are listed matters, because it is the order in which they are tried. See Authentication Process.
You can perform the following actions on this page:
View the list of remote authentication servers.
Specify a new remote authentication server for this list.
Edit the information for an existing remote authentication server.
Remove an existing remote authentication server from this list.
Change the order of remote authentication servers in this list. The order of the servers in this list dictates the authentication order.
Table 63 explains the fields in the Security page.
Table 63: Fields in the Security Page
Field | Description |
---|---|
Server Name | The name of the authentication server. |
IP Address | The IP address of the authentication server. |
Port | The protocol port to use. |
Authorization Type | The type of authorization to use. Only radius-pap is supported. |
Attempts | The number of attempts to reach each server in the list during authentication. |
Timeout | The number of seconds to wait for a response from each server during authentication. |
The authentication process is similar regardless of whether the authentication client is the proNX Optical Director or the device. For proNX Optical Director user authentication, the authentication client is the proNX Optical Director. For device user authentication, the authentication client is the device.
The order in which the authentication servers are listed determines the authentication order. The server list for proNX Optical Director user authentication is shown in About the Security Page. The server list for device user authentication is shown in About the Device Security Page.
The servers are listed in alphabetical order in both lists. To change the position of a server in the list, change the server name by deleting and re-adding the server using a name that alphabetically positions the server in the desired position.
The authentication client tries to authenticate with the first server in the list. If the authentication client does not receive a response after Timeout seconds, the authentication client tries the next server in the list, and so on. If the authentication client goes through the whole list without receiving a response from any server, the authentication client cycles through the list again. The authentication client goes through the list for the number of times specified by the Attempts attribute.
If one of the authentication servers rejects the authentication request, or if none of the authentication servers responds to the authentication request within the period specified by the Timeout and Attempts attributes, local user authentication is performed.
Note Set the Timeout and Attempts values such that the maximum time that authentication can take is under 5 seconds (for example, 3 attempts with a timeout of 1 second). This allows local authentication to take place in the unlikely event that the authentication servers are unreachable.
Local user authentication allows you to log in if the remote authentication servers are unreachable or if a misconfiguration causes the remote authentication servers to reject the login request. In these situations, the user is authenticated locally.
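The failover order described above (alphabetical list, per-server Timeout, Attempts passes through the list, and local authentication when a server rejects or nobody answers) is easy to get wrong when sizing Timeout and Attempts. The following is an added illustration, not code from proNX Optical Director or from any device: it models a RADIUS server as a small object with a constructed reachability flag and credential table, walks the list exactly as the page describes, and also computes the Delay field value (Attempts × Timeout) that the Add dialog shows, with the under-5-seconds check from the note. Server names, usernames and passwords are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the client-side failover described on this page.
# A "server" is an in-memory object, so the walk through the list runs offline.


@dataclass
class RadiusServer:
    name: str
    reachable: bool
    users: dict = field(default_factory=dict)  # constructed username -> password table
    polls: int = 0                              # how many times the client queried this server

    def query(self, username: str, password: str) -> Optional[str]:
        """Return "accept", "reject", or None when the server never answers (timeout)."""
        self.polls += 1
        if not self.reachable:
            return None
        return "accept" if self.users.get(username) == password else "reject"


@dataclass
class AuthResult:
    source: str              # "remote" or "local"
    decision: str            # "accept" or "reject"
    server: Optional[str]    # server that answered, if any
    waited: float            # seconds the model spent on unanswered queries


def ordered(servers):
    """The product lists servers alphabetically, so the server name fixes the order."""
    return sorted(servers, key=lambda s: s.name)


def delay_field(attempts: int, timeout: float) -> float:
    """Value shown in the Delay field of the Add dialog: Attempts * Timeout, in seconds."""
    return attempts * timeout


def delay_is_acceptable(attempts: int, timeout: float, limit: float = 5.0) -> bool:
    """Guidance from the page: keep the delay under 5 seconds so local login still works."""
    return delay_field(attempts, timeout) < limit


def local_auth(local_db: dict, username: str, password: str, waited: float) -> AuthResult:
    """Local database lookup; independent of whatever the RADIUS servers hold."""
    decision = "accept" if local_db.get(username) == password else "reject"
    return AuthResult("local", decision, None, waited)


def authenticate(servers, attempts, timeout, local_db, username, password) -> AuthResult:
    """Client behaviour from the page: try each server in list order; on no reply
    within `timeout` move to the next; cycle the list `attempts` times; a reject
    from any server, or no reply from all of them, hands off to local authentication."""
    waited = 0.0
    for _ in range(attempts):
        for srv in ordered(servers):
            outcome = srv.query(username, password)
            if outcome is None:
                waited += timeout      # no reply: the timeout elapses, try the next server
                continue
            if outcome == "accept":
                return AuthResult("remote", "accept", srv.name, waited)
            return local_auth(local_db, username, password, waited)  # explicit reject
    return local_auth(local_db, username, password, waited)          # nobody answered


def demo():
    # Constructed scenario: "radius-a" is tried first purely because of its name.
    servers = [RadiusServer("radius-b", reachable=False),
               RadiusServer("radius-a", reachable=True, users={"alice": "s3cret"})]
    local_db = {"alice": "local-pw", "bob": "bob-pw"}
    return {
        "order": [s.name for s in ordered(servers)],
        "alice": authenticate(servers, 3, 1.0, local_db, "alice", "s3cret"),
        # bob is unknown to RADIUS (reject) but present locally: the databases are independent
        "bob": authenticate(servers, 3, 1.0, local_db, "bob", "bob-pw"),
        "delay_ok": delay_is_acceptable(3, 1.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the two paths the page describes: a valid RADIUS login is accepted by the first reachable server without any waiting, while a user the RADIUS servers reject is still admitted by the local database. Renaming a server (delete and re-add) is the only way to change its position in `ordered()`, which is why the page ties ordering to the server name.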
The credentials for local user authentication are stored in the local database. For the proNX Optical Director user, this is the proNX Optical Director database administered using Administration>Users>User Management (see About the User Management Page). For the device user, this is the database stored on the device (see the respective device documentation).
The local and remote authentication databases are independent of each other. You can have the same or different usernames and you can have the same or different passwords in each database. The same username and password can be rejected by the remote authentication server but accepted by local user authentication, and vice versa. There is no correlation between the two databases.
Some authentication clients require vendor-specific attributes to be returned from the remote authentication server during the authentication process. These attributes can include an indication of the privilege level for the user being authenticated (Table 64).
Table 64: Vendor-Specific Attribute (VSA) Requirements for RADIUS Authentication
Authentication Client | Requirement on the RADIUS Server | Required Attribute Values | Example Configuration (FreeRADIUS¹) |
---|---|---|---|
proNX Optical Director | Requires the RADIUS server to return the Juniper-Local-User-Name VSA in the Access-Accept message. This VSA is encapsulated within attribute 26 with the vendor ID set to the Juniper Networks ID number, 2636. The attribute value indicates the privilege level. | Juniper-Local-User-Name (string): super-user | dictionary file: VENDOR Juniper 2636 BEGIN-VENDOR Juniper ATTRIBUTE Juniper-Local-User-Name 1 string END-VENDOR Juniper users file: Juniper-Local-User-Name := "super-user" |
TCX1000-RDM20 | Requires the RADIUS server to return both the Lumentum-CLI-Priv VSA and the Lumentum-SFTP-Priv VSA in the Access-Accept message. This VSA is encapsulated within attribute 26 with the vendor ID set to the Lumentum ID number, 46184. The attribute value indicates the privilege level. | Lumentum-NACM (string): read-write-exec Lumentum-CLI-Priv (string): admin Lumentum-SFTP-Priv (string): read-write | dictionary file: VENDOR Lumentum 46184 BEGIN-VENDOR Lumentum ATTRIBUTE Lumentum-NACM 1 string ATTRIBUTE Lumentum-CLI-Priv 2 string ATTRIBUTE Lumentum-SFTP-Priv 3 string END-VENDOR Lumentum users file: Lumentum-NACM := "read-write-exec" Lumentum-CLI-Priv := "admin" Lumentum-SFTP-Priv := "read-write" |
TCX1000-ILA | Requires the RADIUS server to return the User-Role VSA in the Access-Accept message. This VSA is encapsulated within attribute 26 with the vendor ID set to the Oplink ID number, 7483. The attribute value indicates the privilege level. Alternatively, instead of using the User-Role VSA, the TCX1000-ILA can process the same attribute value (privilege level) in the Reply-Message attribute. | User-Role (integer): 2 | dictionary file: VENDOR Oplink 7483 BEGIN-VENDOR Oplink ATTRIBUTE User-Role 1 integer END-VENDOR Oplink users file: User-Role := 2 |
¹ These examples are provided to illustrate the concepts only. Consult your RADIUS server vendor's documentation for proper configuration of the vendor-specific attributes.
Note: For RADIUS server requirements for devices not listed in the table, see the documentation for those devices.
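Table 64 says each VSA is "encapsulated within attribute 26 with the vendor ID" and lists the vendor-type numbers from the FreeRADIUS dictionaries. The following added example, which is not code from Juniper, Lumentum, Oplink or FreeRADIUS, shows what that wire encoding looks like (RFC 2865 Vendor-Specific format: Type 26, Length, 4-byte Vendor-Id, then Vendor-Type, Vendor-Length, value), decodes such attributes back, and checks an Access-Accept's attribute set against the per-client requirements in the table. The vendor IDs and vendor-type numbers are taken from the page; the packet bytes and helper names are constructed.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type that carries VSAs (RFC 2865, section 5.26)

# (vendor_id, vendor_type) -> (attribute name, kind), taken from the dictionary
# examples in Table 64 on this page.
ATTRIBUTES = {
    (2636, 1): ("Juniper-Local-User-Name", "string"),
    (46184, 1): ("Lumentum-NACM", "string"),
    (46184, 2): ("Lumentum-CLI-Priv", "string"),
    (46184, 3): ("Lumentum-SFTP-Priv", "string"),
    (7483, 1): ("User-Role", "integer"),
}
BY_NAME = {name: (vid, vtype, kind) for (vid, vtype), (name, kind) in ATTRIBUTES.items()}

# Which VSAs each authentication client expects in the Access-Accept (Table 64).
REQUIRED = {
    "proNX Optical Director": ["Juniper-Local-User-Name"],
    "TCX1000-RDM20": ["Lumentum-CLI-Priv", "Lumentum-SFTP-Priv"],
    "TCX1000-ILA": ["User-Role"],
}


def encode_vsa(name, value) -> bytes:
    """Build one attribute-26 TLV carrying a single vendor sub-attribute."""
    vid, vtype, kind = BY_NAME[name]
    data = struct.pack("!I", value) if kind == "integer" else value.encode("utf-8")
    if len(data) > 247:  # outer Length is one octet: 255 - 6 (outer header) - 2 (sub-header)
        raise ValueError("VSA value too long for a single attribute")
    vendor_part = struct.pack("!BB", vtype, 2 + len(data)) + data  # Vendor-Type, Vendor-Length
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vendor_part), vid) + vendor_part


def decode_attributes(payload: bytes) -> dict:
    """Walk a RADIUS attribute list and return {name: value} for the VSAs found.
    Unknown vendor/type pairs are kept under a constructed "vendor-<id>-type-<n>" key."""
    found = {}
    i = 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        body = payload[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vid = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):  # a VSA may carry several vendor sub-attributes
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("malformed vendor sub-attribute")
                data = body[j + 2:j + vlen]
                name, kind = ATTRIBUTES.get((vid, vtype), ("vendor-%d-type-%d" % (vid, vtype), "raw"))
                if kind == "integer" and len(data) == 4:
                    found[name] = struct.unpack("!I", data)[0]
                elif kind == "string":
                    found[name] = data.decode("utf-8", errors="replace")
                else:
                    found[name] = data
                j += vlen
        i += alen
    return found


def missing_vsas(client: str, attrs: dict) -> list:
    """Names from Table 64 that the given client needs but the Access-Accept lacks."""
    return [n for n in REQUIRED[client] if n not in attrs]


if __name__ == "__main__":
    accept = encode_vsa("Juniper-Local-User-Name", "super-user")
    print(accept.hex())
    print(decode_attributes(accept), missing_vsas("proNX Optical Director", decode_attributes(accept)))
```

A useful way to read the output: the first two octets are `1a12` (type 26, length 18), the next four are `00000a4c` (vendor ID 2636), then `010c` (vendor type 1, vendor length 12) followed by the ten bytes of `super-user`. The `missing_vsas` check is the same question a RADIUS administrator asks when a TCX1000-RDM20 login succeeds on the server but the device still refuses the session: one of the two required Lumentum VSAs is absent from the Access-Accept.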
Use this procedure to view the list of remote authentication servers.
A table listing the remote authentication servers is displayed, in alphabetical order. See Table 63 for an explanation of the fields.
Use this procedure to add an authentication server to the list.
A table displaying the list of authentication servers is displayed.
Since the remote authentication servers are listed alphabetically, the name you give the server dictates where that server is placed in the list, which consequently influences the authentication order.
For convenience, the product of the Attempts and Timeout values is shown in the Delay field. The Delay field indicates the maximum time in seconds that the RADIUS client waits for remote user authentication to complete. This field is informational and represents the time delay encountered when the remote authentication servers are unreachable. Keeping this delay under 5 seconds allows local user authentication to take place.
The dialog closes and the server you just specified is shown in the server list.
Use this procedure to edit an authentication server in the authentication server list.
A table displaying the list of authentication servers is displayed.
The Edit an Existing Authentication Server dialog appears.
The dialog closes and the server is updated.
Note If you are currently using this server for device user authentication, the changes that you make are not automatically propagated to the device. To propagate the changes to the device, you have to delete and re-add this server from the Device Security page (see Adding or Deleting a RADIUS Server or Changing the RADIUS Security Options).
Use this procedure to delete an authentication server from the list.
A table displaying the list of authentication servers is displayed.
A confirmation dialog appears.
Note If you are currently using this server for device user authentication, the confirmation dialog offers you the ability to delete the server from all device user authentication lists as well. This saves you the extra step of having to remove this server from all device user authentication lists.
Use this procedure to change the order in which the remote authentication servers are listed. The order matters for user authentication.
To change the placement of a particular server in the list, delete the server and add it back with a different name.