
Understanding Client Groups for Firewall Authentication

To manage a number of firewall users, you can create user or client groups and store the information either on the local Juniper Networks device or on an external RADIUS or LDAP server.

Before You Begin

For background information, read Firewall User Authentication Overview.

A client group is a list of the groups that a client belongs to. As with the client-idle timeout, the locally configured client group is used only if the external authentication server does not return group information in its response (LDAP servers, for example, do not return such information); group information returned by the server takes precedence.

A RADIUS server returns the client's group membership to the Juniper Networks device in Juniper vendor-specific attribute (VSA) 46. The client-match statement in a security policy accepts a string that can be either a username or the name of a client group the user belongs to; an authenticated user matches the policy if either the username or one of the user's groups equals that string.

This topic presents two example configurations, each shown with both J-Web and the CLI configuration editor. The first configures a local user called client1 as a member of the client groups G1, G2, and G3. If no client group is defined for a client, the client group configured under the access profile session-options hierarchy (access > profile > session-options) is used instead; the second example configures such a default client group for all users in a profile called managers.
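The following Junos configuration, added here as an illustration and not taken from the Juniper documentation this topic belongs to, puts both cases into one profile: the local user client1 with client groups G1, G2, and G3, a profile-wide default client group under session-options for the profile managers, and a security policy whose client-match statement admits only users that carry group G1 (by name or by group membership). The RADIUS server address 10.1.1.5, the password and shared secret "Secret123", the zone names trust and untrust, the policy name permit-g1, and the default group name default-managers are placeholders chosen for this example.

```junos
access {
    profile managers {
        authentication-order [ password radius ];
        client client1 {
            /* Example user (not from the original page). The locally
               defined groups below apply only when the RADIUS server
               returns no group information for this user. */
            firewall-user {
                password "Secret123"; /* placeholder; stored encrypted after commit */
            }
            client-group [ G1 G2 G3 ];
        }
        session-options {
            /* Default group for users in this profile that have no
               client-group of their own and get none from the server. */
            client-group [ default-managers ];
        }
        radius-server {
            /* Placeholder server; groups it returns (VSA 46) override
               the locally configured client groups. */
            10.1.1.5 secret "Secret123";
        }
    }
    firewall-authentication {
        pass-through {
            default-profile managers;
        }
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy permit-g1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        firewall-authentication {
                            pass-through {
                                access-profile managers;
                                /* Matches a username "G1" or any user whose
                                   group list contains G1. */
                                client-match [ G1 ];
                            }
                        }
                    }
                }
            }
        }
    }
}
```

The snippet is in Junos text (display) format and can be loaded with load merge terminal in configuration mode and then committed. After a user authenticates, show security firewall-authentication users lists the authenticated entry, and the identifier form of that command shows the details applied to it, which is where to confirm whether the groups came from the RADIUS response or from the local client-group or session-options configuration. Because client-match compares a plain string against both usernames and group names, avoid giving a user and a group the same name when the two are meant to be treated differently.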


