Users—Authentication Policy—Global Authentication Policy—Edit/View Global Authentication Policy

Description

Use the Edit/View Global Authentication Policy dialog box to configure and edit global authentication policies.

Click Settings > Users > Authentication Policy > Global Authentication Policy

Permissions

Superuser

Dialog Elements

Maximum Login Attempts text box—Indicates the maximum number of consecutive failure login attempts allowed within the access window for a user. If a user reaches the maximum number of login attempts, the user status automatically becomes locked. This field can have a value from 0 to 100. If the maximum login attempts is 0, the authentication policy for the user will not be active, the user account will be assumed to be unlocked, and the normal login mechanism will be applied. If a user account status is unlocked, the user can successfully log in to the JUNOScope software by providing a valid username and password. If the account status is locked, the user is denied access to the JUNOScope software, even if the user provides a valid username and password. The message “ The user account is currently locked. Please contact the system administrator,” is displayed.For the JUNOScope administrator (the initially configured user), the user account is always unlocked.

Access Window text boxes—The access window for a user account starts when the first login failure occurs for that account and runs until one of the following occurs:

• A user successfully logs in. The access window is then reset.

• A user tries unsuccessfully to log in for the maximum login attempts. The user account is then locked and the access window timer is reset.

  The Access Window field can have a minimum value of 0 (for example, all the field minute(s), hour(s), and second(s) having a value of 0) and a maximum value of 24 hours, for example, the hour(s) field can have a maximum value of 24, while the minute(s) and second(s) fields have a value of 0). The default value is 0. However, individually, the hour(s) field can have a value from 0 to 24, the minute(s) field can have a value of from 0 to 59, and the second(s) field can have a value from 0 to 59. If the Access Window field is 0, the authentication policy for the user account will not be active, and the normal login mechanism will always be applied.

  The timer for the access window starts when an invalid login attempt is made on a user account. If a user account is not locked and no further invalid login is attempted for that account, the timer for the access window is automatically reset either after a time period equal to the access window or if the user successfully logs in to JUNOScope within the access window period.

  If the authentication policy for a user account is set up with 3 Maximum Login Attempts and a 1-hour Access Window, the clock for the Access Window starts at the first unsuccessful attempt when the user types an invalid password to log in. If the user makes three unsuccessful attempts within 1 hour, then the user account will be LOCKED at the third unsuccessful attempt and will be redirected to the “ The user account is currently locked. Please see the system administrator” message. Any further attempts by the user to log in using the username, even with a valid password, will be denied.

Add button—Expands the dialog box so that you can allow or deny specific clients access to JUNOScope. The following items appear when you click Add:

• Network text box—The IP address of the client machines that should be allowed or denied access to the JUNOScope software. Specify either a specific client address, in which case the user must use the wildcard of 32 (128 for IPv6), or the specific first valid client address, in which case you must use the mask as the number of bits that should exactly match the given IP address.

• Mask drop-down list box—The network mask of the client machines that should be allowed or denied access to the JUNOScope software. Specifies the number of bits in the client IP that should match the given IP address.

• Allow drop-down list box—Lets you determine whether to deny or allow access to the client machine if the IP address is matched.

• Comment text box—Identifies the Access Control List entry. You can provide a comment to identify each Access Control List entry or to provide a reason for allowing or denying access.

• Actions buttons—The Move Up and Move Down options used for ordering Access Control List entries. When a user logs in, the IP address of the user’s machine is compared with the access list in sequence until a match is found. If a match is found, then the action specified (Allow/Deny) is performed, and the process does not continue. However, if no match is found, the client is allowed access by default. Since order plays an important role in the access list, use the Move Up and Move Down options to change the order of Access Control List entries. Use the Delete option to delete an Access Control List entry.

Save button—Saves the global authentication policy changes to the database.

Reset button—Clears all the values you have entered and restores the last saved values.

Export button—Displays the File Download dialog box so that you can export global authentication policy data to a file on the local file system. The default global authentication policy filename is junoscope-globalPolicy.xml.

Import button—Displays the Import dialog box so that you can import global authentication policy data from a file on the local file system.

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.