Configuring CTPView User Authentication with Steel-Belted Radius

You can provide RADIUS authentication for users logging in to the CTPView GUI. Use an independent Steel-Belted Radius (SBR) server or an RSA SecurID appliance with your CTPView server running FC9 OS and CTPView 3.4R1 or higher. The RSA SecurID appliance incorporates an SBR server, making the configuration very similar to that for an independent SBR server.

Users are authenticated in the following order:

  1. By the SBR server.
  2. By the local CTPView application.

You can configure the SBR server to use native user authentication or pass-through authentication with RSA SecurID.

  • Native user authentication references user accounts stored on the SBR server. When trying the native user method, the SBR software searches its database for an entry whose User-Type is Native User and whose username matches the User-Name in the Access-Request.
  • Pass-through authentication (two-factor authentication) enables the SBR server to pass authentication requests through to RSA Authentication Manager (RSA SecurID). RSA SecurID is then responsible for validating the username and password found in the Access-Request.

The order of authentication between these two categories of users is set on the SBR server. You can add the same user (that is, the same user ID) to both the SBR server and the local CTPView application.

Note: CTPView does not currently support RADIUS authentication for shell access to the CTPView server.

  1. Configuring RADIUS Settings on the CTPView Server
  2. Configuring the SBR Server’s Dictionary Files
  3. Configuring the SBR Server’s Active Authentication Method
  4. Adding the CTPView Server as a RADIUS Client on an SBR Server
  5. Adding CTPView Users to an SBR Server
  6. Assigning SecurID Tokens to CTPView Users

Configuring RADIUS Settings on the CTPView Server

Before you begin, log in to the CTPView server and access the CTPView Configuration Menu. See Accessing the CTPView Server Configuration Menu (CTPView Server Menu).

To configure RADIUS settings on the CTPView server:

  1. From the CTPView Configuration Menu, select 9) RADIUS Function.

    The RADIUS Menu is displayed.

  2. Select 3) Add/Update RADIUS Template Accounts.
  3. Enter the MySQL root account password when prompted.

    The required template accounts are added to CTPView. These accounts are not configurable. This step is performed as part of the initial configuration of CTPView as a RADIUS client. However, repeating this step has no detrimental effect on the RADIUS configuration.

  4. Return to the RADIUS Menu.
  5. Select 2) View/Set RADIUS Servers and add the RADIUS server’s IP address.
  6. When prompted, enter the following information:

    • shared secret
    • timeout period
    • number of retries

    You can add up to 10 RADIUS servers.
  7. Return to the RADIUS Menu.
  8. Select 1) View/Set RADIUS State.
  9. Select 2) Enable RADIUS.

Configuring the SBR Server’s Dictionary Files

To configure the SBR server’s dictionary files:

  1. Log in to the SBR server as an administrator.
  2. Open the file C:\Program Files\Juniper Networks\Steel-Belted RADIUS\Service\juniper.dct and append the following new block of text to the bottom of the file:
    #################################################################
    # CTP Specific Attributes
    #################################################################
    ATTRIBUTE Juniper-CTP-Group Juniper-VSA(21, integer) r
    VALUE Juniper-CTP-Group Read_Only 1
    VALUE Juniper-CTP-Group Admin 2
    VALUE Juniper-CTP-Group Privileged_Admin 3
    ATTRIBUTE Juniper-CTPView-APP-Group Juniper-VSA(22,integer) r
    VALUE Juniper-CTPView-APP-Group Net_View 1
    VALUE Juniper-CTPView-APP-Group Net_Admin 2
    VALUE Juniper-CTPView-APP-Group Global_Admin 3
    ATTRIBUTE Juniper-CTPView-OS-Group Juniper-VSA(23, integer) r
    VALUE Juniper-CTPView-OS-Group Admin 1
    VALUE Juniper-CTPView-OS-Group Privileged_Admin 2
    #################################################################
    # CTP Specific Attributes
    #################################################################
  3. Open the file C:\Program Files\Juniper Networks\Steel-Belted RADIUS\Service\vendor.ini and locate the block of text that begins:

    vendor-product = Juniper M/T Series

  4. Add the following text after that block.
    vendor-product = Juniper CTP Series
    dictionary = Juniper
    ignore ports = no
    port-number-usage = per-port-type
    help-id = 2000
  5. Restart the Steel-Belted Radius service on the server.

Configuring the SBR Server’s Active Authentication Method

To configure the SBR server’s active authentication method:

  1. Launch the Steel-Belted Radius Administrator application from your web browser by entering the address http://SBR-server-IP-address:1812.
  2. Click Launch.
  3. Select Steel-Belted RADIUS > Authentication Policies > Order of Methods.

    Ensure that your chosen method, Native User or SecurID User, is listed under the section Active Authentication Methods.

Adding the CTPView Server as a RADIUS Client on an SBR Server

To add the CTPView server as a RADIUS client on an SBR server:

  1. Launch the Steel-Belted Radius Administrator application from your web browser by entering the address http://SBR-server-IP-address:1812.
  2. Click Launch.
  3. Select Steel-Belted RADIUS > RADIUS Clients.
  4. Add your CTPView server as a client. In the Make or model field, select Juniper CTP Series.

Adding CTPView Users to an SBR Server

To add CTPView users to an SBR server:

  1. Launch the Steel-Belted Radius Administrator application from your web browser by entering the address http://SBR-server-IP-address:1812.
  2. Click Launch.
  3. Select the user type.

    • For native users, select Steel-Belted RADIUS > Users > Native.
    • For RSA SecurID users, select Steel-Belted RADIUS > Users > SecurID.
  4. Add a user with the Add Native User dialog box or the Add SecurID dialog box, depending on your choice in the previous step.
  5. In the Attributes section, click the Return List tab and then click Add. The Add Return List Attribute dialog box opens.
  6. In the Attributes section, select Juniper-CTPView-APP-Group.
  7. In the Value section, select one of the following authorization levels for the user you are adding:

    • Global_Admin
    • Net_Admin
    • Net_View
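
The return-list attribute chosen above reaches the CTPView server as a Vendor-Specific attribute inside the Access-Accept, protected only by the shared secret through the Response Authenticator. The following is an added example, not Juniper's code: it builds a constructed Access-Accept, verifies its authenticator, and decodes the group values from the juniper.dct block. It assumes that Juniper-VSA expands to RADIUS attribute 26 with Juniper's IANA enterprise number 2636; build_accept and parse_accept are hypothetical helper names.

```python
import hashlib
import hmac
import struct

JUNIPER_VENDOR_ID = 2636  # assumption: the enterprise number Juniper-VSA expands to
VENDOR_SPECIFIC = 26      # RADIUS Vendor-Specific attribute type (RFC 2865)
# Vendor types and values copied from the juniper.dct block on this page.
CTP_VSAS = {
    21: ("Juniper-CTP-Group", {1: "Read_Only", 2: "Admin", 3: "Privileged_Admin"}),
    22: ("Juniper-CTPView-APP-Group", {1: "Net_View", 2: "Net_Admin", 3: "Global_Admin"}),
    23: ("Juniper-CTPView-OS-Group", {1: "Admin", 2: "Privileged_Admin"}),
}

def build_accept(ident, request_auth, secret, vsas):
    """Build a constructed Access-Accept (code 2) carrying integer Juniper VSAs."""
    attrs = b""
    for vtype, value in vsas:
        sub = struct.pack("!BBI", vtype, 6, value)  # vendor type, length, integer
        body = struct.pack("!I", JUNIPER_VENDOR_ID) + sub
        attrs += struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def parse_accept(packet, request_auth, secret):
    """Verify the Response Authenticator, then return {attribute name: value name}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch: wrong shared secret or altered reply")
    roles, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) != 10:
            continue  # not a single integer VSA
        vendor, vtype, vlen, num = struct.unpack("!IBBI", value)
        if vendor == JUNIPER_VENDOR_ID and vlen == 6 and vtype in CTP_VSAS:
            name, values = CTP_VSAS[vtype]
            roles[name] = values.get(num, f"unknown({num})")
    return roles
```

A reply whose authenticator does not match the secret configured on both the CTPView server and the SBR client entry is rejected before any group value is read.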

Assigning SecurID Tokens to CTPView Users

SecurID authentication requires that you issue a SecurID token to each user and assign it to them on the RSA SecurID appliance. The first time a new user logs in to the CTPView software, the token code displayed on the SecurID token is the password. The user is then prompted to create a PIN. On subsequent logins, the user’s PIN followed immediately by the token code displayed on the SecurID token is the password.

To assign SecurID tokens:

  1. On the RSA SecurID appliance, launch the RSA Authentication Manager Host Mode application.
  2. Select User > Add User.
  3. Complete at least the following required fields:

    • Last Name
    • Default Login
    • Required to Create a PIN
    • Assign Token

Published: 2010-10-05


 