Configuring CTPView User Authentication with Steel-Belted Radius
You can provide RADIUS authentication for users logging
in to the CTPView GUI. Use an independent Steel-Belted Radius (SBR)
server or an RSA SecurID appliance with your CTPView server running
FC9 OS and CTPView 3.4R1 or higher. The RSA SecurID appliance incorporates
an SBR server, making the configuration very similar to that for an
independent SBR server.
Users are authenticated in the
following order:
- By the SBR server.
- By the local CTPView application.
You can configure the SBR server to use
native user authentication or pass-through authentication with RSA
SecurID.
- Native user authentication references user accounts stored
on the SBR server. When trying the native user method, the SBR software
searches its database for an entry whose User-Type is Native User
and whose username matches the User-Name in the Access-Request.
- Pass-through authentication (two-factor authentication)
enables the SBR server to pass authentication requests through to
RSA Authentication Manager (RSA SecurID). RSA SecurID is then responsible
for validating the username and password found in the Access-Request.
The order of authentication between these two categories
of users is set on the SBR server. You can add the same user (that
is, the same user ID) to both the SBR server and the local CTPView
application.
 | Note:
CTPView does not currently support RADIUS authentication
for shell access to the CTPView server. |
- Configuring RADIUS Settings on the CTPView Server
- Configuring the SBR Server’s Dictionary Files
- Configuring the SBR Server’s Active Authentication Method
- Adding the CTPView Server as a RADIUS Client on an SBR Server
- Adding CTPView Users to an SBR Server
- Assigning SecurID Tokens to CTPView Users
Configuring RADIUS Settings on the CTPView Server
Before you begin, log in to the CTPView server
and access the CTPView Configuration Menu. See Accessing the CTPView Server Configuration Menu (CTPView Server Menu).
To configure RADIUS settings on the CTPView
server:
- From the CTPView Configuration Menu, select 9) RADIUS Function.
The RADIUS Menu is displayed.
- Select 3) Add/Update RADIUS Template
Accounts.
- Enter the MySQL root account password when prompted.
The required template accounts are added to CTPView. These accounts
are not configurable. This step is performed as part of the initial
configuration of CTPView as a RADIUS client. However, repeating this
step has no detrimental effect on the RADIUS configuration.
- Return to the RADIUS Menu.
- Select 2) View/Set RADIUS Servers and add the RADIUS server’s IP address.
When prompted, enter the following
information:
- shared secret
- timeout period
- number of retries
You can add up to 10 RADIUS servers.- Return to the RADIUS Menu.
- Select 1) View/Set RADIUS State.
- Select 2) Enable RADIUS.
Configuring the SBR Server’s Dictionary Files
To configure the SBR server’s dictionary
files:
- Log in to the SBR server as an administrator.
- Open the file C:\Program Files\Juniper Networks\Steel-Belted
RADIUS\Service\juniper.dct and append the following new block
of text to the bottom of the file:
#################################################################
# CTP Specific Attributes
#################################################################
ATTRIBUTE Juniper-CTP-Group Juniper-VSA(21, integer) r
VALUE Juniper-CTP-Group Read_Only 1
VALUE Juniper-CTP-Group Admin 2
VALUE Juniper-CTP-Group Privileged_Admin 3
ATTRIBUTE Juniper-CTPView-APP-Group Juniper-VSA(22,integer) r
VALUE Juniper-CTPView-APP-Group Net_View 1
VALUE Juniper-CTPView-APP-Group Net_Admin 2
VALUE Juniper-CTPView-APP-Group Global_Admin 3
ATTRIBUTE Juniper-CTPView-OS-Group Juniper-VSA(23, integer) r
VALUE Juniper-CTPView-OS-Group Admin 1
VALUE Juniper-CTPView-OS-Group Privileged_Admin 2
#################################################################
# CTP Specific Attributes
#################################################################
- Open the file C:\Program Files\Juniper
Networks\Steel-Belted RADIUS\Service\vendor.ini and locate the
block of text that begins:
vendor-product = Juniper M/T Series
- Add the following text after that block.
vendor-product = Juniper CTP Series
dictionary = Juniper
ignore ports = no
port-number-usage = per-port-type
help-id = 2000
- Restart the Steel-Belted Radius service
on the server.
Configuring the SBR Server’s Active Authentication Method
To configure the SBR server’s active
authentication method:
- Launch the Steel-Belted Radius Administrator application
from your web browser by entering the address http://SBR-server-IP-address:1812.
- Click Launch.
- Select Steel-Belted RADIUS > Authentication Policies > Order of Methods.
Ensure that your chosen method, Native User or SecurID User,
is listed under the section Active Authentication Methods.
Adding the CTPView Server as a RADIUS Client on an SBR Server
To add the CTPView server as a RADIUS client
on an SBR server:
- Launch the Steel-Belted Radius Administrator application
from your web browser by entering the address http://SBR-server-IP-address:1812.
- Click Launch.
- Select Steel-Belted RADIUS > RADIUS
Clients.
- Add your CTPView server as a client. In the Make
or model field, select Juniper CTP Series.
Adding CTPView Users to an SBR Server
To add CTPView users to an SBR server:
- Launch the Steel-Belted Radius Administrator application
from your web browser by entering the address http://SBR-server-IP-address:1812.
- Click Launch.
Select the user type.
- For native users, select Steel-Belted RADIUS
> Users > Native.
- For RSA SecurID users, select Steel-Belted
RADIUS > Users > SecurID.
- Add a user with the Add Native User dialog
box or the Add SecurID dialog box, depending on your choice in the
previous step.
- In the Attributes section, click the Return List tab and then click Add. The Add Return List Attribute dialog box opens.
- In the Attributes section select Juniper-CTPView_APP-Group.
In the Value section select one of
the following authorization levels for the user you are adding:
- Global_Admin
- Net_Admin
- Net_View
Assigning SecurID Tokens to CTPView Users
SecurID authentication requires
that you issue a SecurID token to each user and assign it to them
on the RSA SecurID appliance. The first time a new user logs in to
the CTPView software, the token code displayed
on the SecurID token is the password. The user is then prompted to
create a PIN. On subsequent logins, the user’s PIN followed
immediately by the token code displayed on the SecurID token is the
password.
To assign SecurID tokens:
- On the RSA SecurID appliance, launch the RSA Authentication
Manager Host Mode application.
- Select User > Add User.
Complete at least the following required
fields:
- Last Name
- Default Login
- Required to Create a PIN
- Assign Token
Published: 2010-10-05