Hide Navigation Pane
Show Navigation Pane
Feedback
Download
SHA1
Understanding External Authentication Servers
AAA provides an extra level of protection and control for user access in the following ways:
- Authentication determines the firewall user.
- Authorization determines what the firewall user can do.
- Accounting determines what the firewall user did on the network.
You can use authentication alone or with authorization and accounting. Authorization always requires a user to be authenticated first. You can use accounting alone, or with authentication and authorization.
Once the user's credentials are collected, they are processed using firewall user authentication, which supports the following types of servers:
- Local authentication and authorization
- RADIUS authentication and authorization (compatible with Juniper SteelBelted Radius server)
- LDAP authentication only (supports LDAP version 3 and compatible with Windows AD)
- SecurID authentication only (using an RSA SecurID external authentication server)
 | Note: Junos OS also supports administrative authentication using local, RADIUS, and TACACS+ servers. For more information on administrative authentication, see the Junos OS Administration Guide for Security Devices. |
This topic includes the following sections:
Understanding SecurID User Authentication
SecurID is an authentication method that allows users to enter either static or dynamic passwords as their credentials. A dynamic password is a combination of a user's PIN and a randomly generated token that is valid for a short period of time, approximately one minute. A static password is set for the user on the SecurID server. For example, the SecurID server administrator might set a temporary static password for a user who lost his or her SecurID token.
When a user attempts to access a resource protected by a policy and SecurID is configured in the profile authentication-order parameter as either the only authentication mode or the first one to be used, the device forwards the user's credentials to the SecurID server for authentication. If the user enters valid values, the user is allowed access to the requested resource.
| Note: The SecurID server includes a feature that presents a user with a challenge if the user provides wrong credentials repeatedly. However, Junos OS does not support the challenge feature. Instead, the SecurID server administrator must resynchronize the RSA token for the user. |
For SecurID, you configure information about the Juniper Networks device on the SecurID server and this information is exported to a file called sdconf.rec.
To install the sdconf.rec file on the device, you must use an out-of-band method such as FTP. Install the file in a directory whose files are not deleted regularly. Do not put it in a temporary directory. For example, you might install it in /var/db/secureid/server1/sdconf.rec.
The sdconf.rec file contains information that provides the Juniper Networks device with the address of the SecurID server. You do not need to configure this information explicitly when you configure the SecurID server to be used as the external authentication server.
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Firewall User Authentication Overview
- Example: Configuring RADIUS and LDAP User Authentication
- Example: Configuring SecurID User Authentication
- Example: Deleting the SecurID Node Secret File
