Example: Configuring SecurID User Authentication

This example shows how to configure SecurID as the external authentication server.

Requirements

Before you begin:

Overview

SecurID is an authentication method in which users present either a static or a dynamic password as their credentials. A dynamic password is the user's PIN combined with the tokencode displayed by the user's SecurID token; the tokencode changes at a fixed interval, approximately one minute, so a dynamic password that is captured is of little use after that window. A static password is set for the user on the SecurID server. For example, the SecurID server administrator might set a temporary static password for a user who has lost his or her SecurID token.

When a user attempts to access a resource protected by a policy and SecurID is configured in the profile's authentication-order parameter as either the only authentication mode or the first one to be used, the device forwards the user's credentials to the SecurID server for authentication. If the SecurID server accepts the credentials, the user is allowed access to the requested resource.

Configuration

CLI Quick Configuration

To quickly configure SecurID as the external authentication server, copy the following commands and paste them into the CLI:

    [edit]
    set access profile Profile-2 authentication-order securid
    set access profile Profile-2 client Client-1 client-group alpha
    set access profile Profile-2 client Client-1 client-group beta
    set access profile Profile-2 client Client-1 client-group gamma
    set access profile Profile-2 client Client-1 firewall-user password pwd
    set access profile Profile-2 client Client-2 client-group alpha
    set access profile Profile-2 client Client-2 client-group beta
    set access profile Profile-2 client Client-2 firewall-user password pwd
    set access profile Profile-2 client Client-3 firewall-user password pwd
    set access profile Profile-2 client Client-4 firewall-user password pwd
    set access profile Profile-2 session-options client-group alpha
    set access profile Profile-2 session-options client-group beta
    set access profile Profile-2 session-options client-group gamma
    set access profile Profile-2 session-options client-idle-timeout 255
    set access profile Profile-2 session-options client-session-timeout 4

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure SecurID as the external authentication server:

  1. For the Profile-2 profile, configure SecurID as the server to be used for external authentication. Because securid is the only method in the authentication order, firewall users in this profile can authenticate through the SecurID server only: a user whom the SecurID server rejects is denied access, and there is no fallback to the local password configured under firewall-user:
    [edit]
    user@host# set access profile Profile-2 authentication-order securid

    To share a single SecurID server across multiple profiles, for each profile set the authentication-order parameter to include securid as the authentication mode.

  2. Configure firewall users Client-1 through Client-4. Assign the Client-1 firewall user to client groups alpha, beta, and gamma, and assign the Client-2 firewall user to client groups alpha and beta. The client entries are what place a user into client groups that security policies can match on; because the authentication order contains only securid, the local firewall-user passwords set here are not used to authenticate these users.
    [edit access profile Profile-2]
    user@host# set client Client-1 client-group alpha
    user@host# set client Client-1 client-group beta
    user@host# set client Client-1 client-group gamma
    user@host# set client Client-1 firewall-user password pwd
    user@host# set client Client-2 client-group alpha
    user@host# set client Client-2 client-group beta
    user@host# set client Client-2 firewall-user password pwd
    user@host# set client Client-3 firewall-user password pwd
    user@host# set client Client-4 firewall-user password pwd
  3. Configure the client groups in the session options, and set the session timeouts: client-idle-timeout is expressed in minutes and client-session-timeout in hours, so the values below end an authenticated session after 255 minutes of inactivity or after 4 hours in total, whichever comes first.
    [edit access profile Profile-2]
    user@host# set session-options client-group alpha
    user@host# set session-options client-group beta
    user@host# set session-options client-group gamma
    user@host# set session-options client-idle-timeout 255
    user@host# set session-options client-session-timeout 4
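The steps above configure the profile but do not show how it is bound to a SecurID server or to the policy that actually challenges the user. The following fragment is an added example, not part of the original page: it binds Profile-2 to a SecurID server, shows a contrasting profile that falls back to the local password, and attaches Profile-2 to a security policy that admits only members of client group alpha. The server name securid-1, the sdconf.rec path, the zone names trust and untrust, and the policy name auth-web are assumptions chosen for illustration.

```junos
## Added example; names securid-1, the sdconf.rec path, the zones and the
## policy name are assumptions, not values from the original page.

## 1. Define the SecurID server. The sdconf.rec file is exported from the
##    RSA Authentication Manager and copied to the device beforehand.
set access securid-server securid-1 configuration-file-name /var/db/securid/securid-1/sdconf.rec

## 2. Strict profile: SecurID only. A rejection by the server is final;
##    the local firewall-user password is never consulted.
set access profile Profile-2 authentication-order securid
set access profile Profile-2 client Client-1 client-group alpha
set access profile Profile-2 client Client-1 firewall-user password pwd
set access profile Profile-2 session-options client-group alpha
set access profile Profile-2 session-options client-idle-timeout 255
set access profile Profile-2 session-options client-session-timeout 4

## 3. Contrast: a profile that falls back to the local password when the
##    SecurID method does not succeed. This turns the locally stored,
##    reversibly obfuscated password into a valid credential on its own,
##    so only use it where a single local password is acceptable.
set access profile Profile-fallback authentication-order [ securid password ]
set access profile Profile-fallback client Client-1 client-group alpha
set access profile Profile-fallback client Client-1 firewall-user password pwd

## 4. Policy that requires pass-through firewall authentication against
##    Profile-2 and admits only users who belong to client group alpha.
##    Users in Client-3 or Client-4 (no group) authenticate but are not
##    matched by this policy.
set security policies from-zone trust to-zone untrust policy auth-web match source-address any
set security policies from-zone trust to-zone untrust policy auth-web match destination-address any
set security policies from-zone trust to-zone untrust policy auth-web match application junos-http
set security policies from-zone trust to-zone untrust policy auth-web then permit firewall-authentication pass-through access-profile Profile-2
set security policies from-zone trust to-zone untrust policy auth-web then permit firewall-authentication pass-through client-match alpha
```

The client-match statement is the reason the client-group assignments in step 2 matter: without it, any user that the SecurID server accepts is permitted by the policy, regardless of group.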

Results

From configuration mode, confirm your configuration by entering the show access profile Profile-2 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.


user@host# show access profile Profile-2
authentication-order securid;
client Client-1 {
    client-group [ alpha beta gamma ];
    firewall-user {
        password "$9$jpimT9A0REyn6yl"; ## SECRET-DATA
    }
}
client Client-2 {
    client-group [ alpha beta ];
    firewall-user {
        password "$9$IMVRyK7-w4oG-d"; ## SECRET-DATA
    }
}
client Client-3 {
    firewall-user {
        password "$9$GfUkPn/tB1h9C"; ## SECRET-DATA
    }
}
client Client-4 {
    firewall-user {
        password "$9$JuZi.FnC0OR/9"; ## SECRET-DATA
    }
}
session-options {
    client-group [ alpha beta gamma ];
    client-idle-timeout 255;
    client-session-timeout 4;
}

If you are done configuring the device, enter commit from configuration mode. Note that the $9$ strings shown for the firewall-user passwords are Junos's reversible obfuscation, not a hash: anyone who can read the configuration can recover the plaintext, so protect configuration backups and displayed output accordingly.

Verification

To confirm that the configuration is working properly, perform these tasks:

Troubleshooting with Logs

Purpose

Use these logs to identify any issues.

Action

From operational mode, enter the show log messages command and the show log dcd command. To see which firewall users are currently authenticated and the result of recent authentication attempts, also enter the show security firewall-authentication users command and the show security firewall-authentication history command.
