Configuring a Global Authentication Policy

To configure global authentication policies, follow these steps:

  1. From the Junos Scope main window, click Settings > Users > Authentication Policy > Global Authentication Policy. The Global Authentication Policy dialog box appears.
    [Figure: the Global Authentication Policy dialog box (view_globalauthent_policy.gif)]

    The Global Authentication Policy dialog box displays the Maximum Login Attempts and the Access Window fields with zero as the default value, and the Access Control List Add button.

  2. Enter the following information in the Global Authentication Policy dialog box:
    • Maximum Login Attempts—The maximum number of consecutive failed login attempts allowed for a user within the access window. If a user reaches the maximum number of login attempts, the user status automatically becomes locked. This field can have a value from 0 to 100. If Maximum Login Attempts is 0, the authentication policy for the user is not active, the user account is assumed to be unlocked, and the normal login mechanism applies. If a user account status is unlocked, the user can successfully log in to the Junos Scope software by providing a valid username and password. If the account status is locked, the user is denied access to the Junos Scope software even with a valid username and password, and is shown the message “The user account is currently locked. Please contact the system administrator.” For the Junos Scope administrator (the initially configured user), the user account is always unlocked.
    • Access Window—The access window for a user account starts when the first login failure occurs for the user account and runs until one of the following occurs:
      • A user successfully logs in. The access window is then reset.
      • A user makes the maximum number of unsuccessful login attempts. The user account is then locked and the access window timer is reset.

    The Access Window field can have a minimum value of 0 (that is, the hour(s), minute(s), and second(s) fields all set to 0) and a maximum value of 24 hours (that is, the hour(s) field set to 24 while the minute(s) and second(s) fields are 0). The default value is 0. Individually, the hour(s) field can have a value from 0 to 24, the minute(s) field from 0 to 59, and the second(s) field from 0 to 59. If the Access Window field is 0, the authentication policy for the user account is not active, and the normal login mechanism is always applied.

    The timer for the access window starts when an invalid login attempt is made on a user account. If the account is not locked and no further invalid login attempt is made on it, the access window timer is automatically reset either after a period equal to the access window has elapsed or when the user successfully logs in to Junos Scope within the access window.

    If the authentication policy for a user account is set up with 3 maximum login attempts and a 1-hour access window, the clock for the access window starts at the first unsuccessful attempt, when the user types an invalid password to log in. If the user makes three unsuccessful attempts within 1 hour, the user account is LOCKED at the third unsuccessful attempt and the user is redirected to the message “The user account is currently locked. Please see the system administrator.” Any further attempts to log in with that username, even with a valid password, are denied.

  3. Click Add. A row with empty fields will be added to the access control list table.
    [Figure: a new row added to the access control list table (globauth_acladded.gif)]
  4. Enter the following information in the access control list table row:
    • Network—The IP address of the client machines that should be allowed or denied access to the Junos Scope software. In the Network field you can specify either a single client address, in which case the mask must be 32 (128 for IPv6), or the first valid address of a client network, in which case the mask is the number of leading bits that must exactly match the given IP address.
    • Mask—The network mask of the client machines that should be allowed or denied access to the Junos Scope software. Specifies the number of bits of the client IP address that must match the given IP address.
    • Allow—The authentication action to perform, that is, whether to allow or deny access to the client machine when its IP address matches the entry.
    • Comment—A comment identifying the access control list entry. You can use it to label each entry or to record the reason for allowing or denying access.
    • Actions—The Move Up and Move Down options used for ordering access control list entries. When a user logs in, the IP address of the machine from which the user has logged in is compared with the access list entries in sequence until a match is found. If a match is found, the action specified for that entry (allow or deny) is applied and the comparison stops. If no match is found, the client is allowed access by default. Because order is significant in the access list, the Move Up and Move Down options are provided to change the order of access control list entries. The Delete option removes an access control list entry.

      Note: Repeat Steps 3 and 4 to add more access control list entries to the access control list table.

  5. Click Save to commit the changes to the database.
    Click Reset to clear all the values you have entered and restore the last saved values.
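As an added example (not Junos Scope code), the following Python model implements the lockout semantics of step 2 and the first-match, default-allow access control list of step 4 so the behaviour can be checked against sample inputs. The class name, the seconds-based access window, the ordered (network, mask bits, allow) rows, and the "admin" username for the initially configured user are assumptions for the example.

```python
import ipaddress

# Added example, not Junos Scope code: a model of the Global Authentication
# Policy. Times are seconds; the ACL is an ordered list of (network, mask_bits, allow).
class GlobalAuthPolicy:
    LOCKED_MSG = "The user account is currently locked. Please contact the system administrator."

    def __init__(self, max_login_attempts, access_window_seconds, acl=(), admin="admin"):
        self.max_attempts = max_login_attempts
        self.window = access_window_seconds
        self.acl = list(acl)
        self.admin = admin                 # the initially configured user is never locked
        self.window_start = {}             # user -> time of the first failure in the window
        self.failures = {}                 # user -> consecutive failures in the window
        self.locked = set()

    def client_allowed(self, client_ip):
        """First matching ACL row decides; no match means allow (the documented default)."""
        ip = ipaddress.ip_address(client_ip)
        for network, mask_bits, allow in self.acl:
            # mask_bits = 32 (128 for IPv6) pins a single host; fewer bits match a prefix
            net = ipaddress.ip_network(f"{network}/{mask_bits}", strict=False)
            if ip in net:
                return allow
        return True

    def login(self, user, now, password_valid):
        """Return (granted, message) for one login attempt made at time `now`."""
        if user in self.locked:
            return False, self.LOCKED_MSG
        # a value of 0 in either field disables the policy: normal login only
        if self.max_attempts == 0 or self.window == 0 or user == self.admin:
            return password_valid, "ok" if password_valid else "invalid credentials"
        # a quiet period equal to the access window resets the timer
        if user in self.window_start and now - self.window_start[user] >= self.window:
            self._reset(user)
        if password_valid:
            self._reset(user)              # a successful login also resets the window
            return True, "ok"
        if user not in self.window_start:
            self.window_start[user] = now  # the window starts at the first failure
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)          # locked at the Nth failure, timer reset
            self._reset(user)
            return False, self.LOCKED_MSG
        return False, "invalid credentials"

    def _reset(self, user):
        self.window_start.pop(user, None)
        self.failures.pop(user, None)
```

With 3 attempts and a 3600-second window, three failures at 0, 100 and 200 seconds lock the account, while two failures followed by a quiet hour start a fresh window.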