Configure Client Groups
To manage multiple firewall users, create user or client groups and store the information.
Understanding Client Groups for Firewall Authentication
To manage a number of firewall users, you can create user or client groups and store the information either on the local Juniper Networks device or on an external RADIUS or LDAP server.
A client group is a list of groups to which the client belongs. As with client-idle timeout, a client group is used only if the external authentication server does not return a value in its response. (For example, LDAP servers do not return such information.)
The RADIUS server sends the client's group information to the Juniper Networks device using Juniper VSA (46). The client-match portion of the policy accepts a string that can be either the username or the groupname to which the client belongs.
The reason to have a single database for different types of clients (except admins) is based on the assumption that a single client can be of multiple types. For example, a firewall user client can also be an L2TP client.
See Also
Example: Configuring Local Users for Client Groups
This example shows how to configure a local user for client groups in a profile.
Requirements
Before you begin, create an access profile.
Overview
A client group is a list of groups to which the client belongs. As with client-idle timeout, a client group is used only if the external authentication server does not return a value in its response (for example, LDAP servers do not return such information).
This example shows how to configure a local user called Client-1
for client groups G1, G2, and G3 in a profile called Managers. Within
this example, client groups are configured for a client. If a client
group is not defined for the client, then the client group under the access profile session-options
hierarchy is used.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands to a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set access profile Managers client Client-1 client-group G1
set access profile Managers client Client-1 client-group G2
set access profile Managers client Client-1 client-group G3
set access profile Managers client Client-1 firewall-user password pwd
set access profile Managers session-options client-group G1
set access profile Managers session-options client-group G2
set access profile Managers session-options client-group G3
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure a local user for client groups in a profile:
Configure the firewall user profile Managers, and assign client groups to it.
user@host# edit access profile Managers [edit access profile Managers] user@host# set client Client-1 client-group G1 user@host# set client Client-1 client-group G2 user@host# set client Client-1 client-group G3 user@host# set client Client-1 firewall-user password pwd
Configure client groups in the session options.
[edit access profile Managers] user@host# set session-options client-group G1 user@host# set session-options client-group G2 user@host# set session-options client-group G3
Results
Confirm your configuration by entering the show
access profile Managers
command from configuration mode. If
the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
user@host# show access profile Managers client Client-1 { client-group [ G1 G2 G3 ]; firewall-user { password "$ABC123"; ## SECRET-DATA } } session-options { client-group [ G1 G2 G3 ]; }
If you are done configuring the device, enter commit
from configuration mode.