
LDAP over TLS Authentication

Junos OS supports LDAP over TLS (LDAPS) authentication and authorization for Junos OS user login, with TLS security between the device running Junos OS (the LDAPS client) and the LDAPS server. For more information, read this topic.

LDAP Authentication over TLS

Junos OS User Authentication Overview

Junos OS authenticates users trying to log in either locally or by using a centralized database. Local authentication and authorization are possible for users whose username and password are configured using the Junos OS CLI or RPCs. Starting in Junos OS Release 20.2R1, Junos OS supports LDAP with TLS security (LDAPS) for user login, which ensures secure transmission of data between the LDAPS client and the LDAPS server.

In releases before Junos OS Release 20.2R1, Junos OS supported centralized user authentication and authorization only through the standard RADIUS and TACACS+ protocols.

Figure 1: Centralized Authentication, Authorization, and Accounting (AAA) Setup

Junos OS supports these methods of user authentication:

  • Local password authentication

  • LDAP over TLS (LDAPS)

  • RADIUS

  • TACACS+

Benefits of LDAP Authentication over TLS

  • Encryption and data integrity—LDAPS ensures that user credentials are encrypted in transit, thereby maintaining the privacy of communications. The sender signs data with its private key, and the recipient verifies the signature with the sender's public key; a signature that fails to verify reveals tampering, which ensures data integrity.

  • Enhanced security—The TLS protocol ensures the data is securely sent and received over the network. TLS uses certificates to authenticate and encrypt the communication that provides advanced security.

  • Scalability—LDAPS provides greater performance and scalability without loss of reliability. There is no limit to the number of users who can be supported using this feature as users maintain their own certificates, and certificate authentication involves exchange of data between client and server only.

Supported and Unsupported Features

  • Junos OS supports LDAPS for user authentication and authorization only. Junos OS does not support accounting over LDAPS.

  • The LDAPS client is implemented and integrated as part of Junos OS. However, running an LDAPS server on Junos OS is not supported. Instead, this feature uses an external OpenLDAP 2.4.46 server.

LDAP Overview

Lightweight Directory Access Protocol (LDAP) is a standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Authentication and authorization use the following LDAP functions:

  • Search

  • Retrieve

  • Directory content manipulation

Transport Layer Security (TLS) Overview

TLS is an application-level protocol that provides encryption technology for the Internet. It is the most widely used security protocol for applications that require data to be securely exchanged over a network, such as file transfers, VPN connections, instant messaging, and voice over IP (VoIP). TLS relies on certificates and public-private key pairs to secure the transmission of data between the LDAPS client and the LDAPS server. LDAPS uses local certificates that are dynamically acquired from the Junos public key infrastructure (PKI).

TLS secures the transmission of data between a client and a server and provides privacy of communications, authentication, confidentiality, and data integrity. You can use the TLS protocol for certificate exchange, mutual authentication, and cipher negotiation to protect the stream from tampering and eavesdropping.

How LDAPS Authentication Works

To provide secure LDAPS support for Junos OS operator login, user credentials and configurations are stored in either the LDAPS server or the LDAP-supported databases. An LDAPS client on the device running Junos OS communicates with a configured LDAPS server. To achieve this, the LDAPS client is implemented and integrated as part of the device running Junos OS.

Figure 2 shows the LDAPS authentication process.

Figure 2: LDAPS Authentication Process

  1. A remote user logs in to a device running Junos OS through SSH, Telnet, or another login utility.

  2. The LDAPS client (which is the device running Junos OS) establishes a TCP connection with the LDAPS authorization server using a TLS protocol request.

  3. After the client receives the TLS response, the client and server authenticate their identities.

  4. The LDAPS client authenticates itself to the LDAPS server with a bind request (binddn and bindpw), using the proxy account that is preconfigured on the LDAPS server.

  5. If the bind operation is successful, the LDAPS server sends an acknowledgment to the LDAPS client.

  6. The LDAPS client then sends an authentication request to the LDAPS server with the login credentials of the user trying to log in.

  7. After successful authorization, the LDAPS client notifies the user of the successful login. The authorization data of the user is saved into a file that is used later to enforce authorization.

  8. The client closes the connection with the LDAPS server.

Configure LDAP Authentication over TLS

LDAP over TLS (LDAPS) is a method of authenticating users who attempt to access the device running Junos OS with TLS security between the LDAPS client and the LDAPS server. This topic includes the following tasks:

Configure the Order of Authentication

Junos OS supports the following methods of user authentication: local password authentication, LDAP over TLS (LDAPS), RADIUS, TACACS+.

You can use the authentication-order statement to prioritize the order in which Junos OS uses the different authentication methods when verifying user access to a device running Junos OS. If you do not set an authentication order, by default Junos OS verifies users based on their configured passwords.

When a user tries to log in and authentication-order includes the ldaps option, the user’s credentials are passed to the external LDAPS server for validation.

To configure the authentication order, include the authentication-order statement at the [edit system] hierarchy level:

For example:

The following are the possible authentication order entry options:

  • ldaps—Verify the user using secure LDAP authentication servers.

  • password—Verify the user using the username and password configured locally at the [edit system login user] hierarchy level.

  • radius—Verify the user using RADIUS authentication servers.

  • tacplus—Verify the user using TACACS+ authentication servers.

Configure LDAPS Client

To configure LDAP authentication on the client:

  1. Configure an IPv4 or IPv6 server address.

    For example, configure the following IPv4 or IPv6 address:

    The server address is a unique IPv4 or IPv6 address that is assigned to a particular LDAP server and used to route information to the server.

  2. Configure the distinguished name of the search base (LDAP base) that specifies the base of user directory. Every entry in the directory has a distinguished name (DN). The DN is the name that uniquely identifies an entry in the directory.

    For example, if the domain is example.com, then the syntax is dc=example, dc=com.

  3. Configure the distinguished name (binddn) to bind the LDAPS client with the LDAPS server.

    For example, if the domain is example.com, the bind DN ends in dc=example, dc=com; cn is the common name of the bind (proxy) account.

  4. Configure the password (LDAP bindpw) that the LDAPS client presents with the bind distinguished name.

    For example, to set the password as secret:

  5. To enable LDAPS, you must specify the name of the local certificate to be used for TLS communications. For information about configuring the local certificate and certificate authority (CA), see Configuring Digital Certificates.

    You generate the local digital certificate request using request security pki generate-certificate-request. Sign the certificates offline and install them on the device using request security pki ca-certificate load.

    For example, to specify the name of the local certificate as ldap-tls-cert:

    Note:

    The certificate name is the name of the public–private key pair mapped to the local digital certificate that is added using request security pki ca-certificate load.

  6. Specify the port on the LDAPS server to which the LDAPS client connects.

    For example, to set the port number as 432 for the LDAPS server:

  7. By default, Junos OS routes authentication and authorization packets for LDAPS through the default routing instance. LDAPS also supports a management interface in a nondefault VRF instance.

    When you configure the mgmt_junos routing instance with the routing-instance option and the management-interfaces statement, the mgmt_junos management instance routes the LDAPS packets.

    For example:

Configure LDAPS Server

OpenLDAP server is one of the open-source implementations of LDAP and LDAPS. We’ve implemented the LDAP over TLS authentication and authorization feature using the OpenLDAP 2.4.46 server.

Note:

You can configure a maximum of two LDAPS servers.

To configure a typical OpenLDAP server:

  1. Define attribute types for LDAP user authorization parameters in the schema file of the LDAP server.

    For a typical OpenLDAP server, the attribute can be part of nis.schema:

  2. Include the schema file defined as part of Step 1 in the configuration file of the LDAP server. For a typical OpenLDAP server, you can load the definitions to the LDAP server by defining attributes in nis.schema and including the nis.schema schema file in the slapd.conf file.

  3. Configure the user authorization parameters in an LDAP Data Interchange Format (LDIF) file.

    For example:

  4. Load the user configuration in a running LDAP server. In a typical OpenLDAP setup, you can load the LDIF file with the following command:

After you complete the preceding steps, a user can log in from any client with the username and password specified in the LDIF file.

Configure TLS Parameters

The TLS protocol ensures that data is securely sent and received over the network. TLS uses certificates to authenticate and encrypt the communication. The client authenticates the server by requesting its certificate and public key. Optionally, the server can also request a certificate from the client, thus ensuring mutual authentication.

For the TLS handshake to succeed, the client must have the server's certificate authority (CA) profile to validate the server certificate. Whether the server has the client CA depends on its settings; however, if the server mandates a client certificate, it must have the client CA to validate that certificate. Thereafter, data encrypted with a public key is decrypted with the matching private key.

The CA profile defines every parameter associated with a specific certificate to establish secure connection between two endpoints. For more information about configuring CA profiles, see Certificate Authority.

To configure TLS parameters, you need to perform the following tasks:

  • Configure security public key infrastructure (PKI) traceoptions.

  • Create a CA profile.

  • Create a revocation check to specify a method for checking certificate revocation.

  1. Configure PKI traceoptions if you want to retrieve syslog messages from the PKI.
    • To trace syslog messages from the TLS certificate validation during the initial handshake:

    • To trace the syslog messages output to a file:

      For example, to trace the output to the ldap_pki file:

  2. Create a CA profile to validate the server certificate.

    A root certificate is issued by a trusted CA. A subordinate CA is the CA between the root CA and end entity certificates. The root CA is self-signed and signs all subordinate CAs immediately below it. These CAs, in turn, sign the entities below them, either additional subordinate CAs or the ultimate end entity certificates.

    To create a root CA:

    To create a subordinate CA:

  3. Create a revocation check to specify a method for checking certificate revocation.

Configure System Administrative Parameters for LDAPS Authentication

As part of this configuration, you’re creating administrative parameters for LDAP-authenticated users.

You can assign different user templates and login classes to LDAPS-authenticated users. This allows LDAPS-authenticated users to be granted different administrative permissions on the device running Junos OS. By default, LDAPS-authenticated users use the remote user template, if it is configured, and the LDAPS-authenticated users are assigned to the associated class that is specified in the remote user template.

The username remote is a special case in Junos OS. It acts as a template for users that are authenticated by a remote server, but do not have a locally configured user account on the device. In this method, Junos OS applies the permissions of the remote template to those authenticated users without a locally defined account. All users mapped to the remote template are of the same login class.

In the Junos OS configuration, a user template is configured in the same way as a regular local user account, except that no local authentication password is configured because the authentication is remotely performed on the LDAPS server.

To assign login classes, permissions, and encrypted password for LDAPS-authenticated users, perform the following steps:

  1. Assign the login class.

    For example:

  2. Assign permissions to the login class. You can assign all permissions for LDAPS-authenticated users or specific permissions to different users.

    To assign all permissions to LDAPS-authenticated users:

    For example:

    To specify permissions to different users, do one of the following tasks:

    • Create multiple user templates in the Junos OS configuration.

    • Have the LDAPS server specify the template to be applied to the authenticated user.

    Create multiple user templates in the Junos OS configuration.

    Every user template can be assigned a different login class.

    For example:

    Have the LDAPS server specify the template to be applied to the authenticated user.

    For an LDAPS server to indicate which user template is to be applied, it must include the Juniper vendor-specific attribute (VSA) juniperLocalUserName (vendor 2636, type 1, string) in the LDAPS Access-Accept message; this attribute names the user template to be used on the Junos OS device. The string value in juniperLocalUserName must correspond to the name of a configured user template on the device.

    From the example in the previous step, the string would be RO, OP, or SU. Configuration of the LDAPS server depends on the server being used.

    If the juniperLocalUserName attribute is not included in the Access-Accept message or the string contains a user template name that does not exist on the device, the user is assigned to the remote user template, if configured. If it is not configured, authentication fails for the user.

    After logging in, the remotely authenticated user retains the same username that was used to log in. However, the user inherits the user class from the assigned user template.

  3. Assign an encrypted password for the user.

    You must specify a password in the encrypted-password statement. If the password contains spaces, enclose it in quotation marks. The “secret” password used by the local router must match that used by the server.

    For example:

Juniper Networks Vendor-Specific RADIUS and LDAP Attributes

Junos OS supports configuring Juniper Networks RADIUS and LDAP vendor-specific attributes (VSAs) on the authentication server. These VSAs are encapsulated in a RADIUS or LDAP vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636.

Table 1 lists the Juniper Networks VSAs that you can configure.

Some of the attributes accept extended regular expressions, as defined in POSIX 1003.2. If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. For more information, see:

Table 1: Juniper Networks Vendor-Specific RADIUS and LDAP Attributes

(Columns: Name, Description, Type, Length, String)

Juniper-Local-User-Name
  Description: Indicates the name of the user template assigned to this user when the user logs in to a device. This attribute is used only in Access-Accept packets.
  Type: 1
  Length: ≥3
  String: One or more octets containing printable ASCII characters.

Juniper-Allow-Commands
  Description: Contains an extended regular expression that enables the user to run commands in addition to those commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets.
  Type: 2
  Length: ≥3
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression.

Juniper-Deny-Commands
  Description: Contains an extended regular expression that denies the user permission to run commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets.
  Type: 3
  Length: ≥3
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression.

Juniper-Allow-Configuration
  Description: Contains an extended regular expression that enables the user to view and modify configuration statements in addition to those statements authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets.
  Type: 4
  Length: ≥3
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression.

Juniper-Deny-Configuration
  Description: Contains an extended regular expression that denies the user permission to view or modify configuration statements authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets.
  Type: 5
  Length: ≥3
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression.

Juniper-Interactive-Command
  Description: Indicates the interactive command entered by the user. This attribute is used only in Accounting-Request packets.
  Type: 8
  Length: ≥3
  String: One or more octets containing printable ASCII characters.

Juniper-Configuration-Change
  Description: Indicates the interactive command that results in a configuration (database) change. This attribute is used only in Accounting-Request packets.
  Type: 9
  Length: ≥3
  String: One or more octets containing printable ASCII characters.

Juniper-User-Permissions
  Description: Contains information the server uses to specify user permissions. This attribute is used only in Access-Accept packets.

  Note:

  When the RADIUS or LDAP server defines the Juniper-User-Permissions attribute to grant the maintenance permission or all permission to a user, the user’s list of group memberships does not automatically include the UNIX wheel group. Some operations such as running the su root command from a local shell require wheel group membership permissions. However, when the network device defines a local user account with the permissions maintenance or all, the user is automatically granted membership to the UNIX wheel group. Therefore, we recommend that you create a user template account with the required permissions and associate individual user accounts with the user template account.

  Type: 10
  Length: ≥3
  String: One or more octets containing printable ASCII characters. The string is a list of permission flags separated by a space. The exact name of each flag must be specified in its entirety. See Access Privilege Levels Overview.

Juniper-Authentication-Type
  Description: Indicates the authentication method (local database, LDAP or RADIUS server) used to authenticate a user. If the user is authenticated using a local database, the attribute value shows 'local'. If the user is authenticated using a RADIUS or LDAP server, the attribute value shows 'remote'.
  Type: 11
  Length: ≥5
  String: One or more octets containing printable ASCII characters.

Juniper-Session-Port
  Description: Indicates the source port number of the established session.
  Type: 12
  Length: size of integer
  String: Integer

Juniper-Allow-Configuration-Regexps (RADIUS only)
  Description: Contains an extended regular expression that enables the user to view and modify configuration statements in addition to those statements authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets.
  Type: 13
  Length: ≥3
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression.

Juniper-Deny-Configuration-Regexps (RADIUS only)
  Description: Contains an extended regular expression that denies the user permission to view or modify configuration statements authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets.
  Type: 14
  Length: ≥3
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression.

For more information about the VSAs, see RFC 2138, Remote Authentication Dial In User Service (RADIUS).
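As an added example (not from the Junos OS documentation or any Juniper code), the following Python encodes and decodes the Juniper VSAs of Table 1 using the RFC 2865 Vendor-Specific attribute layout with vendor ID 2636, then applies the user-template rule from "Configure System Administrative Parameters for LDAPS Authentication" (Juniper-Local-User-Name, falling back to the remote template, otherwise authentication fails). The attribute bytes are constructed here, and the RADIUS-style framing of the VSAs inside an LDAPS Access-Accept is an assumption, since this page does not describe the on-the-wire encoding.

```python
import struct

JUNIPER_VENDOR_ID = 2636   # Juniper Networks vendor ID given in the Table 1 introduction
RADIUS_VSA_TYPE = 26       # RFC 2865 Vendor-Specific attribute type (assumed framing)

# Vendor-type numbers from Table 1 (the Access-Accept attributes)
JUNIPER_VSA_NAMES = {
    1: "Juniper-Local-User-Name",
    2: "Juniper-Allow-Commands",
    3: "Juniper-Deny-Commands",
    4: "Juniper-Allow-Configuration",
    5: "Juniper-Deny-Configuration",
    10: "Juniper-User-Permissions",
    11: "Juniper-Authentication-Type",
}


def encode_juniper_vsa(vendor_type, value):
    """Type=26 | Length | Vendor-Id (4 octets) | Vendor-Type | Vendor-Length | data."""
    data = value.encode("ascii")
    vendor_len = 2 + len(data)              # sub-attribute header plus data; Table 1: >= 3
    if vendor_len < 3 or vendor_len > 249:  # 255 max attribute length minus 2 + 4 header octets
        raise ValueError("value length out of range")
    payload = struct.pack("!I", JUNIPER_VENDOR_ID) + bytes([vendor_type, vendor_len]) + data
    return bytes([RADIUS_VSA_TYPE, 2 + len(payload)]) + payload


def decode_juniper_vsas(attrs):
    """Walk a RADIUS attribute list and return {name: value} for Juniper VSAs.
    Assumes one vendor sub-attribute per attribute 26; rejects malformed lengths."""
    found = {}
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != RADIUS_VSA_TYPE or len(body) < 6:
            continue                        # not a VSA, or too short for a sub-attribute
        if struct.unpack("!I", body[:4])[0] != JUNIPER_VENDOR_ID:
            continue                        # another vendor's VSA
        vtype, vlen = body[4], body[5]
        if vlen < 3 or vlen != len(body) - 4:
            raise ValueError("malformed Juniper sub-attribute length")
        name = JUNIPER_VSA_NAMES.get(vtype, "Juniper-Unknown-%d" % vtype)
        found[name] = body[6:4 + vlen].decode("ascii")
    return found


def resolve_user_template(vsas, configured_templates):
    """Use the template named by Juniper-Local-User-Name if it exists on the device,
    otherwise the remote template if configured, otherwise fail (None)."""
    wanted = vsas.get("Juniper-Local-User-Name")
    if wanted in configured_templates:
        return wanted
    if "remote" in configured_templates:
        return "remote"
    return None


def permission_flags(vsas):
    """Juniper-User-Permissions is a space-separated list of exact flag names."""
    return [f for f in vsas.get("Juniper-User-Permissions", "").split(" ") if f]
```

Decoding encode_juniper_vsa(1, "SU") + encode_juniper_vsa(10, "all maintenance") yields the template name SU and the flags all and maintenance; a reply naming a template that is not configured resolves to remote, or to None when no remote template exists.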