Create and Manage Access Profiles

Create Access Profiles

  1. Select SRX > Identity > Access Profile.
  2. Click the plus icon (+).
  3. Complete the configuration using the following guidelines:
    Table 1: Access Profile Configuration Parameters

    Field

    Description

    General Setting

    Access Profile Name

    Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. The maximum length is 255 characters.

    Description

    Enter a description for the access profile. The maximum length is 255 characters.

    Assign Device

    Device

    Select the devices from the Available column and move them to the Selected column.

    You can also search for the devices in the search field in both the Available and Selected columns. You can search these devices by entering the device name, device IP address, or device tag.

    Authentication

    Select the authentication method the device should use to authenticate users:

    • Local
    • RADIUS
    • LDAP

    Local

    Provide the following details:

    • Address Assignment—Select an existing address pool or create a new one.
    • User Name—Enter the user name.
    • Secret—Enter the password for the server.
    • XAUTH IP Address—Enter the IPv4 address of the external authentication server.
    • Groups—Enter the name of the group under which several user accounts are stored together on the external authentication servers.

    RADIUS

    Select the toggle button to specify the details of RADIUS servers.

    To configure RADIUS Servers:

    1. Click the plus icon (+).

    2. Enter the following details:

      • IP Address—Enter the 32-bit (IPv4) IP address of the server.
      • Secret—Enter the password for the server.
      • Port—Enter the port number on which to contact the RADIUS server. The range is 1 through 65,535.
      • Retry—Enter the number of retries that a device can attempt to contact the RADIUS server. The range is 1 through 10.
      • Routing Instance—Enter the routing instance used to send RADIUS packets to the RADIUS server. A routing instance is a collection of routing tables, the interfaces contained in the routing tables, and the routing protocol parameters that control the information in the routing tables.
      • Source Address—Enter a source IP address configured on one of the device's interfaces.
      • Timeout—Enter the amount of time that the local device waits to receive a response from a RADIUS authentication server. The range is 3 to 90 seconds.

    3. Click OK.

    LDAP

    Select the toggle button to specify the details of the LDAP server.

    To configure LDAP Servers:

    1. Click the plus icon (+).

    2. Enter the following details:

      • IP Address—Enter the IPv4 address of the LDAP server.
      • Port—Enter the port number on which to contact the LDAP server. The range is 1 through 65,535.
      • Retry—Enter the number of retries that a device can attempt to contact an LDAP server. The range is 1 through 10.
      • Routing Instance—Enter the routing instance used to send LDAP packets to the LDAP server. A routing instance is a collection of routing tables, the interfaces contained in the routing tables, and the routing protocol parameters that control the information in the routing tables.
      • Source Address—Enter a source address for each configured LDAP server. Each LDAP request sent to an LDAP server uses the specified source address.
      • Timeout—Enter the amount of time that the local device waits to receive a response from an LDAP server. The range is 3 to 90 seconds.

    3. Click OK.

    LDAP Options

    Revert Interval

    Specify the amount of time that elapses before the primary server is contacted if a backup server is being used. The range is 60 through 4,294,967,295 seconds.

    Base distinguished name

    Specify the base distinguished name, which is used in one of the following ways:

    • If you use the Assemble option to assemble the user's distinguished name, the base distinguished name is appended to the username to generate the user's distinguished name. The resulting distinguished name is used in the LDAP bind call.

    • If you use the search filter to search for the user's distinguished name, the search is restricted to the subtree of the base distinguished name.

    The base distinguished name is a series of basic properties that define the user. For example, in the base distinguished name o=juniper, c=us, o stands for organization and c stands for country.

    LDAP Option Type

    Assemble

    Specify that a user’s LDAP distinguished name is assembled through the use of a common name identifier, the username, and base distinguished name.

    Common name

    Enter a common name identifier used as a prefix for the username during the assembly of the user's distinguished name. For example, uid specifies “user ID,” and cn specifies “common name.”

    Search Filter

    Enter the name of the filter to find the user's LDAP distinguished name. For example, a filter cn specifies that the search matches a user whose common name is the username.

    Admin Search

    Perform an LDAP administrator search. By default, the search is an anonymous search. To perform an administrator search, you must specify administrator credentials, which are used in the bind as part of performing the search.

    Distinguished Name

    Enter the distinguished name of an administrative user. The distinguished name is used in the bind for performing the LDAP search.

    For example, cn=admin, ou=eng, o=juniper, dc=net.

    Password

    Configure the plain-text password for the administrative user. This password is used in the bind for performing the LDAP search.

    Order 1

    Configure the order in which the different user authentication methods are tried when a user attempts to log in. For each login attempt, authentication starts with the first method and proceeds through the list until a method accepts the password.

    The method can be one or more of the following:

    • NONE—No authentication for the specified user.

    • LDAP—Use LDAP. The SRX Series Firewall uses this protocol to get the user and group information necessary to implement the integrated user firewall feature.

    • Local—Use a locally configured password in the access profile.

      You can set the password to none, or configure one of the following authentication orders:

      • LDAP

      • Radius servers

      • Local

    • Radius—Use RADIUS authentication services.

      If RADIUS servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

    Order 2

    Configure the next authentication method if the authentication method included in the authentication order option is not available, or if the authentication is available but returns a reject response.

  4. Click OK.

    A summary page displays a preview of the complete configuration.
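The LDAP Options and Order fields above are easier to reason about with a small model in front of you. The following is an added example, not code from Juniper Security Director Cloud or Junos: it shows how a login name becomes the distinguished name used in the LDAP bind (Assemble with a common-name prefix, or a Search Filter restricted to the subtree of the base DN, optionally bound as the Admin Search user), and how an authentication order falls through when a method is unavailable or returns a reject, as the Order 1 and Order 2 descriptions state. The directory entries, server stand-ins (`DIRECTORY`, `radius_backend`, `ldap_backend`, `local_backend`), user names and passwords are all constructed; the RDN and filter escaping follow RFC 4514 and RFC 4515, which the page does not mention.

```python
"""Added example, not Security Director Cloud or Junos code: models the LDAP
Options (base DN, Assemble, Search Filter, Admin Search) and the Order fields
of Table 1. Directory entries, servers and credentials are constructed."""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

def escape_dn_value(value: str) -> str:
    """Escape a login name before embedding it in an RDN (RFC 4514 rules)."""
    out = []
    for i, ch in enumerate(value):
        first, last = i == 0, i == len(value) - 1
        if ch in ',+"\\<>;' or (first and ch in "# ") or (last and ch == " "):
            out.append("\\")
        out.append(ch)
    return "".join(out)

def escape_filter_value(value: str) -> str:
    """Escape a login name before embedding it in a search filter (RFC 4515 rules)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)

def assemble_dn(common_name: str, username: str, base_dn: str) -> str:
    """Assemble option: <common name>=<username>,<base DN> is the DN used in the bind."""
    return f"{common_name}={escape_dn_value(username)},{base_dn}"

def build_search_filter(attribute: str, username: str) -> str:
    """Search Filter option: the filter sent to the server is (<attribute>=<username>)."""
    return f"({attribute}={escape_filter_value(username)})"

# Constructed directory (DN -> attributes) standing in for the LDAP server.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=alice,ou=eng,o=juniper,c=us": {"cn": "alice", "userPassword": "alice-pw"},
    "cn=bob,ou=sales,o=juniper,c=us": {"cn": "bob", "userPassword": "bob-pw"},
    "cn=alice,o=other,c=us": {"cn": "alice", "userPassword": "other-pw"},  # outside o=juniper
    "cn=admin,ou=eng,o=juniper,dc=net": {"cn": "admin", "userPassword": "admin-pw"},
}

def in_subtree(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn or lies below it (naive split; the mock has no escaped commas)."""
    d = [r.strip().lower() for r in dn.split(",")]
    b = [r.strip().lower() for r in base_dn.split(",")]
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def search_dn(attribute: str, username: str, base_dn: str,
              admin: Optional[Tuple[str, str]] = None) -> Tuple[str, Optional[str]]:
    """Return (filter sent, DN found). The search is restricted to the subtree of base_dn
    and is anonymous unless admin=(DN, password) binds first (Admin Search). A DN is
    returned only when exactly one entry matches."""
    ldap_filter = build_search_filter(attribute, username)
    if admin is not None and DIRECTORY.get(admin[0], {}).get("userPassword") != admin[1]:
        return ldap_filter, None  # admin bind failed, so the search never runs
    matches = [dn for dn, attrs in DIRECTORY.items()
               if in_subtree(dn, base_dn) and attrs.get(attribute) == username]
    return ldap_filter, (matches[0] if len(matches) == 1 else None)

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"  # no response after the configured retries

Backend = Callable[[str, str], Result]

def ldap_backend(username: str, password: str) -> Result:
    """LDAP method: bind with the assembled DN and the supplied password."""
    entry = DIRECTORY.get(assemble_dn("cn", username, "ou=eng,o=juniper,c=us"))
    return Result.ACCEPT if entry and entry["userPassword"] == password else Result.REJECT

def local_backend(users: Dict[str, str]) -> Backend:
    """Local method: passwords configured in the access profile itself."""
    return lambda u, p: Result.ACCEPT if users.get(u) == p else Result.REJECT

def radius_backend(users: Dict[str, str], drop_first: int, retry: int = 3) -> Backend:
    """RADIUS stand-in: the server drops its first drop_first requests; the client gives
    up after retry attempts (the Retry field) and reports the server unavailable."""
    state = {"dropped": 0}

    def backend(username: str, password: str) -> Result:
        for _ in range(retry):
            if state["dropped"] < drop_first:
                state["dropped"] += 1  # request timed out, try again
                continue
            return Result.ACCEPT if users.get(username) == password else Result.REJECT
        return Result.UNAVAILABLE
    return backend

def authenticate(order: List[str], backends: Dict[str, Backend],
                 username: str, password: str) -> Tuple[Result, List[str]]:
    """Walk the order (Order 1, then Order 2, ...): a method that is unavailable, or that
    answers but rejects, hands over to the next one; the first accept wins."""
    trail: List[str] = []
    for method in order:
        result = backends[method](username, password)
        trail.append(f"{method}:{result.value}")
        if result is Result.ACCEPT:
            return result, trail
    return Result.REJECT, trail
```

Two points the model makes visible: with base DN `c=us` the search for `alice` matches two entries and therefore yields no DN, which is why the base DN should be as narrow as the user population allows; and a RADIUS server that never answers only costs the configured retries before the order moves on, whereas a server that answers with a reject moves the order on immediately.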

Deploy the Access Profile to SRX Series Firewalls

To deploy the access profile to SRX Series Firewalls:

  1. Select SRX > Identity > Access Profile.

    The Access Profile page appears.

  2. Select the access profile that you want to deploy, and click Deploy.

    The Deploy page appears.

  3. Click OK.

    A new job is created.

  4. Click the job ID to see the update status.

    The Job Status page appears showing the state of the updated job.

Manage Access Profiles

  • Edit—Select the profile, and then click the pencil icon.

  • Clone—Select the profile, and then click More > Clone.

  • Delete from Juniper Security Director Cloud—Select the profile, click the trash can icon, and then click Delete From Security Director Inventory.

  • Delete from SRX Series Firewalls and Security Director Inventory—Select the profile, click the trash can icon, and then click Delete From Device and Security Director Inventory.