Create Access Profiles

Use the Access Profile page to create an access profile with local, LDAP, or RADIUS authentication methods.

To create an access profile with local, LDAP, or RADIUS authentication methods:

  1. Select SRX > Identity > Access Profile.
  2. Click the + icon.
  3. Complete the configuration by using the guidelines in Table 1.
  4. Click OK.

    A summary page displays a preview of the complete configuration.

Table 1: Access Profile Configuration Parameters

Field

Description

General Setting

Access Profile Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. The maximum length is 255 characters.

Description

Enter a description for the access profile. The maximum length is 255 characters.

Assign Device

Device

Select the devices from the Available column and move them to the Selected column.

You can also search for the devices in the search field in both the Available and Selected columns. You can search these devices by entering the device name, device IP address, or device tag.

Authentication

Select the authentication method the device should use to authenticate users:

  • Local
  • RADIUS
  • LDAP

Local

Provide the following details:

  • Address Assignment—Select the address pool or create an address pool.
  • User Name—Enter the user name.
  • Secret—Enter the password for the server.
  • XAUTH IP Address—Enter the IPv4 address of the external authentication server.
  • Groups—Enter the group name to store several user accounts together on the external authentication servers.

RADIUS

Select the toggle button to specify the details of RADIUS servers.

To configure RADIUS Servers:

  1. Click the + icon.

  2. Enter the following details:

    • IP Address—Enter the 32-bit IP address of the server.
    • Secret—Enter the password for the server.
    • Port—Enter the port number on which to contact the RADIUS server. The range is 1 through 65,535.
    • Retry—Enter the number of retries that a device can attempt to contact the RADIUS server. The range is 1 through 10.
    • Routing Instance—Enter the routing instance used to send RADIUS packets to the RADIUS server. A routing instance is a collection of routing tables, the interfaces contained in the routing tables, and the routing protocol parameters that control the information in the routing tables.
    • Source Address—Enter a source IP address configured on one of the device's interfaces.
    • Timeout—Enter the amount of time that the local device waits to receive a response from a RADIUS authentication server. The range is 3 through 90 seconds.

  3. Click OK.

LDAP

Select the toggle button to specify the details of the LDAP servers.

To configure LDAP Servers:

  1. Click the + icon.

  2. Enter the following details:

    • IP Address—Enter the IPv4 address of the LDAP server.
    • Port—Enter the port number on which to contact the LDAP server. The range is 1 through 65,535.
    • Retry—Enter the number of retries that a device can attempt to contact an LDAP server. The range is 1 through 10.
    • Routing Instance—Enter the routing instance used to send LDAP packets to the LDAP server. A routing instance is a collection of routing tables, the interfaces contained in the routing tables, and the routing protocol parameters that control the information in the routing tables.
    • Source Address—Enter a source address for each configured LDAP server. Each LDAP request sent to an LDAP server uses the specified source address.
    • Timeout—Enter the amount of time that the local device waits to receive a response from an LDAP server. The range is 3 through 90 seconds.

  3. Click OK.

LDAP Options

Revert Interval

Specify the amount of time that elapses before the primary server is contacted if a backup server is being used. The range is 60 through 4,294,967,295 seconds.

Base distinguished name

Specify the base distinguished name, which is used in one of the following ways:

  • If you use the Assemble option to assemble the user's distinguished name, the base distinguished name is appended to the username to generate the user's distinguished name. The resulting distinguished name is used in the LDAP bind call.

  • If you use the search filter to search for the user's distinguished name, the search is restricted to the subtree of the base distinguished name.

The base distinguished name is a series of basic properties that define the user. For example, in the base distinguished name o=juniper, c=us, o stands for organization and c stands for country.

LDAP Option Type

Assemble

Specify that a user’s LDAP distinguished name is assembled through the use of a common name identifier, the username, and base distinguished name.

Common name

Enter a common name identifier used as a prefix for the username during the assembly of the user's distinguished name. For example, uid specifies “user id,” and cn specifies “common name.”

Search Filter

Enter the name of the filter to find the user's LDAP distinguished name. For example, a filter cn specifies that the search matches a user whose common name is the username.

Admin Search

Perform an LDAP administrator search. By default, the search is an anonymous search. To perform an administrator search, you must specify administrator credentials, which are used in the bind as part of performing the search.

Distinguished Name

Enter the distinguished name of an administrative user. The distinguished name is used in the bind for performing the LDAP search.

For example, cn=admin, ou=eng, o=juniper, dc=net.

Password

Configure the plain-text password for the administrative user. This password is used in the bind for performing the LDAP search.

Order 1

Configure the order in which the different user authentication methods are tried when a user attempts to log in. For each login attempt, the method for authentication starts with the first one, until the password matches.

The method can be one or more of the following:

  • NONE—No authentication for the specified user.

  • LDAP—Use LDAP. The SRX Series Firewall uses this protocol to get the user and group information necessary to implement the integrated user firewall feature.

  • Local—Use a locally configured password in the access profile.

    You can set the password to none, or configure the following authentication orders:

    • LDAP

    • RADIUS servers

    • Local

  • RADIUS—Use RADIUS authentication services.

    If the RADIUS servers fail to respond or return a reject response, the device tries password authentication, because it is explicitly configured in the authentication order.

Order 2

Configure the next authentication method to try if the method configured in Order 1 is not available, or if it is available but returns a reject response.
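As an added example that is not part of this page or Juniper's code, the following Python models two mechanisms described above: how the Assemble and Search Filter LDAP options derive the bind DN or the search filter from the common name identifier, the username and the base distinguished name, and how the authentication order (Order 1, Order 2) falls through to the next method on a reject or an unavailable response. The base DN follows the page's own example; the backends, usernames and passwords are constructed, and the RFC 4514/4515 escaping is an addition here, showing why a raw username must not be concatenated into a DN or filter.

```python
import re

# Constructed base DN, matching the page's own example (o=juniper, c=us).
BASE_DN = "o=juniper,c=us"

def escape_dn_value(value):
    """RFC 4514 escaping (added here, not a page setting) so a username containing
    ',' or '=' cannot change the structure of the assembled DN."""
    value = re.sub(r'([\\,+"<>;=])', r'\\\1', value)
    if value[:1] in ("#", " "):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value

def assemble_dn(common_name, username, base_dn=BASE_DN):
    """Assemble option: <common name>=<username>,<base DN>, used in the LDAP bind."""
    return f"{common_name}={escape_dn_value(username)},{base_dn}"

def escape_filter_value(value):
    """RFC 4515 escaping for a username placed inside a search filter."""
    return (value.replace("\\", r"\5c").replace("*", r"\2a")
                 .replace("(", r"\28").replace(")", r"\29").replace("\0", r"\00"))

def search_filter(attr, username, base_dn=BASE_DN):
    """Search Filter option: the search is restricted to the base DN subtree and
    matches the entry whose <attr> equals the username."""
    return base_dn, f"({attr}={escape_filter_value(username)})"

def authenticate(order, backends, username, password):
    """Walk the authentication order (Order 1, Order 2, ...). Each backend answers
    'accept', 'reject' or 'unavailable'; on reject or unavailable the next method
    is tried. Returns (method that decided, result)."""
    outcome = ("none", "reject")
    for method in order:
        result = backends[method](username, password)
        if result == "accept":
            return method, "accept"
        outcome = (method, result)
    return outcome

# Constructed backends: RADIUS not answering, LDAP rejecting, local password deciding.
BACKENDS = {
    "radius": lambda user, pw: "unavailable",
    "ldap": lambda user, pw: "reject",
    "password": lambda user, pw: "accept" if (user, pw) == ("alice", "s3cret") else "reject",
}

print(assemble_dn("uid", "alice"))  # uid=alice,o=juniper,c=us
```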