

Configuring Authentication Plug-Ins

This section shows how to configure the authentication plug-ins described in Table 21. Because authentication and authorization are similar, the plug-in user interface does not distinguish between them. However, when you configure plug-ins, you need to set them up to perform the correct behavior, either authentication or authorization.

You can configure multiple authentication plug-ins. The plug-ins are called in an arbitrary order, and each plug-in can return authorization values. (If multiple plug-ins return a session-timeout value, the smallest value is used.) Authentication or authorization succeeds if all plug-in calls succeed.
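The combination rules in the paragraph above, modelled as an added illustration (not SRC code): plug-ins are called in a shuffled order, the request succeeds only if every plug-in succeeds, authorization values are merged, and the smallest session-timeout wins. The plug-in functions, attribute names and sample credentials are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import random


@dataclass
class PluginResult:
    """What one plug-in call hands back to the SAE (modelled)."""
    success: bool
    session_timeout: Optional[int] = None          # seconds; None = not returned
    authorization: Dict[str, str] = field(default_factory=dict)


Plugin = Callable[[Dict[str, str]], PluginResult]


def combine_results(results: List[PluginResult]) -> PluginResult:
    """Apply the rules stated on this page: the request succeeds only if
    every plug-in succeeds; authorization values are merged; if more than
    one plug-in returns a session-timeout, the smallest one is used."""
    success = all(r.success for r in results)
    timeouts = [r.session_timeout for r in results if r.session_timeout is not None]
    merged: Dict[str, str] = {}
    for r in results:
        merged.update(r.authorization)
    return PluginResult(
        success=success,
        session_timeout=min(timeouts) if timeouts else None,
        # a failed request must not carry authorization values onward
        authorization=merged if success else {},
    )


def authenticate(plugins: List[Plugin], request: Dict[str, str],
                 rng: Optional[random.Random] = None) -> PluginResult:
    """Call every configured plug-in in an arbitrary order, then combine.
    The shuffle stands in for the SAE's unspecified call order; the
    combined result must not depend on it."""
    order = list(plugins)
    (rng or random).shuffle(order)
    return combine_results([p(request) for p in order])


# Constructed stand-ins for the plug-in types in Table 21 (not SRC code).
def radius_auth(req: Dict[str, str]) -> PluginResult:
    ok = req.get("user") == "alice" and req.get("password") == "correct-horse"
    return PluginResult(ok, session_timeout=3600 if ok else None)


def ldap_auth(req: Dict[str, str]) -> PluginResult:
    ok = req.get("user") in ("alice", "bob")
    return PluginResult(ok, session_timeout=1800,
                        authorization={"service_bundle": "gold"} if ok else {})


def subscriber_limit(req: Dict[str, str], max_per_intf: int = 2) -> PluginResult:
    # Vetoes once the IP interface already carries max_per_intf subscribers.
    return PluginResult(int(req.get("active_on_interface", "0")) < max_per_intf)


PLUGINS: List[Plugin] = [radius_auth, ldap_auth, subscriber_limit]

if __name__ == "__main__":
    req = {"user": "alice", "password": "correct-horse", "active_on_interface": "1"}
    print(authenticate(PLUGINS, req))
```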




Table 21: Authentication Plug-Ins

Basic RADIUS authentication
  Sends authentication information to an external RADIUS authentication server or a group of redundant servers.
  Java class name—net.juniper.smgt.sae.plugin.RadiusAuthPluginEventListener

Custom RADIUS authentication
  Provides the same customizable functions as the flexible RADIUS authentication plug-ins. Custom plug-ins are internal plug-ins designed to deliver better system performance than the flexible RADIUS plug-ins. You can extend this plug-in by using the RADIUS client library.
  Java class name—net.juniper.smgt.sae.plugin.CustomRadiusAuth

Flexible RADIUS authentication
  Performs the same functions as the basic RADIUS authentication plug-in, but also lets you customize the RADIUS authentication packets that the SAE sends to RADIUS servers. You can specify which fields are included in RADIUS authentication packets and what information those fields contain.
  Java class name—net.juniper.smgt.sae.plugin.FlexibleRadiusAuthPluginEventListener

LDAP authentication
  Performs authentication against different directories using different authentication methods. There are two LDAP authentication plug-ins: one authenticates subscribers, and the other authenticates SRC administrators so that they can access the SAE Web Admin application.
  Java class name of the subscriber authentication plug-in—net.juniper.smgt.sae.plugin.LdapAuthenticator
  Java class name of the administrator authentication plug-in—net.juniper.smgt.sae.plugin.adminLdap

Limiting subscribers
  Limits the number of authenticated subscribers who connect to an IP interface on the router.
  Java class name—net.juniper.smgt.sae.plugin.LimitNumSubscriberPerIntfAuthPluginListener

Limiting Subscribers on Router Interfaces

You can limit the number of authenticated subscribers who connect to an IP interface on the router. This plug-in does not limit the number of unauthenticated subscribers who connect to an IP interface, and does not limit the number of subscribers who connect to a physical or link-layer interface. In the case of subscriber interfaces, the plug-in limits the number of authenticated subscribers on the subscriber interface but not on the underlying primary IP interface.

Use the following configuration statement to set up a plug-in that limits the number of subscribers who connect to interfaces:

shared sae configuration plug-ins pool name interface-subscriber-limit {
  concurrent-subscribers concurrent-subscribers;
}

To set up a plug-in that limits the number of subscribers on interfaces:

  1. From configuration mode, access the interface subscriber limit plug-in configuration. In this sample procedure, the plug-in called subsLimit is configured in the west-region SAE group.

     user@host# edit shared sae group west-region configuration plug-ins pool subsLimit interface-subscriber-limit

  2. Configure the number of authenticated subscribers who can connect to an IP interface on the router simultaneously.

     [edit shared sae group west-region configuration plug-ins pool subsLimit interface-subscriber-limit]
     user@host# set concurrent-subscribers concurrent-subscribers

  3. (Optional) Verify your configuration.

     [edit shared sae group west-region configuration plug-ins pool subsLimit interface-subscriber-limit]
     user@host# show
     concurrent-subscribers 1;

Configuring Basic RADIUS Authentication Plug-Ins

You can use basic RADIUS authentication plug-ins to send authentication information to an external RADIUS authentication server or a group of redundant servers. To communicate with nonredundant servers, you need to create additional instances of the plug-in.

Use the following configuration statements to set up basic RADIUS authentication plug-ins:

shared sae configuration plug-ins pool name radius-authentication {
  load-balancing-mode (failover | roundRobin);
  failback-timer failback-timer;
  nas-ip (SspIp | ErxIp);
  retry-interval retry-interval;
  maximum-queue-length maximum-queue-length;
  bind-address bind-address;
  udp-port udp-port;
  default-peer default-peer;
}

To set up basic RADIUS authentication plug-ins:

  1. From configuration mode, access the basic RADIUS authentication plug-in configuration. In this sample procedure, the plug-in called RadiusAuth is configured in the west-region SAE group.

     user@host# edit shared sae group west-region configuration plug-ins pool RadiusAuth radius-authentication

  2. Configure the mode for load-balancing RADIUS servers.

     [edit shared sae group west-region configuration plug-ins pool RadiusAuth radius-authentication]
     user@host# set load-balancing-mode (failover | roundRobin)

  3. Specify if and when the SAE attempts to fail back to the default peer.

     [edit shared sae group west-region configuration plug-ins pool RadiusAuth radius-authentication]
     user@host# set failback-timer failback-timer

  4. (Optional) Configure the value of the NAS-Ip attribute.

     [edit shared sae group west-region configuration plug-ins pool RadiusAuth radius-authentication]
     user@host# set nas-ip (SspIp | ErxIp)

  5. Configure the time the SAE waits for a response from a RADIUS server before it resends the RADIUS packet.

     [edit shared sae group west-region configuration plug-ins pool RadiusAuth radius-authentication]
     user@host# set retry-interval retry-interval

  6. Configure the maximum number of unacknowledged RADIUS messages that the plug-in holds for the RADIUS server before it discards new messages.

     [edit shared sae group west-region configuration plug-ins pool RadiusAuth radius-authentication]
     user@host# set maximum-queue-length maximum-queue-length

  7. (Optional) Configure the source IP address that the plug-in uses to communicate with the RADIUS server. If you do not specify an address, the global default address is used.

     [edit shared sae group west-region configuration plug-ins pool RadiusAuth radius-authentication]
     user@host# set bind-address bind-address

  8. (Optional) Configure the source UDP port or a range of source UDP ports used for communication with the RADIUS server. If you do not specify a UDP port, the global UDP port is used.

     [edit shared sae group west-region configuration plug-ins pool RadiusAuth radius-authentication]
     user@host# set udp-port udp-port

  9. Configure the name of the RADIUS server to which the SAE sends packets for this plug-in.

     [edit shared sae group west-region configuration plug-ins pool RadiusAuth radius-authentication]
     user@host# set default-peer default-peer

  10. (Optional) Verify your configuration.

     [edit shared sae group west-region configuration plug-ins pool RadiusAuth radius-authentication]
     user@host# show
     load-balancing-mode failover;
     failback-timer -1;
     retry-interval 3000;
     maximum-queue-length 10000;
     default-peer peer1;


Configuring Flexible RADIUS Authentication Plug-Ins

Flexible RADIUS authentication plug-ins provide the same features as basic RADIUS authentication plug-ins. In addition, they let you customize the RADIUS authentication packets that the system sends to RADIUS servers: you specify which fields are included in the packets and what information those fields contain.

Use the following configuration statements to set up flexible RADIUS authentication plug-ins:

shared sae configuration plug-ins pool name flex-radius-authentication {
  load-balancing-mode (failover | roundRobin);
  failback-timer failback-timer;
  timeout timeout;
  retry-interval retry-interval;
  maximum-queue-length maximum-queue-length;
  bind-address bind-address;
  udp-port udp-port;
  error-handling (0 | 1);
  default-peer default-peer;
  template template;
}

To set up flexible RADIUS authentication plug-ins:

  1. From configuration mode, access the flexible RADIUS authentication plug-in configuration. In this sample procedure, the plug-in called flexRadiusAuth is configured in the west-region SAE group.

     user@host# edit shared sae group west-region configuration plug-ins pool flexRadiusAuth flex-radius-authentication

  2. Configure the mode for load-balancing RADIUS servers.

     [edit shared sae group west-region configuration plug-ins pool flexRadiusAuth flex-radius-authentication]
     user@host# set load-balancing-mode (failover | roundRobin)

  3. Specify if and when the SAE attempts to fail back to the default peer.

     [edit shared sae group west-region configuration plug-ins pool flexRadiusAuth flex-radius-authentication]
     user@host# set failback-timer failback-timer

  4. (Optional) Configure the maximum time the SAE waits for a response from a RADIUS server.

     [edit shared sae group west-region configuration plug-ins pool flexRadiusAuth flex-radius-authentication]
     user@host# set timeout timeout

  5. Configure the time the SAE waits for a response from a RADIUS server before it resends the RADIUS packet.

     [edit shared sae group west-region configuration plug-ins pool flexRadiusAuth flex-radius-authentication]
     user@host# set retry-interval retry-interval

  6. Configure the maximum number of unacknowledged RADIUS messages that the plug-in holds for the RADIUS server before it discards new messages.

     [edit shared sae group west-region configuration plug-ins pool flexRadiusAuth flex-radius-authentication]
     user@host# set maximum-queue-length maximum-queue-length

  7. (Optional) Configure the source IP address that the plug-in uses to communicate with the RADIUS server. If you do not specify an address, the global default address is used.

     [edit shared sae group west-region configuration plug-ins pool flexRadiusAuth flex-radius-authentication]
     user@host# set bind-address bind-address

  8. (Optional) Configure the source UDP port or a range of source UDP ports used for communication with the RADIUS server. If you do not specify a UDP port, the global UDP port is used.

     [edit shared sae group west-region configuration plug-ins pool flexRadiusAuth flex-radius-authentication]
     user@host# set udp-port udp-port

  9. Configure the way the SAE handles errors.

     [edit shared sae group west-region configuration plug-ins pool flexRadiusAuth flex-radius-authentication]
     user@host# set error-handling (0 | 1)

  10. Configure the name of the RADIUS server to which the SAE sends packets for this plug-in.

     [edit shared sae group west-region configuration plug-ins pool flexRadiusAuth flex-radius-authentication]
     user@host# set default-peer default-peer

  11. Configure the name of the RADIUS packet template that defines attributes for this plug-in.

     [edit shared sae group west-region configuration plug-ins pool flexRadiusAuth flex-radius-authentication]
     user@host# set template template

  12. (Optional) Verify your configuration.

     [edit shared sae group west-region configuration plug-ins pool flexRadiusAuth flex-radius-authentication]
     user@host# show
     load-balancing-mode failover;
     failback-timer -1;
     timeout 15000;
     retry-interval 3000;
     maximum-queue-length 10000;
     error-handling 0;
     default-peer 1;
     template stdAuth;
     peer-group 1 {
       server-address ;
       server-port 1812;
       secret ********;
     }


Configuring Custom RADIUS Authentication Plug-Ins

The custom RADIUS authentication plug-ins provide the same functions as the flexible RADIUS authentication plug-ins, but are designed to deliver better system performance. To use a custom plug-in, you must provide a Java class that implements the SPI defined in the RADIUS client library. Use this SPI to specify which fields and field values to include in RADIUS authentication packets. The RADIUS client library is part of the SAE core API.

See the documentation for the RADIUS client library in the SRC software distribution in the folder SDK/doc/sae/net/juniper/smgt/sae/radiuslib, or the SAE core API documentation on the Juniper Networks Web site at http://www.juniper.net/techpubs/software/management/sdx/api-index.html

For a sample implementation, see the following directory in the SRC software distribution: SDK/plugin/java/src/net/juniper/smgt/sample/radiuslib/RadiusPacketHandlerImpl.java.

Use the following configuration statements to set up custom RADIUS authentication plug-ins:

shared sae configuration plug-ins pool name custom-radius-authentication {
  java-class-radius-packet-handler java-class-radius-packet-handler;
  class-path-radius-packet-handler class-path-radius-packet-handler;
  require-mandatory-attributes;
  load-balancing-mode (failover | roundRobin);
  failback-timer failback-timer;
  timeout timeout;
  retry-interval retry-interval;
  maximum-queue-length maximum-queue-length;
  bind-address bind-address;
  udp-port udp-port;
  default-peer default-peer;
}

To set up custom RADIUS authentication plug-ins:

  1. From configuration mode, access the custom RADIUS authentication plug-in configuration. In this sample procedure, the plug-in called customRadiusAuth is configured in the west-region SAE group.

     user@host# edit shared sae group west-region configuration plug-ins pool customRadiusAuth custom-radius-authentication

  2. Configure the name of the Java class that implements the RadiusPacketHandler interface in the RADIUS client library.

     [edit shared sae group west-region configuration plug-ins pool customRadiusAuth custom-radius-authentication]
     user@host# set java-class-radius-packet-handler java-class-radius-packet-handler

  3. Configure the URLs that identify the location from which Java classes are loaded when the plug-in is initialized.

     [edit shared sae group west-region configuration plug-ins pool customRadiusAuth custom-radius-authentication]
     user@host# set class-path-radius-packet-handler class-path-radius-packet-handler

  4. (Optional) Specify that a RADIUS authentication or accounting request must contain all mandatory RADIUS attributes before the request packet is sent.

     [edit shared sae group west-region configuration plug-ins pool customRadiusAuth custom-radius-authentication]
     user@host# set require-mandatory-attributes

  5. Configure the mode for load-balancing RADIUS servers.

     [edit shared sae group west-region configuration plug-ins pool customRadiusAuth custom-radius-authentication]
     user@host# set load-balancing-mode (failover | roundRobin)

  6. Specify if and when the SAE attempts to fail back to the default peer.

     [edit shared sae group west-region configuration plug-ins pool customRadiusAuth custom-radius-authentication]
     user@host# set failback-timer failback-timer

  7. (Optional) Configure the maximum time the SAE waits for a response from a RADIUS server.

     [edit shared sae group west-region configuration plug-ins pool customRadiusAuth custom-radius-authentication]
     user@host# set timeout timeout

  8. Configure the time the SAE waits for a response from a RADIUS server before it resends the RADIUS packet.

     [edit shared sae group west-region configuration plug-ins pool customRadiusAuth custom-radius-authentication]
     user@host# set retry-interval retry-interval

  9. Configure the maximum number of unacknowledged RADIUS messages that the plug-in holds for the RADIUS server before it discards new messages.

     [edit shared sae group west-region configuration plug-ins pool customRadiusAuth custom-radius-authentication]
     user@host# set maximum-queue-length maximum-queue-length

  10. (Optional) Configure the source IP address that the plug-in uses to communicate with the RADIUS server. If you do not specify an address, the global default address is used.

     [edit shared sae group west-region configuration plug-ins pool customRadiusAuth custom-radius-authentication]
     user@host# set bind-address bind-address

  11. (Optional) Configure the source UDP port or a range of source UDP ports used for communication with the RADIUS server. If you do not specify a UDP port, the global UDP port is used.

     [edit shared sae group west-region configuration plug-ins pool customRadiusAuth custom-radius-authentication]
     user@host# set udp-port udp-port

  12. Configure the name of the RADIUS server to which the SAE sends packets for this plug-in.

     [edit shared sae group west-region configuration plug-ins pool customRadiusAuth custom-radius-authentication]
     user@host# set default-peer default-peer

  13. (Optional) Verify your configuration.

     [edit shared sae group west-region configuration plug-ins pool customRadiusAuth custom-radius-authentication]
     user@host# show
     java-class-radius-packet-handler net.juniper.smgt.radius.RadiusPacketHandlerImpl;
     require-mandatory-attributes;
     load-balancing-mode failover;
     failback-timer -1;
     timeout 15000;
     retry-interval 3000;
     maximum-queue-length 10000;
     default-peer peer4;


Configuring LDAP Authentication Plug-Ins

Use the following configuration statements to configure LDAP authentication plug-ins:

shared sae configuration plug-ins pool name ldap-authentication {
  method (search | bind);
  server server;
  bind-dn bind-dn;
  bind-password bind-password;
  search-filter search-filter;
  (ldaps);
  search-base-dn search-base-dn;
  name-attribute name-attribute;
  password-attribute password-attribute;
  service-bundle-attribute service-bundle-attribute;
  session-volume-quota session-volume-quota;
  timeout timeout;
}

To create LDAP authentication plug-ins:

  1. From configuration mode, access the LDAP authentication plug-in configuration. In this sample procedure, the plug-in called ldapAuth is configured in the west-region SAE group.

     user@host# edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication

  2. Configure the LDAP authentication method that the SAE uses.

     [edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication]
     user@host# set method (search | bind)

  3. (Optional) Configure a comma-separated list of IP addresses or hostnames of the LDAP authentication servers.

     [edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication]
     user@host# set server server

  4. (Optional) Configure the DN used to authenticate access to the directory.

     [edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication]
     user@host# set bind-dn bind-dn

  5. (Optional) Configure the password that the SAE uses to authenticate its access to the directory when it searches for the subscriber profile. If you do not specify a bind DN or bind password, the SAE uses anonymous access.

     [edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication]
     user@host# set bind-password bind-password

  6. (Optional) Configure the additional LDAP search filter that the SAE uses to search the directory for the subscriber profile.

     [edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication]
     user@host# set search-filter search-filter

  7. (Optional) Enable the secure protocol used for LDAP connections with the directory. LDAPS, the only secure protocol supported, encrypts communication with the directory using Secure Sockets Layer (SSL).

     [edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication]
     user@host# set ldaps

  8. (Optional) Configure the base DN for searching entries in the directory.

     [edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication]
     user@host# set search-base-dn search-base-dn

  9. (Optional) Configure the name of the directory attribute that holds the username.

     [edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication]
     user@host# set name-attribute name-attribute

  10. (Optional) Configure the name of the directory attribute that stores the password.

     [edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication]
     user@host# set password-attribute password-attribute

  11. (Optional) Configure the name of the directory attribute that contains the name of the service bundle used for subscriber authentication. This value is made available to the subscriber classification process and can be used to select the subscriber profile to load.

     [edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication]
     user@host# set service-bundle-attribute service-bundle-attribute

  12. (Optional) Configure the name of the LDAP attribute that contains the value of the session volume quota. The LDAP plug-in sets the session volume quota to this value.

     [edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication]
     user@host# set session-volume-quota session-volume-quota

  13. (Optional) Configure the maximum time the SAE waits for a response from a directory server.

     [edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication]
     user@host# set timeout timeout

  14. (Optional) Verify your configuration.

     [edit shared sae group west-region configuration plug-ins pool ldapAuth ldap-authentication]
     user@host# show
     method search;
     search-filter (objectClass=umcSubscriber);
     name-attribute uniqueId;
     timeout 5000;
