

Configuring Authorization Plug-Ins

This section shows how to configure the authorization plug-ins described in Table 17. Because authentication and authorization are similar, the plug-in user interface does not distinguish between them. However, when you configure plug-ins, you need to set them up to perform the correct behavior, either authentication or authorization.

You can configure multiple authorization plug-ins. The plug-ins are called in an arbitrary order, and each plug-in can return authorization values. (If multiple plug-ins return a session-timeout value, the smallest value is used.) Authorization succeeds if all plug-in calls succeed.




Table 17: Authorization Plug-Ins

| Plug-In | Description |
| --- | --- |
| Basic RADIUS authentication | Sends authentication information to an external RADIUS authentication server or a group of redundant servers. Java class name: net.juniper.smgt.sae.plugin.RadiusAuthPluginEventListener |
| Custom RADIUS authentication | Provides customized functions that can also be found in the flexible RADIUS authentication plug-ins. Custom plug-ins are internal plug-ins that are designed to deliver better system performance than the flexible RADIUS plug-ins. You can extend this plug-in by using the RADIUS client library. Java class name: net.juniper.smgt.sae.plugin.CustomRadiusAuth |
| Flexible RADIUS authentication | Performs the same functions as the basic RADIUS authentication plug-in, but also lets you customize RADIUS authentication packets that the SAE sends to RADIUS servers. You can specify which fields are included in RADIUS authentication packets and what information is contained in the fields. Java class name: net.juniper.smgt.sae.plugin.FlexibleRadiusAuthPluginEventListener |
| LDAP authentication | Performs authentication against different directories using different authentication methods. There are two LDAP authentication plug-ins: one authenticates subscribers, and the second authenticates SRC administrators so that they can access the SAE Web Admin application. Java class name of the subscriber authentication plug-in: net.juniper.smgt.sae.plugin.LdapAuthenticator. Java class name of the administrator authentication plug-in: net.juniper.smgt.sae.plugin.adminLdap |
| Limiting subscribers | Limits the number of authenticated subscribers who connect to an IP interface on the router. Java class name: net.juniper.smgt.sae.plugin.LimitNumSubscriberPerIntfAuthPluginListener |

The overall steps to configure an authorization plug-in are:

  1. Create and configure a plug-in instance in the plug-in pool. The following sections show how to create and configure an instance for each type of authorization plug-in.
  2. Configure an event publisher to publish events to the plug-in instance. See Configuring Event Publishers.

Limiting Subscribers on Router Interfaces

You can limit the number of authenticated subscribers who connect to an IP interface on the router. This plug-in does not limit the number of unauthenticated subscribers who connect to an IP interface, and does not limit the number of subscribers who connect to a physical or link-layer interface. In the case of subscriber interfaces, the plug-in limits the number of authenticated subscribers on the subscriber interface but not on the underlying primary IP interface.

To set up a plug-in that limits the number of subscribers on interfaces:

  1. In the Plug-In Pool area of the Plug-Ins pane, create a Limit number of subscribers on interface plug-in instance as described in Creating Plug-In Instances.

     The instance appears in the Plug-In Pool area.

  2. Fill in the number of authenticated subscribers that you want connected to an interface simultaneously.

Number of concurrent users per interface
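
The following is an added model, not SRC or SAE code, of how the limiting plug-in's decision combines with other authorization plug-ins under the rules stated at the start of this section: every plug-in call must succeed, the call order is arbitrary, and the smallest returned session-timeout is used. The `Result` shape, the function names, the interface names and the stand-in `radius` and `ldap` authorizers are hypothetical, and treating a plug-in call that raises an error as a failed call is an assumption.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Result:
    """Hypothetical shape of one plug-in's answer (not the SAE plug-in API)."""
    ok: bool
    session_timeout: Optional[int] = None  # None: plug-in returned no value

Plugin = Callable[[dict], Result]

def limit_plugin(max_per_interface: int, authenticated: Dict[str, int]) -> Plugin:
    """Deny once an IP interface already carries the configured number of
    authenticated subscribers. Unauthenticated subscribers are never counted."""
    def check(request: dict) -> Result:
        current = authenticated.get(request["interface"], 0)
        return Result(ok=current < max_per_interface)
    return check

def authorize(plugins: List[Plugin], request: dict) -> Result:
    """Succeed only if every plug-in call succeeds; smallest timeout wins."""
    granted, timeouts = True, []
    for plugin in plugins:  # every plug-in is consulted, so order cannot matter
        try:
            result = plugin(request)
        except Exception:
            # Assumption: a call that raises has not succeeded, so fail closed.
            result = Result(ok=False)
        granted = granted and result.ok
        if result.session_timeout is not None:
            timeouts.append(result.session_timeout)
    if not granted:
        return Result(ok=False)
    return Result(ok=True, session_timeout=min(timeouts) if timeouts else None)

# Constructed sample data: two stand-in authorizers and one limiter.
radius = lambda request: Result(ok=True, session_timeout=3600)
ldap = lambda request: Result(ok=True, session_timeout=900)
limiter = limit_plugin(2, {"ip-intf-A": 2, "ip-intf-B": 1})
PLUGINS = [radius, ldap, limiter]

def decide_all_orders(interface: str) -> set:
    """Run every call order and collect the distinct outcomes."""
    request = {"subscriber": "alice", "interface": interface}
    return {authorize(list(order), request) for order in permutations(PLUGINS)}

if __name__ == "__main__":
    print(decide_all_orders("ip-intf-A"))  # interface already at its limit
    print(decide_all_orders("ip-intf-B"))  # interface with room left
```

Because one denying plug-in overrides every other result, a permissive session-timeout from one authorizer cannot widen what a stricter plug-in returned.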

Configuring Basic RADIUS Authentication Plug-Ins

You can use basic RADIUS authentication plug-ins to send authentication information to an external RADIUS accounting server or a group of redundant servers. To communicate with nonredundant servers, you need to create additional instances of the plug-in.

To set up basic RADIUS authentication plug-ins:

  1. In the Plug-In Pool area of the Plug-Ins pane, create a basic RADIUS authentication plug-in instance as described in Creating Plug-In Instances.

     The instance appears in the Plug-In Pool area.

  2. Fill in the fields for the plug-in instance as described in Using RADIUS Plug-In Fields.
  3. In the Peer Group area, create at least one RADIUS peer to use as the default peer. See Creating RADIUS Peers.

Configuring Flexible RADIUS Authentication Plug-Ins

Flexible RADIUS authentication plug-ins provide the same features as basic RADIUS authentication plug-ins. In addition, they allow you to customize RADIUS authentication packets that the system sends to RADIUS servers and specify which fields are included in the RADIUS authentication packets and what information is contained in the fields.

You can also extend custom RADIUS plug-ins to perform the same functions as the flexible RADIUS plug-ins. These custom plug-ins are also internal plug-ins, but are designed to deliver better system performance. See Configuring Custom RADIUS Authentication Plug-Ins.

To set up flexible RADIUS authentication plug-ins:

  1. In the Plug-In Pool area of the Plug-Ins pane, create a flexible RADIUS authentication plug-in instance as described in Creating Plug-In Instances.

     The instance appears in the Plug-In Pool area.

  2. Fill in the plug-in instance fields as described in Using RADIUS Plug-In Fields.
  3. In the Peer Group area, create at least one peer to use as the default peer. See Creating RADIUS Peers.
  4. (Optional) Assign a RADIUS packet template to the instance, or create a packet definition for the instance. See Defining RADIUS Packets for Flexible RADIUS Plug-Ins with SDX Configuration Editor.

Configuring Custom RADIUS Authentication Plug-Ins

The custom RADIUS authentication plug-ins provide the same functions as the flexible RADIUS authentication plug-ins, but are designed to deliver better system performance. To use a custom plug-in, you must provide a Java class that implements the SPI defined in the RADIUS client library. Use this SPI to specify which fields and field values to include in RADIUS accounting packets. The RADIUS client library is part of the SAE core API.

See the documentation for the RADIUS client library in the SRC software distribution in the folder SDK/doc/sae/net/juniper/smgt/sae/radiuslib or the SAE core API documentation on the Juniper Networks Web site at

http://www.juniper.net/techpubs/software/management/sdx/api-index.html

For a sample implementation, see the following directory in the SRC software distribution: SDK/plugin/java/src/net/juniper/smgt/sample/radiuslib/RadiusPacketHandlerImpl.java.

To set up custom RADIUS authentication plug-ins:

  1. In the Plug-In Pool area of the Plug-Ins pane, create a custom RADIUS authentication plug-in instance as described in Creating Plug-In Instances.

     The instance appears in the Plug-In Pool area.

  2. Fill in the plug-in instance fields as described in Using RADIUS Plug-In Fields.
  3. In the Peer Group area, create at least one peer to use as the default peer. See Creating RADIUS Peers.

Configuring LDAP Authentication Plug-Ins

To create LDAP authentication plug-ins:

  1. In the Plug-In Pool area of the Plug-Ins pane, create an Ldap authenticator plug-in instance as described in Creating Plug-In Instances.

     The instance appears in the Plug-In Pool area.

  2. Fill in the plug-in instance fields as described below.

Method

LDAP Server

Bind DN

Bind Password

Search Filter

Secured LDAP protocol

Search Base DN

Name Attribute

Password Attribute

Service Bundle Attribute

Session Volume Quota

Timeout

