Configuring Authorization Plug-Ins
This section shows how to configure the authorization plug-ins described in Table 17. Because authentication and authorization are similar, the plug-in user interface does not distinguish between them. However, when you configure plug-ins, you need to set them up to perform the correct behavior, either authentication or authorization.
You can configure multiple authorization plug-ins. The plug-ins are called in an arbitrary order, and each plug-in can return authorization values. (If multiple plug-ins return a session-timeout value, the smallest value is used.) Authorization succeeds if all plug-in calls succeed.
The overall steps to configure an authorization plug-in are:
- Create and configure a plug-in instance in the plug-in pool. The following sections show how to create and configure an instance for each type of authorization plug-in.
- Configure an event publisher to publish events to the plug-in instance.
See Configuring Event Publishers.
Limiting Subscribers on Router Interfaces
You can limit the number of authenticated subscribers who connect to an IP interface on the router. This plug-in does not limit the number of unauthenticated subscribers who connect to an IP interface, and does not limit the number of subscribers who connect to a physical or link-layer interface. In the case of subscriber interfaces, the plug-in limits the number of authenticated subscribers on the subscriber interface but not on the underlying primary IP interface.
To set up a plug-in that limits the number of subscribers on interfaces:
- In the Plug-In Pool area of the Plug-Ins pane, create a Limit number of subscribers on interface plug-in instance as described in Creating Plug-In Instances.
The instance appears in the Plug-In Pool area.
- Fill in the number of authenticated subscribers that you want connected to an interface simultaneously.
Number of concurrent users per interface
- Number of authenticated subscribers who can connect to an IP interface on the router simultaneously.
- Value—Integer in the range 0-2147483647
- Default—1
- Property name—max_user
Configuring Basic RADIUS Authentication Plug-Ins
You can use basic RADIUS authentication plug-ins to send authentication information to an external RADIUS authentication server or a group of redundant servers. To communicate with nonredundant servers, you need to create additional instances of the plug-in.
To set up basic RADIUS authentication plug-ins:
- In the Plug-In Pool area of the Plug-Ins pane, create a basic RADIUS authentication plug-in instance as described in Creating Plug-In Instances.
The instance appears in the Plug-In Pool area.
- Fill in the fields for the plug-in instance as described in Using RADIUS Plug-In Fields.
- In the Peer Group area, create at least one RADIUS peer to use as the default peer. See Creating RADIUS Peers.
Configuring Flexible RADIUS Authentication Plug-Ins
Flexible RADIUS authentication plug-ins provide the same features as basic RADIUS authentication plug-ins. In addition, they allow you to customize RADIUS authentication packets that the system sends to RADIUS servers and specify which fields are included in the RADIUS authentication packets and what information is contained in the fields.
You can also extend custom RADIUS plug-ins to perform the same functions as the flexible RADIUS plug-ins. These custom plug-ins are also internal plug-ins, but are designed to deliver better system performance. See Configuring Custom RADIUS Authentication Plug-Ins.
To set up flexible RADIUS authentication plug-ins:
- In the Plug-In Pool area of the Plug-Ins pane, create a flexible RADIUS authentication plug-in instance as described in Creating Plug-In Instances.
The instance appears in the Plug-In Pool area.
- Fill in the plug-in instance fields as described in Using RADIUS Plug-In Fields.
- In the Peer Group area, create at least one peer to use as the default peer. See Creating RADIUS Peers.
- (Optional) Assign a RADIUS packet template to the instance, or create a packet definition for the instance. See Defining RADIUS Packets for Flexible RADIUS Plug-Ins with SDX Configuration Editor.
Configuring Custom RADIUS Authentication Plug-Ins
The custom RADIUS authentication plug-ins provide the same functions as the flexible RADIUS authentication plug-ins, but are designed to deliver better system performance. To use a custom plug-in, you must provide a Java class that implements the SPI defined in the RADIUS client library. Use this SPI to specify which fields and field values to include in RADIUS authentication packets. The RADIUS client library is part of the SAE core API.
See the documentation for the RADIUS client library in the SRC software distribution in the folder SDK/doc/sae/net/juniper/smgt/sae/radiuslib or the SAE core API documentation on the Juniper Networks Web site at
http://www.juniper.net/techpubs/software/management/sdx/api-index.html
For a sample implementation, see the following directory in the SRC software distribution: SDK/plugin/java/src/net/juniper/smgt/sample/radiuslib/RadiusPacketHandlerImpl.java.
To set up custom RADIUS authentication plug-ins:
- In the Plug-In Pool area of the Plug-Ins pane, create a custom RADIUS authentication plug-in instance as described in Creating Plug-In Instances.
The instance appears in the Plug-In Pool area.
- Fill in the plug-in instance fields as described in Using RADIUS Plug-In Fields.
- In the Peer Group area, create at least one peer to use as the default peer. See Creating RADIUS Peers.
Configuring LDAP Authentication Plug-Ins
To create LDAP authentication plug-ins:
- In the Plug-In Pool area of the Plug-Ins pane, create an Ldap authenticator plug-in instance as described in Creating Plug-In Instances.
The instance appears in the Plug-In Pool area.
Method
- search—SAE searches the directory for the username that the subscriber enters, retrieves the found object, and compares the password stored in the object with the provided password.
You can store passwords in clear text or encrypted (hashed) format by using the crypt (UNIX /etc/passwd), SHA, or MD5 algorithms. The format for a hashed password is:
{crypt}hashed password, {sha}base64 SHA password, or {md5}base64 MD5 password.
- bind—SAE performs a directory search, retrieves the DN of the found object, and tries to bind with this DN and the password that the subscriber provides.
If you specify the bind method, the plug-in uses the provided username and password to authenticate to the directory (bind).
You can store passwords in clear text or encrypted (hashed) format by using the crypt (UNIX /etc/passwd), SHA, or MD5 algorithms. You must use an encryption method that the directory supports.
- Guidelines—Search and bind have different implications for system security and performance. When you design the system, consider:
- search—Because the SAE retrieves passwords from the directory, the directory must allow read access to the password. Allowing read access can be a security risk because an attacker may be able to read passwords in subscriber profiles. However, to lower the risk of password exposure, you can store passwords in encrypted (hashed) form.
- bind—SAE sends the password to the directory for authentication. The advantage is that passwords never need to be read from the directory. However, passwords are sent in clear text, and an attacker could intercept them.
Bind is a relatively expensive operation that can affect system performance.
LDAP Server
- Comma-separated list of IP addresses or hostnames of the LDAP authentication server.
- Value—IP address
- Default—127.0.0.1
- Property name—host
Bind DN
- DN used to authenticate access to the directory.
- Value—DN
- Default—cn=ssp, ou=Components, o=Operators, <base>
- Property name—bindDN
Bind Password
- Password that the SAE uses to authenticate its access to the directory to search for the subscriber profile. If you do not specify a bind DN or bind password, the SAE uses anonymous access.
- Value—Characters that make up the password; SDX Configuration Editor encodes the secret using base64
- Default—ssp
- Property name—bindPW
Search Filter
- Additional LDAP search filter that the SAE uses to search the directory for the subscriber profile. The initial search uses a search filter in the form (&(nameAttribute=userName) filter). The search is successful when the username and the filter match.
- Value—Search filter syntax defined in RFC 2254—The String Representation of LDAP Search Filters (December 1997)
- Default—(objectClass=umcSubscriber)
- Property name—filter
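The following is an added illustration (not SRC or SAE code) of the search method and the search filter composition described above: it builds the (&(nameAttribute=userName) filter) expression with the escaping RFC 2254 requires for subscriber-supplied values, and compares a stored {sha}base64 or {md5}base64 password with the password the subscriber provides. The sample entry, attribute names and password are constructed; {crypt} values are left unhandled because they need the platform crypt(3).

```python
import base64
import hashlib
import hmac

# Characters RFC 2254 requires to be escaped inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    """Escape a subscriber-supplied value before it is placed in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_search_filter(name_attr: str, username: str, extra_filter: str) -> str:
    """Compose (&(nameAttribute=userName) filter) as the initial search does.
    Escaping stops a username such as '*)(objectClass=*' from widening the
    search or matching a different subscriber profile."""
    return f"(&({name_attr}={escape_filter_value(username)}){extra_filter})"

def _digest_b64(scheme: str, password: str) -> str:
    algo = {"sha": "sha1", "md5": "md5"}[scheme]
    digest = hashlib.new(algo, password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def hash_password(scheme: str, password: str) -> str:
    """Produce a stored value in the {sha}base64 / {md5}base64 form."""
    return "{%s}%s" % (scheme, _digest_b64(scheme, password))

def check_stored_password(stored: str, provided: str) -> bool:
    """Search-method comparison of a stored userPassword value with the
    password the subscriber provided. Clear text is compared directly;
    {crypt} values need the platform crypt(3) and are not handled here."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, value = stored[1:].partition("}")
        scheme = scheme.lower()
        if scheme in ("sha", "md5"):
            return hmac.compare_digest(_digest_b64(scheme, provided).encode(), value.encode())
        if scheme == "crypt":
            raise NotImplementedError("{crypt} hashes need crypt(3)")
    return hmac.compare_digest(stored.encode(), provided.encode())

# Constructed sample entry using the default nameAttr / pwdAttr names.
SAMPLE_ENTRY = {"uniqueID": "alice", "userPassword": hash_password("sha", "secret")}

def authenticate_search(entry: dict, username: str, password: str) -> bool:
    """Outcome for one found entry: the name attribute must equal the
    username and the stored password must verify."""
    if entry.get("uniqueID") != username:
        return False
    return check_stored_password(entry["userPassword"], password)
```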
Secured LDAP protocol
- Secure protocol used for LDAP connections with the directory. LDAPS, the only protocol supported, causes communication with the directory to be encrypted with Secure Sockets Layer (SSL).
- Value—LDAPS
- Default—LDAPS
- Property name—securityProtocol
Search Base DN
- Base DN for searching entries in the directory. If you do not specify a base DN, the SAE uses the DN of the associated retailer object.
- If you do not specify the base DN, the SAE takes a username in the form subscriber@domain and maps domain to a retailer object by comparing domain with the domain names stored in the retailer object. There are two special cases:
- If domain is empty, first the virtual router name and then the name default are tried.
- If a retailer defines * (asterisk) as a domain name, it is used to map all domains that cannot be mapped directly.
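As an added example (not SRC code), the retailer lookup described above for the case where no Search Base DN is configured: the domain part of subscriber@domain is matched against retailer domain names, with the empty-domain and asterisk special cases applied in the order the text gives. The retailer table, DNs and virtual router name are constructed sample data.

```python
from typing import Dict, Optional, Tuple

# Constructed retailer table: domain name -> retailer DN. Not real data.
RETAILERS: Dict[str, str] = {
    "isp.example": "o=isp-retailer,o=Users,o=umc",
    "vr-east": "o=vr-east-retailer,o=Users,o=umc",
    "default": "o=default-retailer,o=Users,o=umc",
    "*": "o=catch-all-retailer,o=Users,o=umc",
}

def split_username(login: str) -> Tuple[str, str]:
    """subscriber@domain -> (subscriber, domain); domain is '' when absent."""
    user, _, domain = login.partition("@")
    return user, domain

def map_domain_to_retailer(domain: str, virtual_router: str,
                           retailers: Dict[str, str]) -> Optional[str]:
    """Order described on the page: an empty domain tries the virtual
    router name, then 'default'; any other domain is matched directly and
    falls back to a '*' retailer if one is defined. Whether '*' also
    applies to an empty domain is not stated, so it is not applied here."""
    candidates = [virtual_router, "default"] if domain == "" else [domain, "*"]
    for name in candidates:
        if name in retailers:
            return retailers[name]
    return None

def search_base_for(login: str, virtual_router: str) -> Optional[str]:
    """Search base DN used when no Search Base DN is configured."""
    _, domain = split_username(login)
    return map_domain_to_retailer(domain, virtual_router, RETAILERS)
```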
Name Attribute
- Name of the directory attribute that holds the username.
- Value—Attribute name
- Default—uniqueID
- Property name—nameAttr
Password Attribute
- Name of the directory attribute that stores the password.
- Value—Directory attribute name
- Default—userPassword
- Property name—pwdAttr
Service Bundle Attribute
- Name of the directory attribute that contains the name of the service bundle that is used for subscriber authentication. This value is made available to the subscriber classification process and can be used to select the subscriber profile to load.
- Value—Directory attribute name
- Default—No value
- Property name—serviceBundleAttr
Session Volume Quota
- Name of the LDAP attribute that contains the value of the session volume quota. The LDAP plug-in sets the session volume quota to this value.
- Value—Name of LDAP attribute.
- Default—No value
- Property name—sessionVolumeQuotaAttr
Timeout