Example: Configuring SecurID User Authentication
This example shows how to configure SecurID as the external authentication server.
Requirements
Before you begin:
- Create an authentication user group.
- Specify that Server-1 is to be used as the SecurID server and that its configuration file (the sdconf.rec file exported from the RSA Authentication Manager) resides on the device at /var/db/securid/Server-1/sdconf.rec. This is a configuration statement, so enter it from configuration mode:
[edit]
user@host# set access securid-server Server-1 configuration-file "/var/db/securid/Server-1/sdconf.rec"
Overview
SecurID is an authentication method that allows users to enter either a static or a dynamic password as their credentials. A dynamic password (passcode) is the user's PIN combined with the tokencode currently shown on the user's SecurID token; the tokencode changes about once a minute, so a captured passcode is useful to an attacker only for a very short time. A static password is set for the user on the SecurID server. For example, the SecurID server administrator might set a temporary static password for a user who has lost his or her SecurID token.
When a user attempts to access a resource protected by a policy and SecurID is configured in the profile authentication-order parameter as either the only authentication mode or the first one to be used, the device forwards the user's credentials to the SecurID server for authentication. If the SecurID server accepts the credentials, the user is allowed access to the requested resource.
Configuration
CLI Quick Configuration
To quickly configure SecurID as the external authentication server, copy the following commands and paste them into the CLI:
[edit]
set access profile Profile-2 authentication-order securid
set access profile Profile-2 client Client-1 client-group alpha
set access profile Profile-2 client Client-1 client-group beta
set access profile Profile-2 client Client-1 client-group gamma
set access profile Profile-2 client Client-1 firewall-user password "$9$kq5Ftutb1H"
set access profile Profile-2 client Client-2 client-group alpha
set access profile Profile-2 client Client-2 client-group beta
set access profile Profile-2 client Client-2 firewall-user password "$9$kq5Ftu1cSe"
set access profile Profile-2 client Client-3 firewall-user password "$9$kq556ikcSe"
set access profile Profile-2 client Client-4 firewall-user password "$9$n45Ftu1cSe"
set access profile Profile-2 session-options client-group alpha
set access profile Profile-2 session-options client-group beta
set access profile Profile-2 session-options client-group gamma
set access profile Profile-2 session-options client-idle-timeout 255
set access profile Profile-2 session-options client-session-timeout 4
Step-by-Step Procedure
The following example requires you to navigate levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure SecurID as the external authentication server:
- For the Profile-2 profile, configure SecurID as the server to be used for external authentication. Because securid is the only entry in authentication-order, firewall users of this profile can authenticate through the SecurID server only; if SecurID authentication fails (the server rejects the credentials or cannot be reached), the firewall user is denied access, with no fallback to any other authentication method:
[edit]
user@host# set access profile Profile-2 authentication-order securid
To share a single SecurID server across multiple profiles, set the authentication-order parameter of each profile to include securid as an authentication mode.
- Configure the Client-1 through Client-4 firewall users. Assign the Client-1 firewall user to client groups alpha, beta, and gamma, and assign the Client-2 firewall user to client groups alpha and beta.
[edit access profile Profile-2]
user@host# set client Client-1 client-group alpha
user@host# set client Client-1 client-group beta
user@host# set client Client-1 client-group gamma
user@host# set client Client-1 firewall-user password "$9$db8Fgxg64e"
user@host# set client Client-2 client-group alpha
user@host# set client Client-2 client-group beta
user@host# set client Client-2 firewall-user password "$9$dmk29xg64e"
user@host# set client Client-3 firewall-user password "$9$dmk28ijt4e"
user@host# set client Client-4 firewall-user password "$9$dmk29km2fe"
- Configure the client groups and timeouts in the session options. The client-idle-timeout value is in minutes and the client-session-timeout value is in hours, so the settings below end an idle session after 255 minutes and force reauthentication after 4 hours regardless of activity.
[edit access profile Profile-2]
user@host# set session-options client-group alpha
user@host# set session-options client-group beta
user@host# set session-options client-group gamma
user@host# set session-options client-idle-timeout 255
user@host# set session-options client-session-timeout 4
Results
Confirm your configuration by entering the show access profile Profile-2 command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. The password values shown are the device's $9$ encoding of the plaintext you entered, not a one-way hash; the encoding is reversible, so treat saved configurations and show output containing SECRET-DATA as sensitive.
user@host# show access profile Profile-2
authentication-order securid;
client Client-1 {
    client-group [ alpha beta gamma ];
    firewall-user {
        password "$9$jpimT9A0REyn6yl"; ## SECRET-DATA
    }
}
client Client-2 {
    client-group [ alpha beta ];
    firewall-user {
        password "$9$IMVRyK7-w4oG-d"; ## SECRET-DATA
    }
}
client Client-3 {
    firewall-user {
        password "$9$GfUkPn/tB1h9C"; ## SECRET-DATA
    }
}
client Client-4 {
    firewall-user {
        password "$9$JuZi.FnC0OR/9"; ## SECRET-DATA
    }
}
session-options {
    client-group [ alpha beta gamma ];
    client-idle-timeout 255;
    client-session-timeout 4;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying Firewall User Authentication
- Monitoring Users and IP Addresses in the Authentication Table
Verifying Firewall User Authentication
Purpose
Display firewall authentication user history. Verify the number of firewall users who successfully authenticated and firewall users who failed to log in.
Action
Enter the show security firewall-authentication history command from operational mode. For more information, see the JUNOS Software CLI Reference. The sample output below was taken from a device using a different access profile (wonder) and illustrates the format of the output.
user@host> show security firewall-authentication history
History of firewall authentication data:
Authentications: 2
Id  Source Ip    Date        Time      Duration  Status   User
1   99.99.99.1   2007-10-12  21:24:02  0:00:24   Failed   troy
2   99.99.99.1   2007-10-12  21:24:48  0:00:22   Success  voyager

user@host> show security firewall-authentication history identifier 1
Username: troy
Source IP: 99.99.99.1
Authentication state: Failed
Authentication method: Pass-through using Telnet
Access start date: 2007-10-12
Access start time: 21:24:02
Duration of user access: 0:00:24
Policy name: lnx2-telnet-lnx1
Source zone: dl2
Destination zone: dl1
Access profile: wonder
Bytes sent by this user: 0
Bytes received by this user: 2660
Client-groups: Sunnyvale Bangalore

user@host> show security firewall-authentication users
Firewall authentication data:
Total users in table: 1
Id  Source Ip    Src zone  Dst zone  Profile  Age  Status  User
3   99.99.99.1   dl2       dl1       wonder   1    Failed  TechPubs

user@host> show security firewall-authentication users identifier 3
Username: TechPubs
Source IP: 99.99.99.1
Authentication state: Failed
Authentication method: Pass-through using Telnet
Age: 1
Access time remaining: 9
Source zone: dl2
Destination zone: dl1
Policy name: lnx2-telnet-lnx1
Access profile: wonder
Interface Name: ge-0/0/1.0
Bytes sent by this user: 0
Bytes received by this user: 1521
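The history output above is the record you would watch for repeated failed attempts against the SecurID-backed profile, for example an attacker guessing PINs from one source address. The following Python script is an added example, not part of the original page or of any Juniper tool: it parses the tabular part of the show security firewall-authentication history output (as captured from the CLI and saved to a file) and flags source IPs with a burst of failures. The SAMPLE_HISTORY text is constructed for this example, modelled on the format shown above; the rows, threshold and time window are assumptions, not values from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample output, modelled on the page's
# "show security firewall-authentication history" format. The rows are
# made up for this example and do not come from a real device.
SAMPLE_HISTORY = """\
History of firewall authentication data:
Authentications: 5
Id  Source Ip   Date        Time      Duration  Status   User
1   99.99.99.1  2007-10-12  21:24:02  0:00:24   Failed   troy
2   99.99.99.1  2007-10-12  21:24:48  0:00:22   Success  voyager
3   99.99.99.7  2007-10-12  21:25:01  0:00:03   Failed   admin
4   99.99.99.7  2007-10-12  21:25:09  0:00:02   Failed   admin
5   99.99.99.7  2007-10-12  21:25:20  0:00:04   Failed   root
"""

# One authentication record per line: Id, Source Ip, Date, Time, Duration, Status, User.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<duration>\d+:\d{2}:\d{2})\s+(?P<status>Failed|Success)\s+(?P<user>\S+)\s*$"
)


def parse_history(text):
    """Return one dict per authentication record found in the command output.

    Header and summary lines ("History of ...", "Authentications: N", the
    column header) do not match ROW_RE and are skipped.
    """
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["id"] = int(rec["id"])
        rec["when"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"
        )
        records.append(rec)
    return records


def failure_summary(records):
    """Count Failed and Success outcomes per source IP."""
    summary = {}
    for r in records:
        bucket = summary.setdefault(r["ip"], {"Failed": 0, "Success": 0})
        bucket[r["status"]] += 1
    return summary


def suspicious_sources(records, threshold=3, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failures inside any span of
    length `window` (sliding window over that IP's failures, sorted by time).
    The default threshold and window are assumed values for this example."""
    failures_by_ip = {}
    for r in records:
        if r["status"] == "Failed":
            failures_by_ip.setdefault(r["ip"], []).append(r["when"])
    flagged = []
    for ip, times in failures_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_history(SAMPLE_HISTORY)
    print(failure_summary(recs))
    print("suspicious:", suspicious_sources(recs))
```

On a real device the history table is bounded, so for ongoing monitoring export the output on a schedule (or send the authentication events to syslog) and feed each capture through parse_history; the per-IP summary also shows failures that are followed by a success from the same address, which is worth a second look when the profile only allows SecurID.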
Monitoring Users and IP Addresses in the Authentication Table
Purpose
Verify a list of users and IP addresses that are currently authenticated by the device in the authentication table.
Action
Enter these show commands from operational mode.
user@host> show security firewall-authentication users
user@host> show security firewall-authentication users identifier num
user@host> show security firewall-authentication users address ipaddress
where:
- users—Shows the list of users and IP addresses currently authenticated by JUNOS Software.
- identifier—Shows more details on a specific row (num is the Id value from the users table).
- address—Shows more details on a specific IP address.
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Understanding External Authentication Servers
- Example: Deleting the SecurID Node Secret File