authentication-order (Access Profile)

Syntax

Hierarchy Level

Description

Configure the order of authentication, authorization, and accounting (AAA) methods to use while sending authentication messages.

Default

Not enabled

Options

none—No authentication for specified users.

When you enable the none authentication option, the SRX Series Firewall no longer requires the RADIUS server to authenticate the initiator again with the common shared password used for the IKEv2 configuration payload, because the SRX Series Firewall has already authenticated the remote peer using certificate-based authentication. You can use this AAA profile in different combinations, but ensure that it is not used where there is no pre-authentication.

For example, consider a scenario in which a client establishes IPsec tunnels to a secure gateway and is authenticated using the certificate method as per the IKE protocol. For simplicity, if you prefer not to depend on a RADIUS server and want to use a local pool for address acquisition without any additional authentication, you can configure the “aaa” profile at the IKE gateway hierarchy and set the authentication-order value to none in the access profile, as follows:

To start RADIUS accounting, use the following commands:

ldap—Lightweight Directory Access Protocol (LDAP).

password—Locally configured password in access profile.

radius—RADIUS authentication.

s6a—S6a authentication.

saml—Security Assertion Markup Language.

securid—RSA SecurID authentication.
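
One way to check the caveat on the none option above, as an added example that is not part of Juniper's documentation: the script scans a set-format configuration for IKE gateways whose AAA access profile includes none in authentication-order but whose IKE policy has no certificate statement. The statement paths it matches (set security ike gateway ... aaa access-profile, set security ike gateway ... ike-policy, set security ike policy ... certificate) are assumptions about the configuration being audited, and every name in the sample is constructed.

```python
# Constructed sample in Junos "set" format; all profile, policy and gateway
# names are placeholders, not values from the documentation page.
SAMPLE_CONFIG = """\
set access profile CERT-ONLY authentication-order none
set access profile RADIUS-FIRST authentication-order [ radius password ]
set security ike policy POL-CERT certificate local-certificate gw-cert
set security ike policy POL-PSK pre-shared-key ascii-text "$9$constructed"
set security ike gateway GW-OK ike-policy POL-CERT
set security ike gateway GW-OK aaa access-profile CERT-ONLY
set security ike gateway GW-BAD ike-policy POL-PSK
set security ike gateway GW-BAD aaa access-profile CERT-ONLY
set security ike gateway GW-RAD ike-policy POL-PSK
set security ike gateway GW-RAD aaa access-profile RADIUS-FIRST
"""


def audit_none_profiles(config_text):
    """Return (gateway, profile, ike_policy) for each IKE gateway that uses an
    access profile with authentication-order none without certificate-based
    IKE authentication in front of it."""
    none_profiles, cert_policies = set(), set()
    gw_policy, gw_profile = {}, {}
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:3] == ["set", "access", "profile"] and tok[4:5] == ["authentication-order"]:
            # The order may be a single method or a bracketed list.
            methods = [t for t in tok[5:] if t not in ("[", "]")]
            if "none" in methods:
                none_profiles.add(tok[3])
        elif tok[:4] == ["set", "security", "ike", "policy"] and tok[5:6] == ["certificate"]:
            cert_policies.add(tok[4])
        elif tok[:4] == ["set", "security", "ike", "gateway"] and len(tok) >= 7:
            gateway = tok[4]
            if tok[5] == "ike-policy":
                gw_policy[gateway] = tok[6]
            elif tok[5:7] == ["aaa", "access-profile"] and len(tok) >= 8:
                gw_profile[gateway] = tok[7]
    findings = []
    for gateway, profile in sorted(gw_profile.items()):
        policy = gw_policy.get(gateway)  # None when no ike-policy is set
        if profile in none_profiles and policy not in cert_policies:
            findings.append((gateway, profile, policy))
    return findings


if __name__ == "__main__":
    for gateway, profile, policy in audit_none_profiles(SAMPLE_CONFIG):
        print(f"{gateway}: profile {profile} skips AAA, IKE policy {policy} has no certificate")
```

A gateway with no ike-policy statement at all is also reported, with the policy shown as None.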

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 9.0.

none option introduced in Junos OS Release 20.3R1.

saml option added in Junos OS Release 24.4R1.