
Add an Access Profile


To add an access profile:

  1. Click + on the upper-right corner of the Access Profile page.

    The Create Access Profile page appears.

  2. Complete the configuration according to the guidelines provided in Table 1.
  3. Click OK to save the changes. If you want to discard your changes, click Cancel.

Table 1: Fields on the Access Profile Page

Field

Description

Access Profile Name

Enter a name for the access profile. The name must be a unique string of alphanumeric characters, colons, periods, dashes, and underscores. Maximum length is 64 characters.

Address Assignment

Select an address pool from the list that can be used by different client applications.

Click Create Address Pool to add a new address pool. For more information on creating a new address pool, see Add an Address Pool.

Authentication

Local

Select Local to configure local authentication services.

To create a new local authentication user:

  1. Click +.

    The Create Local Authentication User page appears.

  2. Enter the following details:

    • Username—Enter the user name of the user requesting access.

    • Password—Enter the user password.

    • XAUTH IP Address—Enter the IPv4 address for the client.

    • Group—Enter the group name to store several user accounts together.

  3. Click OK to save changes.

To edit, select the local authentication user configuration and click the pencil icon.

To delete, select the local authentication user configuration and click the delete icon.

RADIUS

Select RADIUS to configure RADIUS authentication services.

To create a new RADIUS server:

  1. Click +.

    The Create RADIUS Server page appears.

  2. Enter the following details:

    • Address—Enter the IPv4 or IPv6 address of the RADIUS server.

    • Secret—Enter the secret password to access the RADIUS server.

    • Port—Enter the port number on which to contact the RADIUS server.

      Range is 1 through 65535. Default is 1812.

    • Retry—Enter the number of retries that a device can attempt to contact a RADIUS server.

      Range is 1 through 100 seconds.

    • Routing Instance—Select the routing instance from the list that the device uses to reach the RADIUS server.

    • Source Address—Enter a source IP address configured on one of the device’s interfaces.

    • Timeout—Enter the amount of time that the local device waits to receive a response from a RADIUS authentication server.

      Range is 1 through 1000 seconds.

  3. Click OK to save changes.

To edit, select the RADIUS server configuration and click the pencil icon.

To delete, select the RADIUS server configuration and click the delete icon.

LDAP

Select LDAP to configure LDAP authentication services.

To create a new LDAP server:

  1. Click +.

    The Create LDAP Server page appears.

  2. Enter the following details:

    • Address—Enter the IPv4 or IPv6 address of the LDAP server.

    • Port—Enter the port number on which to contact the LDAP server.

      Range is 1 through 65535. Default is 389.

    • Retry—Enter the number of retries that a device can attempt to contact an LDAP server.

      Range is 1 through 10 seconds.

    • Routing Instance—Select the routing instance from the list that the device uses to reach the LDAP server.

    • Source Address—Enter a source IP address configured on one of the device’s interfaces.

    • Timeout—Enter the amount of time that the local device waits to receive a response from an LDAP authentication server.

      Range is 3 through 90.

  3. Click OK to save changes.

To edit, select the LDAP server configuration and click the pencil icon.

To delete, select the LDAP server configuration and click the delete icon.

LDAP Options

Base Distinguished Name

Enter the base distinguished name that defines user’s basic properties.

For example, in the base distinguished name o=juniper, c=us, c stands for country and o for organization.

Revert Interval

Specifies the amount of time that elapses before the primary server is contacted if a backup server is being used.

Use the up/down arrows to set the revert interval.

Range is 60 through 4294967295.

LDAP Option Type

Select an LDAP option from the list:

  • None—No user LDAP distinguished name (DN).

  • Assemble—Indicates that a user’s LDAP DN is assembled through the use of a common name identifier, the username, and base distinguished name.

  • Search—Indicates that a search is used to get a user's LDAP DN. The search is performed based on the search filter and the search text typed in by the user during authentication.

Common Name

Enter a common name identifier used as a prefix for the username during the assembly of the user's distinguished name.

This option is available when you select the Assemble LDAP option type.

Search Filter

Enter the name of the filter used to find the user's LDAP distinguished name.

This option is available when you select the Search LDAP option type.

Admin Search

Enable this option to perform an LDAP administrator search. By default, the search is an anonymous search.

This option is available when you select the Search LDAP option type.

Distinguished Name

Enter the distinguished name of an administrative user. The distinguished name is used in the bind for performing the LDAP search.

This option is available when Admin Search is enabled.

Secret

Enter the plain-text password for the administrative user.

This option is available when Admin Search is enabled.

Authentication Order

Order 1

Select one or more of the following authentication methods:

  • NONE—No authentication for the specified user.

  • Local—Use local authentication services.

  • LDAP—Use LDAP. The SRX Series Firewall uses this protocol to get user and group information necessary to implement the integrated user firewall feature.

  • Radius—Use RADIUS authentication services.

    If the RADIUS servers fail to respond or return a reject response, the device tries local authentication, provided Local is explicitly configured in the authentication order.

Order 2

Select the authentication method from the list.
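The following Junos CLI statements are an added example, not configuration taken from this page or generated by J-Web; they show how the fields in Table 1 (address assignment, local user, RADIUS server, LDAP server, LDAP options and authentication order) map onto the Junos `access profile` hierarchy. The profile name FW-AUTH, the pool name, the routing instance MGMT, all addresses, the base and bind distinguished names and every secret are constructed placeholders; the statement names are assumed from the standard `access profile` configuration hierarchy.

```junos
# Added example, not from the original page. All names, addresses and secrets
# below are constructed placeholders; replace them with your own values.

# Address pool referenced by the profile's Address Assignment field
set access address-assignment pool XAUTH-POOL family inet network 10.10.10.0/24

# Profile name: alphanumerics, ':', '.', '-', '_'; maximum 64 characters
set access profile FW-AUTH address-assignment pool XAUTH-POOL

# Authentication > Local: one local firewall user placed in a group
set access profile FW-AUTH client alice firewall-user password "LOCAL-PASSWORD-PLACEHOLDER"
set access profile FW-AUTH client alice client-group vpn-users

# Authentication > RADIUS: port 1812 (default), 3 retries, 5-second timeout
set access profile FW-AUTH radius-server 192.0.2.10 secret "RADIUS-SHARED-SECRET-PLACEHOLDER"
set access profile FW-AUTH radius-server 192.0.2.10 port 1812
set access profile FW-AUTH radius-server 192.0.2.10 retry 3
set access profile FW-AUTH radius-server 192.0.2.10 timeout 5
set access profile FW-AUTH radius-server 192.0.2.10 source-address 192.0.2.1
set access profile FW-AUTH radius-server 192.0.2.10 routing-instance MGMT

# Authentication > LDAP: port 389 (default), 3 retries, 10-second timeout
set access profile FW-AUTH ldap-server 192.0.2.20 port 389
set access profile FW-AUTH ldap-server 192.0.2.20 retry 3
set access profile FW-AUTH ldap-server 192.0.2.20 timeout 10
set access profile FW-AUTH ldap-server 192.0.2.20 source-address 192.0.2.1
set access profile FW-AUTH ldap-server 192.0.2.20 routing-instance MGMT

# LDAP Options: Search option type with Admin Search enabled, so the user's DN is
# looked up with an authenticated bind instead of the default anonymous search
set access profile FW-AUTH ldap-options base-distinguished-name "ou=users,dc=example,dc=com"
set access profile FW-AUTH ldap-options revert-interval 600
set access profile FW-AUTH ldap-options search search-filter "sAMAccountName="
set access profile FW-AUTH ldap-options search admin-search distinguished-name "cn=ldap-bind,ou=service,dc=example,dc=com"
set access profile FW-AUTH ldap-options search admin-search password "BIND-PASSWORD-PLACEHOLDER"

# Authentication Order: RADIUS first; "password" is the local user database, so
# a RADIUS timeout or reject falls back to the local user defined above only
# because it is listed here
set access profile FW-AUTH authentication-order [ radius password ]
```

The Assemble option type would replace the three `ldap-options search ...` lines with `set access profile FW-AUTH ldap-options assemble common-name cn`, which builds the DN as cn=<username>,<base distinguished name>. The source address given for each server must be an address configured on an interface in the named routing instance, and the secrets are stored in encrypted form once the configuration is committed.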