Add an Access Profile

You are here: Security Services > Firewall Authentication > Access Profile.

To add an access profile:

  1. Click + on the upper-right corner of the Access Profile page.

    The Create Access Profile page appears.

  2. Complete the configuration according to the guidelines provided in Table 1.
  3. Click OK to save the changes. If you want to discard your changes, click Cancel.

Table 1: Fields on the Access Profile Page

Field / Description

Name

Enter a name for the access profile. The name must be a unique string of alphanumeric characters, colons, periods, dashes, and underscores. Maximum length is 64 characters.

Address assignment

Select an address pool from the list that can be used by different client applications.

Click Create Address Pool to add a new address pool. For more information on creating a new address pool, see Add an Address Pool.

Note:

If you have selected an address pool in Address Assignment, you need not assign an address pool for LDAP while creating allowed groups.

Note:

On platforms with the junos-ike package installed, address assignment supports IPv6 addresses in Juniper Secure Connect > Local Gateway > User Authentication > Create Access Profile > Create Address Pool.

Authentication

Local

Select Local to configure local authentication services.

To create a new local authentication user:

  1. Click +.

    The Create Local Authentication User page appears.

  2. Enter the following details:

    • Username—Enter the user name of the user requesting access.

    • Password—Enter the user password.

    • XAUTH IP Address—Enter the IPv4 address for the client.

    • Group—Enter the group name to store several user accounts together.

  3. Click OK to save changes.

To edit, select the local authentication user configuration and click the pencil icon.

To delete, select the local authentication user configuration and click the delete icon.

RADIUS

Select RADIUS to configure RADIUS authentication services.

To create a new RADIUS server:

  1. Click +.

    The Create RADIUS Server page appears.

  2. Enter the following details:

    • Address—Enter the IPv4 or IPv6 address of the RADIUS server.

    • Secret—Enter the shared secret used to authenticate the device to the RADIUS server.

    • Port—Enter the port number on which to contact the RADIUS server.

      Range is 1 through 65535. Default is 1812.

    • Source virtual router—Select the source virtual router from the list.

    • Source interface—Select a source interface (with an IP address configured) from the list. The IP address of that interface is used as the source address.

    • Timeout—Enter the amount of time that the local device waits to receive a response from a RADIUS authentication server.

      Range is 1 through 1000 seconds. Default is 3.

    • Retry—Enter the number of retries that a device can attempt to contact a RADIUS server.

      Range is 1 through 100 seconds. Default is 3.

  3. Click OK to save changes.

To edit, select the RADIUS server configuration and click the pencil icon.

To delete, select the RADIUS server configuration and click the delete icon.

LDAP

Select LDAP to configure LDAP authentication services.

To create a new LDAP server:

  1. Click +.

    The Create LDAP Server page appears.

  2. Enter the following details:

    • Address—Enter the IPv4 or IPv6 address of the LDAP server.

    • Port—Enter the port number on which to contact the LDAP server.

      Range is 1 through 65535. Default is 389.

    • Source virtual router—Select the source virtual router from the list.

    • Source interface—Select a source interface (with an IP address configured) from the list. The IP address of that interface is used as the source address.

    • Timeout—Enter the amount of time that the local device waits to receive a response from an LDAP authentication server.

      Range is 3 through 90. Default is 5.

    • Retry—Enter the number of retries that a device can attempt to contact an LDAP server.

      Range is 1 through 10 seconds. Default is 5.

  3. To configure LDAP over TLS/SSL, enter the following:

    • Start TLS—Enable to configure LDAP over StartTLS.

    • Peer name—Enter the peer hostname in FQDN format.

    • Timeout—Enter the number of seconds to wait for the secure handshake to be initiated and completed.

      Range is 3 through 90 seconds. Default is 5.

    • Minimum version—Select the minimum TLS protocol version the device accepts when negotiating the TLS connection with the LDAP server. Default is v1.2.

    • Certification check—Enable the certification check so that the device validates the LDAP server's certificate. Without it, the StartTLS session is encrypted but the server's identity is not verified.

  4. Click OK to save changes.

To edit, select the LDAP server configuration and click the pencil icon.

To delete, select the LDAP server configuration and click the delete icon.

LDAP Options

Base Distinguished Name

Enter the base distinguished name that defines the user's basic properties.

For example, in the base distinguished name o=juniper, c=us, c stands for country and o for organization.

Revert Interval

Specifies the amount of time that elapses before the device tries the primary server again while a backup server is in use.

Use the up/down arrows to set the revert interval.

Range is 60 through 4294967295.

LDAP Option Type

Select an LDAP option from the list:

  • None—No user LDAP distinguished name (DN) is used.

  • Assemble—Indicates that a user's LDAP DN is assembled from a common name identifier, the username, and the base distinguished name.

  • Search—Indicates that a search is used to get a user's LDAP DN. The search is performed based on the search filter and the search text typed in by the user during authentication.

Common Name

Enter a common name identifier used as a prefix for the username during the assembly of the user's distinguished name.

This option is available when you select Assemble LDAP option type.

Search Filter

Enter the name of the filter used to find the user's LDAP distinguished name.

This option is available when you select Search LDAP option type.
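As an added example that is not part of this J-Web page or of Junos, the following Python models how the Assemble and Search option types turn the username typed at sign-in into a user DN or a search filter. Function and parameter names are assumptions; it assumes the configured search filter is an attribute prefix such as uid= to which the username is appended, and it escapes the username as RFC 4514 and RFC 4515 require so that characters typed at sign-in cannot change the structure of the DN or the filter.

```python
"""Model of the J-Web 'LDAP Option Type' choices Assemble and Search (added example)."""

# Characters RFC 4514 requires to be backslash-escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name (RFC 4514).
    Special characters anywhere, a leading space or '#', and a trailing space are escaped."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in ' #'
        trailing = i == last and ch == ' '
        out.append('\\' + ch if ch in _DN_SPECIAL or leading or trailing else ch)
    return ''.join(out)


def assemble_dn(common_name: str, username: str, base_dn: str) -> str:
    """Assemble option: '<common name>=<username>' prefixed to the base distinguished name.
    With common_name='cn', username='alice' and base 'o=juniper,c=us' this yields
    'cn=alice,o=juniper,c=us'."""
    return f"{common_name}={escape_dn_value(username)},{base_dn}"


def escape_filter_value(value: str) -> str:
    """Escape a value placed inside an LDAP search filter (RFC 4515).
    Backslash is handled first so the escapes it introduces are not re-escaped."""
    return (value.replace('\\', '\\5c')
                 .replace('*', '\\2a')
                 .replace('(', '\\28')
                 .replace(')', '\\29')
                 .replace('\x00', '\\00'))


def build_search_filter(search_filter: str, username: str) -> str:
    """Search option: the configured filter name (assumed to be a prefix such as 'uid=')
    combined with the username typed by the user during authentication."""
    return f"({search_filter}{escape_filter_value(username)})"
```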

Admin Search

Enable this option to bind as an administrative user before performing the LDAP search. By default, the search is performed with an anonymous bind.

This option is available when you select Search LDAP option type.

Distinguished Name

Enter the distinguished name of an administrative user. The distinguished name is used in the bind for performing the LDAP search.

This option is available when Admin Search is enabled.

Secret

Enter the plain-text password for the administrative user.

This option is available when Admin Search is enabled.

Allowed groups

Note:

Starting in Junos OS Release 23.2R1, J-Web supports the Allowed Groups option on the Access Profile page. This option is not supported on the SRX300 line of Firewalls or on the SRX550HM Firewall.

Configure the groups that are allowed to sign in. You can configure a maximum of 32 groups, and the group list is limited to 255 bytes.

The order in which the membership attribute is received from the LDAP server determines how a user is associated with the configured (allowed) groups. To match the user, the first group in the list received from the LDAP server that matches any of the configured groups is used.

Any user who is a member of more than one group can obtain resources from either group, depending on the order of the LDAP server's response. To ensure that the user is assigned the intended resource with certainty, it is recommended that the user belong to only one group.

To configure allowed groups:

  1. Click + above the Allowed Groups grid.

  2. Enter a group name.

  3. Select an address pool from the list. If you want to create a new address pool, click Create Address Pool. See Add an Address Pool.

    Note:

    This step is optional if you have already selected an address pool in the Address Assignment option.

  4. Click the tick icon to save changes. If you want to discard changes, click X instead.

You can also edit and delete allowed groups using the edit icon and delete icon respectively.
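The first-match rule and the limits described above, as an added Python model that is not part of this page or of Junos: allowed groups map to address pools, the membership list is walked in the order the LDAP server returned it, and a helper lists the users whose pool would depend on that order. Group names, pool names and the function names are assumptions (constructed sample values); how Junos itself compares the membership attribute is not shown on the page.

```python
"""Allowed-groups matching for an access profile (added example, not Junos code)."""
from typing import Dict, List, Optional, Tuple

MAX_GROUPS = 32        # limit on configured allowed groups stated on the page
MAX_LIST_BYTES = 255   # limit on the group list stated on the page

# Maps allowed group name -> address pool; None means "use the profile-level pool"
# (the optional step 3 when Address Assignment already selected a pool).
AllowedGroups = Dict[str, Optional[str]]


def validate_allowed_groups(allowed: AllowedGroups) -> None:
    """Reject a configuration that exceeds the limits given on the page."""
    if len(allowed) > MAX_GROUPS:
        raise ValueError(f"at most {MAX_GROUPS} allowed groups may be configured")
    size = len(",".join(allowed).encode())
    if size > MAX_LIST_BYTES:
        raise ValueError(f"group list is {size} bytes, limit is {MAX_LIST_BYTES}")


def select_group(member_of: List[str], allowed: AllowedGroups,
                 profile_pool: Optional[str]) -> Optional[Tuple[str, Optional[str]]]:
    """Return (group, pool) for the first group in the server's membership list that is
    an allowed group, or None when the user is in no allowed group (sign-in denied).
    The order is the LDAP server's response order, not the configured order."""
    for group in member_of:
        if group in allowed:
            return group, allowed[group] or profile_pool
    return None


def users_in_multiple_groups(memberships: Dict[str, List[str]],
                             allowed: AllowedGroups) -> Dict[str, List[str]]:
    """Audit helper: users that belong to more than one allowed group, i.e. users whose
    assigned pool depends on the order of the LDAP server's response."""
    return {user: [g for g in groups if g in allowed]
            for user, groups in memberships.items()
            if sum(g in allowed for g in groups) > 1}


if __name__ == "__main__":
    # Constructed sample data: two allowed groups with different pools.
    allowed = {"vpn-admins": "POOL-ADMIN", "vpn-staff": "POOL-STAFF"}
    validate_allowed_groups(allowed)
    # Same user, two response orders, two different pools.
    print(select_group(["vpn-admins", "vpn-staff"], allowed, None))
    print(select_group(["vpn-staff", "vpn-admins"], allowed, None))
    print(users_in_multiple_groups({"alice": ["vpn-admins", "vpn-staff"]}, allowed))
```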

Authentication Order

Order 1

Select one or more of the following authentication methods:

  • NONE—No authentication for the specified user.

  • Local—Use local authentication services.

  • LDAP—Use LDAP. The SRX Series Firewall uses this protocol to get user and group information necessary to implement the integrated user firewall feature.

  • Radius—Use RADIUS authentication services.

    If the RADIUS servers fail to respond or return a reject response, the device tries local authentication, provided Local is explicitly configured in the authentication order.

Order 2

Select the authentication method from the list.