Managing Access Profiles
Creating an Access Profile
Specifying Basic Settings for an EX Series Switching Access Profile
Specifying RADIUS Accounting Settings for an EX Switching Access Profile
Specifying Basic Settings for a Campus Switching ELS Access Profile
Specifying RADIUS and LDAP Settings for Campus Switching ELS
Reviewing and Modifying the Access Profile Settings
What To Do Next

Creating and Managing Access Profiles

Access profiles enable authentication configuration for both methods and servers. Network Director supports the configuration of RADIUS, Lightweight Directory Access Protocol (LDAP), and local authentication as authentication methods, and RADIUS as an accounting method.

Use the Manage Access Profiles page to create new Access profiles and manage existing Access profiles.

This topic describes:

Managing Access Profiles

From the Manage Access Profiles page, you can:

Create a new Access profile by clicking Add. For directions, see Creating an Access Profile.
Modify an existing profile by selecting it and clicking Edit.
View information about an Access profile, including the interfaces it is associated with, by either clicking the profile name or by selecting the profile and clicking Details.
Delete an Access profile by selecting the Access profile and clicking Delete.

Tip:
You cannot delete profiles that are in use—that is, assigned to objects or used by other profiles. To see the current assignments for an Access profile, select the Access profile and click Details.
Clone a profile by selecting a profile and clicking Clone.

Tip:

The default Access profile named Juniper Networks-access-profile is always available.

Table 1 describes the information provided about Access profiles on the Manage Access Profiles page. This page lists all Access profiles defined for your network, regardless of the scope you selected in the network view.

Table 1: Manage Access Profile Fields
Field	Description
Profile Name	Name given to the profile when the profile was created.
Description	Description of the profile that was entered when the profile was created. Tip: To display the entire description, you might need to resize the Description column by clicking the column border in the heading and dragging it.
Family Type	The device family on which the profile was created: EX Switching or Campus Switching ELS.
Creation Time	Date and time when the profile was created.
Last Updated Time	Date and time when the profile was last modified.
User Name	The username of the person who created or modified the profile.

Tip:

All columns might not be displayed. To show or hide fields listed in the table, click the down arrow on the field header, select Columns, and select or clear the check box adjacent to the field that you want to show or hide.

Creating an Access Profile

In Network Director, you create an Access profile that is then used to authenticate network users. You can also specify servers to be used for user accounting purposes. You can create Access profiles for these kinds of hardware devices:

EX Series Switches—configure Basic Settings and optional Accounting Settings.
EX Series switches with ELS—configure Basic Settings and Server Settings.

To create an Access profile, follow these steps:

Under Views, select one of these options: Logical View, Location View, Device View or Custom Group View.
Tip:
Do not select Dashboard View , or Topology View.
Click in the Network Director banner.
Under Select View, select either Logical View, Location View, Device View or Custom Group View.
Tip:
Do not select Dashboard View or Topology View.
From the Tasks pane, select the type of network (Wired), the appropriate functional area (System or AAA), and select the name of the profile that you want to create. For example, to create a port profile for a wired device, click Wired > Profiles > Port. The Manage Profile page opens.
Click Add to add a new profile.
If you chose to create a profile for the wired network, Network Director opens the Device Family Chooser window.
1. From the Device Family Chooser, select the device family for which you want to create a profile. The available device families are Switching (EX), Campus Switching ELS (Enhanced Layer 2 Software) and Data Center Switching ELS.
2. Click OK.
  
  The Create Access Profile page for the selected device family is displayed.
Click Add.
The Device Family Chooser window opens.
From the Device Family Chooser, select the device family for which you want to create a profile. The available device families are Switching EX and Campus Switching ELS.
Click OK.
The Create Access Profile wizard for the selected device family opens—it consists of two sections: Basic Settings and RADIUS and LDAP configuration.
Specify the access settings for the Access profile by doing one of the following:
- For EX Series switches, specify the access settings described in online help, or in Specifying Basic Settings for an EX Series Switching Access Profile and Specifying RADIUS Accounting Settings for an EX Switching Access Profile.
- For Campus Switching ELS, specify the access settings as described in Specifying Basic Settings for a Campus Switching ELS Access Profile and Specifying RADIUS and LDAP Settings for Campus Switching ELS.
Click either Next or Review. The Review page appears.
You can either save your profile or make changes to your profile from the Review page. For directions, see Reviewing and Modifying the Access Profile Settings.
Click Done to save the Access profile.
The system saves the Access profile and then displays the Manage Access Profiles page. Your new or modified Access profile is listed in the table of Access profiles.

Specifying Basic Settings for an EX Series Switching Access Profile

Basic settings for EX Series switching Access profile include the profile name, authentication server order, and the RADIUS authentication details.

To configure the basic settings for an EX Series switch Access profile, enter the settings described in Table 2. Required settings are indicated in the user interface by a red asterisk (*) that appears next to the field label.

Table 2: Access Profile Basic Settings for EX Series Switches
Field	Action
Access Profile Details
Profile Name	Type a unique name that identifies the profile. You can use up to 64 characters for profiles created for wired devices. Profile name must not contain special characters or spaces. Note that profiles that are automatically created by Network Director as part of device discovery or out-of-band changes may contain the underscore (_) character.
Description	Type the description of the profile.
Revert Interval	Specify the number of seconds the switch waits after an authentication server becomes unreachable. The switch rechecks the connection to the server when the specified interval expires. Default is 3 seconds.
RADIUS Servers: Authentication
View	Select a server entry from the list and then click View to see the details of that entry.
Task: Create and add a new RADIUS server configuration	To both create and add a RADIUS server configuration to this Access profile for authentication: Click Add > Create RADIUS. The Create RADIUS Server window opens. Complete these fields: Server Name—Type the name of the RADIUS server that you want to create. Server Address—Type the IP address of the RADIUS server. Authentication Port—The default RADIUS authentication port is 1812. You can change the port number by using the up and down arrows. Secret—Provide a password. If the password contains spaces, enclose it in quotation marks. The secret password used by the switch must match the one used by the server. Expand the RADIUS server and change any of these configurations: Accounting Port—You can change the default port number (1813) by using the up and down arrows. Retry Count—Specify the number of times that a device attempts to contact the LDAP authentication server. The default retry count is 3. You can change this value by using the up and down arrows to 1 through 10 times. Timeout (seconds)—Specify the number of seconds the switch waits to receive a response from a RADIUS server. The default timeout is 5 seconds. You can change this value, using the up and down arrows, to 1 through 90 seconds. Click OK. The RADIUS server is automatically added to the list of authentication servers assigned to this Access profile. If you have more than one RADIUS server listed, you can use the arrows to reorder the list priority so that the most preferred RADIUS server is listed first.
Task: Add a previously configured RADIUS server for authentication	The RADIUS tab is selected by default for server configuration and configured RADIUS servers are listed on this Server Settings page. To add a previously configured RADIUS server to this Access profile for authentication: Click Add > Select RADIUS. A list of available configured RADIUS servers is displayed. Servers in this list were either automatically discovered or created by using the directions in Creating and Managing RADIUS Profiles . Select one or more RADIUS servers from the list of Available servers and use the arrows to move the server to the Selected list. Click OK. The RADIUS server is added to the list of authentication servers to be used with this Access profile. If you have more than one RADIUS server listed, you can use the arrows to reorder the login priority so that the most preferred RADIUS server is listed first.
Task: Delete a server	To delete a RADIUS server from this Access profile: Select a RADIUS server from the list. Click Delete. The RADIUS server is removed from the list of authentication servers to be used with this Access profile.

Proceed to the RADIUS Accounting settings for EX Switching Access profiles by clicking either Accounting Settings or Next. These settings are described in Specifying RADIUS Accounting Settings for an EX Switching Access Profile.

Specifying RADIUS Accounting Settings for an EX Switching Access Profile

Configure the settings listed in Table 3 for the Access profile Accounting Settings page. Accounting settings are optional in an Access profile. You can also specify accounting settings later by modifying an existing Access profile.

Table 3: Accounting Settings for an EX Switching Access Profile
Task	Description
View	Select a RADIUS server entry from the list and then click View to see the details of that entry.
Create a new RADIUS server for both authentication and accounting	To both create and add a RADIUS server configuration to this Access profile for both authentication and accounting: Note: A RADIUS profile must be configured for authentication in addition to accounting. Click Add > Create RADIUS. The Add RADIUS Server window opens. Complete these settings: Server Name—Type the name of the RADIUS server that you want to create. Server Address—Type the IP address of the RADIUS server. Authentication Port—The default RADIUS authentication port is 1812. You can change the port number by using the up and down arrows. Secret—Provide a password. If the password contains spaces, enclose it in quotation marks. The secret password used by the switch must match that used by the server. Expand the Advanced Settings section and change any default settings, including the accounting port: Note: If you do not change the accounting configuration, default values are used. Accounting Port—The default RADIUS accounting port is 1813. You can change the port number by using the up and down arrows. Retry Count—Specify the number of times that a device attempts to contact the RADIUS server. The default retry count is 3. You can change this value by using the up and down arrows to 1 through 10 times. Timeout (seconds)—Specify the number of seconds the switch waits to receive a response from the RADIUS server. The default timeout is 5 seconds. You can change this value, using the up and down arrows, to 1 through 90 seconds. Click OK. The RADIUS server is automatically added to the list of RADIUS accounting servers assigned to this Access profile. If you have more than one RADIUS server listed, you can use the arrows to reorder the list priority so that the most preferred RADIUS server is listed first.
Add a previously configured RADIUS server for accounting	A RADIUS server must already be configured before you can add that server for accounting. If the server was previously configured only for authentication, default accounting settings are applied. To add a RADIUS server for accounting: Expand the Accounting Settings section of the Server Settings page. This is where RADIUS accounting is configured. A list of configured RADIUS servers is displayed. Click Add > Select RADIUS. A list of eligible RADIUS servers is displayed. Servers on this list were either automatically discovered, created following the directions Creating and Managing RADIUS Profiles , or created on this page following the directions Create and add a new RADIUS server configuration. If the server was configured only for authentication, default accounting settings were applied—you can use those default settings. Select a RADIUS server from the list of Available servers and then use the arrows to move it to the list of Selected servers. Click OK. The RADIUS server is added to the list of accounting servers to be used with this Access profile. If the RADIUS server was previously configured only for authentication, default accounting settings are applied. If you have more than one RADIUS server listed, you can use the arrows to reorder the login priority so that the most preferred RADIUS server is listed first for accounting.
Delete a server	To delete a server from this Access profile: Select a server from the list. Click Delete. The server is removed from the list of servers to be used with this Access profile.

Proceed to the Access profile review by clicking either Review or Next.

Specifying Basic Settings for a Campus Switching ELS Access Profile

To configure the basic settings for a Campus Switching ELS Access profile:

Complete the basic settings and authentication order on the Create Access Profile for Campus Switching ELS page, as described in both the online help and in Table 4. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.

Table 4: Access Profile Basic Settings for Campus Switching ELS
Field	Action
Access Profile Details
Profile Name	Type a unique name that identifies the profile. Profile name must not contain special characters or spaces. Note that profiles that are automatically created by Network Director as part of device discovery or out-of-band changes might contain the underscore (_) character.
Description	Type the description of the profile.
Authentication Order Server settings depend on which authentication is done first, RADIUS or LDAP.
Authentication Order	Indicate whether to authenticate first with configured RADIUS servers or with configured LDAP servers by selecting the method from Based On. By default, RADIUS authentication using no password is selected for initial authentication. You can change this to RADIUS authentication with a password by selecting Password. Select LDAP to authenticate first with configured LDAP servers. Tip: LDAP is not supported for EX Switching devices.

Proceed to the Server Settings for Campus Switching ELS Access profiles by clicking either Server Settings or Next. The settings are described in Specifying RADIUS and LDAP Settings for Campus Switching ELS.

Specifying RADIUS and LDAP Settings for Campus Switching ELS

Configure either a RADIUS server, an LDAP server, or both, on the Server Settings page. A RADIUS server can provide both user accounting services and user authentication but you must be using the RADIUS server for authentication in order to use it for accounting. An LDAP server provides only user authentication. The server settings in this section determine the options used for the access servers in this Access profile.

Configure the Server settings for a Campus Switching ELS Access profile by following the directions in Table 5.

Table 5: Authentication and Accounting Server Settings for ELS Campus Switching
Task	Action
AAA: Authentication Server RADIUS servers are selected for configuration by default. RADIUS servers can do both authentication and accounting.
View configured servers in this profile	Select a server entry from the list and then click View to see the details of that entry.
Create and add a new RADIUS server for authentication	The RADIUS tab is selected by default for AAA Authentication Server configuration. To configure a RADIUS accounting server and add it to this Access profile: Click Add > Create RADIUS on the RADIUS tab. The Create RADIUS Server window opens. Provide the following RADIUS authentication server information: Server Name Server Address Authentication Port—The default RADIUS authentication port is 1812. You can change the port number by using the up and down arrows. Secret—Provide the authentication secret password. If the password contains spaces, enclose it in quotation marks. The secret password used by the local router must match the one used by the server. Optionally, expand the Advanced Settings for a RADIUS server and change any of these configurations: Accounting Port—You can change the default accounting port number (1813) by using the up and down arrows. Retry Count—Specify the number of times that a device attempts to contact the LDAP authentication server. The default retry count is 3. You can change this value by using the up and down arrows to 1 through 10 times. Timeout (seconds)—Specify the number of seconds the switch waits to receive a response from a RADIUS server. The default timeout is 5 seconds. You can change this value, using the up and down arrows, to 1 through 90 seconds. Click OK. The Create RADIUS Server window closes and the RADIUS server is automatically added to the list of RADIUS servers assigned to this Access profile. If you have more than one RADIUS server listed, you can use the arrows to reorder the list priority so that the most preferred RADIUS server is listed first.
Add a previously configured RADIUS server for authentication	The RADIUS tab is selected by default for server configuration and configured RADIUS servers are listed on this Server Settings page. To add a previously configured RADIUS server to this Access profile: Click Add > Select RADIUS on the RADIUS tab. The Select RADIUS Server window opens, displaying a list of available RADIUS servers is displayed. Servers on this list were either automatically discovered, created following the directions Creating and Managing RADIUS Profiles , or created on this page following the directions in Create and add a new RADIUS server configuration. Select one or more RADIUS servers from the list of previously configured RADIUS servers. Click OK. The Select RADIUS Server window closes and the RADIUS server is added to the list of RADIUS authentication servers to be used with this Access profile. Optionally, if you have more than one RADIUS server listed, use the arrows to reorder the login priority so that the most preferred RADIUS server is listed first.
Add a previously configured RADIUS server for accounting	A RADIUS server can provide both authentication and accounting. To configure accounting settings for a RADIUS server: Tip: In order to provide accounting, authentication must also be configured. Expand the RADIUS Accounting Servers section of the Server Settings. A list of RADIUS servers configured for accounting is displayed. Click Add > Select RADIUS. The Select RADIUS Server window opens, displaying a list of eligible RADIUS servers is displayed. Servers on this list were either automatically discovered, created following the directions Creating and Managing RADIUS Profiles , or created on this page following the directions Create and add a new RADIUS server configuration. Select one or more RADIUS servers from the list of previously configured RADIUS servers. Click OK. The Select RADIUS Server window closes and the RADIUS server is added to the list of RADIUS Accounting Servers to be used with this Access profile. Optionally, if you have more than one RADIUS server listed, use the arrows to reorder the login priority so that the most preferred RADIUS server is listed first.
Create and add a new RADIUS server for both authentication and accounting	RADIUS is the only server selection available for accounting. To configure a RADIUS server for both authentication and accounting, and add it to this Access profile: Under RADIUS Accounting Server, click Add > Create RADIUS. The Create RADIUS Server window opens. Provide the following RADIUS authentication server information: Server Name Server Address Authentication Port—The default RADIUS authentication port is 1812. You can change the port number by using the up and down arrows. Secret—Provide the authentication secret password. If the password contains spaces, enclose it in quotation marks. The secret password used by the local router must match that used by the server. Expand the Advanced Settings and change any of these configurations: Accounting Port—You can change the default port number (1813) by using the up and down arrows. Retry Count—Specify the number of times that a device attempts to contact the LDAP authentication server. The default retry count is 3. You can change this value by using the up and down arrows to 1 through 10 times. Timeout (seconds)—Specify the number of seconds the switch waits to receive a response from a RADIUS server. The default timeout is 5 seconds. You can change this value, using the up and down arrows, to 1 through 90 seconds. Click OK. The Create RADIUS Server window closes and the RADIUS server is automatically added to the list of RADIUS Accounting Servers assigned to this Access profile. If you have more than one RADIUS accounting server listed, you can use the arrows to reorder the list priority so that the most preferred RADIUS server is listed first.
Create and add a new LDAP authentication server	Tip: LDAP servers can be configured for Campus Switching ELS. To configure a new LDAP authentication server and add it to this Access profile: Click the LDAP tab to display the LDAP settings. Provide a Base Distinguished Name for the LDAP server. LDAP APIs reference an LDAP object by its distinguished name (DN), which is a sequence of relative distinguished names (RDN) connected by commas—for example, DC=eng, DC=Juniper Networks, DC=com. You can do an LDAP query to determine the DN for the LDAP server. Click Add > Create LDAP. The Create LDAP Server window opens. Provide the following LDAP server information: Server Name Server Address Server Port—The default LDAP server port is 389. You can change the port number by using the up and down arrows. Optionally provide the following Advanced LDAP server information after expanding the Advanced Settings section: Timeout (seconds)—Specify the number of seconds the switch waits to receive a response from a RADIUS server. The default timeout is 5 seconds. You can change this value, using the up and down arrows, to 1 through 90 seconds. Retry—Specify the number of times that a device attempts to contact the LDAP authentication server. The default retry count is 5. You can change this value by using the up and down arrows to 1 through 10 times. Click OK. The Create LDAP Server window closes and the LDAP server is added to the list of LDAP servers.
Add a previously configured LDAP server for authentication	Tip: LDAP servers can be configured for Campus Switching ELS. To add a previously configured LDAP authentication server to this Access profile: Click the LDAP tab to display the LDAP settings. Provide a Base Distinguished name for the LDAP server. LDAP APIs reference an LDAP object by its distinguished name (DN), which is a sequence of relative distinguished names (RDN) connected by commas. You can do an LDAP query to determine the DN for the LDAP server. Click Add > Select LDAP. The Select LDAP Server window opens, displaying a list of configured LDAP servers displayed. Servers on this list were either automatically discovered, or created following the directions Creating and Managing LDAP Profiles, or created by clicking Add > Create LDAP on this page. Select one or more LDAP servers from the list. Click OK. The Select LDAP Server window closes and selected LDAP servers are added to the list of LDAP authentication servers to be used with this Access profile. Optionally, use the arrows to reorder the LDAP servers so that the most preferred LDAP server is listed first. Tip: LDAP is not supported for EX Switching devices.
Delete a server	To delete any server from this Access profile: Select a server from the list. Click Delete. The server is removed from the list of servers to be used with this Access profile.

Reviewing and Modifying the Access Profile Settings

From this page, you can save or make changes to a Access profile:

To make changes to the profile, click Edit associated with the configuration to be changed.

Alternatively, you can click the appropriate sections in the profile workflow at the top of the page that corresponds to the configuration to be changed.

When you are finished with your modifications, click Review to return to this page.
To save a new profile or to save modified settings to an existing profile, click Finish.

You will be returned to the Manage Access Profiles page. Your new or modified Access profile is listed in the table of Access profiles.

What To Do Next

After you create an Access profile, you can do one of the following:

For switching devices, configure Access profile as a attribute while assigning Port profiles to interfaces. For more information see Creating and Managing Port Profiles.