Creating Access Profiles

Access Profile Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. Maximum length is 255 characters.

Description

Enter a description for the access profile; maximum length is 255 characters.

Device Type

Select the device type as either Root or Tenant Systems (TSYS).

Device

Select these devices from the Available column and move them to the Selected column.

You can also search for the devices in the search field in both the Available and Selected columns. You can search these devices by entering the device name, device IP address, or device tag.

Local

Select Local to configure local authentication services.

Select an address pool for allocation to users.

An address pool is a set of Internet Protocol (IP) addresses available for allocation to users, such as in host configurations with the DHCP. An address-assignment pool supports IPv4 address. You can create centralized IPv4 address pools independent of the client applications that use the pools.

To create an address pool:

1. Click Create Address Pool.

   The Create Address Pool page is displayed.

2. Enter the following details:

   • Pool Name—Enter the name of the address pool.

   • Network Address—Enter the network address used by the address pool.

   • Primary DNS Server-Enter the primary DNS IP address.

   • Secondary DNS Server—Enter the secondary DNS IP address.

   • Primary WINS Server—Enter the primary Windows IP address.

   • Secondary WINS Server—Enter the secondary Windows IP address.

   Click the + icon to configure a named range of IPv4 addresses, used within an address-assignment pool. Enter the lower and upper limit of an address range.

To create a new local authentication user:

1. Click +.

   The Create Local Authentication User page appears.

2. Enter the following details:

   • User Name—Enter the user name of the user requesting access.

   • Password—Enter the user password.

   • XAUTH IP Address—Enter the IPv4 address for the client.

   • Group—Enter the group name to store several user accounts together.

3. Click OK to save changes.

To edit, select the local authentication user configuration and click the pencil icon.

To delete, select the local authentication user configuration and click the delete icon.

RADIUS

Select RADIUS to configure RADIUS authentication services.

To create a new RADIUS server:

1. Click +.

   The Create RADIUS Server page appears.

2. Enter the following details:

   • Address—Enter the IPv4 address of the RADIUS server.

   • Secret—Enter the secret password to access the RADIUS server.

   • Port—Enter the port number on which to contact the RADIUS server.

     Range is 1 through 65535. Default is 1812.

   • Retry—Enter the number of retries that a device can attempt to contact a RADIUS server.

     Range is 1 through 100 seconds.

   • Routing Instance—Enter the routing instance name.

   • Source Address—Enter a source IP address configured on one of the device’s interfaces.

   • Timeout—Enter the amount of time that the local device waits to receive a response from a RADIUS authentication server.

     Range is 1 through 1000 seconds.

3. Click OK to save changes.

To edit, select the RADIUS server configuration and click the pencil icon.

To delete, select the RADIUS server configuration and click the delete icon.

LDAP

Select LDAP to configure LDAP authentication services.

To create a new LDAP server:

1. Click +.

   The Create LDAP Server page appears.

2. Enter the following details:

   • Address—Enter the IPv4 address of the LDAP server.

   • Port—Enter the port number on which to contact the LDAP server.

     Range is 1 through 65535. Default is 389.

   • Retry—Enter the number of retries that a device can attempt to contact an LDAP server.

     Range is 1 through 10 seconds.

   • Routing Instance—Enter the routing instance name.

   • Source Address—Enter a source IP address configured on one of the device’s interfaces.

   • Timeout—Enter the amount of time that the local device waits to receive a response from an LDAP authentication server.

     Range is 3 through 90.

3. Click OK to save changes.

To edit, select the LDAP server configuration and click the pencil icon.

To delete, select the LDAP server configuration and click the delete icon.

Base Distinguished Name

Specify the base distinguished name that defines the user.

Revert Interval

Specify the amount of time that elapses before the primary server is contacted if a backup server is being used.

LDAP Option Type

Select assemble or search.

Assemble specifies that a user’s LDAP distinguished name (DN) is assembled using a common name identifier, the username, and base distinguished name.

Search specifies that a search is used to get a user's LDAP distinguished name (DN). The search is performed based on the search filter and the part typed in by the user during authentication.

Authentication Order

Order 1

Configure the order in which the different user authentication methods are tried when a user attempts to log in. For each login attempt, the method for authentication starts with the first one, until the password matches.

The method can be one or more of the following:

• NONE—No authentication for the specified user.

• Local—Use local authentication services.

• LDAP—The SRX Series device uses this protocol to get user and group information necessary to implement the integrated user firewall feature.

• Radius—Use RADIUS authentication services.

  If RADIUS servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

Order 2

Configure the next authentication method if the authentication method included in the authentication order option is not available, or if the authentication is available but returns a reject response.