Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 446

Network and Security Manager Administration Guide
Enable Sending Calling-Station-ID—When selected, the security device transmits the
calling station ID within the access or accounting request to the RADIUS authentication
server. Because the ID identifies the originator of the call (either the IKE IP address for
XAuth or the phone number of the user originating the call), you might not want to
send this information to the server. By default, this option is disabled; the device does
not send the calling station ID to the server.
Length of Account Session ID Attribute—The byte length of the account-session-id,
which uniquely identifies the accounting session. By default, the byte length is 11, and
follows the format NS-xxxxxxxx. Because some RADIUS servers do not properly accept
an 11-byte account session ID, you might want to configure a lower byte length that
does not include the "NS-" prefix. To configure, enter a byte length from 6 to 10.
Separation of Authentication and Accounting Functions—In the XAuth and L2TP
authentication process, RADIUS accounting was coupled with RADIUS authentication.
As a result, an unavailable accounting service on the server or network topology policy
limitations could abort the authentication process even if correct information was
provided. You can separate the authentication and accounting functions by specifying
different RADIUS authentication and accounting servers. In ScreenOS devices running
6.2 and later, you can enable or disable the accounting function, but not the
authentication function. You can configure the RADIUS server accounting port as a
value in the range of 1024 - 65535.
From the NSM UI:
From Edit device > VPN Settings > Defaults, configure the following in the XAuth
and L2TP sections: Default Accounting Server from the drop-down list, and the Disable
Default Accounting checkbox.
From Edit device > VPN Settings > Gateway Entry, configure the following in the IKE
IDs/XAuth tab: Accounting Server Name from the drop-down list, and the Disable
Accounting checkbox.
From Edit device > VPN Settings > L2TP Entry, configure the following in the Auth
Server > Use Custom Settings: Accounting Server Name from the drop-down list,
and the Disable Accounting checkbox.
From Edit Device > VPN Settings > L2TP Entry, configure the following in Accounting
Settings: Select Accounting server name from the drop-down list, and the Disable
Accounting checkbox.
Supported User Types
A RADIUS server supports the following user types:
Auth users
L2TP users (authentication and remote settings)
XAuth users (authentication and remote settings)
Admin users (authentication and privilege assignments)
User groups
A RADIUS server does not support IKE users.
Copyright © 2010, Juniper Networks, Inc.
