Table 15: How To Authenticate Users; Radius Authentication And Authorization - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide
68
For remotely authenticated administrators, a RADIUS authentication server handles
authentication. Because the administrator password is stored on the RADIUS server,
you do not need to enter the password again; however, the administrator must enter
the password at the NSM UI login screen.
To configure the RADIUS authentication server for NSM administrators, see the Network
and Security Manager Online Help topic "Editing the Domain Contact."
NOTE: The super administrator has full permissions. You cannot change or delete
permissions for the super administrator; you can only change the password. Because
the super administrator has complete control over NSM functionality, we recommend
that you consider the security of the super administrator password appropriately. If you
forget or lose the super administrator password, please contact the Juniper Technical
Assistance Center (JTAC).

RADIUS Authentication and Authorization

NSM supports both local and RADIUS user authentication. It manages access control
both through the local database and through the RADIUS server.
You are not required to define RADIUS users in the local NSM database. The AUTH
Handler first looks in the local database for the user and then, if no match is found,
looks to the RADIUS server. You can also define the role assignment for each user
directly from the RADIUS server.
NOTE: You must configure your RADIUS server individually for each domain.
NSM also supports a secondary RADIUS server for administrator authentication and
authorization when the primary RADIUS server cannot be contacted.
There are two kinds of users: local users and RADIUS users. The local user is created
locally and authentication data is stored in the local database. The default authentication
mode is local mode. The RADIUS user is created only on a RADIUS server and can only
be authenticated using a remote RADIUS server.
There are also two kinds of authentication modes for NSM users: local mode and RADIUS
mode. Both the user and the domain can define these modes. The domain's authentication
mode is applied to all the users within it. The user's authentication mode has a higher
priority and can override the domain's mode.
The NSM user is authenticated based on the rules listed in Table 15 on page 68.

Table 15: How to Authenticate Users

Rule  User in Local Database  User Auth Mode  Domain Auth Mode  Authentication Results       Authorization
1     Defined                 Local           Local             Authenticates user locally.  Local

Copyright © 2010, Juniper Networks, Inc.
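The decision flow described in this section (local lookup first, user mode overriding domain mode, secondary RADIUS server used only when the primary cannot be contacted) can be modeled as follows. This is an added illustration, not NSM code: the function names, record layout, sample users and the stand-in server callables are assumptions, as is the handling of a locally defined user whose mode is RADIUS.

```python
import hashlib
import hmac

LOCAL, RADIUS = "local", "radius"

class Unreachable(Exception):
    """A RADIUS server that could not be contacted (for example, a timeout)."""

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def radius_auth(servers, user, password):
    """Primary, then secondary; move on only when a server cannot be contacted."""
    for name, ask in servers:
        try:
            return ask(user, password), name  # accept or reject: the answer is final
        except Unreachable:
            continue
    return False, None  # no server answered: fail closed

def authenticate(user, password, local_db, domain_mode, servers):
    """Return (accepted, decided_by)."""
    rec = local_db.get(user)
    if rec is None:  # no local match: look to the RADIUS server
        return radius_auth(servers, user, password)
    # The user's own mode, when set, overrides the domain's mode.
    mode = rec["mode"] if rec["mode"] is not None else domain_mode
    if mode == LOCAL:
        ok = hmac.compare_digest(rec["hash"], hash_pw(password, rec["salt"]))
        return ok, LOCAL
    return radius_auth(servers, user, password)

# Constructed sample data (not taken from NSM).
SALT = b"constructed-salt"
LOCAL_DB = {
    "alice": {"mode": LOCAL, "salt": SALT, "hash": hash_pw("local-pw", SALT)},
    "bob": {"mode": RADIUS, "salt": SALT, "hash": hash_pw("unused", SALT)},
}
RADIUS_USERS = {"bob": "radius-pw", "carol": "radius-pw"}

def up(user, password):  # stand-in for a reachable RADIUS server
    expected = RADIUS_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def down(user, password):  # stand-in for a server that cannot be contacted
    raise Unreachable()

if __name__ == "__main__":
    print(authenticate("bob", "radius-pw", LOCAL_DB, LOCAL, [("primary", down), ("secondary", up)]))
```

The model shows two properties worth checking in any such deployment: a reject from a server that answered is never retried against the secondary, and when no server answers the result is a denial.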
