Copyright © 2010, Juniper Networks, Inc.

NOTE: The Import Admin directive lists only ScreenOS devices.

Related Documentation

Device Administration Options for ScreenOS Devices Overview on page 148
Device Administrator Authentication Overview on page 149
Device Administrator Account Configuration Overview on page 150

Device Administrator Authentication Overview
To authenticate device administrators when they attempt to connect to the security
device, you can use the default authentication server (on the device) or an external
authentication server.
The root device administrator is always stored and authenticated using the local database;
however, for non-root read/write and read-only device admins (including vsys device
admins), you can specify an external auth server (RADIUS, SecurID, or LDAP server) that
stores device administrator accounts. To select an external server from the auth server
list, you must have already created and configured an Authentication Server object in
the NSM UI.
By default, authentication and accounting are both performed by the same RADIUS auth server. For XAuth and L2TP user types (in ScreenOS 6.2), you can configure separate RADIUS servers for authentication and accounting: XAuth and L2TP users can disable the default accounting and configure a different RADIUS server for accounting.
After the device administrator is authenticated, the auth server checks the privilege level of the device admin. A privilege level defines the privileges that are available to the device admin after successfully logging in to the device. The privilege level is determined as follows:
For device administrators stored in the local database, the security device uses the privilege level specified in the local device administrator account.

For device administrators stored on an external auth server, select one of the following privilege settings:

Get privilege from RADIUS server—Select this option to query a RADIUS server for all external device administrator privileges. The RADIUS server must contain the device administrator accounts and netscreen.dct (Juniper Networks dictionary file).

Read-Write, Read-Only—Select a privilege level that applies to all external device administrators. Although the device administrator accounts are stored on the external server, the security device provides the device administrator privilege level. Use this option when storing accounts on a SecurID or LDAP server, or when using a RADIUS server that does not contain the Juniper Networks dictionary file. By default, the external device administrator privilege level is set to Read-Only.
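The two privilege settings above differ in who supplies the level: with "Get privilege from RADIUS server" it arrives in a vendor-specific attribute (RFC 2865 attribute 26) that the Juniper dictionary defines, while with a fixed Read-Write/Read-Only setting the device ignores whatever the server sent. The following Python is an added illustration of that resolution logic, not ScreenOS or NSM code. It parses a constructed RADIUS Access-Accept, extracts the NetScreen vendor attribute, and falls back the way the text describes. The vendor sub-attribute number, the value codes and the packet bytes are assumptions (the real definitions are in netscreen.dct); the NetScreen vendor ID 3224 is assumed to match the dictionary.

```python
"""
Resolve a device administrator's privilege level: a local account carries its
own level; an external account either takes the level a RADIUS server returns
in a vendor-specific attribute (VSA) or the fixed Read-Write/Read-Only level
configured on the device (Read-Only by default).

Added example, not ScreenOS/NSM code. PRIV_VSA_TYPE, PRIV_CODES and the packet
bytes are constructed placeholders; the real definitions live in netscreen.dct.
"""
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute
NETSCREEN_VENDOR_ID = 3224  # IANA enterprise number for NetScreen (assumed to match netscreen.dct)
PRIV_VSA_TYPE = 1           # placeholder sub-attribute number; take the real one from netscreen.dct
PRIV_CODES = {1: "Read-Write", 2: "Read-Only"}   # placeholder value codes


def parse_radius(packet):
    """Return (code, [(type, value), ...]) for a RADIUS packet; reject bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def radius_privilege(packet):
    """Privilege name carried in the NetScreen VSA of an Access-Accept, or None."""
    code, attrs = parse_radius(packet)
    if code != RADIUS_ACCESS_ACCEPT:
        return None
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != NETSCREEN_VENDOR_ID:
            continue                      # another vendor's attribute
        vtype, vlen = value[4], value[5]  # vendor-length covers type, length and data
        if vlen != len(value) - 4:
            continue                      # malformed vendor sub-attribute, ignore it
        if vtype == PRIV_VSA_TYPE and vlen == 6:
            return PRIV_CODES.get(struct.unpack("!I", value[6:10])[0])
    return None


def resolve_privilege(account, access_accept, external_policy):
    """
    account: {"name": ..., "local": bool, "privilege": level (local accounts only)}
    external_policy: "radius" (Get privilege from RADIUS server) or a fixed
    level, "Read-Write" or "Read-Only". Assumes authentication already succeeded.
    """
    if account["local"]:
        # Root and other locally stored admins: the level is in the local account.
        return account["privilege"]
    if external_policy == "radius":
        level = radius_privilege(access_accept)
        if level is None:
            # Server lacks the Juniper dictionary or omitted the attribute; this
            # option requires it, so no level can be granted.
            raise LookupError("RADIUS server returned no admin privilege attribute")
        return level
    # Fixed level: the device, not the external server, supplies the privilege.
    return external_policy


def build_access_accept(ident, privilege_code=None):
    """Constructed Access-Accept for testing (authenticator zeroed, not validated)."""
    attrs = b""
    if privilege_code is not None:
        vsa = (struct.pack("!I", NETSCREEN_VENDOR_ID)
               + bytes([PRIV_VSA_TYPE, 6]) + struct.pack("!I", privilege_code))
        attrs = bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + b"\x00" * 16 + attrs


if __name__ == "__main__":
    ops = {"name": "ops-admin", "local": False}
    print(resolve_privilege(ops, build_access_accept(1, 1), "radius"))     # Read-Write
    print(resolve_privilege(ops, build_access_accept(2, 1), "Read-Only"))  # Read-Only
```

The fixed-level branch is why the text recommends Read-Write/Read-Only for SecurID, LDAP, or a RADIUS server without the dictionary: the device never has to trust an attribute those servers cannot send, and the default of Read-Only keeps a misconfigured server from granting more than intended.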
Related Documentation

Device Administrator Account Configuration Overview on page 150
Supporting Admin Accounts for Dialup Connections on page 153

Chapter 5: Administration 149