Admin Access Lock Setting - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Admin Access Lock Setting

Use password authentication for device administrators who need to configure or monitor the managed device. You can use this authentication method for device administrators on ScreenOS 5.x devices.

NOTE: All passwords handled by NSM are case-sensitive.

To configure authentication, enter a username, password, and privilege level for the device administrator account, and then select SSH Password Authentication.

To connect using an SSH-aware application, the device administrator (the SSH client) initiates an SSH connection to the managed device (the SSH server). When SSH is enabled on the interface receiving the connection request, the managed device prompts the admin for a username and password, and then compares that information to the information in the device admin account. If the username and password match, the device authenticates the connection; if they do not match, the device rejects the connection request.

Use Public Key Authentication (PKA) for greater security or to run automated scripts. You can use this authentication method for device administrators on a ScreenOS 5.x device.

To configure PKA, generate the PKA public/private key pair using the key generation program in an SSH client application (see the SSH client application documentation for more information). The key pair is RSA for SSHv1 and DSA for SSHv2. Assign the private key to the device administrator account, and then load the public key on the managed device using a TFTP server or SSP (ScreenOS 5.1 and later only).

To connect using an SSH-aware application, the device administrator (the SSH client) initiates an SSH connection to the managed device (the SSH server). When SSH is enabled on the interface receiving the connection request, the managed device prompts the admin for a username and public key (of a public/private key pair), and then compares that information with up to four public keys for that device admin account. If one of the keys matches, the device authenticates the connection; if no keys match, the device rejects the connection request.

When the managed device receives the connection request, it first checks the device administrator account for a public key bound to that administrator. If a matching key is found, the managed device authenticates the administrator using PKA; if no matching key is found, the managed device prompts for a username and password. You can store up to four PKA keys for each device administrator.

You must enable SSH on the interface through which the device administrator connects to the managed device using an SSH connection.
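The decision flow described above (PKA takes precedence when a key is bound to the account, at most four keys per administrator, case-sensitive password comparison, and the admin access lock after repeated failures) as a small model; this is an added example, not code from the guide or from ScreenOS. The `lock_after` threshold and the key strings are constructed assumptions, since the guide does not state the exact counter semantics.

```python
"""Constructed model of the ScreenOS admin SSH authentication flow (added example)."""
import hmac
from dataclasses import dataclass, field

MAX_PKA_KEYS = 4  # the guide allows up to four public keys per device admin account


@dataclass
class DeviceAdmin:
    name: str
    password: str
    public_keys: list = field(default_factory=list)
    failures: int = 0
    locked: bool = False

    def bind_key(self, key: str) -> None:
        """Bind a PKA public key; the device stores at most four per admin."""
        if len(self.public_keys) >= MAX_PKA_KEYS:
            raise ValueError("at most four PKA keys per admin account")
        self.public_keys.append(key)


def authenticate(admin: DeviceAdmin, offered_key=None, password=None, lock_after=1):
    """Return (accepted, method). lock_after is an assumed failure threshold
    for the admin access lock, not a value taken from the guide."""
    if admin.locked:
        return False, "locked"
    if admin.public_keys:
        # A key is bound to the account, so the device uses PKA and does not
        # fall back to a password; no match among the stored keys means reject.
        ok = any(hmac.compare_digest(k, offered_key or "") for k in admin.public_keys)
        method = "pka"
    else:
        # No key bound: the device prompts for username and password.
        # compare_digest is constant-time and, like NSM passwords, case-sensitive.
        ok = hmac.compare_digest(admin.password, password or "")
        method = "password"
    if ok:
        admin.failures = 0
        return True, method
    admin.failures += 1
    if admin.failures >= lock_after:
        admin.locked = True  # admin access lock engages on the account
    return False, method
```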
Admin access lock configuration locks an administrator who fails to authenticate before the configured timeout out of the specified account. If this option is disabled, you cannot set the authentication failure length, and the default value is set to 1. If this option
Copyright © 2010, Juniper Networks, Inc.