Table of Contents
Advertisement
Network and Security Manager Administration Guide
402
For server port, enter 4500 (default is 1645)
For secret, enter A56hYY97kl
For retry timeout, select 4.
Click OK to save the RADIUS authentication server object.
7.
Load the Juniper Networks dictionary file on the RADIUS server.
8.
Configuring a SecurID Authentication Server
Security devices also support the RSA SecurID system. The device acts as a SecurID
client, forwarding authentication requests to the external server for approval and relaying
login information between the user and the server. Each SecurID user has three
authentication credentials:
User Name
Personal identification number (PIN)
Authenticator—a SecurID issued device with an LCD screen that displays a token code,
a randomly generated string of numbers that changes every minute. The authenticator
uses an algorithm known only by RSA to create the token code that appears in LCD
screen; when users enter their username, their PIN, and the token code from their
authenticator, the RSA ACE server also performs the same algorithm, generating a
match between the server and the user.
When users log in, the SecurID client (the security device) prompts them for their user
name, their PIN, and the current token code. The device compares the user input against
value generated by the RSA ACE server algorithm. If the values match, the authentication
is successful.
For a SecurID authentication server object, you must configure the following:
Authentication Port—The port number on the SecurID ACE server to which the security
device sends authentication requests. The default port number is 5500.
Encryption Type—The algorithm used for encrypting communication between the
security device and the SecurID ACE server (SDI or DES).
Client Retries—The number of times that the SecurID client (the security device) tries
to establish communication with the SecurID ACE server before aborting the attempt.
Client Timeout—The length of time in seconds that the security device waits between
authentication retry attempts.
Use Duress—An option that prevents or allows use of a different PIN number. When
this option is enabled, and a user enters a previously determined duress PIN number,
the security device sends a signal to the SecurID ACE server, indicating that the user is
performing the login against his or her will, possible under duress. The SecurID ACE
server permits access that one time, then denies any further login attempts by that
user until he or she contacts the SecurID administrator. Duress mode is available only
if the SecurID ACE server supports this option.
Copyright © 2010, Juniper Networks, Inc.
Advertisement
Table of Contents
