Tuesday, February 5, 2013

Chapter 5 - user roles

User Roles.



We are looking at the ROLE part.
This is part of authorization: what is the role authorized to do?


  1. Enable or disable the type of access you can have (Pulse, OAC, clientless)
    1. You can limit the type of access for the role.
      For example, if the role is accounting, then you must use Junos Pulse,
      and you do not get that role if you are agentless.
  2. Personalize your User Interface
  3. Set up user session parameters for the role.

A user role does not mean access to resources YET!!

You can create users manually in the Local Database of the MAG.

You can set:

  • start time and end time {these are for access times}
  • one time use {}   the account will be disabled when the user logs out
  • enabled/disabled/quarantined {}
  • require user to change password {}   must be set up so users must change passwords

Creating ROLES

USERS >> user role >> new role.

If you leave the checkbox cleared it will take the default option.

{research this part}

AGENT tab
In the agent tab you specify:

  1. Should the MAG install an agent
    1. Junos Pulse
    2. Odyssey
  2. Should you install Java
  3. Should you enable the Host Enforcer

In the AGENTLESS tab
You can enable agentless access for this role.
You can also disable the AJAX heartbeats.

In the GENERAL tab
You can set up session options; these are for the session length and timeouts.

Roaming session means the user can change IP:

  • enable
  • disable
  • Limit to subnet    This is OK for the LAN only

Persistent session adds a cookie to the HD.
So when you close the browser tab you can still reconnect.
Junos Pulse only disconnects when you log out.

{{All of the above means, for example, that with the Employee role you can access only with OAC, depending
on what you chose}}


Customize UI.
You can change the Juniper LOGO to the corporate logo and background, and add a
session counter that tells the user how much time he has left in his Pulse.

  • show notification message on the welcome page
  • show instructions for the users
  • show copyright by Juniper

Role restriction
  • You can restrict the role to only IP network X.
  • You can restrict browser type.
  • You can restrict certificate.
  • You can restrict based on the result of the Host Checker.

OK, now you have the role:
the way of signing on,
the UI for him,
and the restrictions of the role.

Verify the roles are set up in the User roles main window.


Role Mapping rules
  • Username - we did this above.
  • Group membership - LDAP
  • Certificate attributes - expression
  • Custom expressions - you can custom choose.

Role-mapping is in the Authentication Realm.


User realms >> users >> role mapping
You set up rules.
New Rule - when the user meets these conditions, assign these roles; rule name; stop.
E.g. when username is ***** assign role contractor. STOP will stop processing rules;
otherwise processing moves to the next rule.

When you create the Role Mapping Rule, your choices depend on the
server that the Authentication Realm uses.
For example, for the local one only username, certificate and custom expressions are available.

For example RULE = if username is ss*
then assign these roles
{available roles    select}
{} stop

When you go back to the screen that shows all the rules, you can select what happens
when more than one rule matches:

  • Merge the settings
  • User must select from among the assigned roles

Users that do not meet any of the rules - will not be able to sign-in to the realm.

Reorder rules using the up/down arrows.
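The rule evaluation described above (top-to-bottom order, STOP, merge vs. "user must select", and no match meaning no sign-in to the realm), as an added simulation in Python; this is not code from the notes or from Juniper, and the rule set and usernames are constructed, with username matching assumed to be shell-style globbing:

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List

@dataclass
class Rule:
    name: str
    username_pattern: str   # glob as typed in the rule, e.g. "ss*" or "*"
    roles: List[str]        # "assign these roles"
    stop: bool = False      # STOP: do not evaluate later rules

@dataclass
class SignInResult:
    allowed: bool
    roles: List[str] = field(default_factory=list)
    user_must_select: bool = False

def matching_rules(username: str, rules: List[Rule]) -> List[Rule]:
    """Walk the rules top to bottom (the order set with the up/down arrows)
    and collect every rule whose username condition matches, until a rule
    with STOP set ends processing."""
    matched = []
    for rule in rules:
        if fnmatch.fnmatchcase(username, rule.username_pattern):
            matched.append(rule)
            if rule.stop:
                break
    return matched

def map_roles(username: str, rules: List[Rule], mode: str = "merge") -> SignInResult:
    """mode is the realm-wide choice for when more than one rule matches:
    "merge" (merge the settings) or "select" (user must pick one role)."""
    matched = matching_rules(username, rules)
    if not matched:
        # A user who meets none of the rules cannot sign in to the realm.
        return SignInResult(allowed=False)
    roles: List[str] = []
    for rule in matched:
        for role in rule.roles:
            if role not in roles:
                roles.append(role)
    must_select = mode == "select" and len(matched) > 1
    return SignInResult(allowed=True, roles=roles, user_must_select=must_select)

# Constructed sample rule set (not from the notes): contractors get one role and STOP;
# names starting with "ss" also pick up the employee role before the catch-all "s*" rule.
SAMPLE_RULES = [
    Rule("contractors", "c*", ["contractor"], stop=True),
    Rule("ss-users", "ss*", ["employee"]),
    Rule("all-s", "s*", ["basic"]),
]
```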


Sign-In policy.
You can create a few policies.
You can create different sign-in pages with images, error messages, help files.

You can create a custom notification for each role.

Creating the actual policy.

URL          Sign-in page    Authentication Realms    Enabled
*/admin/     Admin-page      Admin Users              V
*/           User-sign-in    Users (802.1x)           V

There is a NEW policy screen where the above will be selected from tabs.
More specific rules come before general rules.
