authentication >> auth servers
select the type
Local - we used this
LDAP - see below
NIS
ACE
RADIUS
AD - Windows LDAP
Anonymous server
SiteMinder
Certificate
MAC address authentication, which we used before.
So when the user signs in, he specifies which REALM to use.
A REALM is associated with an authentication server.
The authentication server will verify that the user exists and give approval.
The authentication server will also send group attributes.
Junos Pulse Access Control then evaluates role-mapping rules to see what role to apply to the group.
LDAP
Name: give this server a name
LDAP server: give it an IP
LDAP port: give it a port, usually 389, or 636 for SSL
Backup LDAP1
Backup LDAP2: backup servers
LDAP server type
Connection: Unencrypted / LDAPS / TLS
Connection timeout
Search timeout
Active Directory is annoying in that it requires a username with permissions to search Active Directory.
So for AD, tick the Authentication check box and provide a user and password.
If you want to allow users to change their LDAP/AD passwords from the MAG, you must
provide an administrator account here too.
You will specify a Base DN to start the search from, e.g.
dc=sales,dc=bobcat,dc=com
You will specify a filter like cn=user.
Strip domain from username lets users sign in in the bobcat/David format.
It removes the bobcat part and uses it as the domain.
You can determine group membership by setting up the group query:
Base DN
Filter
Member attribute
Nesting: 2 nested levels is the best practice.
Group type: Static or Dynamic.
RADIUS (ports 1812 for authentication, 1813 for accounting)
In this scenario the MAG is a client of the big RADIUS server.
Name
NAS-Identifier - the name the MAG uses to identify itself to the RADIUS server.
Server IP
Port 1812
Backup server, if you want.
RADIUS Accounting
RADIUS authentication can be enhanced by using RADIUS accounting.
This is when you tell the RADIUS server that the user just logged in.
You do this by sending a Start message after a successful sign-in
and a Stop message after logout / denial / timeout / admin intervention.
This is the template you send that data as.
You set up a template for returning the data:
<USER>(<REALM>)|<ROLE SEP=
so the user, the domain (realm), then the roles separated by commas.
Active Directory and NT authentication
Name
Primary Active Directory
Backup
Domain
Administrator
Password of the administrator for the AD.
Authentication using:
Kerberos, NTLMv2, NTLMv1
Only active groups.
Anonymous authentication
This is for guests.
You use this to limit resources for them.
Only define the name.
Users >> User Realms >> New User Realm
Assign a server to it.
You can have different ones for each item:
Authentication: let's say RADIUS
Directory/attribute: let's say AD
Accounting: let's say RADIUS.
Refresh the roles every 60 minutes if you want, to see if there was any change.
So refreshing roles applies to new sessions;
refreshing resource policies might kill current sessions.
Create a policy
IP limit
User Realms >> AD realm >> Authentication Policy >> SSO
Single sign-on is a checkbox.
Workstations must be members of the domain.
You sign in to the workstation and your credentials are used for Junos Pulse.
Creating Role-mapping RULES
The first is Username, so you can manually map usernames to roles,
like fred, bob, muhammad -> role IT engineers.
User Attribute comes from LDAP or RADIUS - click Update to see the attributes you can select.
Certificate - map them based on certificate attributes.
Group Membership - this is only for LDAP or AD.
o = organization
cn = container
ou = organizational unit
Try remembering AD and LDAP from Microsoft.
o can also be used for organization,
c for country.
The rules are: IF the user has any of the following attribute values
(the comparison can be IS or IS NOT)
THEN assign him the role
(select a role).
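To make the group-membership query and the role-mapping rules above concrete, here is an added Python example (not from these notes or from Junos Pulse itself) that resolves a user's groups from a constructed LDAP-style directory up to 2 nested levels and then evaluates IS / IS NOT rules of the three types described: username, user attribute and group membership. The DN layout, user and group names, the department attribute and the helper names are all assumptions.

```python
# Added example (not from the original notes): resolve LDAP group membership to a
# bounded nesting depth, then evaluate role-mapping rules of the form
# "IF user has any of the following values (IS / IS NOT) THEN assign role".
# All DNs, users, groups and attributes below are constructed sample data.
BASE = "dc=sales,dc=bobcat,dc=com"
G = lambda name: f"cn={name},ou=groups,{BASE}"  # group DN helper (assumed layout)
U = lambda name: f"cn={name},ou=users,{BASE}"   # user DN helper (assumed layout)
# Constructed directory: group DN -> values of its "member" attribute. Groups nest.
DIRECTORY = {
    G("it-engineers"): [G("helpdesk"), U("fred")],
    G("helpdesk"): [G("tier1"), U("bob")],
    G("tier1"): [U("alice")],
    G("contractors"): [U("alice")],
}

def groups_of(user_dn, directory, max_nesting=2):
    """Groups containing user_dn, following nesting up to max_nesting levels (2 per
    the notes); the cap bounds query cost and stops a cyclic structure looping."""
    found, frontier = [], {user_dn}
    for _ in range(max_nesting + 1):
        parents = {g for g, members in directory.items()
                   if g not in found and frontier & set(members)}
        if not parents:
            break
        found.extend(sorted(parents))
        frontier = parents
    return found

# Role-mapping rules: (rule type, operator, values, role), evaluated top to bottom;
# every matching rule adds its role, so a user may end up with several roles.
RULES = [
    ("username", "IS", {"fred", "bob", "muhammad"}, "IT engineers"),
    ("group", "IS", {G("it-engineers")}, "IT engineers"),
    ("group", "ISNOT", {G("contractors")}, "Employees"),
    ("attr:department", "IS", {"sales"}, "Sales"),
]

def map_roles(username, attrs, groups, rules=RULES):
    """attrs: user attributes returned by the auth server (LDAP/AD/RADIUS)."""
    roles = []
    for rule_type, op, values, role in rules:
        if rule_type == "username":
            have = {username}
        elif rule_type == "group":
            have = set(groups)
        else:  # "attr:<name>" user-attribute rule
            have = set(attrs.get(rule_type.split(":", 1)[1], []))
        matched = bool(have & values)  # "any of the following values"
        if (op == "IS") == matched and role not in roles:
            roles.append(role)
    return roles
```

Lowering max_nesting to 1 drops alice's membership in it-engineers (reached only through helpdesk), which is why the nesting depth directly changes which roles a user receives.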