Manage Users, Authentication, and VPN Certificates
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
306
4. Click Apply to save your settings. The domain is added to the List of Domains table.
5. If you use local authentication, make sure that it is not disabled: in the Local Authentication section of the Domain screen (see Figure 201 on page 304), select the No radio button.
Table 76. Add Domain screen settings (continued)

Setting: Authentication Type (continued)
Description:
  Note: If you select any type of RADIUS authentication, make sure that one or more RADIUS servers are configured (see RADIUS Client and Server Configuration on page 247).
  - MIAS-PAP. Microsoft Internet Authentication Service (MIAS) PAP. Complete the following fields:
    - Authentication Server
    - Authentication Secret
  - MIAS-CHAP. Microsoft Internet Authentication Service (MIAS) CHAP. Complete the following fields:
    - Authentication Server
    - Authentication Secret
  - NT Domain. Microsoft Windows NT Domain. Complete the following fields:
    - Authentication Server
    - Workgroup
  - Active Directory. Microsoft Active Directory. Complete the following fields, and make a selection from the LDAP Encryption drop-down list:
    - Authentication Server
    - Active Directory Domain
  - LDAP. Lightweight Directory Access Protocol (LDAP). Complete the following fields, and make a selection from the LDAP Encryption drop-down list:
    - Authentication Server
    - LDAP Base DN

Setting: Select Portal
Description: The portal that is assigned to this domain and that is presented to the user to enter credentials. The default portal is SSL-VPN.

Setting: Authentication Server
Description: The server IP address or server name of the authentication server for any type of authentication other than authentication through the local user database.

Setting: Authentication Secret
Description: The authentication secret or password that is required to access the authentication server for RADIUS, WiKID, or MIAS authentication.

Setting: Workgroup
Description: The workgroup that is required for Microsoft NT Domain authentication.

Setting: LDAP Base DN
Description: The LDAP distinguished name (DN) that is required to access the LDAP authentication server. This should be a user in the LDAP directory who has read access to all the users that you would like to import into the VPN firewall. The Bind DN field accepts two formats:
  - A display name in the DN format. For example: cn=Jamie Hanson,cn=users,dc=test,dc=com.
  - A Windows login account name in email format. For example: [email protected]. This last type of bind DN can be used only for a Windows LDAP server.

Setting: Active Directory Domain
Description: The Active Directory domain name that is required for Microsoft Active Directory authentication.
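The two bind identifier formats the LDAP Base DN field accepts (an RFC 4514-style DN such as the page's cn=Jamie Hanson,cn=users,dc=test,dc=com, or a Windows login name in email form, which the page says only a Windows LDAP server accepts) are easy to get wrong when staging the setting from a script. The check below is an added example, not NETGEAR firmware code and not how the firewall itself validates the field; the function names, the `server_is_windows` flag and the sample login name are assumptions constructed for the example. It classifies the value, splits a DN into its RDNs (honouring escaped commas), and flags the email form when the target is not a Windows LDAP server, so the pre-check mirrors the restriction stated in the table.

```python
"""Classify an LDAP bind identifier as DN form or Windows login (email) form.

Added example, not vendor code: the firewall's own validation of the LDAP Base DN
field is not documented on this page, so this is a staging-side pre-check only.
"""
import re
from typing import List, Optional, Tuple

# One RDN: attribute type (letters/digits/hyphens, or a dotted OID) "=" value.
# The value may contain spaces, as in "cn=Jamie Hanson".
_RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*=\s*(.+?)\s*$")

# Windows login account name in email format, e.g. jhanson@example.com (constructed sample).
_UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_dn(value: str) -> Optional[List[Tuple[str, str]]]:
    """Return [(attribute, value), ...] if value is a well-formed DN, otherwise None.

    RDNs are split on commas that are not escaped with a backslash, so a value
    such as "Smith\\, John" stays intact. Attribute types are lower-cased.
    """
    rdns: List[Tuple[str, str]] = []
    for part in re.split(r"(?<!\\),", value):
        match = _RDN_RE.match(part)
        if not match:
            return None
        rdns.append((match.group(1).lower(), match.group(2)))
    return rdns or None


def classify_bind_identifier(value: str, server_is_windows: bool) -> dict:
    """Report the detected format and whether it is usable for the given server type.

    server_is_windows is an assumption of this example: the page states that the
    email-format login name works only against a Windows LDAP server.
    """
    rdns = parse_dn(value)
    if rdns:
        return {"format": "dn", "ok": True, "rdns": rdns, "reason": ""}
    if _UPN_RE.match(value.strip()):
        if server_is_windows:
            return {"format": "upn", "ok": True, "rdns": [], "reason": ""}
        return {
            "format": "upn",
            "ok": False,
            "rdns": [],
            "reason": "login-name (email) form is accepted only by a Windows LDAP server",
        }
    return {"format": "unknown", "ok": False, "rdns": [], "reason": "neither DN nor login-name format"}


def demo() -> List[dict]:
    """Run the check over the page's DN example plus constructed samples."""
    samples = [
        ("cn=Jamie Hanson,cn=users,dc=test,dc=com", False),  # page's example DN
        ("jhanson@example.com", True),   # constructed login name, Windows LDAP server
        ("jhanson@example.com", False),  # same name against a non-Windows server
        ("not a bind identifier", True),  # constructed malformed input
    ]
    return [classify_bind_identifier(v, w) for v, w in samples]


if __name__ == "__main__":
    for result in demo():
        print(result["format"], "ok" if result["ok"] else "REJECT", result["reason"])
```

The bind account named here should be a read-only directory user, as the table says; the check above does not (and cannot) verify its privileges, only the shape of the identifier, so pair it with a review of what that account can read.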
Note: A combination of local and external authentication is supported.
WARNING: If you disable local authentication, make sure that there is at least one external administrative user; otherwise, access to the VPN firewall is blocked.
6. If you do change local authentication, click Apply in the Domain screen to save your settings.
To delete one or more domains:
1. In the List of Domains table, select the check box to the left of each domain that you want to delete, or click the Select All table button to select all domains.
2. Click the Delete table button.
Note: You cannot delete the geardomain default domain.
Edit Domains
To edit a domain:
1. Select Users > Domains. The Domains screen displays (see Figure 201 on page 304).
2. In the Action column of the List of Domains table, click the Edit table button for the domain that you want to edit. The Edit Domains screen displays. This screen is similar to the Add Domains screen (see the previous figure).
3. Modify the settings as described in the previous table. (You cannot modify the Domain Name and Authentication Type fields.)
4. Click Apply to save your changes. The modified domain is displayed in the List of Domains table.
Note: You cannot edit the geardomain default domain.
Configure Groups
The use of groups simplifies the configuration of VPN policies when different sets of users
have different restrictions and access controls. It also simplifies the configuration of web
access exception rules. Like the default domain of the VPN firewall, the default group is also
named geardomain. The default group geardomain is assigned to the default domain
geardomain. You cannot delete the default domain geardomain, nor its associated default
group geardomain.
IMPORTANT: When you create a domain on the Domains screen (see the previous section), a group with the same name as the new domain is created automatically. You cannot delete such a group. However, when you delete the domain with which it is associated, the group is deleted automatically.
Note: IPSec VPN, L2TP, and PPTP users do not belong to a domain and are not assigned to a group.
Note: Groups that are defined on the Groups screen are used for setting SSL VPN policies. These groups should not be confused with LAN groups that are defined on the IPv4 LAN Groups screen and that are used to simplify firewall policies. For information about LAN groups, see Manage IPv4 Groups and Hosts (IPv4 LAN Groups) on page 96.
Create Groups
To create a VPN group:
1. Select Users > Groups. The Groups screen displays. (The following figure shows the VPN firewall's default group, geardomain, and, as an example, several other groups in the List of Groups table.)
Figure 203.
The List of Groups table displays the VPN groups with the following fields:
- Check box. Allows you to select the group in the table.
- Name. The name of the group. The name of the default group (geardomain) that is assigned to the default domain (also geardomain) is appended by an asterisk.
- Domain. The name of the domain to which the group is assigned.
- Action. The Edit table button, which provides access to the Edit Group screen.
Note: When you create a domain on the Domains screen, a group with the same name as the new domain is created automatically. You cannot delete such a group on the Groups screen. However, when you delete the domain with which the group is associated, the group is deleted automatically.
2. Under the List of Groups table, click the Add table button. The Add Group screen displays:
Figure 204.
3. Complete the settings as described in the following table.
4. Click Apply to save your changes. The new group is added to the List of Groups table.
To delete one or more groups:
1. In the List of Groups table, select the check box to the left of each group that you want to delete, or click the Select All table button to select all groups.
2. Click the Delete table button.
Note: You can delete only groups that you created on the Groups screen. Groups that were automatically created when you created a domain cannot be deleted on the Groups screen. See the Important note at the beginning of this section.
Table 77. Add Group screen settings

Setting: Name
Description: A descriptive (alphanumeric) name of the group for identification and management purposes.

Setting: Domain
Description: The drop-down list shows the domains that are listed on the Domain screen. From the drop-down list, select the domain with which the group is associated. For information about how to configure domains, see Configure Domains on page 303.

Setting: Idle Timeout
Description: The period after which an idle user is automatically logged out of the VPN firewall's web management interface. The default idle time-out period is 10 minutes.
Edit Groups
For groups that were automatically created when you created a domain, you can modify only the idle time-out settings but not the group name or associated domain.
For groups that you created on the Add Groups screen, you can modify the domain and the idle time-out settings but not the group name.
To edit a VPN group:
1. Select Users > Groups. The Groups screen displays (see Figure 203 on page 308).
2. In the Action column of the List of Groups table, click the Edit table button for the group that you want to edit. The Edit Groups screen displays. This screen is identical to the Add Groups screen.
3. Modify the settings as described in the previous table.
4. Click Apply to save your changes. The modified group is displayed in the List of Groups table.
Configure User Accounts
When you create a user account, you need to assign the user to a user group. When you
create a group, you need to assign the group to a domain that specifies the authentication
method. Therefore, you should first create any domains, then groups, and then user
accounts.
Note: IPSec VPN, L2TP, and PPTP users do not belong to a domain and are not assigned to a group.
There are two default user accounts:
- A user with the name admin and the password password. This is a user who has read/write access, is associated with the domain geardomain, and is denied login from the WAN interface by default. The user name is appended by an asterisk. You cannot delete this user account.
- A user with the name guest and the password password. This is a user who has read-only access, is associated with the domain geardomain, and is denied login from the WAN interface by default. The user name is appended by an asterisk. You cannot delete this user account.
You can create five different types of user accounts by applying one of the predefined user types:
- SSL VPN user. A user who can log in only to the SSL VPN portal.
- Administrator. A user who has full access and the capacity to change the VPN firewall configuration (that is, read-write access).