Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Admin Authentication for VSYS from IAS RADIUS server



Article ID: KB16204 KB Last Updated: 25 Feb 2020Version: 2.0
Steps on configuring a VSYS admin from a IAS RADIUS server are provided.
How to authenticate VSYS Admin from IAS RADIUS server
  1. Configure Radius server on Root VSYS for Admin user on firewall:

set auth-server "Radius" id 2
set auth-server "Radius" server-name ""
set auth-server "Radius" account-type admin
set auth-server "Radius" radius secret "$ABC123"
set auth default auth server "Local"
set auth radius accounting port 1646

Note: is IP address of Radius server.

Use the following setting for Radius authentication on the root VSYS:

set admin auth server "Radius"
set admin privilege get-external


From WebUI:

  • Configuration> Admin> Administrators > click “admin Privilege” and choose “Get privilege from Radius Server”.
  • Configuration> Admin> Administrators > choose Radius server from Drop down option
  1. Configure VSYS:

set vsys "<user>" zone 19 vrouter id 3
set vsys-id 1
set admin vsys name "<user>"
set admin vsys password "$ABC123"

  1. Configure IAS RADIUS server as follows:
  • Configure IP address and Secret Key on IAS server. This step will be common for Admin user and Vsys Admin user.

  • Friendly name: Enter the name of the NetScreen device.

  • Addresss:- Local IP adddress of the Device from where the request forwards to Radius server

  • Click Ok.

  1. Configure Policy for Authentication.
  • Click on Remote Access Policies. Right Click and Choose “New Remote Access Policy”.

  • From the Remote Access Policy dialog box, enter a policy friendly name, and then click Next.

  • From the Add Remote Access Policy dialog box, click Add.

  • Select the Client IP address. Enter the IP address of Local Device and click OK. Choose Grant Remote Access Permission to allow.

  1. Edit the Profile and choose the Advanced tab:

  1. Specify the VSYS name as one of the attributes as follows:
  • Click on Add and Add Vendor Code as “3224” and select the Radio Button as “Yes. It conforms”.

  1. Click on Configure Attribute, and specify Type “2” for VSA. In the Attribute Value Field, put the vsys name which was configured in Device.

Note:- Ensure that name should be configured same as what configured on the device.

  1. Specify whether VSYS_ADMIN or VSYS_READ_ONLY.

    Follow Step No. 6 and Add VSA Flied “1”, then specify attribute value of 3 for VSYS_ADMIN (read-write) or 5 for VSYS_READ_ONLY.


Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search