
[SRX] FreeRADIUS configuration example for Dynamic VPN connections



Article ID: KB17337 | KB Last Updated: 30 Dec 2014 | Version: 3.0

This article provides tips on configuring FreeRADIUS so that you can use it to authenticate your Dynamic VPN users.



  • You want to use RADIUS to configure authentication for your Dynamic VPN users.



Juniper does not provide support for FreeRADIUS, but it has been known to work for Dynamic VPN authentication.

The FreeRADIUS website is located at

Below are FreeRADIUS installation and configuration instructions that a customer provided to JTAC. If you encounter problems with these steps, please contact FreeRADIUS for support.


In this example Ubuntu Linux is used with FreeRADIUS. The NAS (Network Access Server) is a Juniper SRX210/240.

  • Install FreeRADIUS:

    sudo apt-get install 'freeradius*'

    This will fully install freeradius and start the service.

  • Configure your NAS.
    For example, in the file /etc/freeradius/clients.conf, add the following:

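    # <SRX-IP-address> is a placeholder for the address of the SRX acting as NAS
    client <SRX-IP-address> {
        # RADIUS shared secret; must match the secret configured for this server on the SRX
        secret = juniper
        shortname = SRX-NAS-test
    }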

  • If you want to assign DNS settings to your VPN clients, add these lines to the existing attributes in the file /usr/share/freeradius/:

    ATTRIBUTE Juniper-Primary-Dns 31 ipaddr
    ATTRIBUTE Juniper-Secondary-Dns 33 ipaddr

    This step is not needed if no DNS settings are required.

  • Configure users.
    For example, in file /etc/freeradius/users add the following:

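    # Values in angle brackets are placeholders; the last reply item has no trailing comma
    user1 Cleartext-Password := "user1"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = <client-IP-address>,
        Framed-IP-Netmask = <netmask>,
        Juniper-Primary-Dns = <primary-DNS-address>,
        Juniper-Secondary-Dns = <secondary-DNS-address>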

    The above defines username user1 with password user1 and a specified IP address. The DNS attributes are optional.

    NOTE: The user defined in the users file corresponds with the user specified in the security dynamic-vpn portion of the config on the SRX (also documented in the Dynamic VPN application note). For example:
        ipsec-vpn dynamic-vpn-user1; 
         user {       
             user1           <---------This must match user name in RADIUS

  • Restart the FreeRADIUS service to load the new configuration files:
    sudo /etc/init.d/freeradius restart

  • For configuring the SRX device for Dynamic VPN, please refer to Dynamic VPN application note.

  • If the FreeRADIUS service does not start for some reason, you can use the command "sudo freeradius -X" to see the log messages during service start.

  • The RADIUS server can be tested with the radtest tool, as in this example:

    $ radtest user1 user1 localhost 1812 testing123
    Sending Access-Request of id 134 to port 1812
    User-Name = "user1"
    User-Password = "user1"
    NAS-IP-Address =
    NAS-Port = 1812
    rad_recv: Access-Accept packet from host, id=134, length=68
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address =
    Framed-IP-Netmask =
    Juniper-Primary-Dns =
    Juniper-Secondary-Dns =

    The local host should already be configured as a NAS with secret testing123 by default in /etc/freeradius/clients.conf.

  • RADIUS packets can be seen using tcpdump. For example:

    $ sudo tcpdump -vvv -i eth0 -s0 -n
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    15:41:12.307859 IP (tos 0x0, ttl 64, id 5705, offset 0, flags [none], proto UDP (17), length 87) > [udp sum ok] RADIUS, length: 59
    Access Request (1), id: 0x95, Authenticator: 9794118f1faa7d3c399742bb6ffe12df
    Username Attribute (1), length: 9, Value: juniper
    0x0000: 6a75 6e69 7065 72
    Password Attribute (2), length: 18, Value:
    0x0000: 879c 848c f903 493a c671 bc0f 296a 1ee8
    NAS ID Attribute (32), length: 6, Value: luna
    0x0000: 6c75 6e61
    NAS Port Type Attribute (61), length: 6, Value: Virtual
    0x0000: 0000 0005
    15:41:12.311950 arp who-has tell
    15:41:12.313197 arp reply is-at 00:24:dc:16:78:41
    15:41:12.313204 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96) > [bad udp cksum 49c4!] RADIUS, length: 68
    Access Accept (2), id: 0x95, Authenticator: c37edfdffbf79ed523743d3df1d042c6
    Service Type Attribute (6), length: 6, Value: Framed
    0x0000: 0000 0002
    Framed Protocol Attribute (7), length: 6, Value: PPP
    0x0000: 0000 0001
    Framed IP Address Attribute (8), length: 6, Value:
    0x0000: ac10 0321
    Framed IP Network Attribute (9), length: 6, Value:
    0x0000: ffff ff00
    Vendor Specific Attribute (26), length: 12, Value: Vendor: Juniper Networks (2636)
    Vendor Attribute: 31, Length: 4, Value: ....
    0x0000: 0000 0a4c 1f06 0101 0101
    Vendor Specific Attribute (26), length: 12, Value: Vendor: Juniper Networks (2636)
    Vendor Attribute: 33, Length: 4, Value: ....
    0x0000: 0000 0a4c 2106 0202 0202
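
The reply attributes in the Access-Accept capture above can be decoded directly from the hex lines. The following Python code is an added example, not part of the original article: it rebuilds the attribute bytes from the tcpdump output (type and length octets re-added as tcpdump reports them) and decodes the address attributes, including the two Juniper vendor-specific DNS attributes. The function and constant names are assumptions made for this example.

```python
import ipaddress

JUNIPER_VENDOR_ID = 2636  # tcpdump prints this as "Juniper Networks (2636)"
# Vendor sub-attribute numbers from the dictionary lines in this article.
JUNIPER_ATTRS = {31: "Juniper-Primary-Dns", 33: "Juniper-Secondary-Dns"}
# Standard RFC 2865 address attributes present in the Access-Accept.
STANDARD_ATTRS = {8: "Framed-IP-Address", 9: "Framed-IP-Netmask"}


def parse_attributes(data):
    """Yield (type, value) for each type/length/value attribute in data."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} in attribute {attr_type}")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def decode_reply(data):
    """Return {attribute name: dotted IPv4 string} for the known attributes."""
    out = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in STANDARD_ATTRS and len(value) == 4:
            out[STANDARD_ATTRS[attr_type]] = str(ipaddress.IPv4Address(value))
        elif attr_type == 26:  # Vendor-Specific: 4-byte vendor id, then sub-TLVs
            if len(value) < 4:
                raise ValueError("Vendor-Specific attribute too short")
            if int.from_bytes(value[:4], "big") != JUNIPER_VENDOR_ID:
                continue
            for sub_type, sub_value in parse_attributes(value[4:]):
                name = JUNIPER_ATTRS.get(sub_type)
                if name and len(sub_value) == 4:
                    out[name] = str(ipaddress.IPv4Address(sub_value))
    return out


# Attribute bytes rebuilt from the hex lines of the Access-Accept capture above
# (each value prefixed with the type and length octets tcpdump reports).
CAPTURED = bytes.fromhex(
    "0806ac100321" "0906ffffff00"
    "1a0c00000a4c1f0601010101" "1a0c00000a4c210602020202"
)

if __name__ == "__main__":
    for name, addr in decode_reply(CAPTURED).items():
        print(f"{name} = {addr}")
```

The vendor-specific value starts with the 4-byte vendor ID (0x00000a4c = 2636), followed by a nested type/length/value whose type octet (0x1f = 31, 0x21 = 33) matches the ATTRIBUTE numbers added to the dictionary.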

The configurations in this document were performed with FreeRADIUS Version 1.1.7.
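
Both shared secrets that appear in this article, the example NAS secret juniper and the default localhost secret testing123, are published values. The following Python check is an added example, not part of the original article or of FreeRADIUS: it scans clients.conf text and reports client blocks that still use them. The 16-character minimum, the sample addresses and the function names are assumptions, and it expects flat client blocks like the one shown in the configuration step.

```python
import re
# Secrets printed in this article: the example NAS secret and the localhost default.
PUBLISHED_SECRETS = {"juniper", "testing123"}
MIN_LENGTH = 16  # assumed local policy, not a FreeRADIUS requirement
CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{$")
SECRET_RE = re.compile(r"secret\s*=\s*(\S+)$")

def classify(secret):
    """Return why a shared secret is weak, or None if it passes."""
    if secret is None:
        return "no secret set"
    if secret.lower() in PUBLISHED_SECRETS:
        return "published or default secret"
    if len(secret) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None

def audit_clients(text):
    """Return [(client, reason)] for each client block with a weak secret."""
    findings, client, secret = [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments ('#' inside a secret is not handled)
        if client is None:
            m = CLIENT_RE.match(line)
            if m:
                client, secret = m.group(1), None
        elif line == "}":
            reason = classify(secret)
            if reason:
                findings.append((client, reason))
            client = None
        elif (m := SECRET_RE.match(line)):
            secret = m.group(1).strip('"')
    return findings

# Constructed sample; 192.0.2.x are documentation addresses, not from the article.
SAMPLE = """
client 127.0.0.1 {
    secret = testing123
}
client 192.0.2.10 {
    secret = juniper
}
client 192.0.2.20 {
    secret = k3Vx9TqLm2ZsW8pRb6Nd
}
"""

if __name__ == "__main__":
    print(audit_clients(SAMPLE))
```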
