In Junos it is possible to assign different permissions to different users through a RADIUS server. This article explains how to configure this; a FreeRADIUS server is used in the example.
When a RADIUS server is used for the login user authentication, the RADIUS server is able to assign a login class to the user. This can be done by configuring the RADIUS server to send a Juniper VSA (Vendor Specific Attribute) to the Junos device to indicate which user template is to be applied. The VSA to be used is "Juniper-Local-User-Name" (Vendor 2636, type 1, string).
The user templates on the Junos device are configured with the login class to be used. For more details see KB21685 - [Junos] How to assign a login class to RADIUS authenticated users.
Predefined login classes are operator, read-only, super-user and unauthorized. Custom defined login classes can be configured as well.
In the following example users are assigned either super-user or read-only permissions by the RADIUS server.
- Junos configuration:
set system authentication-order [ password radius ]
set system radius-server 10.2.2.1 secret abc
set system login user readonly-users class read-only
set system login user super-users class super-user
- RADIUS server configuration:
In this example a FreeRADIUS server is used (more information about FreeRADIUS at http://freeradius.org/). The following users are configured in the file /etc/freeradius/users on the FreeRADIUS server:
tom     Cleartext-Password := "tom123"
        Service-Type = Login-User,
        Juniper-Local-User-Name := "readonly-users"

jerry   Cleartext-Password := "jerry123"
        Service-Type = Login-User,
        Juniper-Local-User-Name := "super-users"
The VSA (vendor specific attribute) "Juniper-Local-User-Name" is used here. This VSA is already defined in the file /usr/share/freeradius/dictionary.juniper by default and does not need to be added.
On the RADIUS server, in the file /etc/freeradius/clients.conf, the RADIUS shared secret and the client IP address (in this case 0/0, so any IP address) are configured as in this example. The secret must be identical to the one configured on the Junos device (abc in the configuration above), otherwise the Junos device discards the replies:
client 0/0 {
        secret = abc
        shortname = JUNOS-devices
}
Note that 0/0 accepts requests from any source address that knows the secret; in production, restrict the client entry to the management addresses of the Junos devices.
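To make the VSA format and the role of the shared secret concrete, here is an added Python example (not from the original article and not FreeRADIUS or Junos code) that builds an Access-Accept carrying Service-Type = Login-User plus the Juniper-Local-User-Name VSA (vendor 2636, type 1) and parses it back, verifying the Response Authenticator the way the Junos device would. The secret "abc" and the 16-byte request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

JUNIPER_VENDOR_ID = 2636        # vendor id used by dictionary.juniper
VSA_LOCAL_USER_NAME = 1         # Juniper-Local-User-Name (string)
ATTR_SERVICE_TYPE, ATTR_VSA = 6, 26
LOGIN_USER = 1                  # Service-Type = Login-User
ACCESS_ACCEPT = 2

def attr(atype, value):
    """Standard RADIUS attribute TLV: type, total length, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def juniper_vsa(vendor_type, text):
    """Vendor-Specific (26): vendor id, then one vendor TLV (RFC 2865 layout)."""
    sub = struct.pack("!BB", vendor_type, 2 + len(text)) + text
    return attr(ATTR_VSA, struct.pack("!I", JUNIPER_VENDOR_ID) + sub)

def build_access_accept(ident, request_auth, secret, template):
    """Access-Accept that tells Junos to apply the login template `template`."""
    attrs = attr(ATTR_SERVICE_TYPE, struct.pack("!I", LOGIN_USER))
    attrs += juniper_vsa(VSA_LOCAL_USER_NAME, template.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_local_user_name(packet, request_auth, secret):
    """Return the template name, or None when the packet is not an Access-Accept
    or its Response Authenticator does not verify under `secret` (a secret
    mismatch between Junos and clients.conf fails exactly here)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    resp_auth, attrs = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if code != ACCESS_ACCEPT or not hmac.compare_digest(resp_auth, expected):
        return None
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            return None                      # malformed attribute, stop parsing
        value = attrs[pos + 2:pos + alen]
        if atype == ATTR_VSA and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == JUNIPER_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vtype == VSA_LOCAL_USER_NAME and 4 + vlen <= len(value):
                return value[6:4 + vlen].decode()
        pos += alen
    return None
```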
After the configuration change, restart the server:
# /etc/init.d/freeradius restart
* Stopping FreeRADIUS daemon freeradius
...done.
* Starting FreeRADIUS daemon freeradius
...done.
- Testing:
Now, when user tom logs in, the read-only class is assigned; when jerry logs in, the super-user class is assigned.
===================
login: tom
Password:
tom>
tom> configure
^
unknown command.
tom>
===================
===================
login: jerry
Password:
jerry>
jerry> configure
Entering configuration mode
[edit]
jerry#
===================