
Configuration Example - How to assign a login class to users that are authenticated using a FreeRADIUS server



Article ID: KB19446 | KB Last Updated: 29 Jun 2020 | Version: 5.0

In Junos, it is possible to assign different permissions to different users through a RADIUS server. This article explains how to configure this, using a FreeRADIUS server as the example.

When a RADIUS server is used for the login user authentication, the RADIUS server is able to assign a login class to the user. This can be done by configuring the RADIUS server to send a Juniper VSA (Vendor Specific Attribute) to the Junos device to indicate which user template is to be applied. The VSA to be used is "Juniper-Local-User-Name" (Vendor 2636, type 1, string).

Each user template on the Junos device is configured with the login class to be used. For more details see KB21685 - [Junos] How to assign a login class to RADIUS authenticated users.
The predefined login classes are operator, read-only, super-user and unauthorized. Custom-defined login classes can be configured as well.

In the following example users are assigned either super-user or read-only permissions by the RADIUS server.

- Junos configuration:
set system authentication-order [ password radius ]
set system radius-server <radius-server-address> secret juniper
set system login user readonly-users class read-only
set system login user super-users class super-user

- RADIUS server configuration:
In this example a FreeRADIUS server is used. The following users are configured in the file /etc/freeradius/users on the FreeRADIUS server:

tom Cleartext-Password := "tom123"
    Service-Type = Login-User,
    Juniper-Local-User-Name := "readonly-users"

jerry Cleartext-Password := "jerry123"
    Service-Type = Login-User,
    Juniper-Local-User-Name := "super-users"

The VSA (vendor specific attribute) "Juniper-Local-User-Name" is used here. This VSA is already present in file /usr/share/freeradius/ by default and does not need to be configured.

On the RADIUS server, the RADIUS secret and the client IP address (in this case 0/0, so any IP address) are configured in the file /etc/freeradius/clients.conf, as in this example. The secret must match the one configured on the Junos device.

client 0/0 {
    secret = juniper
    shortname = JUNOS-devices
}

After the configuration change, restart the server:

# /etc/init.d/freeradius restart
* Stopping FreeRADIUS daemon freeradius
* Starting FreeRADIUS daemon freeradius

- Testing:
Now, when the user logs in with username tom, the class read-only is assigned.
When logging in with jerry, the class super-user is assigned.

login: tom
tom> configure
unknown command.

login: jerry
jerry> configure
Entering configuration mode
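
An added example (not part of the original article or of Juniper's tooling): a small Python audit that cross-checks the FreeRADIUS users file against the Junos user templates, listing the login class each RADIUS user ends up with and flagging a Juniper-Local-User-Name that names no template on the device. The inputs are constructed copies of the article's configuration; the user spike and the template noc-users are hypothetical additions.

```python
import re

# Constructed samples mirroring the article; spike/noc-users is a hypothetical extra entry.
JUNOS_CONFIG = """\
set system login user readonly-users class read-only
set system login user super-users class super-user
"""
USERS_FILE = """\
tom Cleartext-Password := "tom123"
    Service-Type = Login-User,
    Juniper-Local-User-Name := "readonly-users"

jerry Cleartext-Password := "jerry123"
    Service-Type = Login-User,
    Juniper-Local-User-Name := "super-users"

spike Cleartext-Password := "spike123"
    Service-Type = Login-User,
    Juniper-Local-User-Name := "noc-users"
"""

def junos_templates(config):
    """Map each 'set system login user <name> class <class>' line to its class."""
    pat = re.compile(r"^set system login user (\S+) class (\S+)[ \t]*$", re.M)
    return dict(pat.findall(config))

def radius_templates(users_text):
    """Map each users-file entry to its Juniper-Local-User-Name reply value."""
    mapping, current = {}, None
    for line in users_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # unindented line starts a new entry
            current = line.split()[0]
            mapping[current] = None        # no VSA seen yet for this user
            continue
        m = re.match(r'\s+Juniper-Local-User-Name\s*:?=\s*"([^"]*)"', line)
        if m and current:
            mapping[current] = m.group(1)
    return mapping

def audit(config, users_text):
    """Return (user, template, class) rows; class is None if no template matches."""
    templates = junos_templates(config)
    return [(u, t, templates.get(t)) for u, t in radius_templates(users_text).items()]

if __name__ == "__main__":
    for user, template, cls in audit(JUNOS_CONFIG, USERS_FILE):
        print(f"{user:8} template={template!s:16} class={cls or 'NO MATCHING TEMPLATE'}")
```

Reviewing the rows with class super-user gives a quick list of which RADIUS accounts receive full privileges on the device.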

Modification History:
2019-06-29: Removed J-Series reference.