This article describes how to assign different user templates and login classes to RADIUS authenticated users. By using this procedure, different RADIUS authenticated users can be granted different administrative permissions on the Junos device.
By default, RADIUS authenticated users use the remote user template and are assigned the class specified in the remote user template, if the remote user template is configured.
In the Junos configuration, a user template is configured in the same way as a regular local user account, except that no local authentication (password) is configured, because authentication is performed remotely on the RADIUS server.
For example:
set system login user remote class read-only
However, if different login classes have to be used for different users, granting them different permissions, this is possible. It can be achieved by creating multiple user templates in the Junos configuration and having the RADIUS server specify the name of the user template to be applied to the authenticated user. Every user template can be assigned a different login class.
For example:
set system authentication-order [ password radius ]
set system radius-server 10.2.2.1 secret abc
set system login user RO class read-only
set system login user OP class operator
set system login user SU class super-user
set system login user remote full-name "default remote access user template"
set system login user remote class read-only
For a RADIUS server to indicate which user template should be applied, it needs to include the Juniper-Local-User-Name (Vendor 2636, type 1, string) Juniper VSA (Vendor Specific Attribute) in the RADIUS Access-Accept message. The string value in Juniper-Local-User-Name must correspond to the name of a configured user template on the device.
For a list of relevant Juniper RADIUS VSAs, refer to the following link:
http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/general/radius-vendor-specific-attributes-juniper-networks.html
If the Juniper-Local-User-Name is not included in the Access-Accept message, or the string contains a user template name that does not exist on the device, then the user is assigned to the remote user template, if configured. If it is not configured, authentication will fail for such a user.
After logging in, the remote authenticated user keeps the same username that was used to log in, but inherits the login class from the assigned user template.
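As an added example that is not part of the original article, the following Python decodes a constructed Access-Accept, extracts the Juniper-Local-User-Name VSA (vendor 2636, type 1) and applies the template-selection rule just described: the named template if it exists, otherwise the remote template, otherwise authentication fails. The packet builder, the zeroed authenticator and the template table are assumptions for the demo; a real Junos device also verifies the Response Authenticator with the shared secret, which is omitted here.

```python
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute
JUNIPER_VENDOR_ID = 2636
JUNIPER_LOCAL_USER_NAME = 1        # Juniper-Local-User-Name vendor type

# Constructed: templates from the article's configuration (name -> login class)
TEMPLATES = {"RO": "read-only", "OP": "operator", "SU": "super-user",
             "remote": "read-only"}


def vsa(vendor_id, vendor_type, value):
    """Build a Vendor-Specific attribute carrying one vendor sub-attribute."""
    data = struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(data) + 2) + data


def access_accept(identifier, attrs):
    """Constructed Access-Accept with a zeroed 16-byte authenticator (demo only)."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body)) + bytes(16) + body


def juniper_local_user_name(packet):
    """Return the Juniper-Local-User-Name string, or None if absent or malformed."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    pos = 20                                   # attributes start after the header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None                        # truncated attribute: do not guess
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id, vtype, vlen = struct.unpack("!IBB", packet[pos + 2:pos + 8])
            if vendor_id == JUNIPER_VENDOR_ID and vtype == JUNIPER_LOCAL_USER_NAME and vlen >= 2:
                return packet[pos + 8:pos + 6 + vlen].decode("ascii", "replace")
        pos += alen                            # VSAs from other vendors are skipped
    return None


def assign_class(packet, templates=TEMPLATES):
    """Selection rule from the article: named template, else 'remote', else None (fail)."""
    name = juniper_local_user_name(packet)
    if name in templates:
        return templates[name]
    return templates.get("remote")
```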
RADIUS server configuration
For the RADIUS server to include the Juniper-Local-User-Name VSA in the Access-Accept message, the RADIUS server needs to be configured to do so. In a RADIUS server, users can be assigned a Juniper-Local-User-Name string, which indicates the user template to be used on the Junos device. In the above example, the string would be RO, OP, or SU.
Configuration of the RADIUS server depends on the server being used. For instructions for the Juniper Steel-Belted Radius server, refer to the following link:
http://www.juniper.net/techpubs/en_US/release-independent/sbr/information-products/pathway-pages/sbr-enterprise/product/index.html
For information on using FreeRADIUS, refer to KB19446 - Configuration Example -- How to assign a login class to users that are authenticated using a FreeRADIUS server.
Instead of a RADIUS server, it is also possible to use a TACACS+ server to perform the same function. For more information, refer to the following link:
http://www.juniper.net/techpubs/en_US/junos/topics/task/configuration/tacacs-authentication-configuring.html