[Junos] How to assign a login class to RADIUS authenticated users

Article ID: KB21685    KB Last Updated: 08 Mar 2017    Version: 9.0
Summary:
This article describes how to assign different user templates and login classes to RADIUS authenticated users. With this procedure, different RADIUS authenticated users can be granted different administrative permissions on the Junos device.
Symptoms:
  • How to assign different user templates and login classes to RADIUS authenticated users.

  • Via this method, different RADIUS authenticated users can be granted different administrative permissions on the Junos device.
Cause:
 
Solution:
By default, RADIUS authenticated users are mapped to the "remote" user template and receive the login class specified in that template, provided the remote user template is configured.

In the Junos configuration, a user template is configured in the same way as a regular local user account, except that no local authentication (password) is configured, because authentication is performed remotely on the RADIUS server.


For example:
set system login user remote class read-only
If different users must receive different login classes, and therefore different permissions, this can be achieved by creating multiple user templates in the Junos configuration and having the RADIUS server specify the name of the user template to apply to the authenticated user. Each user template can be assigned a different login class.

For example:
set system authentication-order [ password radius ]
set system radius-server 10.2.2.1 secret abc
set system login user RO class read-only
set system login user OP class operator
set system login user SU class super-user
set system login user remote full-name "default remote access user template"
set system login user remote class read-only
For a RADIUS server to indicate which user template should be applied, it needs to include the Juniper-Local-User-Name Juniper VSA (Vendor Specific Attribute; Vendor 2636, type 1, string) in the RADIUS Access-Accept message. The string value of Juniper-Local-User-Name must match the name of a user template configured on the device.

For a list of relevant Juniper RADIUS VSAs, refer to the following link:

http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/general/radius-vendor-specific-attributes-juniper-networks.html

If the Juniper-Local-User-Name is not included in the Access-Accept message, or its string contains a user template name that does not exist on the device, the user is assigned to the remote user template, if one is configured. If no remote user template is configured, authentication fails for that user.

After logging in, the remotely authenticated user keeps the username that was used to log in, but inherits the login class from the assigned user template.
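To make the attribute layout and the fallback rules above concrete, here is an added example (not code from the article or from Juniper) that encodes Juniper-Local-User-Name as an RFC 2865 Vendor-Specific attribute, extracts it from the attribute section of an Access-Accept, and applies the template lookup with the "remote" fallback. The TEMPLATES mapping is taken from the article's configuration; the constructed byte strings are sample data, not a captured exchange.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
JUNIPER_VENDOR_ID = 2636      # Juniper Networks enterprise number
JUNIPER_LOCAL_USER_NAME = 1   # Juniper-Local-User-Name VSA sub-type (string)

# User templates from the article's Junos configuration: template name -> login class.
TEMPLATES = {"RO": "read-only", "OP": "operator", "SU": "super-user", "remote": "read-only"}

def build_local_user_name_vsa(template_name: str) -> bytes:
    """Encode Juniper-Local-User-Name as a Vendor-Specific attribute (type 26)."""
    value = template_name.encode()
    sub_attr = struct.pack("!BB", JUNIPER_LOCAL_USER_NAME, 2 + len(value)) + value
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + sub_attr
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body

def extract_local_user_name(attrs: bytes):
    """Scan the attribute section of an Access-Accept; return the template name or None."""
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            break  # malformed attribute: stop rather than over-read
        payload = attrs[pos + 2:pos + alen]
        if atype == RADIUS_VENDOR_SPECIFIC and len(payload) >= 6:
            vendor = struct.unpack("!I", payload[:4])[0]
            sub = payload[4:]
            while vendor == JUNIPER_VENDOR_ID and len(sub) >= 2:
                stype, slen = sub[0], sub[1]
                if slen < 2 or slen > len(sub):
                    break
                if stype == JUNIPER_LOCAL_USER_NAME:
                    return sub[2:slen].decode(errors="replace")
                sub = sub[slen:]
        pos += alen
    return None

def select_login_class(attrs: bytes, templates: dict = TEMPLATES):
    """Article's rule: named template -> 'remote' template -> None (authentication fails)."""
    name = extract_local_user_name(attrs)
    if name is not None and name in templates:
        return templates[name]
    return templates.get("remote")  # None when no remote template is configured

if __name__ == "__main__":
    print(select_login_class(build_local_user_name_vsa("OP")))      # operator
    print(select_login_class(build_local_user_name_vsa("nosuch")))  # read-only (remote fallback)
    print(select_login_class(b"", {"RO": "read-only"}))            # None: login fails
```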


RADIUS server configuration

For the RADIUS server to include the Juniper-Local-User-Name VSA in the Access-Accept message, the RADIUS server must be configured to do so. On the RADIUS server, each user can be assigned a Juniper-Local-User-Name string that names the user template to be used on the Junos device. In the example above, the string would be RO, OP, or SU.

Configuration of the RADIUS server depends on the server being used. For instructions for the Juniper Steel-Belted Radius server, refer to the following link:

http://www.juniper.net/techpubs/en_US/release-independent/sbr/information-products/pathway-pages/sbr-enterprise/product/index.html

For information on using FreeRADIUS, refer to KB19446 - Configuration Example -- How to assign a login class to users that are authenticated using a FreeRADIUS server.

Instead of a RADIUS server, it is also possible to use a TACACS+ server to perform the same function. For more information, refer to the following link:

http://www.juniper.net/techpubs/en_US/junos/topics/task/configuration/tacacs-authentication-configuring.html

