
[WLM] How to configure RingMaster Access Control against a Radius server


Article ID: KB24512 KB Last Updated: 12 Jul 2012 Version: 2.0
Summary:
This article describes how to configure RADIUS authentication for users logging on to RingMaster.

Symptoms:
  • To configure Internet Authentication Service (IAS) on Windows Server 2003, perform the following procedure.

  • Two user access groups have been configured on RingMaster:

    • Admin - This group has administrative privileges

    • Monitor - This group has only monitoring privileges

  • The Remote Access Policy on the RADIUS server returns one of the two groups above as an attribute when a user logs on to RingMaster.

  • The Windows 2008 NPS RADIUS server can be configured similarly by configuring the Connection Request Policy and the Network Policy.
Cause:
 
Solution:
Step 1 - Configure the User Access groups in the RingMaster WebUI:

These can be configured at Access Control > User Access Groups:

The following groups have been configured:
  • Monitor

  • Admin

The privileges are configured as illustrated in the following image:





Step 2 - Configure a local user with Administrative privileges:

This can be configured at Access Control > Settings. The user admin is configured and mapped to the Admin User Access group.

Step 3 - Enable Login Required:

Enable this under Access Control > Settings:



Step 4 - Configure RADIUS Server(s):

This can be configured at Access Control > RADIUS Servers. Both a Primary and a Secondary RADIUS Server can be configured. The Default User-Group can be enabled for cases where the RADIUS server does not return any attribute to set the user group on successful authentication.



Internet Authentication Service (IAS) on Windows Server 2003


Step 5 - Configure RADIUS Client:

Configure the RingMaster server as a RADIUS client in IAS with the same Secret Key as the RADIUS standard shared secret. A client-friendly name can be configured for the RADIUS client. In this example, it has been set to rm-200.

 
Step 6 - Configure a Remote Access Policy:

1. Configure a Remote Access Policy to handle incoming RADIUS authentication requests from the RingMaster server:







The policy conditions can be set to match the incoming requests appropriately.

In our illustration, the configured conditions are Client-Friendly-Name and Windows-Groups.

* Multiple policies may be required to return the corresponding attribute to set privileges for a RingMaster user.

** AD users may need to belong to different Windows groups if the policy is triggered based on Windows-Groups.

Two policies will be required in our illustration: one returns the "Admin" attribute and the other returns the "Monitor" attribute. As an illustration, we have configured only one policy.

2. Select the Grant remote access permission radio button

3. In the above screenshot, Policy conditions can be added with the Add button

4. Click on Edit Profile to further configure Authentication Methods and Vendor Specific Attributes

5. On the Authentication Tab, select the appropriate inner EAP authentication type (MSCHAP v2) and then click EAP Methods



6. Click Add in the Select EAP Providers window and select Protected EAP (PEAP)



7. Once PEAP is added, select it and click Edit to confirm that a server certificate is assigned for EAP authentication.

8. Confirm that the correct EAP type has been selected as well (EAP-MSCHAP v2)




9. Click OK in the above window and navigate back to the Edit Dial-in Profile window mentioned in sequence 5.

10. Click on the Advanced Tab to add the Vendor Specific Attribute to return the RM User Access Group name.




11. Click Add to open the Add Attribute Window and select Vendor-Specific. Click Add



12. This will open the Multivalued Attribute Information box. Click Add



13. Select the radio buttons as illustrated below and enter 14525 as the Vendor Code. 

** For OEM products, enter the appropriate IANA-assigned vendor ID. For example, Nortel Networks is 562.

14. Click Configure Attribute



15. Configure the attribute as illustrated below. 

16. The Attribute value needs to be configured as "nms=<user-access-groupname>"

17. In our example we configure the attribute as nms=Admin where Admin is the User Access Group that has Administrative privileges.

18. This completes the Remote Access Policy Configuration.

19. Click OK and exit out of the Policy Configuration Wizard by clicking OK or Apply on appropriate boxes.





Step 7 - Verify User Properties:

As a precautionary note, make sure that RingMaster Users have appropriate Dial-in permissions set to Allow access.
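
To check the result of steps 13 to 17, the following added example (not part of the original article or of RingMaster) decodes the Vendor-Specific attribute in an Access-Accept and reports which nms= group it carries. The packets are constructed inline; the sub-attribute number SUBTYPE, the exact-match group comparison and all function names are assumptions.

```python
import struct

VENDOR_CODE = 14525                  # Vendor Code entered in step 13
KNOWN_GROUPS = {"Admin", "Monitor"}  # User Access Groups from Step 1
SUBTYPE = 1  # placeholder: the vendor-assigned attribute number is not stated on the page

def vsa(vendor, value, subtype=SUBTYPE):
    """Encode one RFC 2865 Vendor-Specific attribute (type 26) holding a string."""
    sub = bytes([subtype, len(value) + 2]) + value.encode("ascii")
    body = struct.pack("!I", vendor) + sub
    return bytes([26, len(body) + 2]) + body

def access_accept(attrs):
    """Constructed reply: code 2, id 1, zeroed authenticator (not verified here)."""
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

def nms_groups(packet, vendor=VENDOR_CODE):
    """List the groups named by nms=<group> strings in VSAs from `vendor`."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if packet[:1] != b"\x02" or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    groups, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        atype, value = packet[pos], packet[pos + 2:pos + alen]
        pos += alen
        if atype != 26 or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor:
            continue  # another vendor's VSA, e.g. an OEM code such as 562
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            text = sub[2:sub[1]].decode("ascii", "replace")
            if text.startswith("nms="):
                groups.append(text[4:])
            sub = sub[sub[1]:]
    return groups

def classify(packet, vendor=VENDOR_CODE):
    """Say what group a reply would hand to RingMaster, or why none is usable."""
    groups = nms_groups(packet, vendor)
    if not groups:
        return "no-group"  # the Default User-Group, if enabled, decides privileges
    if len(set(groups)) > 1:
        return "ambiguous:" + ",".join(groups)
    # Exact, case-sensitive match against the configured names is an assumption.
    return ("ok:" if groups[0] in KNOWN_GROUPS else "unknown-group:") + groups[0]
```

A "no-group" result for an account that should be restricted is worth checking against the Default User-Group setting from Step 4, since that setting then determines the privileges granted.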



