This article describes how to configure RADIUS authentication for users who log on to RingMaster.
Step 1 - Configure the User Access groups in the RingMaster WebUI:
This can be configured at Access Control > User Access Groups:
The following groups have been configured:
The privileges are configured as illustrated in the following image:
Step 2 - Configure a local user with Administrative privileges:
This can be configured at Access Control > Settings. The user admin is configured and mapped to the Admin User Access group.
Step 3 - Enable Login Required:
Enable this under Access Control > Settings:
Step 4 - Configure RADIUS Server(s):
This can be configured at Access Control > RADIUS Servers. The Primary and Secondary RADIUS Servers can be configured. The Default User-Group can be enabled if the RADIUS server does not return any attribute to set the User groups on successful authentication.
Internet Authentication Service (IAS) on Windows Server 2003
Step 5 - Configure RADIUS Client:
Configure the RingMaster Server as a RADIUS client in IAS with the same Secret Key as the RADIUS standard shared secret. A client-friendly name can be configured for the RADIUS client. In this example, it has been configured as rm-200.
Step 6 - Configure a Remote Access Policy:
1. Configure a Remote Access Policy to handle incoming RADIUS authentication requests from the RingMaster server:
The policy conditions can be set accordingly to appropriately match the incoming requests.
In our illustration, the configured conditions are Client-Friendly-Name and Windows User-group.
* Multiple Policies may be required to return the corresponding attribute to set privileges for a RingMaster User.
** AD Users may need to belong to different Windows Groups if the policy is triggered based on Windows-Groups.
Two policies will be required in our illustration. One will return the "Admin" attribute and the other will return the "Monitor" attribute. As an illustration, we have configured only one policy.
2. Select the Grant remote access permission radio button.
3. In the above screenshot, Policy conditions can be added with the Add button.
4. Click on Edit Profile to further configure Authentication Methods and Vendor Specific Attributes.
5. On the Authentication Tab, select the appropriate inner EAP authentication type (MSCHAP v2) and then click EAP Methods.
6. Click Add in the Select EAP Providers Window and select Protected EAP (PEAP).
7. Once PEAP is added, select it and click Edit to confirm that a server certificate is assigned for EAP authentication.
8. Confirm that the correct EAP type has been selected as well (EAP-MSCHAP v2).
9. Click OK in the above window and navigate back to the Edit Dial-in Profile Window mentioned in sequence 5.
10. Click on the Advanced Tab to add the Vendor Specific Attribute to return the RM User Access Group name.
11. Click Add to open the Add Attribute Window and select Vendor-Specific. Click Add.
12. This will open the Multivalued Attribute Information box. Click Add.
13. Select the radio buttons as illustrated below and enter 14525 as the Vendor Code.
** For OEM enter the appropriate IANA assigned vendor id. For example, Nortel Networks is 562.
14. Click Configure Attribute.
15. Configure the attribute as illustrated below.
16. The Attribute value needs to be configured as "nms=<user-access-groupname>".
17. In our example we configure the attribute as nms=Admin where Admin is the User Access Group that has Administrative privileges.
18. This completes the Remote Access Policy Configuration.
19. Click OK and exit out of the Policy Configuration Wizard by clicking OK or Apply on appropriate boxes.
Step 7 - Verify User Properties:
As a precautionary note, make sure that RingMaster Users have appropriate Dial-in permissions set to Allow access.
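To check which User Access Group a policy built in sequences 10 to 17 actually hands back, the following added example (not part of the original article or of any vendor tool) parses the attribute section of a RADIUS reply, extracts the nms=<group> value from Vendor-Specific attributes carrying vendor code 14525, and applies a Default User-Group as described in Step 4 when none is returned. The sample replies are constructed, sub-attribute number 1 is a placeholder because the article's screenshot with the real value is not reproduced, and using the first returned group is an assumption.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute type (RFC 2865)
VENDOR_ID = 14525      # Vendor Code entered in sequence 13

def iter_attributes(buf):
    """Yield (type, value) for each type/length/value attribute in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        a_type, a_len = buf[pos], buf[pos + 1]
        yield a_type, buf[pos + 2:pos + a_len]
        pos += a_len

def nms_groups(attrs, vendor_id=VENDOR_ID):
    """Return every group named by an 'nms=<group>' VSA for vendor_id."""
    groups = []
    for a_type, value in iter_attributes(attrs):
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue  # VSA from another vendor: ignore it
        # Sub-attributes inside the VSA share the same TLV layout.
        for _sub_type, sub_val in iter_attributes(value[4:]):
            text = sub_val.decode("ascii", "replace")
            if text.startswith("nms=") and len(text) > 4:
                groups.append(text[4:])
    return groups

def effective_group(attrs, default_group=None):
    """First returned group (assumption), else the Default User-Group if set."""
    groups = nms_groups(attrs)
    return groups[0] if groups else default_group

def build_vsa(vendor_id, sub_type, text):
    """Build a constructed Vendor-Specific attribute for the samples below."""
    sub = bytes([sub_type, 2 + len(text)]) + text.encode("ascii")
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", vendor_id) + sub

# Constructed samples. Sub-attribute number 1 is a placeholder, not the
# vendor-assigned attribute number from the article's missing screenshot.
ADMIN_REPLY = build_vsa(14525, 1, "nms=Admin")
OEM_REPLY = build_vsa(562, 1, "nms=Monitor")   # OEM vendor id from the note
NO_VSA_REPLY = bytes([18, 4]) + b"ok"          # Reply-Message only, no VSA

if __name__ == "__main__":
    for name, reply in [("admin", ADMIN_REPLY), ("oem", OEM_REPLY), ("none", NO_VSA_REPLY)]:
        print(name, nms_groups(reply), effective_group(reply, default_group="Monitor"))
```

A reply whose vendor code does not match the one configured for the deployment yields no group, which is the case where the Default User-Group setting decides the user's privileges.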