[EOL/EOE] [NSM] RADIUS authentication server configuration for Microsoft IAS for NSM GUI client user logins

Article ID: KB28710 | KB Last Updated: 18 Oct 2020 | Version: 3.0
Summary:

Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE).  Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.


As the NSM Admin guide says, if you are using a Microsoft Internet Authentication Server (IAS) RADIUS server, there is no dictionary file to load; you must manually define the correct vendor-specific attributes (VSAs) on the server. This article lists the values of those VSAs.

Symptoms:

A Knowledge Base article already exists for NSMXpress WebUI login authentication: KB17581 - NSMXpress - How to configure Microsoft Internet Authentication Server (IAS) as a RADIUS Authentication Server for NSMXpress WebUI. This article is similar, but covers NSM GUI client logins and the remote authentication settings on the Microsoft IAS RADIUS server side.

For NSM Client UIs, the list of supported RADIUS servers is as follows, as per KB16842 - NSMXpress - Which radius servers are supported for admin user authentication:

  • Steel-Belted Radius server
  • FreeRADIUS server
  • Microsoft IAS
  • Cisco RADIUS servers

Solution:

To configure IAS to send the proper RADIUS attributes for NSM GUI client login authentication, perform the following steps:

  1. Configure Remote Access Policies:
  2. Edit Profile for your defined policy.
  3. Go to the Advanced tab.
  4. Add Vendor-Specific Attribute Information:
  5. Enter vendor code 2636 (Juniper).
  6. Select "Yes. It conforms".
  7. Click Configure Attribute.
  8. Specify the vendor-assigned attribute number:

     To map a user to the global group, add the following:
     Vendor Assigned Attribute Number - 220
     Attribute Format - String
     Attribute Value - global

     To map a user to a predefined role, add the following:
     Vendor Assigned Attribute Number - 221
     Attribute Format - String
     Attribute Value - global:System Administrator
     (The attribute value can be any of the predefined roles available on NSM, such as global:System Administrator, global:Domain Administrator, etc.)

  9. Save this. Delete the user entry locally from the Manage administrators tab within the NSM, if it was added there.

Note:

You can run tail on /usr/netscreen/GuiSvr/var/errorlog/guiDaemon.0

When you log in, you will see a "Local User Failed" and a "No user found" message. That is because the user does not exist in the NSM DB.

If you have syntax errors in your IAS definition, you will get messages about malformed attributes.

If all is correct you will be able to log in.
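
To check what IAS actually sends when the log reports malformed attributes, the following added example (not part of the original article or any Juniper tooling) encodes and parses the two VSAs from the steps above. It assumes that selecting "Yes. It conforms" produces the standard RFC 2865 Vendor-Specific layout (type 26, length, 4-byte vendor ID, then vendor type, vendor length, value); the function names and the sample bytes are constructed for illustration.

```python
import struct

VSA_TYPE = 26             # RADIUS Vendor-Specific attribute (RFC 2865, section 5.26)
JUNIPER_VENDOR_ID = 2636  # vendor code from the article

def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute carrying a single string sub-attribute."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    total = 2 + 4 + len(sub)  # type + length + vendor id + sub-attribute
    if total > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BBI", VSA_TYPE, total, vendor_id) + sub

def parse_vsas(attrs):
    """Walk a RADIUS attribute list and return [(vendor_id, vendor_type, string)]."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute length")
        a_type, a_len = attrs[i], attrs[i + 1]
        body = attrs[i + 2:i + a_len]
        if a_type == VSA_TYPE:
            if len(body) < 6:
                raise ValueError("Vendor-Specific attribute too short")
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):
                # Each sub-attribute: vendor type, vendor length (covers both), value
                if j + 2 > len(body) or body[j + 1] < 2 or j + body[j + 1] > len(body):
                    raise ValueError("malformed vendor sub-attribute")
                v_type, v_len = body[j], body[j + 1]
                out.append((vendor_id, v_type, body[j + 2:j + v_len].decode("utf-8")))
                j += v_len
        i += a_len  # non-VSA attributes are skipped
    return out

# Constructed sample: the attribute bytes an Access-Accept would carry for the
# two mappings in the article (220 = "global", 221 = predefined role).
SAMPLE = (encode_vsa(JUNIPER_VENDOR_ID, 220, "global")
          + encode_vsa(JUNIPER_VENDOR_ID, 221, "global:System Administrator"))

if __name__ == "__main__":
    print(SAMPLE.hex())
    for vendor, vtype, text in parse_vsas(SAMPLE):
        print(vendor, vtype, text)
```

Feed `parse_vsas` the attribute section of a captured Access-Accept (the bytes after the 20-byte RADIUS header) and compare the result with the values configured in IAS.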

Modification History:
2020-10-18: Tagged article for EOL/EOE.
 