Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Example Configuration - SmartPass using external RADIUS Authentication with Windows 2008 NPS Server in an Active Directory Environment



Article ID: KB32523 KB Last Updated: 24 Feb 2020Version: 2.0

This article explains how to configure SmartPass server with a Windows 2008 NPS server to allow SmartPass administrators and provisioning users to log into the SmartPass server via an external RADIUS server.  The instructions that follow assume there is a working Windows Active Directory environment and Windows 2008 server in place and that you have a working knowledge of both.

Example environment used:
  • Windows 2003 AD with Windows 2008 NPS on separate machines in the same domain. 
  • SmartPass was installed on a separate Windows 2008 server.



Configuration from the controller:

set service-profile test-web ssid-name TAC-test
set service-profile test-web ssid-type clear
set service-profile test-web auth-fallthru web-portal
set service-profile test-web psk-encrypted <pass>
set service-profile test-web web-portal-form
set service-profile test-web web-portal-acl testacl
set service-profile test-web rsn-ie auth-psk enable
set service-profile test-web attr vlan-name default 
set security acl name testacl permit udp eq 68 eq 67
set security acl name testacl permit ip
set security acl name testacl deny capture 
set radius server smartpass address auth-port 1818 timeout 5 retransmit 3 deadtime 0 encrypted-key <pass>
set server group smartpass-grp members smartpass
set radius dac smartpass address replay-protect disable encrypted-key 0119130a521b031d701e1d
set authentication web ssid TAC-test ** smartpass-grp
set authorization dynamic ssid TAC-test smartpass
  1. Create User Groups in AD for both SmartPass Administrators and Provisioning Users

    1. Go to Active Directory Users and Computers
    2. Select your domain
    3. Go to Users
    4. Right Click Users
    5. Select New > Group
    6. Give your User Group a name (Example: SP-Admins and SP-Provisioning)
    7. Add existing users or create new users and add to the respective group. (Note: Verify the user has "Allow access" selected for Remote Access Permissions.  This is found under the Dial-in Tab of the User Properties (Example: User name Smartpass Admin)

  2. Modify your SmartPass Server

    1. Log into your SmartPass Server as Admin.
    2. Go to Setup and select Radius Servers Management
    3. Under Radius Servers, click Add
    4. Enter the Name and IP Address of your NPS Server along with the Shared Secret.  (NOTE:  Make a note of the Shared Secret.  You will need it later when configuring the NPS Server.) 
    5. Click Save
    6. Under Radius Server Groups, click Add
    7. Enter a name for your Server Group, click Next 
    8. Under Available RADIUS Servers, select your NPS Server and Move to Selected RADIUS Servers, click Finish 
    9. Back at the Setup Screen, Select Access Control
    10.  Under External RADIUS Authentication, check Enable
    11. Select your Authentication Type.  (Example:  MSCHAPv2)
    12. Select the Radius Server Group you configured in Steps 2.6-2.8
    13. Select the Default User Role of None
    14.  Click Save 
  3. Configure Windows 2008 NPS

    1. Go to Network Policy and Access Services
    2. Select NPS (Local)
    3. Select RADIUS Clients and Servers
    4. Select RADIUS Clients
    5. Right-click RADIUS Clients and select New RADIUS Client
    6. Enter all the SmartPass Server details here: Friendly name (Example:  smartpass), IP address and shared secret key (exactly the same as the one configured in SmartPass Server) 
    7. Click OK to finish
    8. Select NPS (Local) again
    9. In the middle, notice the Getting started screen. Select RADIUS Server for 802.1X Wireless or Wired Connections from the drop-down list   
    10. Click on Configure 802.1X
    11. Select Secure Wired (Ethernet) Connections and give the policies a friendly name, click Next 
    12. Make sure the Radius client configured previously appears here, then click Next
    13. In Configure an Authentication Method, select Protected EAP (PEAP) from the drop-down list
    14. Click Configure and make sure you have a certificate to be used for EAP, then click OK 
    15. In Specify User Groups window select Add and find and select the User group created at step 1.6 
    16. In Configure a Virtual LAN (VLAN) window select Configure
    17. Go to the Vendor Specific attributes
    18. Click Add, select Vendor Specific, and click Edit
    19. Click Add, select Vendor Code 14525 (Trapeze), check “Yes, It conforms” button
    20. Click Configure Attribute, select VSA number 17, and attribute format String and the attribute value Administrator
    21. Click OK, OK, OK, Close, and OK until you are back at Configure a Virtual LAN (VLAN)
    22. After getting back, click Next
    23. Notice 2 policies are created: one Connection Request policy (example:  SP-External Radius-Connection) and one Network policy (example:  SP-External Radius-Connection) NOTE:  These can be renamed to be more descriptive, such as SP-Admin-Access
    24.  Click Finish
    25. Edit the Connection Request policy that was just created
    26. Select NPS(Local), Policies, Connection Policies
    27. Find the Policy that was just created (example:  SP-External Radius-Connection) and go to Properties 
    28. Go to the Conditions Tab, then click Add
    29. Scroll down until you find Day and Time Restrictions, then click Add
    30. Select Permitted, then click OK 
    31. Select and Remove the Condition "NAS Port Type" so that only "Day and time restrictions remain", click OK
    32. This Connection Request Policy can be used for multiple Network Policies.  If you stop now, you will allow SmartPass Administrators to log in via External Radius Authentication.  Continue to the next step to allow Provisioning Users.

  4. Network Policy for Provisioning Users

    1. Select NPS (Local), Policies, Connection Policies
    2. Find the Network Policy (example:  SP-External Radius-Connection) created earlier, right-click and select Duplicate Policy.  You will see the new Network Policy created. 
    3. Select and Go to Properties of the new Network Policy (Example:  Copy Of SP-Externat-Radius-Connection)
    4. In Overview enter a new Policy Name (Example:  SP-Provisioning-Access)
    5. Go to the Conditions Tab, remove the current Windows Group (Example:  SP-Admins)
    6. Click Add, select Windows Group, click Add, and click Add Groups
    7. Enter the name of the Windows Group you created in AD for Provisioning Users (Example:  SP-Provisioning). 
    8. Click OK until you are back at Conditions Tab showing only the new Condition 
    9. Select the Settings Tab
    10. Under RADIUS Attributes, select Vender Specific 
    11. Select the Current Attribute (Value Administrator) and Edit
    12. Edit this Attribute
    13. Verify the Vender Code is 14525 and “Yes. It conforms” radio button is selected
    14. Click Configure Attribute, select VSA number 17, and attribute format String and the attribute value Provisioning 
    15. Click OK, click OK again.  You will be at the Attribute Information screen 
    16. Click Add, select Vendor Code 14525, and check “Yes, It conforms”
    17. Click Configure Attribute, select VSA number 17, and attribute format String and the attribute value of the User Type found in SmartPass you wish the Provisioning User to create.  Below is an example of all the default User Types in SmartPass. 
      1-Hour Duration; 12-Hours Duration; 24-Hours Duration; 5-Days; 5-Days Business Hours 
    18. Click OK, click OK again.  You will be at the Attribute Information screen with two attributes listed 
    19. Click OK to go back to the Settings Tab.
    20. Click OK to go to the Network Policies Screen.
    21. “Enable” the new policy.  Right-click the policy and select Enable
    22. You are now Finished.
Modification History:

2020-02-23: Changed encrypted password to <pass>.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search