[BTI] Configure PSM server's internal RADIUS for BTI Network Element user login authentication

Article ID: KB34125
KB Last Updated: 26 Mar 2020
Version: 2.0
Summary:

This article shows how to configure the internal RADIUS server of the ProNX Service Manager (PSM server) so that Juniper BTI network elements authenticate user login requests for applications such as SSH, Telnet, and ProNX900 against it.

For instructions on how to use an external RADIUS server for PSM client authentication, see KB32730 - Configure the PSM server to use External RADIUS for PSM Client login authentication.

Solution:

By default, the RADIUS service (radiusd) is already running on the PSM server. For devices to use it for user authentication, a RADIUS server profile must be defined in the PSM override configuration file and client profiles must be added to the RADIUS clients file. Each managed BTI node (network element) is then configured to use RADIUS authentication in place of its local user database.

  1. Configure the PSM server to be a RADIUS server.

    Log in to the PSM server via SSH as the root user. Edit the file override-common.properties in /var/local/ems9001/conf/ and add the RADIUS server configuration shown in the example below.

    vi /var/local/ems9001/conf/override-common.properties

    Note: See the instructions for the vi editor by typing "man vi" at the command line. 

    Note: The RADIUS secret can be any string. Use a shared secret of at least 8 characters composed of upper case letters, lower case letters, and numbers; a longer, randomly generated secret is better, because the secret is the only thing that binds RADIUS requests and replies to a legitimate client or server (the protocol's password hiding and its Response Authenticator are both derived from it). The same secret is entered again in steps 2, 4 and 6, so keep a record of it.

    Example Server Configuration:
    auth.radius.server.1=localhost
    auth.radius.port.authentication.1=1812
    auth.radius.port.accounting.1=1813
    auth.radius.timeout.1=2
    auth.radius.retryCount.1=2
    auth.radius.secret.1=NewSecret12
        

    Once you have completed the changes, save the file and restart the PSM services.

    psm-restart

    When the EMS processes indicate "running", press Ctrl+C to exit the status page.

  2. Add the network elements as RADIUS clients.

    The client profiles are located in /etc/raddb/clients.conf. The default clients.conf contains several pages of comments and examples as well as some default settings, including a localhost client with a well-known default secret. To make editing easier, rename the default clients.conf and create a new one containing only the necessary client configuration; because the renamed file no longer applies, its default localhost entry disappears as well, which is why the monit probe in step 6 must be updated to the new secret. Add the client profiles following the example below.

    At the command line rename the default file and create a new one:

    mv /etc/raddb/clients.conf /etc/raddb/clients.conf.default
    vi /etc/raddb/clients.conf
      (to create and edit a new clients.conf file)

    Note:  The secret must match the secret used in the Server profile configured in step 1.    

    Example Client Profiles:

    # The PSM server itself; the monit probe in step 6 also comes from this address
    client psmclient {
            ipaddr        = 127.0.0.1
            proto         = *
            nas_type      = other
            secret        = NewSecret12
            require_message_authenticator = no
    }
    # A single BTI network element
    client networkhost {
            ipaddr        = 172.27.90.3
            secret        = NewSecret12
            shortname     = BTI
    }
    # Every network element in a management subnet
    client networksubnet {
            ipaddr        = 172.27.100.0/24
            secret        = NewSecret12
            shortname     = BTI
    }

    Save the changes, and restart the radiusd process.

    systemctl restart radiusd

    Note:  The ipaddr can be a specific host, an IP range with a network mask (for example /24), or all IP addresses (0.0.0.0/0). Use the narrowest range that covers the managed nodes: every host matching a client entry may send authentication requests against the shared secret, so 0.0.0.0/0 is only acceptable on a management network isolated from untrusted hosts.

    Note:  require_message_authenticator = no tells radiusd not to insist on the Message-Authenticator attribute from that client. An Access-Request without that attribute carries no integrity check, so leave the setting at yes for any client that sends it.

    Use the command 'radiusd -XC' to check the RADIUS configuration: it parses the configuration files and exits without starting the server, which is useful when troubleshooting.

  3. Use the PSM client GUI to create individual usernames or a shared username profile. 

    Log in to PSM via the PSM client as the admin user.

    Go to Edit -> User Management, right-click in the blank area, and select "Add user".

    Enter a username and password, and select the role (permission level).


  4. Configure the network elements to use RADIUS authentication.   

    The PSM server includes scripts that configure RADIUS authentication on the various BTI Juniper product types.

    Log in with the PSM client.

    Right-click a network element and go to Scripts -> Network Elements -> Configure Radius Server.


    Enter the IP address of the RADIUS server (the IP address of the PSM server) and the RADIUS secret key from step 1. The name of the RADIUS server is optional. When OK is clicked, the PSM server runs a script that configures the required parameters on the managed BTI node. The task must finish with a result of "success".

    Note:  Hold down the control key to select multiple network elements.

    Note:  The PSM server script logs in to the managed BTI nodes as the "admin" user defined in the PSM local RADIUS user database and applies the configuration changes; the local admin password on each node must therefore be the same as the admin password used by the PSM client. The configuration can also be added directly on a network element via its command line; see the CLI user guide for each product.

  5. Test the RADIUS authentication. 

    Log in to the managed node (via SSH, Telnet, or ProNX900) with the RADIUS user you just created in the PSM client. The login should succeed even though the account has not been created on the managed node, because the node forwards the credentials to the RADIUS server for authentication. Test from a new session while an existing administrative session to the node stays open, and check what the node does when the RADIUS server is unreachable (see its CLI user guide), so that a mistyped secret or a PSM outage cannot lock administrators out. On the PSM server, stopping radiusd and running it in the foreground with 'radiusd -X' shows each Access-Request and the reply, which makes a secret mismatch or an unknown client address immediately visible.
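    The following is an added example, not code from this article, PSM, BTI or FreeRADIUS. It is a small PAP test client in Python that does what a BTI node does when a user logs in: it hides the password with the shared secret (RFC 2865 section 5.2), adds a Message-Authenticator (RFC 2869 section 5.14) so the server can detect a forged or tampered request, which is what the require_message_authenticator setting in step 2 controls, and checks the Response Authenticator of the reply so that an answer from a host that does not hold the secret is rejected. The script name, the user and password, and the server address in the usage line are assumptions; the secret NewSecret12 and port 1812 are the article's values.

```python
"""PAP Access-Request test client for step 5 (RFC 2865 / RFC 2869).  Added example,
not PSM, BTI or FreeRADIUS code: hides the password with the shared secret as a BTI
node does, adds a Message-Authenticator, and verifies the Response Authenticator."""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_MESSAGE_AUTHENTICATOR = 80

def _attr(atype, value):
    return struct.pack("BB", atype, len(value) + 2) + value  # TLV; length includes the header

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous cipher
    block); the first block is keyed by the Request Authenticator.  secret is bytes."""
    padded = password.encode() or b"\x00"      # an empty password still needs one block
    padded += b"\x00" * (-len(padded) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; trailing NULs are padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def parse_attributes(packet):
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def build_access_request(username, password, secret, ident=0, nas_ip="127.0.0.1",
                         authenticator=None):
    """Build an Access-Request; passing authenticator is only for reproducible tests."""
    secret = secret.encode()
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: must be unpredictable
    body = _attr(ATTR_USER_NAME, username.encode())
    body += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    body += _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, filled in below
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    # RFC 2869 5.14: HMAC-MD5 keyed with the secret over the packet with the value zeroed
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_message_authenticator(packet, secret):
    """The check radiusd makes for a client with require_message_authenticator = yes;
    False when the attribute is missing or was computed with a different secret."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret.encode(), zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False

def authenticate(server, secret, username, password, port=1812, timeout=2.0):
    """Send one Access-Request; True on Access-Accept, False on any other reply code."""
    ident = os.urandom(1)[0]
    request = build_access_request(username, password, secret, ident=ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)                  # socket.timeout means the server dropped it
        sock.sendto(request, (server, port))
        reply, _ = sock.recvfrom(4096)
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        raise ValueError("reply does not belong to this request")
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret.encode()).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or spoofed reply")
    return code == ACCESS_ACCEPT

if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: radius_pap_test.py <server> <secret> <username> <password>")
    print("Access-Accept" if authenticate(*sys.argv[1:]) else "Access-Reject")
```

    Run it from a host that is listed as a client in clients.conf, for example 'python3 radius_pap_test.py 172.27.90.1 NewSecret12 alice <password>' (file name and addresses assumed); it prints Access-Accept or Access-Reject. A timeout rather than a reply means the server dropped the request, which with FreeRADIUS usually means the sending address matches no client entry or the secret, and therefore the Message-Authenticator, is wrong; 'radiusd -X' on the PSM server shows which.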
  6. Modify the monit daemon configuration file:

    If the monit daemon running on the PSM server is newer than version 5.14, its configuration file for the RADIUS service must be checked and, if necessary, modified so that monit keeps the RADIUS service running.

    Check monit daemon version:

    # monit -V
    This is Monit version 5.25.1


    Check the monit configuration file that maintains the RADIUS service:

    # cat /etc/monit.d/radiusd.inc
    check process radiusd with pidfile /var/run/radiusd/radiusd.pid
        start program = "/usr/bin/systemctl start radiusd"
        stop program = "/usr/bin/systemctl stop radiusd"
    if failed host 127.0.0.1 port 1812 type udp protocol radius secret Testing123 then alert
    if 5 restarts within 5 cycles then timeout


    Modify the monit RADIUS configuration file so that the secret in the 'protocol radius secret ...' probe is the same secret entered in steps 1 and 2. With the old Testing123 value the probe cannot authenticate against the reconfigured server, so monit's check of radiusd fails.

    clients.conf (steps 1 and 2):
    secret        = NewSecret12

    radiusd.inc (step 6):
    if failed host 127.0.0.1 port 1812 type udp protocol radius secret NewSecret12 then alert


    Reload monit daemon:

    # monit reload
    Reinitializing monit daemon
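    Steps 1, 2, 4 and 6 all depend on the one shared secret, and a mismatch anywhere shows up only indirectly, as a node that cannot log in or as a monit alert. The script below is an added example, not PSM, FreeRADIUS or monit code: it reads the three files on the PSM server, checks that every client secret and the monit probe secret equal auth.radius.secret.1, and also flags unbalanced braces in clients.conf, ipaddr entries that admit any host, and secrets that are shorter than the article's 8-character minimum or equal to the well-known FreeRADIUS default. The script name and the SAMPLE_* contents are constructed for illustration; the file paths in the usage line are the ones this article uses.

```python
"""Cross-check the RADIUS shared secret across the three files this procedure
edits: override-common.properties (step 1), clients.conf (step 2) and monit's
radiusd.inc (step 6).  Added example, not PSM, FreeRADIUS or monit code; the
file formats follow the article and the SAMPLE_* texts are constructed."""
import re
import sys

MIN_SECRET_LEN = 8             # the article's minimum; longer random secrets are better
PLACEHOLDERS = {"testing123"}  # the localhost secret shipped in FreeRADIUS' default clients.conf
RE_PROP = re.compile(r"^\s*auth\.radius\.secret\.(\d+)\s*=\s*(\S*)", re.M)
RE_MONIT = re.compile(r"protocol\s+radius\s+secret\s+(\S+)")


def parse_clients(text):
    """Minimal clients.conf reader: one dict per 'client <name> {' block."""
    clients, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"client\s+([^\s{]+)", line)
        if m:
            cur = {"name": m.group(1), "ipaddr": None, "secret": None,
                   "require_message_authenticator": None}
            clients.append(cur)
            continue
        m = re.match(r"(\w+)\s*=\s*(\S+)", line)
        if m and cur is not None and m.group(1) in cur:
            cur[m.group(1)] = m.group(2)
    return clients


def audit(properties_text, clients_text, monit_text):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    server_secret = dict(RE_PROP.findall(properties_text)).get("1")
    if server_secret is None:
        findings.append("properties: auth.radius.secret.1 is not set")
    if clients_text.count("{") != clients_text.count("}"):
        findings.append("clients.conf: unbalanced braces; radiusd -XC will reject the file")
    clients = parse_clients(clients_text)
    if not clients:
        findings.append("clients.conf: no client blocks found")
    for c in clients:
        if c["secret"] != server_secret:
            findings.append(f"client {c['name']}: secret differs from auth.radius.secret.1")
        if c["ipaddr"] in ("0.0.0.0/0", "*"):
            findings.append(f"client {c['name']}: ipaddr {c['ipaddr']} lets any host send "
                            "requests against the secret; restrict it to the NE management subnet")
        if c["require_message_authenticator"] == "no":
            findings.append(f"client {c['name']}: Message-Authenticator not required, so an "
                            "Access-Request from this client carries no integrity check")
    m = RE_MONIT.search(monit_text)
    if m is None:
        findings.append("radiusd.inc: no 'protocol radius secret' probe found")
    elif m.group(1) != server_secret:
        findings.append("radiusd.inc: monit probe secret differs; monit will report radiusd as failed")
    for s in {server_secret, *(c["secret"] for c in clients)} - {None}:
        if len(s) < MIN_SECRET_LEN or s.lower() in PLACEHOLDERS:
            findings.append(f"secret {s!r}: shorter than {MIN_SECRET_LEN} or a known placeholder")
    return findings


# Constructed samples mirroring the step 1, 2 and 6 snippets above
SAMPLE_PROPS = "auth.radius.server.1=localhost\nauth.radius.secret.1=NewSecret12\n"
SAMPLE_CLIENTS = """client psmclient {
    ipaddr = 127.0.0.1
    secret = NewSecret12
}
client networksubnet {
    ipaddr = 172.27.100.0/24
    secret = NewSecret12
    shortname = BTI
}
"""
SAMPLE_MONIT_BEFORE = ("check process radiusd with pidfile /var/run/radiusd/radiusd.pid\n"
                       "    if failed host 127.0.0.1 port 1812 type udp protocol radius "
                       "secret Testing123 then alert\n")
SAMPLE_MONIT_AFTER = SAMPLE_MONIT_BEFORE.replace("Testing123", "NewSecret12")


def main(argv):
    if len(argv) == 4:      # the real files, e.g. the three paths named in this article
        texts = [open(p, encoding="utf-8", errors="replace").read() for p in argv[1:]]
    else:                   # no arguments: run offline against the constructed samples
        texts = [SAMPLE_PROPS, SAMPLE_CLIENTS, SAMPLE_MONIT_BEFORE]
    findings = audit(*texts)
    for f in findings:
        print("FINDING:", f)
    print("OK: secrets agree" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    On the PSM server run 'python3 radius_secret_audit.py /var/local/ems9001/conf/override-common.properties /etc/raddb/clients.conf /etc/monit.d/radiusd.inc' (script name assumed); it exits non-zero with one line per finding, so it can be run after each of steps 1, 2 and 6 or from cron. Without arguments it runs against the constructed samples, where the only finding is the monit probe still carrying Testing123, the state before step 6.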
Modification History:
2020-03-25 - Added step 6 in the solution to modify the monit daemon configuration file.