
[ScreenOS] Radius Attributes for admin privileges

Article ID: KB5688 KB Last Updated: 18 Apr 2013Version: 7.0
Summary:
This article provides information about the Radius attributes for admin privileges.
Symptoms:
Information about the Radius attributes for admin privileges.
Cause:

Solution:

In ScreenOS, Radius authentication features support Radius attributes for everything except usernames, passwords, and IP addresses (this is the standard behavior for XAuth and L2TP).

The following table lists the supported admin privilege attributes and their values:

  Privilege Level                                                  Value
  ROOT (Requires VSA#2 VSYS Name 'ROOT' be entered;
        supported in ScreenOS 6.x only)                              1
  All (Read-Write)                                                   2
  VSYS_ADMIN (Requires VSA#2 VSYS Name be entered)                   3
  Read_only                                                          4
  VSYS_Read_only (Requires VSA#2 VSYS Name be entered)               5


For RADIUS Server Dictionary files:

For ScreenOS MIBs and dictionary files, refer to the following link:

www.juniper.net/techpubs/software/index_mibs.html


For Funk and Steel Belt Radius, refer to the following link:

http://www.juniper.net/support/files/dictionary/funk_radius.zip

For Cisco ACS, refer to the following link:

http://www.juniper.net/support/files/dictionary/cisco_radius.zip 


Root admin privilege notes:

  • The root admin privilege level is not supported in ScreenOS 5.4 or earlier. It is supported in ScreenOS 6.0 or later.
  • When using the ScreenOS dictionary files, use the ScreenOS 6.2.0 RADIUS dictionary file (for ScreenOS 6.x), as it has the ROOT attribute. The ScreenOS 6.0.0 RADIUS dictionary file does not have the ROOT attribute.

    6.2.0.radius.netscreen.zip (netscreen.dct)
    # For Admin Privileges
    # READ_WRITE (ALL): 2, VSYS_ADMIN: 3, READ_ONLY: 4, VSYS_READ_ONLY: 5
    ATTRIBUTE NS-Admin-Privilege 26 [vid=3224 type1=1 len1=+2 data=int4] r
    VALUE NS-Admin-Privilege ROOT 1
    VALUE NS-Admin-Privilege READ_WRITE 2
    VALUE NS-Admin-Privilege VSYS_ADMIN 3
    VALUE NS-Admin-Privilege READ_ONLY 4
    VALUE NS-Admin-Privilege VSYS_READ_ONLY 5

    6.0.0.radius.netscreen.zip (netscreen.dct)
    # For Admin Privileges
    # READ_WRITE (ALL): 2, VSYS_ADMIN: 3, READ_ONLY: 4, VSYS_READ_ONLY: 5
    ATTRIBUTE NS-Admin-Privilege 26 [vid=3224 type1=1 len1=+2 data=int4] r
    VALUE NS-Admin-Privilege READ_WRITE 2
    VALUE NS-Admin-Privilege VSYS_ADMIN 3
    VALUE NS-Admin-Privilege READ_ONLY 4
    VALUE NS-Admin-Privilege VSYS_READ_ONLY 5
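As an added illustration (not code from the article or from Juniper), the following Python builds and parses the NS-Admin-Privilege VSA in the layout the dictionary line describes (RADIUS attribute type 26, vendor id 3224, 1-byte vendor type 1, 1-byte length that includes its own 2-byte header, 4-byte integer) and applies the VSYS-name rules from the table above. It assumes "VSA#2 VSYS Name" is a plain string sub-attribute with vendor type 2; the sample attribute list is constructed here.

```python
import struct

NS_VENDOR_ID = 3224        # vid=3224 in the netscreen.dct ATTRIBUTE line
VT_ADMIN_PRIVILEGE = 1     # NS-Admin-Privilege, data=int4
VT_VSYS_NAME = 2           # "VSA#2 VSYS Name" (assumed: plain string data)
PRIVILEGES = {1: "ROOT", 2: "READ_WRITE", 3: "VSYS_ADMIN",
              4: "READ_ONLY", 5: "VSYS_READ_ONLY"}

def encode_vsa(vendor_type, data):
    """Build one RFC 2865 Vendor-Specific (type 26) attribute holding a NetScreen sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data   # len1=+2: header counted
    body = struct.pack("!I", NS_VENDOR_ID) + sub
    return struct.pack("!BB", 26, len(body) + 2) + body

def decode_attributes(blob):
    """Walk a RADIUS attribute list; return NetScreen sub-attributes as {vendor_type: bytes}."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        if atype == 26 and alen >= 8:
            vid = struct.unpack("!I", blob[i + 2:i + 6])[0]
            if vid == NS_VENDOR_ID:
                j = i + 6
                while j < i + alen:           # a VSA may carry several sub-attributes
                    vtype, vlen = blob[j], blob[j + 1]
                    if vlen < 2 or j + vlen > i + alen:
                        raise ValueError("malformed vendor sub-attribute")
                    out[vtype] = blob[j + 2:j + vlen]
                    j += vlen
        i += alen
    return out

def admin_privilege(attrs):
    """Resolve the privilege name, enforcing the VSYS-name requirements from the table."""
    raw = attrs.get(VT_ADMIN_PRIVILEGE)
    if raw is None or len(raw) != 4:          # int4: anything else is not a valid value
        return None
    name = PRIVILEGES.get(struct.unpack("!I", raw)[0])
    vsys = attrs.get(VT_VSYS_NAME, b"").decode("ascii", "replace")
    if name == "ROOT" and vsys != "ROOT":
        raise ValueError("ROOT privilege requires VSA#2 VSYS Name 'ROOT'")
    if name in ("VSYS_ADMIN", "VSYS_READ_ONLY") and not vsys:
        raise ValueError(f"{name} requires VSA#2 VSYS Name")
    return name

# Constructed sample: Access-Accept attributes granting ROOT with VSYS Name 'ROOT'
SAMPLE = encode_vsa(VT_ADMIN_PRIVILEGE, struct.pack("!I", 1)) + encode_vsa(VT_VSYS_NAME, b"ROOT")
```

Running `admin_privilege(decode_attributes(SAMPLE))` yields "ROOT"; dropping the VSYS Name sub-attribute makes the same privilege value fail validation.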
