[ScreenOS] Radius Attributes for admin privileges

  [KB5688]


Summary:
This article provides information about the Radius attributes for admin privileges.
Symptoms:
Information about the Radius attributes for admin privileges.
Cause:

Solution:

In ScreenOS, RADIUS authentication supports RADIUS attributes for everything except usernames, passwords, and IP addresses (this is the standard behavior for XAuth and L2TP).

The following table lists the supported admin privilege attributes and their values:

Privilege Level                                              Value
ROOT (requires VSA#2 VSYS Name 'ROOT' be entered;            1
      supported in ScreenOS 6.x only)
All (Read-Write)                                             2
VSYS_ADMIN (requires VSA#2 VSYS Name be entered)             3
Read_only                                                    4
VSYS_Read_only (requires VSA#2 VSYS Name be entered)         5


For RADIUS Server Dictionary files:

For ScreenOS MIBs and dictionary files, refer to the following link:

www.juniper.net/techpubs/software/index_mibs.html


For Funk and Steel Belt Radius, refer to the following link:

http://www.juniper.net/support/files/dictionary/funk_radius.zip

For Cisco ACS, refer to the following link:

http://www.juniper.net/support/files/dictionary/cisco_radius.zip 


Root admin privilege notes:

  • The root admin privilege level is not supported in ScreenOS 5.4 or earlier. It is supported in ScreenOS 6.0 or later.
  • When using the ScreenOS dictionary files, use the ScreenOS 6.2.0 RADIUS dictionary file (for ScreenOS 6.x), as it has the ROOT attribute. The ScreenOS 6.0.0 RADIUS dictionary file does not have the ROOT attribute.

    6.2.0.radius.netscreen.zip (netscreen.dct)
    # For Admin Privileges
    # READ_WRITE (ALL): 2, VSYS_ADMIN: 3, READ_ONLY: 4, VSYS_READ_ONLY: 5
    ATTRIBUTE NS-Admin-Privilege 26 [vid=3224 type1=1 len1=+2 data=int4] r
    VALUE NS-Admin-Privilege ROOT 1
    VALUE NS-Admin-Privilege READ_WRITE 2
    VALUE NS-Admin-Privilege VSYS_ADMIN 3
    VALUE NS-Admin-Privilege READ_ONLY 4
    VALUE NS-Admin-Privilege VSYS_READ_ONLY 5

    6.0.0.radius.netscreen.zip (netscreen.dct)
    # For Admin Privileges
    # READ_WRITE (ALL): 2, VSYS_ADMIN: 3, READ_ONLY: 4, VSYS_READ_ONLY: 5
    ATTRIBUTE NS-Admin-Privilege 26 [vid=3224 type1=1 len1=+2 data=int4] r
    VALUE NS-Admin-Privilege READ_WRITE 2
    VALUE NS-Admin-Privilege VSYS_ADMIN 3
    VALUE NS-Admin-Privilege READ_ONLY 4
    VALUE NS-Admin-Privilege VSYS_READ_ONLY 5
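The following Python, added here and not part of the KB article or any Juniper tool, shows how the table's privilege levels and the dictionary's NS-Admin-Privilege definition (RADIUS Vendor-Specific attribute 26, vendor ID 3224, vendor type 1, 4-byte integer, sub-attribute length covering its own 2-byte header) map onto bytes on the wire, and checks a reply the way a ScreenOS device would: ROOT only on 6.0 or later, and the VSYS-scoped levels only when VSA#2 VSYS Name is present. The sub-attribute number 2 for the VSYS name is taken from the table; treating it as a string and the exact ScreenOS version gating are assumptions.

```python
import struct

VENDOR_ID = 3224          # vid=3224 in the ScreenOS dictionary
VSA_ADMIN_PRIVILEGE = 1   # type1=1 in the dictionary (NS-Admin-Privilege, int4)
VSA_VSYS_NAME = 2         # "VSA#2 VSYS Name" from the table; assumed to be a string
PRIVILEGES = {1: "ROOT", 2: "READ_WRITE", 3: "VSYS_ADMIN", 4: "READ_ONLY", 5: "VSYS_READ_ONLY"}
NEEDS_VSYS_NAME = {1, 3, 5}   # levels the table marks as requiring VSA#2

def encode_vsa(vendor_type, data):
    """One RFC 2865 Vendor-Specific attribute (type 26) carrying a single vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data   # len1=+2: length includes header
    body = struct.pack("!I", VENDOR_ID) + sub
    return struct.pack("!BB", 26, len(body) + 2) + body

def encode_admin_reply(level, vsys_name=None):
    """Attributes a RADIUS server would return for an admin at the given privilege level."""
    if level not in PRIVILEGES:
        raise ValueError(f"unknown privilege level {level}")
    if level in NEEDS_VSYS_NAME and not vsys_name:
        raise ValueError(f"{PRIVILEGES[level]} requires VSA#2 VSYS Name")
    out = encode_vsa(VSA_ADMIN_PRIVILEGE, struct.pack("!I", level))
    if vsys_name:
        out += encode_vsa(VSA_VSYS_NAME, vsys_name.encode())
    return out

def decode_netscreen_vsas(attrs):
    """Walk a RADIUS attribute list and collect the vendor-3224 sub-attributes by vendor type."""
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == 26 and alen >= 8 and struct.unpack("!I", attrs[pos + 2:pos + 6])[0] == VENDOR_ID:
            vtype, vlen = attrs[pos + 6], attrs[pos + 7]
            if vlen < 2 or 6 + vlen > alen:
                raise ValueError("malformed vendor sub-attribute")
            found[vtype] = attrs[pos + 8:pos + 6 + vlen]
        pos += alen
    return found

def admin_privilege_name(attrs, screenos_major):
    """Privilege name a ScreenOS box of the given major release would honor, or None if it would not."""
    vsas = decode_netscreen_vsas(attrs)
    if len(vsas.get(VSA_ADMIN_PRIVILEGE, b"")) != 4:
        return None
    level = struct.unpack("!I", vsas[VSA_ADMIN_PRIVILEGE])[0]
    ok = (level in PRIVILEGES and not (level == 1 and screenos_major < 6)   # ROOT needs 6.0 or later
          and not (level in NEEDS_VSYS_NAME and VSA_VSYS_NAME not in vsas))
    return PRIVILEGES[level] if ok else None
```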
