
[Archive][ScreenOS] Configuring Microsoft 2003/2008 as a RADIUS server for external admin authentication


Article ID: KB7304 | Last Updated: 20 Mar 2020 | Version: 6.0
Summary:

This article describes how to configure Microsoft Windows Server 2003 (IAS) or 2008 (NPS) as a RADIUS server for external ScreenOS admin authentication. When the setup is complete, administrators log in to the firewall with the credentials already defined in the Windows user database.

The article also shows how to obtain admin privileges from the external RADIUS server instead of assigning them locally on the firewall.

 

Solution:

Configuring ScreenOS to use Microsoft IAS as a RADIUS server

ScreenOS Configuration

  1. Log in to the WebUI as a root user.

  2. Go to Configuration > Auth > Auth Servers and click New.

    • Name: Radius

    • IP/Domain Name: 10.1.1.10

    • Account Type: Select Admin.

    • Select RADIUS, and enter the Shared Secret as <password> (it must match the secret entered on the RADIUS server).

    • Click OK.

  3. Go to Admin > Administrators.

    • Under External Database Admin Settings, for Admin Privileges, select Get Privilege from RADIUS server.

    • For Admin Auth Server, select Radius from the drop-down menu.

    • Click Apply.

 

 

Microsoft 2003 IAS Configuration

Note: It is assumed that the user database is already populated and the IAS option is already installed on the Microsoft server.

  1. Launch the Internet Authentication Service.

  2. Right-click RADIUS Clients and select New RADIUS Client.

  3. In the window that opens, enter the following:

    • Friendly Name: NS-50

    • Protocol: RADIUS

    • Click Next.

    • Client Address: 10.1.1.1 (the ScreenOS interface)

Note: If you are using a management IP address, the client address is the management IP address.

  4. Type the shared secret as <password> (the same secret configured on ScreenOS) and confirm it.

  5. Click Finish.

  6. Right-click Remote Access Policies and select New > Remote Access Policy.

  • Policy Friendly Name: External Admin Auth

  • Click Next.

  • Click Add.

  • Click Client-IP-Address, and then Add, type the IP address as 10.1.1.1, and click OK.

  • Click Next.

  • Select "Grant remote access permission."

  • Click Next.

  • Click Edit Profile.

  • Click the Authentication tab, de-select the Microsoft MS-CHAP options, and enable PAP and SPAP.

  • Click the Advanced tab and click Add.

  • Select Vendor-Specific, and then click Add.

  • Click Add again.

  • Click Enter Vendor Code and type 3224.

  • Under "Specify whether the attribute conforms to the RADIUS RFC specification for vendor specific attributes," click Yes. Click Configure Attribute.

  • Vendor-assigned attribute number: 1

Note: The possible Vendor Specific Attributes (VSA) for ScreenOS are as follows:

1 - NS-Admin-Privilege
2 - NS-VSYS-Name
3 - NS-User-Group
4 - NS-Primary-DNS
5 - NS-Secondary-DNS
6 - NS-Primary-WINS
7 - NS-Secondary-WINS

  • Attribute Format: Decimal

  • Attribute Value: 4

Note: The possible attribute values for NS-Admin-Privilege are as follows:

2 - All VSYS Root Admin
3 - VSYS Admin (requires VSA 2, NS-VSYS-Name, to be set)
4 - Read-only Admin
5 - Read-only VSYS Admin (requires VSA 2, NS-VSYS-Name, to be set)

  • Click OK.

  • Click Close.

 

Windows 2008 Network Policy Server

  1. Launch NPS.

  2. Go to RADIUS Clients and Servers > RADIUS Clients. Right-click it and select New RADIUS Client.

  3. Specify the following:

  • Friendly Name: ScreenOS

  • Address: 10.1.1.1 (Firewall IP)

  • Shared Secret: <password>

  4. Click OK.

  5. Go to NPS > Policies > Network Policies. Right-click it and select New.

  6. In the Specify Network Policy Name and Connection Type window, under Policy name, enter ScreenOS, and then click Next. See the following example:

  7. In the Specify Conditions window, add every condition that NPS must match before it applies the policy.

  8. Click Next three times.

  9. In the Completing New Network Policy window, click Finish.

  10. Edit the Network Policy named "ScreenOS" by right-clicking it and selecting Properties.

  11. Click the Settings tab > Vendor Specific, and then click Add.

  12. Scroll down the Attributes box and select Vendor-Specific.

  13. Click Add.

  14. In the Vendor-Specific Attribute Information window, select Enter Vendor Code and enter 3224 in the field to the right (as seen below). Select "Yes, It conforms," and then click "Configure Attribute…".

  15. In the next window, enter the vendor-assigned attribute number from the VSA list below (1 for NS-Admin-Privilege, as used in the IAS section above). The attribute format should be String. The attribute value depends on the privilege you want to grant (see the value list below).

Note: The possible Vendor Specific Attributes (VSA) for ScreenOS are as follows:

1 - NS-Admin-Privilege
2 - NS-VSYS-Name
3 - NS-User-Group
4 - NS-Primary-DNS
5 - NS-Secondary-DNS
6 - NS-Primary-WINS
7 - NS-Secondary-WINS

Note: The possible attribute values for NS-Admin-Privilege are as follows:

2 - All VSYS Root Admin
3 - VSYS Admin (requires VSA 2, NS-VSYS-Name, to be set)
4 - Read-only Admin
5 - Read-only VSYS Admin (requires VSA 2, NS-VSYS-Name, to be set)

  16. Click OK.
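To make the attribute configured in both the IAS and NPS sections concrete, the following is an added example (written for this page; it is not Juniper's, Microsoft's or the article's own code). It builds a RADIUS Access-Accept that carries NS-Admin-Privilege in the RFC 2865 Vendor-Specific attribute layout with vendor code 3224 and attribute number 1, computes the Response Authenticator with the shared secret, and parses the reply back the way a RADIUS client does. It encodes the value both as a 4-byte integer (the Decimal format chosen in IAS) and, as an assumption about what the NPS String format puts on the wire, as ASCII digits. The shared secret, the request authenticator and the function names are constructed for the example; the privilege names come from the article's table.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute type from RFC 2865
ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26

# Values from the article: the vendor code entered in IAS/NPS, the
# NS-Admin-Privilege VSA number, and the privilege value table
NETSCREEN_VENDOR_ID = 3224
VSA_NS_ADMIN_PRIVILEGE = 1
ADMIN_PRIVILEGE_NAMES = {
    2: "All VSYS Root Admin",
    3: "VSYS Admin",
    4: "Read-only Admin",
    5: "Read-Only VSYS Admin",
}


def encode_ns_admin_privilege(value, fmt="decimal"):
    """Return the RFC-conformant Vendor-Specific attribute (type 26) carrying
    NS-Admin-Privilege.  fmt="decimal" packs a 4-byte integer (the IAS Decimal
    format); fmt="string" sends ASCII digits (assumed NPS String format)."""
    if value not in ADMIN_PRIVILEGE_NAMES:
        raise ValueError("unknown NS-Admin-Privilege value %r" % value)
    if fmt == "decimal":
        data = struct.pack("!I", value)
    elif fmt == "string":
        data = str(value).encode("ascii")
    else:
        raise ValueError("fmt must be 'decimal' or 'string'")
    # Vendor-Id(4) | Vendor-Type(1) | Vendor-Length(1) | data;
    # Vendor-Length counts the type and length bytes plus the data
    vsa = struct.pack("!IBB", NETSCREEN_VENDOR_ID, VSA_NS_ADMIN_PRIVILEGE,
                      2 + len(data)) + data
    # Outer attribute: Type(1) | Length(1) | value, Length covers everything
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vsa)) + vsa


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Assemble an Access-Accept.  The Response Authenticator is
    MD5(Code | Identifier | Length | RequestAuthenticator | Attributes | Secret),
    so only a server holding the same shared secret can produce a valid one."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def parse_access_accept(packet, request_authenticator, secret):
    """Verify the Response Authenticator with the shared secret, then walk the
    attributes and return (value, name) for NS-Admin-Privilege, or None if
    the server sent no such VSA."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attributes + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or altered packet")
    pos = 0
    while pos < len(attributes):
        if pos + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            raise ValueError("malformed attribute length")
        body = attributes[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(body) < 6:
            continue
        vendor_id, vtype, vlen = struct.unpack("!IBB", body[:6])
        if vlen < 2 or 4 + vlen > len(body):
            raise ValueError("malformed vendor-specific attribute")
        if vendor_id != NETSCREEN_VENDOR_ID or vtype != VSA_NS_ADMIN_PRIVILEGE:
            continue  # another vendor's attribute, or a different NetScreen VSA
        data = body[6:4 + vlen]
        # Accept both encodings the article configures: 4-byte integer or ASCII digits
        value = struct.unpack("!I", data)[0] if len(data) == 4 else int(data.decode("ascii"))
        return value, ADMIN_PRIVILEGE_NAMES.get(value, "unknown")
    return None


def demo(fmt="decimal"):
    """Round-trip a Read-only Admin (value 4) grant.  Secret and request
    authenticator are constructed samples; a real client picks 16 random bytes."""
    secret = b"constructed-shared-secret"    # stands in for <password> in the article
    request_authenticator = bytes(range(16))  # constructed, not random
    attrs = encode_ns_admin_privilege(4, fmt)
    packet = build_access_accept(0x2A, request_authenticator, secret, attrs)
    return parse_access_accept(packet, request_authenticator, secret)


def demo_secret_mismatch():
    """A reply built with a different secret fails verification, so the client
    discards it instead of applying the privilege it carries."""
    request_authenticator = bytes(range(16))
    attrs = encode_ns_admin_privilege(2, "decimal")
    packet = build_access_accept(7, request_authenticator, b"other-secret", attrs)
    try:
        parse_access_accept(packet, request_authenticator, b"constructed-shared-secret")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("decimal:", demo("decimal"))
    print("string: ", demo("string"))
    print("mismatched secret rejected:", demo_secret_mismatch())
```

Running the file prints the decoded privilege for both encodings and confirms that a reply signed with the wrong shared secret is rejected, which is the failure you see on the firewall when the secret entered in step 2 of the ScreenOS section and the one entered on the RADIUS client in IAS/NPS differ.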

 

Modification History:

2020-03-20: Minor, non-technical edits.
2018-08-28: Config for 2008 NPS and screenshots for 2003 IAS updated; content reviewed for accuracy and re-organized with formatting.

 
