Linking JunOS authentication to Active Directory using RADIUS

2012/08/05

This post shows how to create two roles in JunOS: ‘read-only’ and ‘super-user’ and to give AD users access to these roles via groups. The Juniper vendor-specific information comes from here: http://www.juniper.net/techpubs/software/junos/junos94/swconfig-system-basics/configuring-juniper-networks-vendor-specific-radius-attributes.html

The Windows Server 2008R2 bit (server IP address 10.233.0.52):

1. Add the “Network Policy and Access Services” role, and the “Network Policy Server” role service. Then start the “Network Policy Service” MMC snap-in.

2. Select “Templates Management”, right-click “Shared Secrets” and select “New”.
3. Give the template a name like “JunOS”, select “Generate” and then click the “Generate” button to create the shared secret.
4. Copy the shared secret to a text file for later use, then click OK

5. Click “Policies”, right-click on “Network Policies” and choose “New”
6. Choose a name for the SuperUser policy like “JunOS SuperUser”
7. The type of network access server should be “Unspecified”

8. Add a new “Condition” matching “Windows Groups” and add the groups from AD that should have SuperUser access

9. On the “Specify Access Permission” page leave “Access granted” selected

10. On the “Configure Authentication Methods” page unselect everything except “Microsoft Encrpyted Authentication version 2 (MS-CHAP-v2)

11. On the “Configure Constraints” page there are no changes.
12. On the “Configure Settings” page delete the “Standard” RADIUS attributes

13. Select “Vendor Specific” under the RADIUS Attributes
14. Click Add, change the Vendor dropdown to “Custom” and click “Vendor-Specific” from the attributes

15. Click “Add”, then “Add” on the “Attribute Information” dialog
16. Select “Enter Vendor Code” from the “Specify network access server vendor” section and enter the Juniper vendor code “2636”
17. Select “Yes. It conforms” to specify that the attribute conforms to the RADIUS RFC

18. Click “Configure Attribute” and set the “Vendor-assigned attribute number” to “1”, which represents “Juniper-Local-User-Name”
19. Set the “Attribute format” to “String”
20. Set the “Attribute value” to “su”. This is the local username passed to JunOS

21. Click OK buttons to get back to the “Configure Settings” screen, and select “Encryption”
22. Unselect everything except “Strongest Encryption”

23. Click “Next”, then “Finish”

24. Repeat instructions 5-23 for the “JunOS ReadOnly profile”, setting the RADIUS attribute value to “ro” to match the JunOS config below.
25. Make sure the order of the Policies is as in the next screenshot

26. Expand “RADIUS Clients and Servers”, right-click “RADIUS Clients” and click “New”
27. Enter the details of the JunOS router, selecting “JunOS” from the Shared Secrets template dropdown

28. Click “OK”

The JunOS bit (router IP address 10.233.0.42), add this configuration changing the secret key that Windows created. This sets up two user ‘roles’ – ‘ro’ and ‘su’ and configures the radius server shared secret.

set system authentication-order [ password radius ]
set system radius-server 10.233.0.52 secret "0C&2eTVBv8SMXwq1eo5!3fyBhh!u2gcBjGLcz@jIC4LPj8slrBC9V^j&0hMXUHRe"
set system radius-options password-protocol mschap-v2
set system login user ro class read-only
set system login user su class super-user
set system services ssh

Then “show | compare” should look something like this:

[edit system]
+  authentication-order [ password radius ];
+  radius-server {
+      10.233.0.52 secret "$9$pml/uIEyrKx7-yrWx7-Y2F36CAuEcleWLUj3/9t1IwYgoUHqmf3nCHqBIEhyr24oZUHz39tpOikz69CpuxNdw4aHkPQz6CtclM8N-ZGDkqfCtOB1EfTAu1ISy24oaUiHqPTz6f5RSyKx7jHqPfQn6CtO1Vw9t01yr8Xx7bsGUHfTFKMGjiq5TREcylM"; ## SECRET-DATA
+  }
+  radius-options {
+      password-protocol mschap-v2;
+  }
+  login {
+      user ro {
+          class read-only;
+      }
+      user su {
+          class super-user;
+      }
+  }
[edit system services]
+    ssh;

[edit]

After ‘commit’, JunOS will start the SSH daemon. If everything worked, then you can log in as any AD user that’s in the groups selected above:

Superuser group:

macbook:/Users/chrisl/ 12$ ssh chrisl@junos
chrisl@junos's password: 
--- JUNOS 10.1R1.8 built 2010-02-12 17:15:05 UTC
chrisl@junos> configure 
Entering configuration mode

[edit]
chrisl@junos# 

Readonly group:

macbook:/Users/chrisl/ 13$ ssh hermioneg@junos
hermioneg@junos's password: 
--- JUNOS 10.1R1.8 built 2010-02-12 17:15:05 UTC
hermioneg@junos> conf
                 ^
unknown command.

hermioneg@junos> 

Comments