Junos OS


How to configure AD / Radius authentication for login via SSH to EX3300/EX4550 switches

  • 1.  How to configure AD / Radius authentication for login via SSH to EX3300/EX4550 switches

    Posted 02-26-2019 08:43

    Hi,

    Today we are logging in to our Juniper switches via SSH with a local user. As an IT security requirement, we need each IT employee who manages the switches to have their own user name for login. It is impossible to manage local users manually on each individual switch since we have dozens of them.

    How can I use my AD user to log in to the switches? Is there a step-by-step guide on how to configure this both on the switches and on the Windows domain controller in case a RADIUS server is needed?

     

    Our switches are: EX4550 JUNOS 12.3R6.6 and EX3300 JUNOS 15.1R6.7

     

    Thanks

     



  • 2.  RE: How to configure AD / Radius authentication for login via SSH to EX3300/EX4550 switches

    Posted 02-26-2019 09:02


  • 3.  RE: How to configure AD / Radius authentication for login via SSH to EX3300/EX4550 switches

     
    Posted 02-26-2019 14:28

    You will have to add the RADIUS role from NPS on Windows for authentication, not AD directly.

    On the Junos side you would set up the device to be a RADIUS client.

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/security-radius-server-system-authe...

     

    On the MS NPS server the RADIUS setup involves creating the client group, policy and matching authentication method with shared secret that you configure on the Junos device.

     

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-server

     

    Naturally the network path from the Junos device to the RADIUS server has to be open and allowed through all the firewalls as well.



  • 4.  RE: How to configure AD / Radius authentication for login via SSH to EX3300/EX4550 switches

    Posted 04-04-2019 02:49

    Hi and thank you for your response.

    You have not provided any information on how to configure the RADIUS/NPS/client settings on the Windows side.

    Is there a Juniper guide with step-by-step instructions on how and what to configure exactly on the RADIUS/NPS side?

    For example, for CISCO switches there's an option to choose "Cisco" under "Vendor name", but there's no Juniper.

    Also, there are authentication methods and a lot of other settings on the RADIUS/NPS side which should match and be compatible for Juniper specifically, and there's no information from Juniper side on how to configure these.



  • 5.  RE: How to configure AD / Radius authentication for login via SSH to EX3300/EX4550 switches
    Best Answer

     
    Posted 04-06-2019 05:17

    Right, Juniper does not produce instructions on how to configure the MS RADIUS side.  And there are a lot of steps in the process.  This would be an outline and the details are in the MS documentation I listed above.

     

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-server

     

    • Add the RADIUS role in NPS on the Windows server
    • Create a RADIUS client group for the Juniper devices
      • the secret will match your Junos config
      • the authentication method matches your Junos config, for example: PEAP MS-CHAP v2
    • Add the Junos IP addresses that are the source of the RADIUS requests
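
A Junos-side counterpart to the outline in this thread, as an added example that is not part of any post here: it makes the switch a RADIUS client and maps RADIUS-authenticated users to login classes. The addresses (documentation range 192.0.2.0/24), the secret placeholder and the NETADMIN template name are assumptions to replace with your own values.

```junos
# Added example, not from the thread. Enter in configuration mode.
# Assumed values: NPS server 192.0.2.10, switch management address 192.0.2.21.

# RADIUS server definition. The secret must be identical to the shared
# secret entered for this switch in the NPS RADIUS client entry.
set system radius-server 192.0.2.10 secret "REPLACE-WITH-SHARED-SECRET"
# Source address of the requests; this is the address NPS must list
# as the RADIUS client.
set system radius-server 192.0.2.10 source-address 192.0.2.21
set system radius-server 192.0.2.10 timeout 5
set system radius-server 192.0.2.10 retry 2

# Try RADIUS first. With "password" also listed, a login that RADIUS
# rejects is still tried against the local password database. Listing
# only "radius" limits the local fallback to the case where no RADIUS
# server responds.
set system authentication-order [ radius password ]

# Template accounts: AD users do not need individual local accounts.
# A user accepted by RADIUS with no matching local account is mapped
# to the template named "remote". Read-only here, as a least-privilege
# default.
set system login user remote class read-only

# Hypothetical template name NETADMIN for switch administrators.
# The NPS network policy selects it by returning the vendor-specific
# attribute Juniper-Local-User-Name (vendor code 2636, attribute
# number 1, string) with the value NETADMIN.
set system login user NETADMIN class super-user

# Keep one local account for access when RADIUS is unreachable
# (prompts for the password interactively).
set system login user localadmin class super-user
set system login user localadmin authentication plain-text-password

# Apply with automatic rollback unless confirmed, so a mistake in the
# authentication order cannot lock you out of the switch.
commit confirmed 5
```

After testing an AD login from a second SSH session, a plain `commit` makes the change permanent; without it the switch rolls back after five minutes.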