Hey all - not sure if this belongs here or not - but I will give it a shot.
In my organization we have RADIUS authentication set up for our Juniper devices. Our devices (SRX & EX) fall into 2 categories - CORE and BRANCH. RADIUS is set up using a Windows 2012R2 Network Policy Server.
We have RADIUS set up in 2 tiers: ADMIN and OPERATOR. We have Active Directory Security Groups set up, "Juniper Admins" and "Juniper Operators". Juniper Admins are administrators on both CORE and BRANCH devices. Juniper Operators are only operators on the BRANCH devices.
Here is the config that makes this all work:
set system radius-server x.x.x.x port 1812
set system radius-server x.x.x.x accounting-port 1813
set system radius-server x.x.x.x secret "secret"
set system radius-server x.x.x.x source-address 192.168.1.1
set system radius-options password-protocol mschap-v2
set system radius-options attributes nas-ip-address x.x.x.x
set system login class read-reboot permissions maintenance
set system login class read-reboot permissions network
set system login class read-reboot permissions view
set system login class read-reboot allow-commands "request|system|reboot"
set system login class read-reboot deny-commands "request system power-off|request system halt|request system zeroize|request system configuration|request system storage|request system snapshot|request system firmware|request system autorecovery|request system commit|request system software|request system certificate|request system scripts|start shell"
set system login user su uid 2000
set system login user su class super-user
set system login user operator uid 101
set system login user operator class read-reboot
All of this works fine.
Now I have a situation where I need to have 3 tiers of RADIUS. I need to have Juniper Admin (Admin on CORE and BRANCH), Juniper Operator (Operator on BRANCH), Juniper Branch Admin (Admin on BRANCH, but not CORE).
I tried to create a new policy on my NPS server, correlating to a user "super" that would exist on the CORE devices and not the BRANCH. And I removed the su login from the CORE devices.
This *sort of* worked. My Juniper Branch Admin is denied login to the CORE devices, but allowed and admin on the BRANCH devices. I then noticed that my Juniper Admin account was admin on the CORE devices, but denied from the BRANCH.
This appears to be due to the ordering of the network policy on my NPS server? I'm not really sure if I am going about this the correct way - but I would love to hear about how someone else has approached this.
Thanks
Steve
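As an added illustration (not part of Steve's post), the model below shows how NPS first-match policy evaluation combined with Junos template users produces exactly the symptom described above, and how scoping each policy with a NAS-IPv4-Address condition gives three tiers. The CORE/BRANCH address ranges, policy names and the "Juniper Branch Admins" group are assumptions; the template user names su/super/operator and the classes come from the post.

```python
"""Model of NPS first-match network-policy evaluation feeding Junos template users.
Constructed example: address ranges and policy names are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set

CORE = ip_network("10.0.0.0/24")    # assumed NAS addresses of CORE devices
BRANCH = ip_network("10.1.0.0/16")  # assumed NAS addresses of BRANCH devices

# Local template users per device type (from the post: CORE has "super",
# BRANCH keeps "su" and "operator"). Value is the login class granted.
CORE_USERS: Dict[str, str] = {"super": "super-user"}
BRANCH_USERS: Dict[str, str] = {"su": "super-user", "operator": "read-reboot"}

@dataclass
class Policy:
    name: str
    group: str                         # Windows Groups condition (AD group)
    nas_scope: Optional[IPv4Network]   # NAS-IPv4-Address condition; None = any NAS
    local_user: str                    # Juniper-Local-User-Name returned on Access-Accept

def evaluate(policies: List[Policy], groups: Set[str], nas_ip: str) -> Optional[str]:
    """NPS walks policies top-down; the first whose conditions all match decides.
    No match means Access-Reject (None)."""
    addr = ip_address(nas_ip)
    for p in policies:
        if p.group in groups and (p.nas_scope is None or addr in p.nas_scope):
            return p.local_user
    return None

def login(policies: List[Policy], groups: Set[str], nas_ip: str) -> Optional[str]:
    """Device side: the returned template name must exist locally on that box,
    otherwise the login fails even though RADIUS said Access-Accept."""
    local = CORE_USERS if ip_address(nas_ip) in CORE else BRANCH_USERS
    name = evaluate(policies, groups, nas_ip)
    return local.get(name) if name else None

# Unscoped policies: Admins always get "super", which only exists on CORE.
BROKEN = [
    Policy("Admins -> super", "Juniper Admins", None, "super"),
    Policy("Branch Admins -> su", "Juniper Branch Admins", None, "su"),
    Policy("Operators -> operator", "Juniper Operators", None, "operator"),
]

# Scoped policies: template name chosen per device type, no policy for
# Branch Admins or Operators on CORE, so they are rejected there.
FIXED = [
    Policy("Admins on CORE", "Juniper Admins", CORE, "super"),
    Policy("Admins on BRANCH", "Juniper Admins", BRANCH, "su"),
    Policy("Branch Admins on BRANCH", "Juniper Branch Admins", BRANCH, "su"),
    Policy("Operators on BRANCH", "Juniper Operators", BRANCH, "operator"),
]
```

With BROKEN, a Juniper Admin hitting a BRANCH device is mapped to "super", which that device does not have, so the login is denied; with FIXED, each group lands on a template user that exists on the device it is allowed to reach.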