Hey all - not sure if this belongs here or not - but I will give it a shot.
In my organization we have RADIUS authentication set up for our Juniper devices. Our devices (SRX & EX) fall into 2 categories - CORE and BRANCH. RADIUS is set up using a Windows 2012R2 Network Policy Server.
We have RADIUS set up in 2 tiers: ADMIN and OPERATOR. We have Active Directory Security Groups set up, "Juniper Admins" and "Juniper Operators". Juniper Admins are administrators on both CORE and BRANCH devices. Juniper Operators are only operators on the BRANCH devices.
Here is the config that makes this all work:
set system radius-server x.x.x.x port 1812
set system radius-server x.x.x.x accounting-port 1813
set system radius-server x.x.x.x secret "secret"
set system radius-server x.x.x.x source-address 192.168.1.1
set system radius-options password-protocol mschap-v2
set system radius-options attributes nas-ip-address x.x.x.x
set system login class read-reboot permissions maintenance
set system login class read-reboot permissions network
set system login class read-reboot permissions view
set system login class read-reboot allow-commands "request|system|reboot"
set system login class read-reboot deny-commands "request system power-off|request system halt|request system zeroize|request system configuration|request system storage|request system snapshot|request system firmware|request system autorecovery|request system commit|request system software|request system certificate|request system scripts|start shell"
set system login user su uid 2000
set system login user su class super-user
set system login user operator uid 101
set system login user operator class read-reboot
All of this works fine.
Now I have a situation where I need to have 3 tiers of RADIUS. I need to have Juniper Admin (Admin on CORE and BRANCH), Juniper Operator (Operator on BRANCH), Juniper Branch Admin (Admin on BRANCH, but not CORE).
I tried to create a new policy on my NPS server, correlating to a user "super" that would exist on the CORE devices and not the BRANCH. And I removed the su login from the CORE devices.
This *sort of* worked. My Juniper Branch Admin is denied login to the CORE devices, but allowed and admin on the BRANCH devices. I then noticed that my Juniper Admin account was admin on the CORE devices, but denied from the BRANCH.
This appears to be due to the ordering of the network policy on my NPS server? I'm not really sure if I am going about this the correct way - but I would love to hear about how someone else has approached this.
I don't have any experience with NPS, but on other NAC systems you can achieve what you are looking to do via the logic in the NAC policy. One way to do this would be by creating device groups in combination with your AD groups. So in your case you could have 1 device group for Juniper Admins, 1 for Branch Admins and 1 for Branch Operators with similar AD groups. Then you would add the appropriate EXs and SRXs to each group. Then your NAC logic would look something like this: if device = Juniper Admin and authenticating user's AD Group = Juniper Admin, return RADIUS attribute su. You would add your other 2 use cases/combinations and that should get you across the finish line.
Your post put me on the right path. I had to add an additional condition to my Network Policy for the devices. I added the Client IPv4 address - and put in a regular expression matching the group of devices that I wanted to restrict / filter out.
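To make the policy logic from the reply above and the Client-IPv4 fix concrete, here is an added model (not from the thread, not NPS code) of how first-match network policies combined with an AD-group condition and a client-IP regex decide which local template user a Junos device receives via the Juniper-Local-User-Name attribute. The IP ranges, group names and policy order are assumptions; it also reproduces the original symptom when the IP condition is missing.

```python
import re

# Constructed addressing (assumption): CORE devices in 10.0.0.0/24, BRANCH in 10.1.0.0/16.
CORE_RE = r"^10\.0\.0\.\d{1,3}$"
BRANCH_RE = r"^10\.1\.\d{1,3}\.\d{1,3}$"

# Local template users per device class, as in the thread: "su" was removed from
# CORE and replaced by "super"; BRANCH keeps "su" and "operator".
LOCAL_USERS = {
    "CORE": {"super"},
    "BRANCH": {"su", "operator"},
}

# NPS-style network policies, evaluated top to bottom, first match wins.
# Each entry: (required AD group, Client-IPv4 regex, Juniper-Local-User-Name to return)
POLICIES = [
    ("Juniper Admins", CORE_RE, "super"),
    ("Juniper Admins", BRANCH_RE, "su"),
    ("Juniper Branch Admins", BRANCH_RE, "su"),
    ("Juniper Operators", BRANCH_RE, "operator"),
]

# The original (broken) setup: same policies but no client-IP condition, so the
# first matching group policy fires regardless of which device class is asking.
BROKEN_POLICIES = [(g, r".*", u) for g, _, u in POLICIES if g != "Juniper Admins" or u == "super"]


def nps_evaluate(groups, client_ip, policies=POLICIES):
    """Return the local user name the policy server would hand back, or None (reject)."""
    for group, ip_re, local_user in policies:
        if group in groups and re.match(ip_re, client_ip):
            return local_user
    return None


def device_login(device_class, local_user):
    """Junos maps the returned name onto a local template user; no such user means deny."""
    return local_user is not None and local_user in LOCAL_USERS[device_class]


def login(groups, device_class, client_ip, policies=POLICIES):
    """End-to-end: RADIUS decision plus the device-side template lookup."""
    return device_login(device_class, nps_evaluate(groups, client_ip, policies))
```

Calling `login` with `BROKEN_POLICIES` shows the failure the original poster saw: a Juniper Admin gets "super" back on a BRANCH device, where no such template user exists, and is denied.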