I need to have login groups for, as an example, the following:
Admins - Super-users
Operational Users - Just monitoring the systems
This needs to be controlled by AAA server. So no local logins.
Is there a way of completing this please?
You create local groups for the desired permissions and then connect Junos login to the external RADIUS server.
Many thanks for the pointer in the right direction. Although I see the access request hit the radius server, it is not finding a group and sending this information back and therefore I believe the user is being logged in with the "remote" class and cannot do anything. I have tested this by setting the following:
I can change Juniper-Local-User-Name to be any of them and it makes no difference. It just does not seem to be functioning correctly.
The RADIUS server has to be set up to return the desired group name that matches the Junos configuration. It sounds like this has not been set up yet.
Many thanks for the response.
I have configured the RADIUS server with the method shown in the documentation. So, for example:
Juniper-Local-User-Name: RO, OP, or SU (I have tried all three and a bespoke class I created).
I have set the "Juniper-Local-User-Name" in the received and sent but it does not seem to make any difference at all.
It makes perfect sense that the Juniper device does not see this returned and therefore rejects it and eventually times out, but I cannot work out why. I am pretty sure it is something to do with the radius config, but where, who knows.
I am using a MySQL backend database and not the text files of users and clients.
The config on the Juniper is the basic for testing purposes. I guess I will have to keep trying.
Is there a specific method that I can utilise to see if the Access-Accept packet is even reaching the Juniper MX device, as I do not believe it is?
All working now. It is always something easy.
For some reason the route back to the Juniper MX was missing from the RADIUS server's netplan configuration. I have now changed that and it all works. Many thanks for the help.
Although this does work, there seems to be an added issue which I cannot quite work out. I am using FreeRADIUS and Radman as the GUI front end with a MySQL backend DB (I don't use the FreeRADIUS plain-text files of users and clients) and have configured the Juniper-Local-User-Name and Service-Type Juniper VSAs (as mentioned, it all works, sort of), but it does not seem to matter if I set the user as RO, OP or SU: that user cannot seem to do anything when logged into the Juniper device, as shown below (the same options no matter what I set the Juniper-Local-User-Name to):
Possible completions:
  file      Perform file operations
  help      Provide help information
  load      Load information from file
  op        Invoke an operation script
  quit      Exit the management session
  request   Make system-level requests
  save      Save information to file
  set       Set CLI properties, date/time, craft interface message
  show      Show system information
  start     Start shell
  test      Perform diagnostic debugging
Any idea why if I set the user to SU, they cannot utilise Edit or Conf or anything else other than the above?
Here is the Juniper conf I tested with:
set system login user RO class read-only
set system login user OP class operator
set system login user SU class super-user
set system login user remote full-name "default remote access user template"
set system login user remote class read-only
set system radius-server xxx.xxx.xxx.xxx secret xxxxxxxx
set system radius-server xxx.xxx.xxx.xxx source-address xxx.xxx.xxx.xxx
Is there any other config required? (I know I can create my own class).
Here is what I see in the RADIUS packet:
pap: Login attempt with password
pap: Comparing with "known good" Cleartext-Password
pap: User authenticated successfully
sql: SQL query returned: success
Sent Access-Accept Id 15 from 192.168.1.2:1812 to 126.96.36.199:49668 length 30
    Juniper-Local-User-Name = "SU"
But then it is sending duplicate Access-Accepts, which is probably because of the retries, and then the user fails to log in because I have removed the "remote" template from the MX device. This proves that although an Access-Accept is sent, for some reason I do not think the "SU" class, or any of them (OP, RO), is being applied. I also configured a defined class of my own and that also fails.
It almost works. Weirdly, no matter what group I assign to the user, they only ever have read only access as per below:
Any idea why this is please?
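The template-user mapping discussed in this thread, as an added example that is not part of any post above: Junos applies the class of the local login user named by the returned Juniper-Local-User-Name VSA, falls back to the "remote" template when the name does not match (or no VSA is returned), and refuses the login when no "remote" template exists either. The config text and the FreeRADIUS debug line are constructed samples modelled on the ones posted here; the function names are the author's own.

```python
import re

# Constructed sample inputs (not taken from a real device or server).
JUNOS_CONFIG = """\
set system login user RO class read-only
set system login user OP class operator
set system login user SU class super-user
set system login user remote class read-only
"""
RADIUS_DEBUG = ('Sent Access-Accept Id 15 from 192.0.2.2:1812 to 192.0.2.10:49668 '
                'length 30 Juniper-Local-User-Name = "SU"')

# "set system login user <name> class <class>" lines define the template users.
SET_USER_RE = re.compile(r"^set system login user (\S+) class (\S+)\s*$", re.M)
# The VSA as FreeRADIUS prints it in debug output (radiusd -X).
VSA_RE = re.compile(r'Juniper-Local-User-Name\s*=\s*"([^"]*)"')


def template_classes(config):
    """Map each local login user (template) name to its Junos class."""
    return dict(SET_USER_RE.findall(config))


def returned_template(debug_line):
    """Value of Juniper-Local-User-Name in an Access-Accept debug line, or None."""
    m = VSA_RE.search(debug_line)
    return m.group(1) if m else None


def effective_class(config, debug_line):
    """Return (template_user, class) that Junos would apply for this login.

    Names are compared exactly, as Junos does; a mismatch silently drops the
    user to the "remote" template, which is why everyone may end up read-only.
    (None, None) means the login would be rejected outright.
    """
    templates = template_classes(config)
    name = returned_template(debug_line)
    if name in templates:
        return name, templates[name]
    if "remote" in templates:
        return "remote", templates["remote"]
    return None, None


if __name__ == "__main__":
    print(effective_class(JUNOS_CONFIG, RADIUS_DEBUG))  # ('SU', 'super-user')
```

Feeding the real `set system login` output and the real `radiusd -X` Access-Accept line into `effective_class` shows immediately whether the VSA value is landing on a configured template or falling through to "remote".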