Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Adding a login user group via AAA

    Posted 08-12-2023 02:51

    Hi,

    I need to have a login group for, as an example, below:

    Admins - Super-users

    Operational Users - Just monitoring the systems

    This needs to be controlled by AAA server. So no local logins.

    Is there a way of completing this please?



    ------------------------------
    Clive Gwyther
    ------------------------------


  • 2.  RE: Adding a login user group via AAA

    Posted 08-12-2023 10:28

    You create local groups for the desired permissions and then connect Junos login to the external RADIUS server.

    https://supportportal.juniper.net/s/article/Junos-How-to-assign-a-login-class-to-RADIUS-authenticated-users



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Adding a login user group via AAA

    Posted 08-14-2023 09:46

    Hi Steve,

    Many thanks for the pointer in the right direction. Although I see the access request hit the radius server, it is not finding a group and sending this information back and therefore I believe the user is being logged in with the "remote" class and cannot do anything. I have tested this by setting the following:

    user: john

    nas: 1.1.1.1

    Juniper-Local-User-Name: RO

    I can change Juniper-Local-User-Name to be any of them and it makes no difference. It just does not seem to be functioning correctly.



    ------------------------------
    Clive Gwyther
    ------------------------------



  • 4.  RE: Adding a login user group via AAA
    Best Answer

    Posted 08-14-2023 13:16

    The RADIUS server has to be setup to return the desired group name that matches the Junos configuration.  It sounds like this has not been setup yet.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: Adding a login user group via AAA

    Posted 08-14-2023 13:46

    Hi Steve,

    Many thanks for the response.

    I have configured the RADIUS server with the method shown in the documentation. So, for example:

    Username: John

    Cleartext-password: testing123

    Juniper-Local-User-Name: RO, OP, or SU (I have tried all three and a bespoke class I created).

    I have set the "Juniper-Local-User-Name" in the received and sent but it does not seem to make any difference at all.

    It makes perfect sense that the Juniper device does not see this returned and therefore rejects it and eventually times out, but I cannot work out why. I am pretty sure it is something to do with the radius config, but where, who knows.

    I am using a mysql backend database and not the text files of user and clients.

    The config on the Juniper is the basic for testing purposes. I guess I will have to keep trying.



    ------------------------------
    Clive Gwyther
    ------------------------------



  • 6.  RE: Adding a login user group via AAA

    Posted 08-15-2023 06:31

    Hi Steve

    Is there a specific method that I can utilise to see if the access-accept packet is even reaching the Juniper MX device, as I do not believe it is?

    Thanks



    ------------------------------
    Clive Gwyther
    ------------------------------



  • 7.  RE: Adding a login user group via AAA

    Posted 08-15-2023 06:55

    Hi Steve,

    All working now. It is always something easy.

    For some reason the route back to the Juniper MX was missing from the radius server netplan configuration. I have now changed that and it all works. Many thanks for the help.



    ------------------------------
    Clive Gwyther
    ------------------------------



  • 8.  RE: Adding a login user group via AAA

    Posted 08-14-2023 10:30

    Hi Steve,

    Although this does work, there seems to be an added issue which I cannot quite work out. I am using freeradius and Radman as the gui front end with a mysql backend DB (I don't use the freeradius plain-text files of users and clients) and have configured the Juniper-Local-User-Name and Service-Type Juniper VSAs (as mentioned it all works, sort of), but, it does not seem to matter if I set the users as RO, OP or SU, that user cannot seem to do anything when logged into the Juniper device, as shown below (the same options no matter what I set the Juniper-Local-User-Name to):

    Possible completions:
      file                 Perform file operations
      help                 Provide help information
      load                 Load information from file
      op                   Invoke an operation script
      quit                 Exit the management session
      request              Make system-level requests
      save                 Save information to file
      set                  Set CLI properties, date/time, craft interface message
      show                 Show system information
      start                Start shell
      test                 Perform diagnostic debugging

    Any idea why if I set the user to SU, they cannot utilise Edit or Conf or anything else other than the above?

    Here is the Juniper conf I tested with:

    set system login user RO class read-only
    set system login user OP class operator
    set system login user SU class super-user
    set system login user remote full-name "default remote access user template"
    set system login user remote class read-only
    set system radius-server xxx.xxx.xxx.xxx secret xxxxxxxx
    set system radius-server xxx.xxx.xxx.xxx source-address xxx.xxx.xxx.xxx

    Is there any other config required? (I know I can create my own class).

    Many thanks



    ------------------------------
    Clive Gwyther
    ------------------------------
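The replies above (create local template users, point Junos at RADIUS, and have the RADIUS server return a Juniper-Local-User-Name that matches one of those templates) and the test configuration posted just above can be combined into one complete Junos-side configuration. The following is an added example, not configuration from this thread or from Juniper; the class name ops-monitor, the template names admin-template and ops-template, the addresses 192.0.2.10 and 192.0.2.1 and the secret are all placeholders chosen for the example, and the `#` lines are explanatory comments.

```junos
# Added example: Junos side of RADIUS-assigned login classes (not the thread's own config).
# Assumed values: RADIUS server 192.0.2.10, router source address 192.0.2.1, secret placeholder.

# 1. A locally defined class for "operational users": view-only, with an explicit
#    allow list for operational commands and an explicit deny list for shell access.
set system login class ops-monitor permissions [ view view-configuration ]
set system login class ops-monitor allow-commands "(show|ping|traceroute|monitor)"
set system login class ops-monitor deny-commands "(start shell|request system)"
set system login class ops-monitor idle-timeout 15

# 2. Template users. Nobody logs in as these directly; the RADIUS Access-Accept selects one
#    by returning the Juniper VSA Juniper-Local-User-Name = "<template name>" (vendor id 2636).
#    The value returned by RADIUS must match these names exactly (case-sensitive).
set system login user admin-template class super-user
set system login user ops-template class ops-monitor

# 3. Fallback template used when an Access-Accept carries no Juniper-Local-User-Name.
#    Keep it as restrictive as possible, or delete it so that such logins are refused.
set system login user remote full-name "default remote access user template"
set system login user remote class read-only

# 4. RADIUS server definition and the authentication order. Without authentication-order
#    Junos defaults to local password authentication and never consults RADIUS.
set system radius-server 192.0.2.10 secret "<shared-secret-placeholder>"
set system radius-server 192.0.2.10 source-address 192.0.2.1
set system radius-server 192.0.2.10 timeout 5
set system radius-server 192.0.2.10 retry 3
set system authentication-order radius
```

On the RADIUS side the user entry only needs a check item for the password and a reply item `Juniper-Local-User-Name = "admin-template"` (or `"ops-template"`); the value is looked up against the template user names under `system login`, not against class names, which is why a class name alone does not change the resulting permissions. Two checks are worth running after committing: log in as the RADIUS user and run `show cli authorization`, which prints the class and permission flags Junos actually applied to the session, and, while a login is attempted, run `monitor traffic interface fxp0 matching "udp port 1812"` on the router to confirm that both the Access-Request and the Access-Accept are seen on the management interface. Note on "no local logins": with `authentication-order radius` Junos fails the login when the server answers with Access-Reject, but falls back to local password authentication when no RADIUS server answers at all, so local accounts other than root should not carry usable passwords if that fallback is unwanted.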



  • 9.  RE: Adding a login user group via AAA

    Posted 08-14-2023 10:41

    Here is what I see in the radius packet:

    pap: Login attempt with password
    pap: Comparing with "known good" Cleartext-Password
    pap: User authenticated successfully

    sql: SQL query returned: success

    Sent Access-Accept Id 15 from 192.168.1.2:1812 to 1.1.1.1:49668 length 30
    Juniper-Local-User-Name = "SU"

    But then it is sending duplicate access-accepts and this is probably because of the retries, but then the user fails to login because I have removed the "remote" template from the MX device. This proves that although an access-accept is sent, for some reason I do not think the "SU" class, or any of them (OP, RO) are being applied. I also configured a defined class of my own and that also fails.

    Weird



    ------------------------------
    Clive Gwyther
    ------------------------------



  • 10.  RE: Adding a login user group via AAA

    Posted 08-14-2023 11:57

    It almost works. Weirdly, no matter what group I assign to the user, they only ever have read only access as per below:

    Possible completions:
      file                 Perform file operations
      help                 Provide help information
      load                 Load information from file
      op                   Invoke an operation script
      quit                 Exit the management session
      request              Make system-level requests
      save                 Save information to file
      set                  Set CLI properties, date/time, craft interface message
      show                 Show system information
      start                Start shell
      test                 Perform diagnostic debugging

    Any idea why this is please?



    ------------------------------
    Clive Gwyther
    ------------------------------