Switching

  • 1.  Unable to get User Access Privilege working on EX4550 w/ Radius

    Posted 06-20-2024 12:22
    Hello,
     
    I have a user I need to give read-only access to. I've added the following configuration to the Juniper EX4550:
     
    set system radius-server 10.2.2.1
    set system radius-server 10.2.2.1 secret abc 
    set system radius-server 10.2.2.1 source-address 10.0.0.1 
    set system authentication-order [ password radius ]
    set system login user RO class read-only
    set system login user OP class operator
    set system login user SU class super-user
    set system login class networkscan permissions network
    set system login class networkscan permissions system
    set system login class networkscan permissions view
    set system login class networkscan permissions view-configurations
    set system login class networkscan allow-commands "show configuration | no-more"
    set system login class networkscan allow-configuration "show configuration"
    set system login user scan-user full-name "User Scan Network"
    set system login user scan-user uid 2000
    set system login user scan-user class networkscan
     
    When I try to do a simple "show configuration" command when logged into "scan-user" account I get access denied:
     
    scan-user@EX4550> show configuration
    version { /*ACCESS-DENIED*/}
    system { /*ACCESS-DENIED*/}
    chassis { /*ACCESS-DENIED*/}
    interface { /*ACCESS-DENIED*/}
    vlans { /*ACCESS-DENIED*/}
    protocol { /*ACCESS-DENIED*/}
     
    However, all other show commands work successfully on the same account:
     
    scan-user@EX4550> show version
    scan-user@EX4550> show interfaces
    scan-user@EX4550> show chassis
    Etc.....
     
    I see the following output when typing "show cli authorization" command: 
     
    scan-user@EX4550> show cli authorization 
    Current user: 'rad-readonly' login: 'scan-user' class 'read-only'
    Permissions:
     view -- Can view current values and statistics
    Individual command authorization:
     Allow regular expression: none
     Deny regular expression: none
     Allow configuration regular expression: none
     Deny configuration regular expression: none
     
    The radius server is a Windows NPS. The configuration on that server is attached.


    ------------------------------
    T.Tram
    ------------------------------


  • 2.  RE: Unable to get User Access Privilege working on EX4550 w/ Radius

     
    Posted 06-22-2024 19:55

    Unfortunately I don't have an EX4550 to hand, so I just set up a quick test using FreeRADIUS and an SRX, just to see what is needed for read-only access.

    I put my configuration into an apply group, and the configuration that I used is shown below.

    scan-user@SRX-Node1> show configuration groups global
    system {
        authentication-order [ radius password ];
        radius-server {
            192.168.0.35 {
                port 1812;
                accounting-port 1813;
                secret /* SECRET-DATA */; ## SECRET-DATA
                timeout 3;
                retry 3;
                source-address 192.168.0.212;
            }
        }
        login {
            class networkscan {
                permissions [ view view-configuration ];
            }
            user scan-user {
                uid 2003;
                class networkscan;
            }
        }
    }

    That was the only setup that I required to provide read-only access to the configuration and show commands for the scan-user.

    The only thing I noticed was that in your configuration you had view-configurations, which is incorrect as far as I know, and should be view-configuration. I had no need to add allow-commands or allow-configuration.

    show cli authorization gives the following results.

    scan-user@SRX-Node1> show cli authorization
    Current user: 'scan-user   ' class 'networkscan'
    Permissions:
        view        -- Can view current values and statistics
        view-configuration-- Can view all configuration (not including secrets)
    Individual command authorization:
        Allow regular expression: none
        Deny regular expression: none
        Allow configuration regular expression: none
        Deny configuration regular expression: none

    Let me know if I can assist any further.



    ------------------------------
    Andy Sharp
    ------------------------------



  • 3.  RE: Unable to get User Access Privilege working on EX4550 w/ Radius

    Posted 06-25-2024 13:24

    asharp, thanks for the info.

    I actually checked my configurations and noticed I had the correct config (view-configuration) but I mistyped it in this forum. Thanks for catching that.

    I'm still troubleshooting the issue. This is what I did thus far:

    I removed the following configuration from the switch:

    set system login user RO class read-only
    set system login user OP class operator
    set system login user SU class super-user

    Once I did that, the read-only account (scan-user) was using super-user privileges. The reason for that is that there's a configuration on the switch that allows "remote" users to access our network devices via ssh as super-user. That configuration is as follows:

    set system login user remote uid 2002
    set system login user remote class super-user
    set system login user remote full-name "remote users"

    I then changed the Radius configuration by making the scan-user account an operator (OP). When I did that, I logged into the switch with the scan-user account and I still had super-user privileges.

    So let's recap: I changed the Radius configuration to allow the scan-user account to have operator (OP) privileges. I also removed the user configurations on the switch itself for RO, OP, and SU. After all of that, the scan-user account was still using super-user privileges.

    I then ONLY added the OP and SU user configurations to the switch, but kept the Radius configuration the same. The configuration I added is as follows:

    set system login user OP class operator
    set system login user SU class super-user

    When I logged back into the switch with the scan-user account, I still had super-user privileges. I then added the RO user configuration back to the switch and kept the Radius configuration the same. Immediately the scan-user account had read-only privileges, and I wasn't able to use the "show configuration" command.


    ------------------------------
    T.Tram
    ------------------------------



  • 4.  RE: Unable to get User Access Privilege working on EX4550 w/ Radius

     
    Posted 06-25-2024 15:13

    Very strange. I'll be the first to admit that my experience with Radius is very, very limited, to the point that either someone else has configured it, or it isn't being used! So it was a fun experience just to spin up a Docker container with Radius and configure it with an SRX cluster that is on my desk.

    The issue you are getting, where an account that starts off with super-user access is then configured on Radius not to have super-user access but still has super-user access... appears to me to be that Radius is still working on old data, and when the switch is requesting AAA it's getting the old information back. What happens if you restart Radius? Does authentication work as expected, or is there still super-user access?

    Regards.



    ------------------------------
    Andy Sharp
    ------------------------------



  • 5.  RE: Unable to get User Access Privilege working on EX4550 w/ Radius

    Posted 06-25-2024 16:09

    Something else interesting happened: when I changed the user 'remote' from super-user to read-only, the new user account (scan-user) could not log into the devices.

     

    delete system login user remote class super-user

    set system login user remote class read-only



    ------------------------------
    T.Tram
    ------------------------------



  • 6.  RE: Unable to get User Access Privilege working on EX4550 w/ Radius

    Posted 06-26-2024 09:55

    Andy,

    Unfortunately, the radius server is on production so it can't be restarted without affecting other systems.



    ------------------------------
    T.Tram
    ------------------------------



  • 7.  RE: Unable to get User Access Privilege working on EX4550 w/ Radius

     
    Posted 06-26-2024 13:56

    Understood. Are you able to run radtest to see what the response is from Radius? It would be interesting to see what is being sent.

    e.g. This is just my lab setup here, and I have used vendor-specific attributes to include Juniper-Deny-Commands, rather than configure them directly on the Junos device. I'm just interested to see what type of response you get before and after you have made changes to Radius.

    radtest -x scan-user mypassword 192.168.0.35 0 mysecretpasswd
    Sent Access-Request Id 44 from 0.0.0.0:fe91 to 192.168.0.35:1812 length 79
    	User-Name = "scan-user"
    	User-Password = "mypassword"
    	NAS-IP-Address = 192.168.0.35
    	NAS-Port = 0
    	Message-Authenticator = 0x00
    	Cleartext-Password = "mypassword"
    Received Access-Accept Id 44 from 192.168.0.35:714 to 192.168.0.35:65169 length 51
    	Juniper-Deny-Commands = "configure|start|request"


    ------------------------------
    Andy Sharp
    ------------------------------
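    The template behaviour seen in post 3 (scan-user inheriting whatever the "remote" user has until an RO user exists) and the Access-Accept contents Andy dumps with radtest above both come down to the Juniper VSAs in the RADIUS reply. The following is an added example, not code from this thread or from Juniper: it builds a constructed Access-Accept, pulls the Juniper VSAs (vendor 2636, attribute numbers as in FreeRADIUS's dictionary.juniper) out of it, and applies Junos's template rule: the login is mapped to the local user named by Juniper-Local-User-Name, and to the "remote" template user when that attribute is absent or names no configured user. The user names and command regex are constructed sample values.

```python
import struct

# Juniper's enterprise number and the VSA numbers from FreeRADIUS's dictionary.juniper
JUNIPER_VENDOR = 2636
JUNIPER_VSA = {1: "Juniper-Local-User-Name", 2: "Juniper-Allow-Commands",
               3: "Juniper-Deny-Commands", 4: "Juniper-Allow-Configuration",
               5: "Juniper-Deny-Configuration"}
VSA_NUMBER = {name: num for num, name in JUNIPER_VSA.items()}


def build_access_accept(ident, vsas):
    """Constructed RADIUS Access-Accept (code 2) carrying Juniper VSAs. The 16-byte
    Response Authenticator is zeroed because this packet is only parsed, never sent."""
    attrs = b""
    for name, text in vsas.items():
        raw = text.encode("ascii")
        inner = bytes([VSA_NUMBER[name], 2 + len(raw)]) + raw   # vendor type, vendor length
        body = struct.pack("!I", JUNIPER_VENDOR) + inner
        attrs += bytes([26, 2 + len(body)]) + body               # type 26 = Vendor-Specific
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + bytes(16) + attrs


def parse_juniper_vsas(packet):
    """Return (code, {vsa_name: value}) for the Juniper VSAs in a RADIUS packet."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    found, pos = {}, 20                      # attributes start after the 20-byte header
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == JUNIPER_VENDOR:
            vtype, vlen = value[4], value[5]
            name = JUNIPER_VSA.get(vtype, f"Juniper-VSA-{vtype}")
            found[name] = value[6:4 + vlen].decode("ascii", "replace")
        pos += alen
    return code, found


def template_user(vsas, local_users):
    """Junos template selection: the local user named by Juniper-Local-User-Name,
    otherwise the 'remote' template user if configured, otherwise no login mapping."""
    name = vsas.get("Juniper-Local-User-Name")
    if name in local_users:
        return name
    return "remote" if "remote" in local_users else None
```

    Fed the attribute bytes of a captured NPS reply instead of the constructed packet, the same parser shows exactly which template name and command regexes the server is sending, which is the check post 8 could not get from radtest.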



  • 8.  RE: Unable to get User Access Privilege working on EX4550 w/ Radius

    Posted 06-26-2024 15:39

    Andy,

    I don't believe I can do 'radtest' on Windows NPS; that is what my radius is on currently. I'll look into it though.



    ------------------------------
    T.Tram
    ------------------------------



  • 9.  RE: Unable to get User Access Privilege working on EX4550 w/ Radius

     
    Posted 06-26-2024 17:05

    Doh! My mistake, let me check what trace options might be available...



    ------------------------------
    Andy Sharp
    ------------------------------