First of all, create a user account on each of your EX switches that has no password, but the class that you want your RADIUS users to match (eg: super-user):
login {
user superUserClass {
uid 2005;
class super-user;
}
}
Now in SBR, you'll need to make sure that the group of users that you're allowing access to the EXs gets the following vendor-specific attribute returned in their access-accept message:
Vendor Code: 2636 (Juniper)
Attribute:1 Juniper-Local-User-Name
Value: "superUserClass"
This allows you to configure a login "Template" which you can assign to users based on their username in RADIUS. And most importantly, it means you don't need to create local accounts for everyone.