Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  RADIUS issue

     
    Posted 03-02-2011 14:36

    Hi,

     

    I need to configure a bunch of EX switches and SRX to use our RADIUS server (steel-belted RADIUS)

     

    I have the following config on the devices

     

    radius-server {
        10.1.1.1 {
            port 1812;
            secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
            source-address 10.255.255.11;
        }
    }

     

    When I try to authenticate I get the following error:

     

    "Mar  3 09:25:47  AUDCULTCS001 sshd: User 'remote' authenticated successfully but no local login-id configured.
    Mar  3 09:25:47  AUDCULTCS001 sshd[39885]: Failed password for my_username from 10.176.192.102 port 1390 ssh2"

     

    From my research it seems I need to add my username into the device and specify the appropriate class... is this correct?

     

    thanks,



  • 2.  RE: RADIUS issue

    Posted 03-02-2011 16:09

    Hi,

     

    I believe so.  I had a similar issue with EX and Cisco TACACS.  Once I added the local account the issue was resolved.

     

    John



  • 3.  RE: RADIUS issue

    Posted 03-03-2011 01:00

    Hi,

     

    Have a look at this KB article:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16607

     

    Regards

    Klaus



  • 4.  RE: RADIUS issue
    Best Answer

    Posted 03-05-2011 02:02

    First of all, create a user account on each of your EX switches that has no password, but the class that you want your RADIUS users to match (e.g. super-user):

     

     

    login {
        user superUserClass {
            uid 2005;
            class super-user;
        }
    }

    Now in SBR, you'll need to make sure that the group of users that you're allowing access to the EXs gets the following vendor-specific attribute returned in their access-accept message:

     

     

    Vendor Code: 2636 (Juniper)

    Attribute:1 Juniper-Local-User-Name

    Value: "superUserClass"

     

    This allows you to configure a login "Template" which you can assign to users based on their username in RADIUS.  And most importantly, it means you don't need to create local accounts for everyone.
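
An added example, not part of the original post and not Juniper or SBR code: Python that encodes the vendor-specific attribute described above (vendor 2636, attribute 1) in the RFC 2865 Vendor-Specific layout and checks whether a captured Access-Accept actually carries it. The function names and the sample packet builder are constructed for illustration.

```python
import struct

JUNIPER_VENDOR_ID = 2636          # vendor code from the post
JUNIPER_LOCAL_USER_NAME = 1       # attribute number from the post
VENDOR_SPECIFIC = 26              # RADIUS attribute type (RFC 2865, section 5.26)
ACCESS_ACCEPT = 2                 # RADIUS packet code


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute holding a single sub-attribute."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + sub
    if len(body) + 2 > 255:
        raise ValueError("attribute too long for RADIUS")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def juniper_local_user(packet):
    """Return Juniper-Local-User-Name from an Access-Accept, or None."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length > len(packet):
        return None
    pos = 20                                   # skip header + 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        body = packet[pos + 2:pos + alen]
        pos += alen
        if (atype != VENDOR_SPECIFIC or len(body) < 4
                or int.from_bytes(body[:4], "big") != JUNIPER_VENDOR_ID):
            continue
        sub = body[4:]
        while len(sub) >= 2:                   # walk vendor sub-attributes
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == JUNIPER_LOCAL_USER_NAME:
                return sub[2:vlen].decode("utf-8")
            sub = sub[vlen:]
    return None


def build_accept(attrs):
    """Constructed sample: Access-Accept with a zeroed authenticator."""
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs
```

Running `juniper_local_user` over the Access-Accept bytes from a packet capture shows whether the server is returning the template name at all, which separates a RADIUS-side profile problem from a missing `login user` entry on the switch.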



  • 5.  RE: RADIUS issue

     
    Posted 03-06-2011 13:43

    Yep, thanks dfex... that's the way to go.