SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Radius Authentication on SRX

    Posted 03-20-2013 04:57

    Hello,

    I need some help with the RADIUS configuration on the SRX boxes. I have the following configuration on the SRX, and when I log in with a user name which is not locally defined, it gets authenticated via RADIUS but only with the "operator" privileges, as that is the defined class for "remote". I have the following queries and would really appreciate an answer.

    - Is it necessary to have a remote user defined in order to get authenticated from RADIUS, or are there other options?

    - I want the users to get authenticated from the RADIUS server and get the privileges defined for them on the server. If it is required to define multiple users with different privileges, does this require defining multiple "remote" users?


    - In Cisco, we have "line con 0" for console-specific logins and we can define a different authentication/authorization order than the default for the rest of the box. What is the equivalent for this on Juniper? Let's say I want the authentication order of [ password radius ] for the user who accesses the router via console, and for the rest of the connections it should use [ radius password ].


    Thanks for your help in advance,

    MSC


    test@SRX> show configuration system radius-server
    X.X.X.X secret  "; ## SECRET-DATA
    X.X.X.X secret ; ## SECRET-DATA

    test@SRX> show configuration system authentication-order
    authentication-order [ radius password ];

    test@SRX> show configuration system login user remote
    full-name "all remote users";
    uid 2002;
    class operator;

    test@SRX>


  • 2.  RE: Radius Authentication on SRX

    Posted 03-20-2013 10:49

    No reply after so many views 😞



  • 3.  RE: Radius Authentication on SRX
    Best Answer

    Posted 03-20-2013 11:11

    There are a few ways you can do this...

    You can use login classes (groups) and then have the RADIUS server return a value for which group (login class) a user belongs to when they log in. This is how I normally do it.

    You can also get really granular and define specific commands that users may or may not run via RADIUS, but I find login classes to be a cleaner way to do it.

    You have to configure your RADIUS server to return a VSA (Vendor-Specific Attribute) with the correct value.

    This KB article gives a good overview of how it works and has links to the pages that document the VSAs in more detail.


    - In Cisco, we have "line con 0" for console-specific logins and we can define a different authentication/authorization order than the default for the rest of the box. What is the equivalent for this on Juniper? Let's say I want the authentication order of [ password radius ] for the user who accesses the router via console, and for the rest of the connections it should use [ radius password ].


    That one I honestly don't know, but I don't think you can do that on Junos. I know what you're talking about, I've just never seen it or done it on Junos. Perhaps someone wiser than I will have an answer for that one. :)
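    An added example of the template-user approach described in this answer; it is not from the thread, the KB article or any Juniper document. The SRX gets two local template accounts with different login classes, and the RADIUS server (FreeRADIUS `users` file shown) returns the Juniper-Local-User-Name VSA (vendor 2636) naming the template each person should land on. Server address, secret, user names and class names are assumed values.

    ```text
    # --- SRX side: Junos set-style configuration (assumed addresses/names) ---
    # Try RADIUS first, fall back to the local password database.
    set system radius-server 192.0.2.10 secret "<shared-secret-placeholder>"
    set system radius-server 192.0.2.10 source-address 192.0.2.1
    set system authentication-order [ radius password ]

    # Read-only class: may view state and configuration, nothing else.
    set system login class ro-ops permissions [ view view-configuration ]
    # Admin class: full permissions, idle sessions dropped after 10 minutes.
    set system login class netadmin permissions all
    set system login class netadmin idle-timeout 10

    # Template accounts. They have no local password, so nobody can log in
    # as them directly; a RADIUS-authenticated user is mapped onto one of
    # them and inherits that template's class (and so its permissions).
    set system login user ro-template uid 2010 class ro-ops
    set system login user admin-template uid 2011 class netadmin

    # Catch-all for RADIUS users whose reply carries no template name.
    # Keep it read-only, or omit it entirely to reject such logins.
    set system login user remote uid 2002 class ro-ops

    # --- RADIUS side: FreeRADIUS 'users' file (assumed; dictionary.juniper,
    # shipped with FreeRADIUS, defines vendor 2636 and these attributes) ---
    # The reply value must match a template user name on the SRX exactly.
    alice   Cleartext-Password := "<placeholder>"
            Juniper-Local-User-Name = "admin-template"

    bob     Cleartext-Password := "<placeholder>"
            Juniper-Local-User-Name = "ro-template"
            # Optional, the "granular" variant: a regex of extra commands
            # this user may run on top of the template class.
            # Juniper-Allow-Commands = "^(ping|traceroute) .*"
    ```

    Verify the mapping after login with `show cli authorization`: it reports the effective login class and permissions the session actually received.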




  • 4.  RE: Radius Authentication on SRX

    Posted 03-25-2013 11:32

    Thanks, that helps.



  • 5.  RE: Radius Authentication on SRX

    Posted 03-25-2013 11:33

    It will be good if someone can shed some light on how management access in Junos is different from Cisco (taking the example of line console 0).