
EX Switch Authentication, RADIUS (IAS) and AD

‎11-03-2009 02:27 AM

I have been battling towards a solution to allow our 4200 switches to authenticate against IAS using RADIUS. I thought I would post some instructions on how to implement it.

Switch config

1- Configure the switch to authenticate using RADIUS and PASSWORD. I did this via the GUI, ensuring that the RADIUS entry was above password. If the RADIUS server fails for whatever reason, the username/password combo will be compared against the local database. Add your RADIUS server IP addresses.

2- Create user accounts for each authentication privilege you require. E.g. if you require some users to log in with super-user access and some with read access, you need to create two user accounts, with dummy names that will be used to map the AD user to the authorisation level. I did this via the command line.

set system login user lame class read-only

set system login user super class super-user

IAS Config

3- Create a new IAS policy. Add your conditions (e.g. Windows security group); ensure you set it to grant permission, not deny.

4- Set Authentication methods to Unencrypted only. Not sure what happens if you enable others too.

5- On the Advanced tab remove all those attributes that are present and add the following.

  1. Vendor Specific; Vendor Code 2636; Yes it conforms; VSA attribute '1'; format: string; attribute value <user class name> (as created in step 2, would be 'lame' or 'super' depending on requirements).
  2. Service-type; attribute value 'Login'

And that's it...

The article below outlines most steps more thoroughly, although there are a few which I skipped.

http://forums.juniper.net/jnet/attachments/jnet/AAA_802_1x/54/1/RadiusOnJseriesRouter%5B1%5D.pdf
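Added example (not from the post above and not Juniper's or Microsoft's code): a small Python script that builds the Access-Accept attribute set the IAS policy from steps 3-5 returns (the Juniper Vendor-Specific attribute with vendor code 2636 and sub-attribute 1, plus Service-Type 'Login'), decodes it the way a RADIUS client would, and maps the returned value onto the template accounts created in step 2. Assumptions: attributes use the RFC 2865 wire layout (Type, Length, Value; Vendor-Specific is type 26 carrying a 4-byte Vendor-Id and a vendor type/length/value sub-attribute), sub-attribute 1 is Juniper-Local-User-Name, and when no VSA is returned Junos falls back to the 'remote' template user, which the last reply in this thread asks about. All sample values are constructed.

```python
"""Encode/decode the RADIUS Access-Accept attributes from the IAS steps and
map the Juniper VSA to a local template account. Added example; constructed data."""
import struct

JUNIPER_VENDOR_ID = 2636          # Vendor Code from step 5 (Juniper Networks)
JUNIPER_LOCAL_USER_NAME = 1       # VSA attribute '1' from step 5 (assumed: Juniper-Local-User-Name)
ATTR_SERVICE_TYPE = 6             # RFC 2865 Service-Type
ATTR_VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific
SERVICE_TYPE_LOGIN = 1            # Service-Type value 'Login'

# Template accounts created on the switch in step 2 (account name -> login class).
TEMPLATE_ACCOUNTS = {"lame": "read-only", "super": "super-user"}


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type(1) Length(1) Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_juniper_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific(26) = Vendor-Id(4) + one sub-attribute Vendor-Type(1) Vendor-Length(1) Value."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + sub)


def build_accept_attributes(template_user: str, include_service_type: bool = True) -> bytes:
    """Attribute list an IAS policy configured per step 5 would place in an Access-Accept."""
    attrs = encode_juniper_vsa(JUNIPER_LOCAL_USER_NAME, template_user.encode("ascii"))
    if include_service_type:  # the first reply notes this attribute is optional for Junos
        attrs += encode_attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
    return attrs


def decode_attributes(data: bytes) -> list:
    """Walk the attribute list and return (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return out


def juniper_local_user_name(attrs: list):
    """Return the Juniper-Local-User-Name string from decoded attributes, or None if absent."""
    for attr_type, value in attrs:
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != JUNIPER_VENDOR_ID:
            continue  # some other vendor's VSA; ignore it
        sub, spos = value[4:], 0
        while spos + 2 <= len(sub):
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("bad VSA sub-attribute length")
            if vtype == JUNIPER_LOCAL_USER_NAME:
                return sub[spos + 2:spos + vlen].decode("ascii")
            spos += vlen
    return None


def resolve_login_class(accept_attrs: bytes) -> str:
    """Map the returned VSA to the class of the matching template account.
    Assumption: with no VSA present, Junos uses the 'remote' template user."""
    name = juniper_local_user_name(decode_attributes(accept_attrs)) or "remote"
    if name not in TEMPLATE_ACCOUNTS:
        raise LookupError(f"no local template account '{name}' on the switch")
    return TEMPLATE_ACCOUNTS[name]


if __name__ == "__main__":
    for user in ("super", "lame"):
        pkt = build_accept_attributes(user)
        print(user, "->", resolve_login_class(pkt), pkt.hex())
```

The length checks in decode_attributes are there because a RADIUS client takes attribute lengths straight from the packet; the LookupError path shows the situation the switch has to cope with when the Access-Accept carries no usable VSA and no 'remote' template account exists locally, which is worth testing before admin logins depend on RADIUS.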


Re: EX Switch Authentication, RADIUS (IAS) and AD

‎11-03-2009 07:09 AM

Hey Harry - nice post - just a couple of add-on comments:

1- The Windows value of service type, attribute login should be optional. I use radius for auth without it.

2- For the authentication methods you can also use mschap-v2 - just add the following command to your JUNOS box:

       set system radius-options password-protocol mschap-v2

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation


Re: EX Switch Authentication, RADIUS (IAS) and AD

‎11-05-2009 02:59 PM

Good post :)

Related question - is there any reason why we wouldn't want to use the built-in "remote" account for RADIUS authentication? Does one method have a benefit/best practice over the other?

Cheers