Archive for October 2011

The inventor of the C programming language and integral part of UNIX development has passed away. RIP Dennis Ritchie.

Thanks for the Uni lectures ...

BoingBoing Article

This letter was sent to the Lions Bay School Principal's office in West Geelong after the school had sponsored a luncheon for seniors. An elderly lady received a new radio at the lunch as a door raffle prize and was writing to say thank you.

This story is a credit to all humankind. Forward this to anyone you know who might need a lift today.

Dear Lions Bay School,

God bless you for the beautiful radio I won at your recent Senior Citizens luncheon. I am 87 years old and live at the West Geelong Home for the Aged. All of my family has passed away so I am all alone. I want to thank you for the kindness you have shown to a forgotten old lady.

My roommate is 95 and has always had her own radio; but, she would never let me listen to it. She said it belonged to her long dead husband, and understandably, wanted to keep it safe. The other day her radio fell off the nightstand and broke into a dozen pieces. It was awful and she was in tears. She asked if she could listen to mine, and I was overjoyed that I could tell her to fuck off.

Thank you for that wonderful opportunity.

God bless you all.



A lot of companies run Microsoft's Active Directory AAA infrastructure. A nice add-on to AD (apart from my favorite, 'Services for UNIX') is the Network Policy Server (NPS). Using this RADIUS server with any RADIUS-speaking client allows the majority of the network infrastructure to use AD as its authoritative authentication source. Using NPS as the source lets new users obtain access to a box without configuring every infrastructure device individually, scales, and disables users' access when they leave the organisation (local accounts tend to be forgotten).

Finding documentation on using NPS with JUNOS was difficult, so here is how I got it to work:

First we need the Juniper Vendor Code and the attribute to send to your JUNOS device:

Juniper Vendor ID:
RADIUS Attribute to specify account name (id):
Juniper-Local-User-Name (1)

Then we need to configure a RADIUS client in NPS, then configure the JUNOS side, and finally define a 'Connection Request Policy' (for more information, see this post).

Once the connection request policy is defined we need a 'Network Request Policy'. This allows AD groups (amongst other attributes) to decide which template account, defined locally on the JUNOS device, the user is mapped to. Please refer to the previous NPS post for more information on configuring a network request policy.

To add the custom VSA, navigate to the 'Network Policies' section in the NPS MMC, open the properties of the policy you wish to add the VSA to and go to the 'Settings' tab.
Select 'Vendor Specific' under Attributes and click Add. Then select 'Custom' from the drop-down list, select Vendor-Specific and click Add:

Now select add and enter the following:


NPS will now send the defined 'USERNAME' (the Juniper-Local-User-Name value), which must be defined locally as a user on each JUNOS device that speaks to this RADIUS server.

If there is no match, JUNOS falls back to the default remote authentication template user, 'remote'. I recommend setting this user's class to unauthorised, so that a user who is not in the required groups but still gets authenticated because of a bad NPS policy cannot obtain any useful access to the JUNOS device.
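To show what the policy above actually puts on the wire and how JUNOS resolves it, here is an added Python example (not code from this post, nor from Juniper or Microsoft). It encodes and decodes the Juniper-Local-User-Name Vendor-Specific attribute and mimics the template lookup with its fallback to 'remote'; it assumes Juniper's IANA enterprise number (2636) and a constructed set of local template users, with the hardened and the weak 'remote' class side by side.

```python
"""Encode/decode the Juniper-Local-User-Name VSA and mimic the JUNOS template lookup."""
import struct
from typing import Dict, Optional, Tuple

VENDOR_SPECIFIC = 26            # RADIUS Vendor-Specific attribute type (RFC 2865)
JUNIPER_VENDOR_ID = 2636        # Juniper's IANA enterprise number (assumed; not stated in the post)
JUNIPER_LOCAL_USER_NAME = 1     # vendor attribute id listed in the post
FALLBACK_TEMPLATE = "remote"    # JUNOS default template user when no local name matches

# Constructed sample 'set system login user ...' state on a JUNOS device: name -> login class.
LOCAL_TEMPLATE_USERS = {"netops-admin": "super-user", "netops-ro": "read-only",
                        FALLBACK_TEMPLATE: "unauthorized"}   # hardened: fallback gets nothing
WEAK_TEMPLATE_USERS = {"netops-admin": "super-user",
                       FALLBACK_TEMPLATE: "super-user"}      # weak: a bad NPS policy gives full access


def encode_local_user_name(template_user: str) -> bytes:
    """Build the Vendor-Specific AVP that NPS puts in its Access-Accept."""
    value = template_user.encode("ascii")
    vendor_data = struct.pack("!BB", JUNIPER_LOCAL_USER_NAME, 2 + len(value)) + value
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + vendor_data
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_local_user_name(avp: bytes) -> Optional[str]:
    """Return the template name carried by a Juniper-Local-User-Name VSA, else None."""
    if len(avp) < 9 or avp[0] != VENDOR_SPECIFIC or avp[1] != len(avp):
        return None
    if struct.unpack("!I", avp[2:6])[0] != JUNIPER_VENDOR_ID:
        return None
    vtype, vlen = avp[6], avp[7]
    if vtype != JUNIPER_LOCAL_USER_NAME or vlen != len(avp) - 6 or vlen < 3:
        return None
    return avp[8:].decode("ascii", errors="replace")


def resolve_login_class(avp: Optional[bytes], local_users: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Mimic JUNOS: use the named template if it exists locally, otherwise fall back to
    'remote'. A class of None means no usable template, so the login is refused."""
    name = decode_local_user_name(avp) if avp else None
    if name in local_users:
        return name, local_users[name]
    return FALLBACK_TEMPLATE, local_users.get(FALLBACK_TEMPLATE)


if __name__ == "__main__":
    for sent in ("netops-admin", "helpdesk"):
        print(sent, "->", resolve_login_class(encode_local_user_name(sent), LOCAL_TEMPLATE_USERS))
```

Run it against the weak table to see why the post recommends the unauthorised class: a name that matches nothing still lands on 'remote', and 'remote' decides what that session can do.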

Please let me know how you go and if I have made any boo-boos in my post.
The above was tested with JUNOS 11.2r2.4 and Windows Server 2008 R2.