A lot of companies run Microsoft's Active Directory AAA infrastructure. A nice add on to AD (apart from my favorite 'Services for UNIX') is the Network and Policy Server (NPS). Using this RADIUS server with any radius speaking client is a nice addon that allows the majority of Network infrastructure to use AD as it's authoriative authentication source. Using NPS as the souce will allow new users to obtain access to the box without the need for configuration on all the infrastrucutre devices individually, scales and disables users access when they leave the organisation (local accounts tend to be forgotten).

Finding documentation on using NPS with JUNOS was difficult, so here is how I have got it to work:

First we need the Juniper Vedor Code and attribute to send to your JUNOS device:

Juniper Vendor ID:
RADIUS Attribute to specify account name (id):
Juniper-Local-User-Name (1)

Then we need to configure a RADIUS client in NPS, then configure the JUNOS side and finally define a 'Connection Request Policy' (More information here visit this post)

Once the connection request policy is defined we now need a 'Network Request Policy'. This will allow the use of AD groups (amoungst other attributes) to define which template account that is defined locally on the JUNOS device to map the user to. Please refer to the previous NPS post for more information on configuring a Network request policy.

To add the custom VSA navigate to the "Network Policies'' section in the NPS MMC, go to properties of the policy you wish to add the VSA to and navigate to the 'Settings' tab. 
Select 'Vendor Specific' under attributes and then click add. Then select 'Custom' from the drop down list, select Vendor-Specific and click add:

Now select add and enter the following:


The device will now send the defined 'USERNAME' that is required to be defined locally on each JUNOS device that speaks to this radius server.

If there is no match, JUNOS will fall back to the default remote authentication server template user 'remote'. I reccomend setting this to unauthorised so that if a user not in required groups gets authenticated due to bad NPS polices can not obtain any useful access to the JUNOS device.

Please let me know how you go and if I have made any boo boos in my post.
The above was tested with JUNOS 11.2r2.4 and Windows Server 2008 R2.

5 thoughts on “Microsoft NPS Server + Juniper JUNOS VSA”
  1. I trying to use NPS as AAA server for my SRX device. I found your post very useful but still get:
    rad_send_request: No valid RADIUS responses received
    I found in Wireshark that Authorization Request are coming to Windows but it doesn’t send an respone.
    I’m not windows advanced user so it’s hard for me to identify problem. Do you know what can cause this issue or where should I start looking for an answer ?

  2. Hallo,

    great post, helped me a lot of headache as I could not find the vendor code.
    Junos 7.1R5 (build 19757) + NPS WIn 2008 R2 works well with the vendor code and solution you provided.
    By the way, is there an easy way, knowledgebase etc. to find vendor’s ID.


Leave a Reply

Your email address will not be published. Required fields are marked *