Posts Tagged ‘vsa’

A lot of companies run Microsoft's Active Directory AAA infrastructure. A nice add on to AD (apart from my favorite 'Services for UNIX') is the Network and Policy Server (NPS). Using this RADIUS server with any radius speaking client is a nice addon that allows the majority of Network infrastructure to use AD as it's authoriative authentication source. Using NPS as the souce will allow new users to obtain access to the box without the need for configuration on all the infrastrucutre devices individually, scales and disables users access when they leave the organisation (local accounts tend to be forgotten).

Finding documentation on using NPS with JUNOS was difficult, so here is how I have got it to work:

First we need the Juniper Vedor Code and attribute to send to your JUNOS device:

[plain]
Juniper Vendor ID:
2636
RADIUS Attribute to specify account name (id):
Juniper-Local-User-Name (1)
[/plain]

Then we need to configure a RADIUS client in NPS, then configure the JUNOS side and finally define a 'Connection Request Policy' (More information here visit this post)

Once the connection request policy is defined we now need a 'Network Request Policy'. This will allow the use of AD groups (amoungst other attributes) to define which template account that is defined locally on the JUNOS device to map the user to. Please refer to the previous NPS post for more information on configuring a Network request policy.

To add the custom VSA navigate to the "Network Policies'' section in the NPS MMC, go to properties of the policy you wish to add the VSA to and navigate to the 'Settings' tab. 
Select 'Vendor Specific' under attributes and then click add. Then select 'Custom' from the drop down list, select Vendor-Specific and click add:

Now select add and enter the following:

 

The device will now send the defined 'USERNAME' that is required to be defined locally on each JUNOS device that speaks to this radius server.

If there is no match, JUNOS will fall back to the default remote authentication server template user 'remote'. I reccomend setting this to unauthorised so that if a user not in required groups gets authenticated due to bad NPS polices can not obtain any useful access to the JUNOS device.

Please let me know how you go and if I have made any boo boos in my post.
The above was tested with JUNOS 11.2r2.4 and Windows Server 2008 R2.