Juniper Radius Configuration - Home - J-Net Community forums.juniper.net/.../54/1/RadiusOnJseriesRouter[1].pdf · 2011-07-20

Juniper Radius Configuration

Created by: Mitchell Griffin
Created on 6/2/2008 3:20:00 PM


1. LOG INTO YOUR JUNIPER 3
2. ASSOCIATE USERS TO CLASSES 3
3. CONFIGURE EXTERNAL RADIUS AUTHENTICATION 3
4. CREATE ACTIVE DIRECTORY GROUPS 4
5. CREATE ACTIVE DIRECTORY USER ACCOUNTS 4
6. CREATE REMOTE ACCESS POLICIES 4
7. CREATE RADIUS CLIENTS 5
   7-1. ENTER FRIENDLY NAME OR IP ADDRESS 5
   7-2. SELECT VENDOR AND ENTER SHARED SECRET 6
8. CREATE A REMOTE ACCESS POLICY 6
   8-1. CONFIGURE POLICY CONDITIONS 7
   8-2. EDIT PROFILE 9
      8-2-1. EDIT THE SERVICE-TYPE 10
      8-2-2. ADD VENDOR SPECIFIC ATTRIBUTE 11
      8-2-3. CHANGE AUTHENTICATION 12
9. CREATE CONNECTION REQUEST POLICY 13


1. Log into your Juniper

Log into your Juniper device and create user classes. Give the classes permissions.

set system login class tier1 idle-timeout 15
set system login class tier1 permissions view
set system login class tier2 idle-timeout 15
set system login class tier2 permissions access
set system login class tier2 permissions access-control
set system login class tier2 permissions admin
set system login class tier2 permissions configure
set system login class tier2 permissions interface
set system login class tier2 permissions routing
set system login class tier2 permissions security
set system login class tier2 permissions snmp
set system login class tier2 permissions system
set system login class tier2 permissions view
set system login class tier3 idle-timeout 15
set system login class tier3 permissions all

2. Associate Users to Classes

Next create users and associate them to classes.

set system login user tier1 uid 2001
set system login user tier1 class tier1
set system login user tier2 uid 2002
set system login user tier2 class tier2
set system login user tier3 uid 2003
set system login user tier3 class tier3

3. Configure External Radius Authentication

Next configure your Juniper to use external RADIUS authentication.

set system radius-server [ip of radius server] port [default 1812 but can be changed here if needed. I used 1645 because I am also using endpoint server on this machine]
set system radius-server 10.10.1.8 secret ############################
set system radius-server 10.10.1.8 timeout 3
set system radius-server 10.10.1.8 retry 3
set system radius-server 10.10.1.8 source-address 1.1.1.1

*Note* Be sure to leave yourself a back door. You need to create a local password for at least one account just in case the radius server is unavailable.


4. Create Active Directory Groups

Go to Active Directory Users and Computers and create Global Groups to be used with your implementation of RADIUS authentication. I used

• VIEW
• MAINTENANCE
• SUPER_USER

*Note* Domain Local Groups will not work.

5. Create Active Directory User Accounts

If you do not already have accounts created in Active Directory, create some. These will be added to the groups we created in the last step. For testing I used the following.

• testView
• testMaintenance
• testSuperUser

*Note* Don't forget to allow the users remote access via the Dial-in tab.

6. Create Remote Access Policies

Configure your IAS server to accept your authentication requests using policies. To do this you must first register your IAS server in Active Directory: right-click Internet Authentication Service in the IAS MMC and select Register Server in Active Directory.

(Figure: Create Remote Access Policies 1)


7. Create Radius Clients

Create a new RADIUS client: right-click RADIUS Clients and select New RADIUS Client. Yes, it is that easy!

(Figure: Create Radius Clients 1)

7-1. Enter Friendly Name or IP Address

Enter the name of the client in the Friendly name text box if DNS is up and running properly.

(Figure: Create Radius Clients 2)

*Note* In my experience it is always safer to enter the IP address and click the Verify button. This ensures that your DNS is in proper working order and that you are not going to conflict with any other servers currently online.


7-2. Select Vendor and Enter Shared Secret

For Juniper, select RADIUS Standard and enter the shared secret of your choice. Select Finish.

(Figure: Create Radius Clients 3)

8. Create a Remote Access Policy

Begin by right-clicking Remote Access Policies. Select New Remote Access Policy.

(Figure: Create Remote Access Policy 1)


Select the radio button <Set up a custom policy> and give the policy a name in the Policy name: text box that matches one of the Active Directory groups created earlier. Click Next.

(Figure: Create Remote Access Policy 2)

*Note* You do not have to make the Policy name the same as the group. This is simply recommended for organizational purposes.

8-1. Configure Policy Conditions

You should now have a window that asks for policy conditions.

(Figure: Configure Policy Conditions 1)


Select Windows Group and click Add. You will be asked to select the Active Directory group. Select a group, click OK, click OK, and finally click Next.

(Figure: Configure Policy Conditions 2)

Next select the radio button <Grant remote access permission>. This grants the user access if he is a member of the Active Directory group you selected for this policy.

(Figure: Configure Policy Conditions 3)

*Note* If you have Policies that deny access, you will be best served by putting those at the top of your list of policies.


8-2. Edit Profile

Next click Edit Profile.

(Figure: Edit Profile 1)

This will bring up a new window that looks like Figure Edit Profile 2.

(Figure: Edit Profile 2)

Select Framed-Protocol and choose Remove.

(Figure: Edit Profile 3)

*Note* The window normally opens on the Authentication tab. In the figure I have already selected the Advanced tab; you will also have to select this tab before you can continue.

*Note* This step is not a necessity, but I always like to clear anything that could later complicate troubleshooting.


8-2-1. Edit the Service-Type

First highlight Service-Type by clicking it. Then select Edit. Now choose Login from the drop-down menu.

(Figure: Edit Service Type 1)

*Note* I did not come up with this step, and I have not tested to see if it actually does anything. This step was included in the Radius Authentication tutorial I found for Netscreen Appliances. Feel free to toy with this setting at your leisure.


8-2-2. Add Vendor Specific Attribute

Add the vendor-specific attribute. This is what associates the Active Directory username to the Juniper local user template.

1. First select Add.
2. Then select Vendor-Specific.
3. Once again select Add.
4. Enter 2636 for the Vendor Code.
5. Check the radio button associated with <Yes. It conforms.>
6. Click Configure Attribute…
7. In the field Vendor-assigned attribute number:, enter the number 1.
8. The Attribute format: should be String.
9. The Attribute value: should be the local Juniper template name: tier3.
10. Finally click OK and Close as many times as it takes to get back to the window Edit Dial-in Profile.

(Figure: Add Vendor Specific Attribute 1)
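The attribute built in this step is the standard RADIUS Vendor-Specific attribute (type 26) carrying Juniper's vendor code 2636 and vendor-assigned attribute 1 with the template name as a string. The Python below is an added example, not part of the original tutorial or of any Juniper or Microsoft code: it encodes that attribute as IAS would place it in an Access-Accept and parses it back the way a router-side check would, accepting only a template that exists locally (the set of local template names is assumed from step 2).

```python
import struct

ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type
JUNIPER_VENDOR_ID = 2636       # Vendor Code entered in IAS (step 8-2-2)
JUNIPER_LOCAL_USER_NAME = 1    # vendor-assigned attribute number 1, format String
# Local Junos login templates created in step 2 (assumed set of names)
LOCAL_TEMPLATES = {"tier1", "tier2", "tier3"}


def encode_juniper_local_user(template: str) -> bytes:
    """Encode the VSA as IAS sends it: Type 26, Length, Vendor-Id 2636,
    then Vendor-Type 1, Vendor-Length and the template name as a string."""
    value = template.encode("ascii")
    vendor_data = struct.pack("!BB", JUNIPER_LOCAL_USER_NAME, 2 + len(value)) + value
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + vendor_data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list; reject bad lengths."""
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[i], data[i + 1]
        if a_len < 2 or i + a_len > len(data):
            raise ValueError("bad attribute length")
        yield a_type, data[i + 2:i + a_len]
        i += a_len


def local_user_template(attrs: bytes):
    """Return the Junos template named by the Juniper VSA, or None. A name with
    no matching 'set system login user' entry is ignored, as on the router."""
    for a_type, value in parse_attributes(attrs):
        if a_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != JUNIPER_VENDOR_ID:
            continue                      # another vendor's VSA, skip it
        sub = value[4:]
        while len(sub) >= 2:
            v_type, v_len = sub[0], sub[1]
            if v_len < 2 or v_len > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if v_type == JUNIPER_LOCAL_USER_NAME:
                name = sub[2:v_len].decode("ascii", "replace")
                return name if name in LOCAL_TEMPLATES else None
            sub = sub[v_len:]
    return None
```

A capture from the IAS server can be checked the same way: if the Access-Accept carries a vendor ID other than 2636 or a name that is not a local login user, the Juniper will not map the session to the intended class.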


8-2-3. Change Authentication

After you have finished specifying the vendor-specific attributes, select the Authentication tab and uncheck the check boxes associated with the following:

• Microsoft Encrypted Authentication version 2 (MS-CHAPv2)
• Microsoft Encrypted Authentication (MS-CHAP)

You will need to check:

• Unencrypted authentication (PAP, SPAP)

(Figure: Change Authentication 1)

*Note* This is one of the major issues with Radius Authentication and Juniper. Passwords and Usernames are transmitted in Plain Text across your network.


If you have followed the steps, this is how your policies should look once you have completed the tutorial.

(Figure: Completed Policy View 1)

*Note* Policies are read as they are numbered; thus, if a user is denied in the 3rd policy, but allowed in the 1st, he will have access.

9. Create Connection Request Policy

Right-click Connection Request Policies. Select New Connection Request Policy.

(Figure: Create Connection Request Policy 1)


Select the radio button <A custom policy> and enter a policy name that describes which type of devices will be using this connection request policy. I will not be creating a connection request policy for each individual client; I will create one connection request policy for my entire Juniper population. You could also do this for your entire network architecture if you like, and the example I will show you actually achieves just that.

(Figure: Create Connection Request Policy 2)

*Note* I gave this connection request policy a Juniper-specific title, although it will work for all vendors. An explanation is forthcoming.

Next select Client-Vendor and click Add.

(Figure: Create Connection Request Policy 3)


This will bring up the Client Vendor menu. Select RADIUS Standard and click Add.

(Figure: Create Connection Request Policy 4)

*Note* Because Microsoft IAS does not have built-in support for Juniper, we had to select RADIUS Standard. This creates a policy that will work for all standards-based RADIUS authentication applications.

Click OK and Next until you reach Finish, then click Finish. You are done. Enjoy!