Tuesday, June 23, 2015

JUNOS SPACE and free radius Authentication


Today I had the pleasure of setting up freeradius in my lab and having JUNOS Space authenticate to it.

For those of you running 14.1R2.9 be aware of TSB16642

JUNOS Space 14.1R2.9 has issue with some RADIUS/TACACS authentication configuration  

This was just a quick lab test and I used the following:


  • JUNOS SPACE 14.1R3.4
  • Acer Aspire with fresh load of Fedora
    • Linux acer 4.0.4-301.fc22.i686 #1 SMP Thu May 21 13:43:18 UTC 2015 i686 i686 i386 GNU/Linux
    • dnf install freeradius freeradius-utils

        [root@acer raddb]# dnf search freeradius
        ========================================================
    • freeradius.i686 : High-performance and highly configurable free RADIUS server
      freeradius-utils.i686 : FreeRADIUS utilities
Once the package is downloaded navigate to /etc/raddb

# cp clients.conf orig.clients.conf
# vi clients.conf 
  • add the following:
  • client 0/0 { 
  •         # This is the shared secret between the Authenticator (the 
  •         # access point) and the Authentication Server (RADIUS).
  •         secret          = somePassword
  •         shortname       = junosspace
  • ipv4addr = * # any.  127.0.0.1 == localhost
  • }
# cp users orig.users
# vi users

  • add the following:
  • edward Cleartext-Password := "spaceRocks"


# vi dictionary

  • add the following to the bottom of the file
  • ATTRIBUTE Juniper-Junosspace-Profiles 3003 String

# cd /etc/raddb/mods-available
# cp ead orig.ead
# vi ead

  • change the default_eap_type = peap

# service radiusd restart

Everything should be good to go at this point!

Now lets go to Space and configure our remote user:

  • Log into space as super (default password is juniper123) help
  • Navigate to Adminstration -> Authentication Servers
  •     Check the Use Remote Authentication box
  •     Select Remote-Local Authentication radio button
  •     Click the green + icon to add you server
  •     Click OK

  •     Highlight your server and click Test Connection



  • This shows you have a good connection to the radius server and that the passwords are good
  • Next, navigate to Role Based Access Control -> User Accounts
  •     Click User Accounts
  •     Click the green Add button
  •     Fill in the user information
  •     Click Next
  •     Check the GUI Access box and then select a role for the user
  •     Click Next
  •     Select Global domain
  •     Click Finish


  • Now without a password assigned to this user you should be able to authenticate against the free radius server and gain access.
  • First you have to restart radiusd on the server
  •         # service radiusd restart
  • Then get to the https://[space-address]/mainui and enter your credentials
  • You should now be logged in using remote authentication!!




Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)