Junos and Junos Space FreeRADIUS authentication.

Welcome after a long absence. I'm back among the living. The recent lack of new entries on the blog was caused by my involvement in a new project. It was a pure Juniper deployment, and during that time we deployed several features that I decided to share with you.

This isn't rocket science, but I'm doing this mostly for myself, so that if I ever need to use or deploy it again I'll have all of the how-tos in one place. Maybe someone will find it useful as well :-). There will be a few such posts in the future. During the deployment mentioned above we enabled device authentication against a RADIUS server. The main benefit, from the administrative perspective, is a central user database and management: an account is created, changed or revoked once, on the server, instead of on every device. Below I'll walk you through the few basic steps needed to implement this feature. It's neither fancy nor sophisticated, just the basics. The obvious choice for the RADIUS server is FreeRADIUS. The FreeRADIUS documentation is not the best that I've seen, but the installation part does its job. The FreeRADIUS installation is described here. If you follow it carefully, there is a high chance of success :-P.
After you're finished with the installation, it's time to configure it, as well as the Juniper devices. The FreeRADIUS configuration is all about two files (I know I'm simplifying a bit too much, but as I said, just the basics): the user database, and the list of devices that are allowed to talk to the server, each with its shared secret.
[cc lang=”bash” escaped=”true” width=”670″ theme=”default” tab_size=”4″]
/etc/freeradius/3.0/mods-config/files/authorize

# Each entry: user name and check items (Cleartext-Password := ...) on one line,
# then reply items on tab-indented lines, comma-terminated except the last one.
tomek	Cleartext-Password := "password"
	Juniper-Junosspace-Profiles = radius_profile

admin	Cleartext-Password := "password"
	Service-Type = Login-User,
	Juniper-Local-User-Name = admins

# Juniper-Junosspace-Profiles - VSA used by Junos Space, check screenshot below
# Service-Type - this parameter in my opinion isn't required
# Juniper-Local-User-Name - VSA used by Junos
[/cc]
[cc lang=”bash” escaped=”true” width=”670″ theme=”default” tab_size=”4″]
/etc/freeradius/3.0/clients.conf

client space {
ipaddr = 10.1.1.199
secret = xxxxxxxx
}

client EX2200 {
ipaddr = 172.28.28.115
secret = xxxxxxxx
}
[/cc]
or for an entire network (every host in the prefix then shares the same secret, so a compromised switch gives away the secret for all of them):
[cc lang=”bash” escaped=”true” width=”670″ theme=”default” tab_size=”4″]
client EX2200 {
ipaddr = 172.28.28.0/24
secret = xxxxxxxx
}
[/cc]
and, as a last resort, any device at all. The section name is free-form; the ipaddr prefix is what an incoming request is matched against. A catch-all client with a single secret means that anyone who can reach UDP/1812 on the server and learns that secret can submit Access-Requests and decode User-Password attributes from captured traffic, so keep this for the lab and use per-device secrets in production:
[cc lang=”bash” escaped=”true” width=”670″ theme=”default” tab_size=”4″]
client any {
	ipaddr = 0.0.0.0/0
	secret = xxxxxxxx
}
[/cc]
Junos config (everything lives under [edit system]; the admins user is a template, so it deliberately gets a class but no authentication statement):
[cc lang=”text” escaped=”true” width=”670″ theme=”default” tab_size=”4″]
system {
    authentication-order [ radius password ];
    radius-server {
        10.1.1.202 {
            secret "xxxxxxxxx"; ## SECRET-DATA
            source-address 172.28.28.115;
        }
    }
    login {
        user admins {
            class super-user;
        }
    }
}
[/cc]
Junos Space config:



…and that’s it.
A more detailed explanation of the authentication order can be found here. One thing worth knowing about authentication-order [ radius password ]: because password is listed explicitly, a user that RADIUS rejects is still checked against the local password database, so every local account with a password remains a second, device-local way in. If password is left out of the list, Junos only falls back to local passwords when no RADIUS server answers at all. If the device has multiple L3 interfaces, a source-address statement is required so that requests always leave from the address listed in clients.conf (here 172.28.28.115 matches the EX2200 client); otherwise Junos sources them from whichever interface the route points at, and FreeRADIUS ignores the packet as coming from an unknown client (visible in radiusd -X output). For a pure L2 switch with an in-band management IP on a VLAN it's not required.
Note that the configuration defines a template user (admins) with a login class attached to it; on that basis the device grants privileges to the user who logged in, and the user is mapped onto the template by the Juniper-Local-User-Name value the server returns. The template user has no authentication statement on purpose: nobody can log in as admins directly, and the only way to get its class is to be mapped onto it by RADIUS. If the server returns no Juniper-Local-User-Name at all, Junos looks for a template user named remote, and the login fails when that one isn't configured. The main point that I always forget is this sentence:

The VSA (vendor specific attribute) "Juniper-Local-User-Name" is used here. This VSA is already present in the file /usr/share/freeradius/dictionary.juniper by default and doesn't need to be configured.

The same applies to the Juniper-Junosspace-Profiles VSA used by Junos Space. Of course the FreeRADIUS configuration isn't "just" that. There are many more ways to tune the server, e.g. storing hashed passwords (Crypt-Password or SSHA-Password in the authorize file) instead of clear-text ones, or restricting which users may log in to which devices. It may look like I'm trivialising the setup, but my point is just to get the central authentication service deployed as a basis for something more to play with.
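To make two of the points above concrete (what the shared secret in clients.conf actually protects, and how the Juniper-Local-User-Name reply ends up selecting the admins template on the switch), here is an added example that is not code from this post, from FreeRADIUS or from Junos: a minimal RFC 2865 exchange done entirely in memory, with the NAS side building an Access-Request and a toy server side answering with the Juniper VSA. The secret, user names and password are constructed to match the configuration above; the attribute numbers come from RFC 2865 and the vendor/attribute numbers from dictionary.juniper.

```python
"""Added example (not from the post, FreeRADIUS or Junos): an RFC 2865 Access-Request /
Access-Accept exchange built in memory, NAS side and server side, with the
Juniper-Local-User-Name VSA in the reply.  Secret, users and password are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
LOGIN_USER = 1
JUNIPER_VENDOR_ID = 2636        # VENDOR Juniper in dictionary.juniper
JUNIPER_LOCAL_USER_NAME = 1     # ATTRIBUTE Juniper-Local-User-Name in dictionary.juniper

def _attr(atype, value):
    """One TLV: type, total length (including these two bytes), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def _vsa(vendor_id, vtype, value):
    """Vendor-Specific (26): 4-byte Vendor-Id followed by a vendor TLV."""
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + _attr(vtype, value))

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16n bytes, XOR each block with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):
    """The inverse: whoever holds the shared secret reads the clear-text password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00").decode()   # strips padding only; passwords never end in NUL

def parse_attrs(body):
    """Split an attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs

def build_access_request(secret, username, password, ident=1, authenticator=None):
    """NAS side (what the EX2200 sends): User-Name, hidden User-Password, Service-Type."""
    ra = authenticator or os.urandom(16)            # Request Authenticator
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(secret, ra, password))
             + _attr(SERVICE_TYPE, struct.pack("!I", LOGIN_USER)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def server_reply(secret, request, users):
    """Server side: check the password, answer with the Juniper VSA on success."""
    ident, length = request[1], struct.unpack("!H", request[2:4])[0]
    ra = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    entry = users.get(attrs[USER_NAME].decode())
    if entry and entry["password"] == reveal_password(secret, ra, attrs[USER_PASSWORD]):
        code = ACCESS_ACCEPT
        reply_attrs = _vsa(JUNIPER_VENDOR_ID, JUNIPER_LOCAL_USER_NAME, entry["local_user"].encode())
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    head = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + ra + reply_attrs + secret).digest() + reply_attrs

def reply_is_authentic(secret, request, reply):
    """NAS side: the Response Authenticator is the only integrity check on the reply."""
    length = struct.unpack("!H", reply[2:4])[0]
    if reply[1] != request[1] or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)

def client_check_reply(secret, request, reply):
    """Return the Junos template user to map the login onto, or None on reject."""
    if not reply_is_authentic(secret, request, reply):
        raise ValueError("bad Response Authenticator: forged reply or wrong secret")
    if reply[0] != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attrs(reply[20:]):
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == JUNIPER_VENDOR_ID:
            for vtype, vval in parse_attrs(value[4:]):
                if vtype == JUNIPER_LOCAL_USER_NAME:
                    return vval.decode()
    return "remote"   # no VSA: Junos falls back to a template user literally named "remote"

# Constructed sample data matching the authorize file in the post
SECRET = b"xxxxxxxx"
USERS = {"admin": {"password": "password", "local_user": "admins"}}

def demo(username="admin", password="password"):
    req = build_access_request(SECRET, username, password)
    return client_check_reply(SECRET, req, server_reply(SECRET, req, USERS))

if __name__ == "__main__":
    print(demo())                   # admins
    print(demo(password="wrong"))   # None
```

Two things to take away from running it: reveal_password shows that anyone holding the shared secret (or brute-forcing a short one offline from a capture) reads the login password in clear, which is why long, per-device secrets matter more than the client list looks; and reply_is_authentic shows that the Response Authenticator is the only thing binding the Access-Accept (and its Juniper-Local-User-Name) to the request, so a forged "you are admins" reply is detected exactly as long as the attacker doesn't know the same secret.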