[j-nsp] RSA ACE and JUNOS

Ivan Batanov ivanb at corp.earthlink.net
Wed Jun 16 16:49:20 EDT 2004


we have RSA working on our Junipers using the following config:

system {
    authentication-order [ radius password ];

        class operator-local {
            idle-timeout 60;
            permissions [ clear network reset trace view ];
        class read-only-local {
            idle-timeout 60;
            permissions view;
        class superuser-local {
            idle-timeout 60;
            permissions all;
        user r-oper {
            full-name "Remote operator class";
            uid XXXXX;
            class operator-local;
        user r-ro {
            full-name "Remote read-only class";
            uid XXXX;
            class read-only-local;
        user r-super {
            full-name "Remote superuser class";
            uid XXXX;
            class superuser-local;
        user backdoor-user {
            uid XXXX;
            class superuser-local;
            authentication {
                encrypted-password "XXXXXXXXXXXXXXXXXXXX"; # SECRET-DATA

On your RSA RADIUS server you should have the users configured with the
appropriate RADIUS profile for their privilege level (see the above
local users). The RADIUS profile should have the correct Juniper VSA (in
RSA-speak - Vendor-specific Attribute, Value type=String, Value=2636 1

Hope this helps,

Ivan Batanov
Earthlink, Inc
Network Engineering
Phone (626) 296 5444
Email: ivanb at corp.earthlink.net

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Robert Walton
Sent: Wednesday, June 16, 2004 6:36 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] RSA ACE and JUNOS


	Has anyone used the RSA ACE radius server with the Junipers to
much success? I have been assured it works but we only seem to have
minimal success are regards the available features i.e. it just
authorises access, we don't seem to be able to get the full range of
RADIUS capabilities.

If anyone has got it working could they provide me with a none-sensitive
(ofcourse) template of the config they used at both ends... hopefully
some of the Juniper guys have tested it in the lab already and they
coudl find their way to sharing with me... hint hint.. *ahem* Paul G...
Simon C... ;o)


This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify
security at ffastfill.com

This email has been scanned for all viruses by the FFastFill Email
Security System.

juniper-nsp mailing list juniper-nsp at puck.nether.net

More information about the juniper-nsp mailing list