[j-nsp] JUNOS RADIUS Authentication
Eric Van Tol
eric at atlantech.net
Wed Dec 3 12:50:40 EST 2008
Argh. Never mind. As usual, I figured it out shortly after sending out a request for help. The 'user' needs to be the same name as the 'class' in order for this to work. So obvious, yet overlooked.
-evt
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Eric Van Tol
> Sent: Wednesday, December 03, 2008 12:06 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] JUNOS RADIUS Authentication
>
> Hi all,
> I'm trying to configure JUNOS for RADIUS authentication and I've gotten to
> the point where the user is granted access, but for some reason is
> immediately logged out of the router:
>
> -= 11:35:13 - /home/eric =-
> [506 - eric@net1]# ssh -l test1 172.16.200.170
> test1@172.16.200.170's password:
> --- JUNOS 8.4R2.3 built 2007-09-18 09:21:59 UTC
>
> This account is currently not available.
> Connection to 172.16.200.170 closed.
>
> My RADIUS and login config:
>
> root@m5-red# show system radius-server
> 10.10.7.210 {
>     secret "$9$3UL4ntOhclMLNrewYg4ZG"; ## SECRET-DATA
>     source-address 172.16.200.170;
> }
>
> [edit]
> root@m5-red# show system login
> class FullAccess {
>     permissions all;
> }
> class PartialAccess {
>     permissions [ view view-configuration ];
> }
> user full {
>     class FullAccess;
> }
> user partial {
>     class PartialAccess;
> }
>
> I'm attempting to authenticate against Windows IAS, and I believe that it
> is set up properly, as I'm passing the 'Juniper-Local-User-Name' attribute
> to the router, per some other posts I've found with similar setup issues.
> The fact that I can get an Access-Accept packet from the RADIUS server
> leads me to believe that there's something up with JUNOS. I'm trying not
> to have to use the 'remote' template because I can't see how I could have
> users with different access classes and setting up different users on the
> router with passwords kind of defeats the purpose of RADIUS.
>
> Anyone else run into this before?
>
> Thanks,
> evt
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
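The mismatch described in this thread can be caught before a login fails. The following is an added example, not code from the post or from Juniper: a small Python check that parses `show system login` output and flags any Juniper-Local-User-Name value (the attribute that names the local user template to apply) with no matching local `user` entry. The function names are hypothetical, and the attribute values are an assumption, since the post does not show what IAS actually returned.

```python
import re

# Constructed sample: the `show system login` output quoted in the post.
LOGIN_BEFORE = """
class FullAccess {
    permissions all;
}
class PartialAccess {
    permissions [ view view-configuration ];
}
user full {
    class FullAccess;
}
user partial {
    class PartialAccess;
}
"""
# The same config with each user renamed to match its class name,
# which is the fix the post describes.
LOGIN_AFTER = LOGIN_BEFORE.replace("user full", "user FullAccess").replace(
    "user partial", "user PartialAccess")

# Assumption: the Juniper-Local-User-Name values the RADIUS policies return.
RADIUS_LOCAL_USER_NAMES = ["FullAccess", "PartialAccess"]

def parse_login(text):
    """Return (classes, users): the set of class names and {user: class}."""
    classes, users, current_user = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"class (\S+) \{", line):
            classes.add(m.group(1))          # top-level class definition
        elif m := re.fullmatch(r"user (\S+) \{", line):
            current_user = m.group(1)        # entering a user stanza
            users[current_user] = None
        elif (m := re.fullmatch(r"class (\S+);", line)) and current_user:
            users[current_user] = m.group(1)  # class assigned to that user
        elif line == "}":
            current_user = None
    return classes, users

def audit(text, radius_names):
    """Problems that would stop a RADIUS login from mapping to a login class."""
    classes, users = parse_login(text)
    problems = [f"no local user '{n}' for Juniper-Local-User-Name"
                for n in radius_names if n not in users]
    problems += [f"user '{u}' references undefined class '{c}'"
                 for u, c in users.items() if c not in classes]
    return problems
```

Run against the original config, `audit` reports both attribute values as unmatched; against the renamed users it returns an empty list.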