
    Example: Configuring RADIUS and LDAP User Authentication

    This example shows how to configure a device for external authentication.

    Requirements

    Before you begin, create an authentication user group.

    Overview

    You can group several user accounts into a user group, which you can store in the local database or on a RADIUS, LDAP, or SecurID server. When a policy references an authentication user group and an external authentication server, traffic matching that policy triggers an authentication check.

    This example shows how the access profile Profile-1 is configured for external authentication. Two RADIUS servers and one LDAP server are configured in the access profile. However, the authentication order specifies RADIUS only, so if RADIUS authentication fails, the firewall user fails to authenticate. The local database is not accessed.

    Note: If the firewall clients are authenticated by the RADIUS server, then the group-membership VSA returned by the RADIUS server should contain alpha, beta, or gamma client groups in the RADIUS server configuration or in the access profile, Profile-1. Access profiles store usernames and passwords of users or point to external authentication servers where such information is stored.
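    The note above rests on two things happening on the wire: the device sends a RADIUS Access-Request for the firewall user, and the server's Access-Accept carries a vendor-specific attribute (VSA) whose group value must match one of the client groups (alpha, beta, gamma). The following is an added educational example, not code from this page or from Juniper, that builds both messages per RFC 2865, verifies the Response Authenticator with the shared secret `juniper` from the configuration, extracts the group names from the VSA, and applies the client-group check. Assumptions: the Juniper Networks IANA enterprise number 2636 is used as the Vendor-Id; the vendor-type number `GROUP_VSA_TYPE` is a placeholder, since the page does not name the actual attribute; the server reply and its group values are constructed for the demonstration.

```python
"""Added example (not Junos or Juniper code): a RADIUS Access-Request /
Access-Accept exchange carrying a group-membership VSA, and the
client-group check described in the page's note."""
import hashlib
import hmac
import os
import struct

# Values taken from the page: shared secret "juniper" and the session-options client groups.
SHARED_SECRET = b"juniper"
ALLOWED_GROUPS = {"alpha", "beta", "gamma"}

# Assumptions, not on the page: 2636 is Juniper Networks' IANA enterprise number;
# GROUP_VSA_TYPE is a PLACEHOLDER vendor-type, not a documented Juniper attribute number.
JUNIPER_VENDOR_ID = 2636
GROUP_VSA_TYPE = 1

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte) | Length (1 byte, includes header) | Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    where the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: bytes = b"") -> tuple:
    """Device side: Code | Identifier | Length | Request Authenticator | attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = tlv(ATTR_USER_NAME, username.encode())
    attrs += tlv(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26: Vendor-Id (4 bytes) followed by a vendor Type/Length/Value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_access_accept(identifier: int, request_authenticator: bytes, secret: bytes,
                        groups: list) -> bytes:
    """Server side (constructed stand-in for the RADIUS server): one group VSA per group.
    RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = b"".join(vsa(JUNIPER_VENDOR_ID, GROUP_VSA_TYPE, g.encode()) for g in groups)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def parse_response(packet: bytes, identifier: int, request_authenticator: bytes,
                   secret: bytes) -> tuple:
    """Device side: check framing, identifier and Response Authenticator before trusting
    any attribute, then collect group names from Juniper VSAs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or reply_id != identifier:
        raise ValueError("length or identifier does not match the outstanding request")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    groups, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor_id == JUNIPER_VENDOR_ID and vtype == GROUP_VSA_TYPE and vlen == len(value) - 4:
                groups.append(value[6:].decode())
        pos += attr_len
    return code, groups


def authorize(code: int, groups: list, allowed: set) -> tuple:
    """With authentication-order radius there is no fallback: anything other than an
    Access-Accept whose groups intersect the configured client groups fails."""
    if code != CODE_ACCESS_ACCEPT:
        return False, set()
    matched = set(groups) & allowed
    return bool(matched), matched


def demo() -> tuple:
    """Full round trip with a constructed server reply granting 'alpha' and an unrelated group."""
    request, req_auth = build_access_request(7, "Client-1", "pwd", SHARED_SECRET)
    reply = build_access_accept(7, req_auth, SHARED_SECRET, ["alpha", "finance"])
    return authorize(*parse_response(reply, 7, req_auth, SHARED_SECRET), ALLOWED_GROUPS)


if __name__ == "__main__":
    print(demo())
```

The Response Authenticator check is the part worth keeping in mind when troubleshooting: a reply built with a different shared secret is rejected before its attributes are read, so a mismatched `secret` on the `radius-server` statement shows up as a failed authentication rather than as a group problem.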

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set access profile Profile-1 authentication-order radius
    set access profile Profile-1 client Client-1 client-group alpha
    set access profile Profile-1 client Client-1 client-group beta
    set access profile Profile-1 client Client-1 client-group gamma
    set access profile Profile-1 client Client-1 firewall-user password pwd
    set access profile Profile-1 client Client-2 client-group alpha
    set access profile Profile-1 client Client-2 client-group beta
    set access profile Profile-1 client Client-2 firewall-user password pwd
    set access profile Profile-1 client Client-3 firewall-user password pwd
    set access profile Profile-1 client Client-4 firewall-user password pwd
    set access profile Profile-1 session-options client-group alpha
    set access profile Profile-1 session-options client-group beta
    set access profile Profile-1 session-options client-group gamma
    set access profile Profile-1 session-options client-idle-timeout 255
    set access profile Profile-1 session-options client-session-timeout 4
    set access profile Profile-1 ldap-options base-distinguished-name CN=users,DC=junos,DC=juniper,DC=net
    set access profile Profile-1 ldap-options search search-filter sAMAccountName=
    set access profile Profile-1 ldap-options search admin-search distinguished-name cn=administrator,cn=users,dc=junos,dc=juniper,dc=net
    set access profile Profile-1 ldap-options search admin-search password juniper
    set access profile Profile-1 ldap-server 3.3.3.3
    set access profile Profile-1 radius-server 4.4.4.4 secret juniper
    set access profile Profile-1 radius-server 4.4.4.4 retry 10
    set access profile Profile-1 radius-server 5.5.5.5 secret juniper

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure a device for external authentication:

    1. Specify the RADIUS server for external authentication order.
      [edit]
      user@host# set access profile Profile-1 authentication-order radius
    2. Configure firewall users Client-1 through Client-4, and assign the Client-1 and Client-2 firewall users to client groups.
      [edit access profile Profile-1]
      user@host# set client Client-1 client-group alpha
      user@host# set client Client-1 client-group beta
      user@host# set client Client-1 client-group gamma
      user@host# set client Client-1 firewall-user password pwd
      user@host# set client Client-2 client-group alpha
      user@host# set client Client-2 client-group beta
      user@host# set client Client-2 firewall-user password pwd
      user@host# set client Client-3 firewall-user password pwd
      user@host# set client Client-4 firewall-user password pwd
    3. Configure client groups in the session options.
      [edit access profile Profile-1]
      user@host# set session-options client-group alpha
      user@host# set session-options client-group beta
      user@host# set session-options client-group gamma
      user@host# set session-options client-idle-timeout 255
      user@host# set session-options client-session-timeout 4
    4. Configure the IP address for the LDAP server and server options.
      [edit access profile Profile-1]
      user@host# set ldap-options base-distinguished-name CN=users,DC=junos,DC=juniper,DC=net
      user@host# set ldap-options search search-filter sAMAccountName=
      user@host# set ldap-options search admin-search password juniper
      user@host# set ldap-options search admin-search distinguished-name cn=administrator,cn=users,dc=junos,dc=juniper,dc=net
      user@host# set ldap-server 3.3.3.3
    5. Configure the IP addresses for the two RADIUS servers.
      [edit access profile Profile-1]
      user@host# set radius-server 4.4.4.4 secret juniper
      user@host# set radius-server 4.4.4.4 retry 10
      user@host# set radius-server 5.5.5.5 secret juniper

    Results

    From configuration mode, confirm your configuration by entering the show access profile Profile-1 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    user@host# show access profile Profile-1
    authentication-order radius;
    client Client-1 {
        client-group [ alpha beta gamma ];
        firewall-user {
            password "$9$jpimT9A0REyn6yl"; ## SECRET-DATA
        }
    }
    client Client-2 {
        client-group [ alpha beta ];
        firewall-user {
            password "$9$IMVRyK7-w4oG-d"; ## SECRET-DATA
        }
    }
    client Client-3 {
        firewall-user {
            password "$9$GfUkPn/tB1h9C"; ## SECRET-DATA
        }
    }
    client Client-4 {
        firewall-user {
            password "$9$JuZi.FnC0OR/9"; ## SECRET-DATA
        }
    }
    session-options {
        client-group [ alpha beta gamma ];
        client-idle-timeout 255;
        client-session-timeout 4;
    }
    ldap-options {
        base-distinguished-name CN=users,DC=junos,DC=juniper,DC=net;
        search {
            search-filter sAMAccountName=;
            admin-search {
                distinguished-name cn=administrator,cn=users,dc=junos,dc=juniper,dc=net;
                password "$9$PfF/O1hleWB1X7"; ## SECRET-DATA
            }
        }
    }
    ldap-server {
        3.3.3.3;
    }
    radius-server {
        4.4.4.4 {
            secret "$9$Q5WMF3/At0IRc"; ## SECRET-DATA
            retry 10;
        }
        5.5.5.5 {
            secret "$9$YUg4JUDHmPT"; ## SECRET-DATA
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform this task:

    Troubleshooting with Logs

    Purpose

    Use these logs to identify any issues.

    Action

    From operational mode, enter the show log messages command and the show log dcd command.

    Published: 2012-06-29