Configuring RADIUS Local and Remote Template Accounts in Junos Scope

The Junos Scope software uses local password authentication. You set up a username, password, and permissions for each user allowed to log in to Junos Scope.

However, when you use RADIUS authentication, you must set up single accounts (for authorization purposes) that are shared by a set of users. You create these accounts using the remote and local user template accounts.

A template account is a mapping between Junos Scope and the RADIUS server that allows RADIUS users to get the appropriate permissions. When a user with a RADIUS account logs in to Junos Scope, the software forwards the username and password to the RADIUS server for authentication. If authentication succeeds, the RADIUS server sends the Juniper-Local-User-Name attribute (if present for the user) to Junos Scope. Based on the received Juniper-Local-User-Name attribute and the configured template user accounts, Junos Scope determines the permissions for the user. The RADIUS account user gets the same permissions as the template user.

You set up template accounts the same way you create users in Junos Scope. To add a user in Junos Scope, see Adding a User. See also RADIUS User Login Scenarios.

Local Template Accounts

When you configure a local template and a user logs in, the Junos Scope software sends a request to the authentication server to authenticate the user's login name. When a user is authenticated, the RADIUS server returns the local username to Junos Scope. If a local username (for example, the Juniper-Local-User-Name attribute) is specified for that login name, the appropriate local template is selected. If no local template is returned by the RADIUS server or no corresponding local template exists in Junos Scope, Junos Scope will, by default, use the remote template (see Remote Template Accounts).

Table 8 shows the user account information that must exist on the RADIUS server and in the local template account or user set up in Junos Scope.

Table 8: Local Template Account

| RADIUS Server User Account | Junos Scope Local Template Account |
|---|---|
| Username: “edward” | Username: fritz |
| Password: “edward” | Password: fritz |
| Juniper-Local-User-Name = “fritz” | Permissions: superuser |

If a local user logs in to Junos Scope using username fritz and password fritz, the user will log in successfully with superuser permissions. However, if a RADIUS user “edward” logs in to Junos Scope successfully using username edward, that user gets the same permissions as fritz. In this case, user “edward”, on successful login, gets superuser permissions. If you change the permission for fritz to read-write, user “edward”, on successful login, will also get read-write permissions.

Remote Template Accounts

There can be only one remote template account in Junos Scope. You configure a remote template in Junos Scope by creating a user with username remote and any secure password. (See Adding a User.)

In Junos Scope, the remote template (the user with username remote) is used for a user with a RADIUS account when either no Juniper-Local-User-Name attribute is specified for that user or the specified local user does not exist in Junos Scope (see Table 9).

For example:

Username “edward” will get the same permissions as the remote template (that is, the same permissions as user remote) if the remote template is configured in Junos Scope.

If neither the local nor the remote template is configured in Junos Scope (for example, for RADIUS user “edward”, if neither user fritz nor user remote exists in Junos Scope), the RADIUS user will not be able to log in.

For a user with an account in RADIUS to be able to successfully log in to Junos Scope, Junos Scope must have at least the remote user template configured.
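
The template selection described in the Local Template Accounts and Remote Template Accounts sections can be modeled as a small audit that shows which permissions each RADIUS user would inherit. This is an added example, not Junos Scope code. The function names, the users “gina” and “hal”, the template name “ops”, and the read-write permission on the remote template are assumptions made for illustration.

```python
# Added example: a model of the template selection described on this page.
# It is not Junos Scope code; all sample data below is constructed.
from typing import Optional

ATTR = "Juniper-Local-User-Name"

def resolve_template(radius_attrs: dict, scope_users: dict) -> Optional[str]:
    """Return the Junos Scope account whose permissions a RADIUS user
    inherits after successful authentication, or None if login fails."""
    local = radius_attrs.get(ATTR)
    if local and local in scope_users:
        return local              # a matching local template exists
    if "remote" in scope_users:
        return "remote"           # default: fall back to the remote template
    return None                   # neither template configured: no login

def audit(radius_accounts: dict, scope_users: dict) -> list:
    """Return (radius_user, template, permissions, note) rows for review."""
    rows = []
    for user, attrs in sorted(radius_accounts.items()):
        tmpl = resolve_template(attrs, scope_users)
        if tmpl is None:
            rows.append((user, None, None, "cannot log in"))
            continue
        perms = scope_users[tmpl]
        note = ""
        if attrs.get(ATTR) and tmpl == "remote":
            note = "named local template missing, fell back to remote"
        elif perms == "superuser":
            note = "inherits superuser"
        rows.append((user, tmpl, perms, note))
    return rows

# Constructed sample data: Junos Scope users mapped to their permissions,
# and RADIUS accounts mapped to the attributes returned on success.
SCOPE_USERS = {"fritz": "superuser", "remote": "read-write"}
RADIUS_ACCOUNTS = {
    "edward": {ATTR: "fritz"},    # the Table 8 case
    "gina": {},                   # hypothetical: no attribute set
    "hal": {ATTR: "ops"},         # hypothetical: template "ops" not defined
}

if __name__ == "__main__":
    for row in audit(RADIUS_ACCOUNTS, SCOPE_USERS):
        print(row)
```

Rows noted as falling back to remote usually point to a misspelled or deleted template name, and the permissions of the remote template bound what any such user receives.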