Configuring the RADIUS Server

The sections that follow describe how to modify specific RADIUS server configuration files with Juniper Networks vendor-specific attributes and user account information. All RADIUS servers should comply with RFC 2865.

For other RADIUS servers, modify the configuration files required for that server according to RFC 2138.

Configuring an AAA Merit RADIUS server

This section describes how to configure the clients, dictionary, users, and vendors configuration files on an authentication, authorization, and accounting (AAA) Merit RADIUS server. To do so, follow these steps:

  1. Modify the RADIUS server ‘client’ configuration file as follows:
    Junos Scope.server.name   secret        type=Juniper:nas

    Replace Junos Scope.server.name with the name of the Junos Scope software server to which you want users to log in. Replace secret with the shared secret between the RADIUS server and the client. The Network Access Server (NAS) type is Juniper.

  2. Modify the RADIUS server ‘dictionary’ configuration file as follows:
    # Juniper Extensions
    Juniper.attr    Juniper-Local-User-Name         1       string (1, 0)

    Juniper-Local-User-Name is a RADIUS vendor-specific attribute defined by Juniper Networks.

  3. Modify the RADIUS server 'users' configuration file used to maintain the permitted users list. For example, to add user 'edward' with password 'edward' and local user template 'fritz', change the 'users' configuration file as follows:
    edward Password = "edward"
            Juniper:Juniper-Local-User-Name = "fritz"

    The Juniper:Juniper-Local-User-Name is optional.

  4. Modify the RADIUS server ‘vendors’ configuration file as follows:
    Juniper.attr Juniper.value 2636 Juniper

    The Juniper Networks RADIUS Vendor ID attribute is 2636.

Configuring an SBR Server

This section describes how to configure a Steel-Belted RADIUS (SBR) server version 4.7 and other versions of the server.

Configuring an SBR Server Version 4.7

To modify an SBR server version 4.7, follow these steps:

  1. Start the Steel-Belted RADIUS Enterprise Edition Administrator program. The Steel-Belted Radius Administrator window appears.
  2. Click the Servers option button.
  3. Click either the Local option button (if the server is running locally) or the Remote option button, and specify the IP address of the remote server.
  4. Click the Connect option button. A message is displayed in the Status field indicating that the server started and displaying information about the server.
  5. Click the RAS Clients option button.
  6. Click Add.
  7. In the Client Name text box, type a unique client name for the Junos Scope server. You can also use the Junos Scope server DNS name as the client name.
  8. Click OK.
  9. Type the IP address of the Junos Scope server in the IP Address text field.
  10. Select the Juniper M/T Series Make/Model value.
  11. Click Edit Authentication Shared Secret, and type the shared RADIUS server secret.
  12. Click Set.
  13. To add new user accounts, modify the RADIUS server 'users' configuration. For example, to add a user 'edward' with password 'edward' and local user template 'fritz', follow these steps:
    1. Click the Users option button in the SBR Administration window.
    2. Click the Add option button, and type the RADIUS username edward.
    3. Click OK.
    4. Click the Set Password option button, and type the password edward.
    5. Make sure that the Allow PAP or CHAP option button is selected.
    6. Click OK.
    7. Click the Return List Attributes tab from the table.
    8. Click the Ins option button at the bottom of the table. The Add New Attribute window appears.
    9. Select the Juniper-Local-User-Name from the Attribute list, and type the corresponding local user template name fritz in the text field. The attribute is added to the Return List Attribute table.
  14. Click Save to save the configuration.

Configuring Other SBR Server Versions

Note: If the RADIUS server you are configuring is other than SBR server version 4.7, perform the steps in this section before configuring the server as described in Configuring an SBR Server Version 4.7.

To configure an SBR server version other than 4.7 that does not already support Juniper vendor-specific attributes, so that it can return those attributes in an Access-Accept packet, follow these steps:

  1. Copy the custom dictionary text into the “radius/service/Juniper.dct” file:
    ################################################################################
    #
    # This dictionary contains Juniper Vendor Specific Attributes
    #
    # (See README.DCT for more details on the format of this file)
    ################################################################################ 
    # Use the Radius specification attributes
    #
    @radius.dct
    #
    # Juniper specific parameters
    #
    MACRO Juniper-VSA(t,s) 26 [vid=2636 type1=%t% len1=+2 data=%s%]
    ATTRIBUTE Juniper-Local-User-Name Juniper-VSA(1, string) r
    ATTRIBUTE Juniper-Allow-Commands Juniper-VSA(2, string) r
    ATTRIBUTE Juniper-Deny-Commands Juniper-VSA(3, string) r
    ATTRIBUTE Juniper-Allow-Configuration Juniper-VSA(4, string) r
    ATTRIBUTE Juniper-Deny-Configuration Juniper-VSA(5, string) r
    ################################################################################ 
    # Juniper.dct - Juniper Networks dictionary
    ################################################################################
    
  2. Copy the following text into the “radius/service/vendor.ini” file:
    vendor-product = Juniper M/T Series
    dictionary = Juniper
    ignore-ports = no
    port-number-usage = per-port-type
    help-id = 2000
    
  3. Add the following line to the “radius/service/dictiona.dcm” file:
    @juniper.dct
    
  4. Restart the RADIUS server to add the changes. A new Juniper RAS client model appears in the Steel-Belted Radius Administrator window. The Juniper vendor-specific attributes are available in the Return List Attributes list under a particular user.

Configuring a FreeRADIUS Server

To configure a FreeRADIUS server, follow these steps:

  1. Modify the RADIUS server ‘clients.conf’ configuration file as follows:
    client Junos Scope.server.IPAddress  {
     secret = Junos Scope
     shortname = Junos Scope.server.name
    }

    Replace Junos Scope.server.IPAddress with the IP address of the Junos Scope software server to which you want users to log in. Replace Junos Scope with the shared secret between the RADIUS server and the client. Replace Junos Scope.server.name with the DNS name of the Junos Scope software server to which you want users to log in.

  2. Modify the RADIUS server 'dictionary.juniper' configuration file as follows:
    # Juniper Extensions
    ATTRIBUTE    Juniper-Local-User-Name         1       string  Juniper

    Juniper-Local-User-Name is a RADIUS vendor-specific attribute defined by Juniper Networks.

  3. Modify the RADIUS server 'users' configuration file for maintaining the permitted users list. For example, to add user 'Edward' with password 'Edward' and local user template 'fritz', change the 'users' configuration file as follows:
    Edward Auth-Type := Local, User-Password = "Edward"
            Juniper-Local-User-Name = "fritz"

    The Juniper-Local-User-Name is optional.

  4. Modify the RADIUS server 'dictionary.juniper' configuration file as follows:
    VENDOR Juniper 2636 

    The Juniper Networks RADIUS Vendor ID attribute is 2636.
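The dictionary lines in the SBR section (MACRO Juniper-VSA(t,s) 26 [vid=2636 type1=%t% len1=+2 data=%s%]) and in the FreeRADIUS section (VENDOR Juniper 2636 with ATTRIBUTE Juniper-Local-User-Name 1 string) describe the same wire layout: a Vendor-Specific attribute (type 26) carrying vendor ID 2636, a one-byte vendor type, a one-byte vendor length equal to the data length plus 2, and the string value. The following Python is an added example, not code from the Juniper documentation or from either RADIUS server: it encodes and decodes that layout so you can check what the Access-Accept for the 'edward' entry actually returns; the sample attribute bytes are constructed.

```python
import struct

JUNIPER_VENDOR_ID = 2636  # Juniper Networks vendor ID from the dictionaries above
VENDOR_SPECIFIC = 26      # RADIUS Vendor-Specific attribute type (RFC 2865)
# Vendor-type numbers from the Juniper.dct dictionary shown on this page.
JUNIPER_VSA_NAMES = {1: "Juniper-Local-User-Name", 2: "Juniper-Allow-Commands",
                     3: "Juniper-Deny-Commands", 4: "Juniper-Allow-Configuration",
                     5: "Juniper-Deny-Configuration"}

def encode_juniper_vsa(vendor_type: int, value: str) -> bytes:
    """Encode one attribute as MACRO Juniper-VSA(t,s) describes: type 26, length,
    4-byte vid 2636, 1-byte vendor type t, 1-byte vendor length (data + 2), data."""
    if vendor_type not in JUNIPER_VSA_NAMES:
        raise ValueError(f"unknown Juniper vendor type {vendor_type}")
    data = value.encode("utf-8")
    if len(data) + 8 > 255:  # the attribute length field is a single byte
        raise ValueError("VSA value too long for one attribute")
    vendor_part = struct.pack("!IBB", JUNIPER_VENDOR_ID, vendor_type, len(data) + 2) + data
    return struct.pack("!BB", VENDOR_SPECIFIC, len(vendor_part) + 2) + vendor_part

def decode_juniper_vsas(attrs: bytes) -> dict:
    """Return the Juniper VSAs in a RADIUS attribute list, keyed by dictionary name.
    Other attribute types and other vendors are skipped; a length field that does
    not fit the buffer raises rather than being silently trusted."""
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError(f"malformed attribute length at offset {pos}")
        body = attrs[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != JUNIPER_VENDOR_ID:
            continue  # some other vendor's VSA
        sub = body[4:]
        while len(sub) >= 2:  # one VSA may carry several vendor sub-attributes
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed vendor-length field")
            name = JUNIPER_VSA_NAMES.get(vtype, f"Juniper-Unknown-{vtype}")
            found[name] = sub[2:vlen].decode("utf-8", "replace")
            sub = sub[vlen:]
    return found

# Constructed sample: the attributes an Access-Accept for user 'edward' would carry
# once the users entry above applied template 'fritz', preceded by a Reply-Message
# (type 18) that the decoder has to pass over.
SAMPLE_ACCESS_ACCEPT_ATTRS = bytes([18, 9]) + b"welcome" + encode_juniper_vsa(1, "fritz")
```

Running decode_juniper_vsas over the attribute bytes of a captured Access-Accept shows whether Juniper-Local-User-Name really came back as "fritz", which is the quickest check that the dictionary and users entries are being applied.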