RADIUS Provider

Apstra can authenticate users against a Remote Authentication Dial-In User Service (RADIUS) server. See below for limitations.

RADIUS Limitations

  • No support for changing the RADIUS user's password on a remote RADIUS server.
  • RADIUS authentication does not control Linux user login via SSH.
  • No support for group role-mapping changes.
  • Nested groups are not allowed. You must explicitly assign each group to a role.
  • When a user logs in, only the username and password are required to authenticate against the remote RADIUS server. Login credentials are not cached, so every login requires a connection between Apstra and the remote RADIUS server.

Create RADIUS Provider

  1. From the left navigation menu, navigate to External Systems > Providers and click Create Provider.
  2. Enter a Name (64 characters or fewer), select RADIUS, and if you want RADIUS to be the active provider, toggle on Active?.
  3. For Connection Settings, enter/select the following:
    • Port - The TCP port used by the server, default is 1812 as specified in RFC 2865.
    • Hostname FQDN IP(s) - The fully qualified domain name (FQDN) or IP address of the RADIUS server. For high availability (HA) environments, specify multiple RADIUS servers using the same settings. If the first server cannot be reached, connections to succeeding ones are attempted in order.
  4. For Provider-specific Parameters enter/select the following, as appropriate:
    • Shared Key (64 characters or fewer) - shared key configured on the server

      The shared key is not displayed when you edit a configured RADIUS provider. If you do not change it, the previously configured shared key is retained. If you test the provider without re-entering the shared key, a null shared key is used for the test, and the test may not work.

      An example of a pre-shared key configuration that tests successfully with Apstra software is from Ubuntu FreeRADIUS (an open source RADIUS server). The Shared Key as given in the RADIUS server configuration must be provided in Apstra.

    • Advanced Config

      • Group Name Attribute Name - To specify a role that a user belongs to, the RADIUS server must specify the user's group. The group information must be returned in the Framed-Filter-ID attribute, which is used to assign users to different RADIUS groups.

        For example, the FreeRADIUS config below specifies the Framed-Filter-ID attribute to be freerad. In this case, when mapping later, you would enter freerad for the Provider Group.

      So that the user can be mapped to an existing group in the Apstra environment, the RADIUS server must return the Apstra group name as part of the authentication response.


      If the group is unmapped, users cannot log in.

    • Timeout (seconds) - Increasing timeout above the default 30 seconds (as of Apstra version 4.2.1) may impact API responsiveness for all users. If you need a longer timeout for MFA support, you may increase the timeout up to 60 seconds. If you require a timeout above 60 seconds, contact Juniper Technical Support.

After configuring and activating a provider, you must map that provider to one or more user roles to give permissions to users with those roles.
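
The two server-side requirements above (a matching shared key, and a Framed-Filter-ID group in the authentication response) can be checked offline against a reply captured while testing. The following is an added example, not Apstra or FreeRADIUS code; it uses the RFC 2865 packet layout, and the function names, the sample key and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2        # RFC 2865 packet code
FRAMED_FILTER_ID = 11    # RFC 2865 attribute type

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a reply as a RADIUS server would; used only for the sample."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def provider_groups(packet, request_auth, secret):
    """Verify a reply with the shared key, then return its Framed-Filter-Id values."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    body = packet[20:length]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared key or altered packet")
    if code != ACCESS_ACCEPT:
        return []
    groups, i = [], 0
    while i < len(body):
        if len(body) - i < 2 or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        atype, alen = body[i], body[i + 1]
        if atype == FRAMED_FILTER_ID:
            groups.append(body[i + 2:i + alen].decode("utf-8", "replace"))
        i += alen
    return groups

# Constructed sample data, not taken from a real server.
SECRET = b"constructed-shared-key"
REQUEST_AUTH = bytes(range(16))
WITH_GROUP = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH,
                         [(18, b"welcome"), (FRAMED_FILTER_ID, b"freerad")], SECRET)
NO_GROUP = build_reply(ACCESS_ACCEPT, 8, REQUEST_AUTH, [(18, b"welcome")], SECRET)

if __name__ == "__main__":
    print(provider_groups(WITH_GROUP, REQUEST_AUTH, SECRET))
    print(provider_groups(NO_GROUP, REQUEST_AUTH, SECRET))
```

An empty list from an otherwise valid Access-Accept means the server sent no group, which corresponds to the unmapped case in which users cannot log in.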