Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

RADIUS Provider

Remote Authentication Dial-In User Service (RADIUS). See below for limitations.

RADIUS Limitations

  • All password changes should be done on the RADIUS server. You cannot change the user’s password from Apstra once you enable the External Provider.
  • RADIUS authentication does not control Linux user login via SSH.
  • If the user group is changed on the RADIUS server, you will need to change role-mapping in Apstra accordingly.
  • Nested groups are not allowed. You must explicitly assign each group to a role.
  • When a user logs in, only username and password are required for authenticating against the remote RADIUS server. Log in credentials are not cached. Therefore, when a user logs in, a connection between Apstra and the remote RADIUS server is required.

Create RADIUS Provider

  1. From the left navigation menu, navigate to External Systems > Providers and click Create Provider.
  2. Enter a Name (64 characters or fewer), select RADIUS, and if you want RADIUS to be the active provider, toggle on Active?.
  3. For Connection Settings, enter/select the following:
    • Port - The TCP port used by the server, default is 1812 as specified in RFC 2865.
    • Hostname FQDN IP(s) - The fully qualified domain name (FQDN) or IP address of the RADIUS server. For high availability (HA) environments, specify multiple RADIUS servers using the same settings. If the first server cannot be reached, connections to succeeding ones are attempted in order.
  4. For Provider-specific Parameters enter/select the following, as appropriate:
    • Shared Key (64 characters or fewer) - shared key configured on the server

      CAUTION:

      Shared key is not displayed when editing a configured RADIUS provider. If you do not change it, the previously configured shared key is retained. If you test the provider and you have not re-entered the shared key, a null shared key is used for the test and may not work.

      An example of a pre-shared key configuration that tests successfully with Apstra software is from Ubuntu FreeRADIUS (an open source RADIUS server). The Shared Key as given in the RADIUS server configuration must be provided in Apstra.

    • Advanced Config

      • Group Name Attribute Name - To specify a role that a user belongs to, the RADIUS server must specify the users’ group. The user group information must be specified with Framed-Filter-ID as the attribute. It is used to assign users to different RADIUS groups.

        For example, the FreeRADIUS config below specifies the Framed-Filter-ID attribute to be freerad. In this case, when mapping later, you would enter freerad for the Provider Group.

      So that the user can be mapped to an existing group in the Apstra environment, the RADIUS server must return the Apstra group name as part of the authentication response.

      CAUTION:

      If the group is unmapped, users cannot log in.

    • Timeout (seconds) - Increasing timeout above the default 30 seconds may impact API responsiveness for all users. If you need a longer timeout for MFA support, you may increase the timeout up to 60 seconds. If you require a timeout above 60 seconds, contact Juniper Technical Support.

After configuring and activating a provider, you must map that provider to one or more user roles to give permissions to users with those roles.