Learn how to configure Juniper routers and switches to authenticate to a RADIUS server and apply the correct privileges to the authenticated user.
If you completed the previous lab, Lab 3-1 – Configuring Local User Accounts, then you should have a basic understanding of the Junos user classes, which define user privileges on the Junos command line.
This lab will concentrate on configuring a Juniper router to authenticate to a FreeRADIUS server. With that in mind, let's dive right in!
Now that you have a good understanding of Junos local user account configuration, let's take a look at RADIUS!
RADIUS, which stands for “Remote Authentication Dial In User Service”, is primarily used to centralize authentication, authorization and accounting (AAA). From a bird's eye view, RADIUS works by defining each client that will use the service (a router, switch or firewall, called the NAS in RADIUS terms) by IP address together with a shared secret. The server uses the source IP address of a request to find the client entry and the shared secret to validate the request and to hide the user's password in transit; the secret itself is never sent on the wire. This is not the strongest way to ensure that only specific devices can use the RADIUS server (the protections built on the secret are MD5-based and are only as good as the secret's length and how widely it is shared), but it does work if managed properly. From a real-world perspective, you should ensure that the shared secret for each device is unique, long and random, and kept secret. An attacker who obtains a key and can send packets from, or spoof, the matching client IP address can submit Access-Requests directly to the RADIUS server and brute force username and password combinations against it. This rarely happens in practice, but the weakness exists and should be addressed in secure environments, for example with per-client secrets, filtering UDP port 1812 so only known clients can reach the server, and lockout or rate limiting on the server side.
RADIUS authentication operates as follows: the network access device sends an Access-Request containing the credentials of the user attempting to log in to the RADIUS server on UDP port 1812. The RADIUS server first checks whether the source of the request is a configured client; requests from unknown clients are discarded without any reply. Once the client is verified, the RADIUS service authenticates the user against the parameters stored in the RADIUS database (password, time-of-day restrictions, group membership, and so on). If everything checks out, the RADIUS service responds with an Access-Accept, which can carry additional information in the form of A/V pairs; otherwise it responds with an Access-Reject.
A/V pairs, or Attribute/Value pairs, are the way the RADIUS server returns information to the authenticating device, such as the permissions the user should receive. Each attribute has a name (carried on the wire as a number) and a value; as an illustration only, an attribute “User-Perm” with the value “Read-Only”. The attribute Junos actually acts on is the Juniper vendor-specific attribute described later in this lab. When the device receives the Access-Accept, it acts on the attributes it contains, for example by giving that specific user read-only access to the device.
The RADIUS configuration on Junos is actually quite simple; however, getting Junos to authenticate a user and grant them specific privileges requires a little more configuration. But let's start with the basics, shall we?
First off you must define the RADIUS server in Junos, which is done using set system radius-server 172.17.98.14 (the server address follows the radius-server keyword directly). Junos treats the secret as mandatory for a radius-server entry, so the commit will fail until the next step is completed.
Once the RADIUS server is defined you must set the RADIUS secret, which is done using set system radius-server 172.17.98.14 secret radiussecret1. This value must match the secret configured for this client on the RADIUS server.
The last important piece of configuration when defining a RADIUS server in Junos is the source-address from which all authentication requests sent by the device originate. Because the RADIUS server identifies the requesting device by its source IP address and validates the request with the shared secret configured for that address, the IP address and secret must both match a client entry on the server. If no matching client is found, the server simply drops the Access-Request without replying, and Junos sees this as a server timeout. Ensuring that the Juniper device sends RADIUS packets from the same source IP address every time is therefore crucial to keeping RADIUS working when physical links fail.
To set the Junos RADIUS source address, use set system radius-server 172.17.98.14 source-address 10.0.0.1, where 10.0.0.1 is the IP address of the interface that sources all RADIUS traffic originated by the device. It is recommended that you use a loopback interface address as the source-address for RADIUS; that way the traffic is always sourced from the same IP address and can still be routed when a physical interface on the device fails.
Once you have configured the basic RADIUS server parameters, you must configure a default remote user with the username “remote”. Junos uses this account as the template for every RADIUS-authenticated session for which the server does not return a usable template name, so it is best practice to give it only minimal access by default, in this case the read-only class. To configure the default remote user, use the command set system login user remote full-name "RADIUS Authenticated" uid 9999 class read-only
After you have configured the default remote user, you must define the template users that the RADIUS server will name in its A/V pair responses. To do this you create three users with no passwords and assign each the corresponding login class, as given below:
set system login user RO class read-only
set system login user OP class operator
set system login user SU class super-user
As for the RADIUS server configuration, the attribute you use in the response to an authenticated request to place a user in a specific permission class is the Juniper vendor-specific attribute “Juniper-Local-User-Name”. Its value must be the name of a template user defined on the Junos device; for example, “Juniper-Local-User-Name = SU” places the user in the super-user class through the SU template. If the returned value does not match any template user, or no value is returned at all, the session falls back to the “remote” user configured above.
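As an added example that is not part of the original lab (and is neither Junos nor FreeRADIUS code), the following Python script models the exchange described in the RADIUS overview above and the Juniper-Local-User-Name mapping just discussed: the NAS sends an Access-Request with the User-Password hidden using the shared secret (RFC 2865 section 5.2), the server looks the client up by source IP address and silently drops unknown clients, and an Access-Accept carries the Juniper vendor-specific attribute that the NAS maps onto the RO/OP/SU template users, falling back to the remote account. The client table, user database, passwords and addresses are constructed for the demo, and the function names (nas_login, server_handle) are the example's own.

```python
"""Toy RADIUS (RFC 2865) exchange between a NAS (the Junos box) and a server.

Constructed demo data only: the client table, users and secrets below are
made up for this example, not taken from the lab or from FreeRADIUS.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
JUNIPER_VENDOR_ID = 2636      # IANA enterprise number used in dictionary.juniper
JUNIPER_LOCAL_USER_NAME = 1   # vendor attribute number of Juniper-Local-User-Name

# Server-side tables (constructed). Clients are keyed by source IP address;
# a user entry is (password, template name or None).
CLIENTS = {"10.0.0.1": b"radiussecret1"}
USERS = {"jdoe": ("Sup3rSecret", "SU"), "ops": ("0p3rator", "OP"), "bob": ("pw", None)}
# NAS side: the Junos template users and the fallback 'remote' account.
TEMPLATES = {"RO": "read-only", "OP": "operator", "SU": "super-user"}
DEFAULT_TEMPLATE = ("remote", "read-only")


def xor_password(data, secret, authenticator, hiding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block chains on the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out


def hide_password(password, secret, authenticator):
    return xor_password(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)


def reveal_password(hidden, secret, authenticator):
    return xor_password(hidden, secret, authenticator, False).rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def juniper_vsa(vendor_type, value):
    """Vendor-Specific (26) payload: vendor id, then vendor type / length / value."""
    return struct.pack("!IBB", JUNIPER_VENDOR_ID, vendor_type, len(value) + 2) + value


def build_packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def server_handle(src_ip, request):
    """RADIUS server. Returns reply bytes, or None when the request is dropped."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None                       # unknown client: ignored, no reply at all
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST:
        return None
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    entry = USERS.get(user)
    if entry is None or password != entry[0].encode():
        code, body = ACCESS_REJECT, b""   # a wrong shared secret also lands here
    else:
        code, template = ACCESS_ACCEPT, entry[1]
        body = b"" if template is None else encode_attrs(
            [(VENDOR_SPECIFIC, juniper_vsa(JUNIPER_LOCAL_USER_NAME, template.encode()))])
    return build_packet(code, ident, response_authenticator(code, ident, body, req_auth, secret), body)


def nas_login(nas_ip, nas_secret, username, password, ident=7):
    """NAS (Junos) side: send an Access-Request and map the reply to a login class."""
    req_auth = os.urandom(16)             # Request Authenticator: fresh per request
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), nas_secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    reply = server_handle(nas_ip, build_packet(ACCESS_REQUEST, ident, req_auth, body))
    if reply is None:
        return ("timeout", None, None)    # Junos would now fall back to local passwords
    code, r_ident, length = struct.unpack("!BBH", reply[:4])
    r_body = reply[20:length]
    if r_ident != ident or reply[4:20] != response_authenticator(code, ident, r_body, req_auth, nas_secret):
        return ("unverified", None, None) # wrong secret on either side, or a forged reply
    if code != ACCESS_ACCEPT:
        return ("reject", None, None)
    template, login_class = DEFAULT_TEMPLATE
    for t, v in decode_attrs(r_body):
        if t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == JUNIPER_VENDOR_ID:
            vendor_type, name = v[4], v[6:4 + v[5]].decode()
            if vendor_type == JUNIPER_LOCAL_USER_NAME and name in TEMPLATES:
                template, login_class = name, TEMPLATES[name]
    return ("accept", template, login_class)


if __name__ == "__main__":
    for ip, secret, user, pw in [("10.0.0.1", b"radiussecret1", "jdoe", "Sup3rSecret"),
                                 ("10.0.0.1", b"radiussecret1", "bob", "pw"),
                                 ("10.0.0.1", b"wrongsecret", "jdoe", "Sup3rSecret"),
                                 ("192.0.2.9", b"radiussecret1", "jdoe", "Sup3rSecret")]:
        print(ip, user, "->", nas_login(ip, secret, user, pw))
```

Running it shows the four outcomes the lab text describes: a user with a Juniper-Local-User-Name of SU lands in super-user, a user the server accepts without the attribute lands on the remote template (read-only), a request from a source address the server does not know gets no reply at all (a timeout on Junos), and a mismatched shared secret produces a reject whose Response Authenticator the NAS cannot even verify. Real deployments should also send and require the Message-Authenticator attribute (RFC 2869), which this toy exchange omits.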
Defining a RADIUS server on its own does not make Junos use it for logins; you must also add RADIUS to the authentication order with set system authentication-order radius. With only radius listed, local user accounts are consulted ONLY if no RADIUS server responds; a reject from the RADIUS server is final. To try local accounts first, use set system authentication-order [ password radius ]; to try RADIUS first but still allow local accounts after a RADIUS reject, use set system authentication-order [ radius password ].
This lab also includes a “FreeRADIUS Configuration” tab which walks you through the basic configuration of a FreeRADIUS server on CentOS.
Please review the following lab topology. This topology is used only for this lab and includes a RADIUS server connected to SW1 port ge-0/0/12.
Prior to attempting this lab you'll need to zeroize R1. This lab can be performed on the following devices: J Series routers, EX Series switches or SRX platforms. The device can also be a vSRX (Firefly).
You must also have a FreeRADIUS server configured to perform lab verification. Instructions on configuring a basic FreeRADIUS server on CentOS 6.x are provided in the “FreeRADIUS Configuration” tab.
Prior to starting the lab, establish a console session to R1 and log into the device using the root account.
To complete this lab you will perform the following objectives;
It is recommended that you attempt to complete these lab objectives the first time without looking at the Lab Instruction section.
If you are a student preparing for the Juniper JNCIA certification exam, then you are more likely to remember how to complete these objectives if you attempt them the first time on your own, using only the core knowledge section found in this lab. You should only resort to the Lab Instruction section to verify your work.
The following Lab Instruction is demonstrated using the Juniper vSRX.
In order to verify the lab objectives, you must have a working RADIUS server. Instructions on how to configure a basic FreeRADIUS server on CentOS 6 are provided in the “FreeRADIUS Configuration” tab. You can still make the configuration changes on the Juniper device if you do not have a RADIUS server; however, verification will fail.