start > Juniper > EX2200 > Remote Admin Authentication Via Radius

Remote Admin Authentication Via Radius

Created by dave. Last edited by dave, 7 years and 219 days ago. Viewed 8,155 times. #4

On The Switch

This grants all members of an appropriate group super-user level access. Junos maps a RADIUS-authenticated user who has no local account of their own onto the "remote" template account, so the class given to that account is the privilege level every such user gets:

set system authentication-order password
set system authentication-order radius
set system radius-server $RADIUS-SERVER-IP secret "$SECRET"
set system login user remote full-name "All Remote Users"
set system login user remote uid 2000
set system login user remote class super-user

Configuring a Radius server is left as an exercise for the reader.

Windows 2K8 Radius:

This is a horribly brief set of instructions that may not work anywhere other than where I set it up. I'm not a Windows admin.

Give the switch a DNS name and IP (documented elsewhere).

Server Manager -> Roles -> Network Policy and Access -> NPS (local) -> Radius Clients -> Radius Clients

Right-click on the last "Radius Clients" you clicked on and select New.

New Radius Client window:

  • Click "Enable"
  • enter the Friendly name (usually I just use the FQDN)
  • enter the IP or DNS name (usually I just use the FQDN)
  • Vendor Name: RADIUS Standard
  • set a Manual secret and remember it
  • OK

There are two types of Policies to be concerned about. My belief is that "Connection Policies" govern whether or not a Radius client (i.e. switch) can connect to your NPS server, and "Network Policies" are the criteria for granting the access that the user on the client is requesting. The way I'm doing things, I require:
  • one Connection Policy for each Radius client (i.e. one for each switch); and
  • one Network Policy which covers all users who are granted the access permissions.

Policies -> Connection Policies

Right click, select New

  • Policy Name: I usually just put the FQDN
  • Type of network access server: Unspecified
  • Next
  • Add
  • Scroll down to RADIUS Client, and click Client Friendly Name
  • Enter the FQDN (or whatever you entered as the Friendly Name above), OK
  • Next
  • Next
  • Next
  • Next
  • Finish

If this is the first time you've run through this, you still have to set a group membership test to actually grant access. Note you only need one policy like this unless you are getting more complicated than our scenario (i.e. certain users on certain clients on certain days of the week, or whatever). Once you've done the steps below, the connection policy for your switch grants it access to the NPS server, which then tests the presented credentials against the already-existing Network Policy.

Policies -> Network Policies -> Right click and select New

  • Give it a name indicating the test
  • Type of network access server: Unspecified
  • Next
  • In the Groups section, select Windows Groups
  • Select the required group(s)
  • Next
  • Select Access Granted or Denied or Dial-In properties
  • Next
  • Next
  • Clear the Less Secure Authentication Methods, then select Unencrypted Authentication (PAP, SPAP)
  • Next
  • click NO on View The Corresponding Help Topic
  • Next
  • Finish
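
The switch login above uses PAP, so the only protection the password gets on the wire is the RFC 2865 User-Password hiding keyed by the shared secret, and the only proof that an Access-Accept really came from NPS is the Response Authenticator, also keyed by that secret. The following Python is an added example, not code from this page or from Juniper or Microsoft: it builds the Access-Request the switch would send, answers it the way a RADIUS server does, and checks the reply. Every value in it (the secret, user, password, NAS address, packet identifier) is constructed for the demonstration, and it runs entirely offline with no network or server.

```python
"""RFC 2865 PAP exchange, both sides, built offline with constructed values.
Added example; not part of the original wiki page."""
import hashlib
import os
import struct

# RADIUS packet codes and the attribute types this example uses (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length includes its 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(body: bytes) -> dict:
    """Walk a TLV attribute list into {type: value}; a Length < 2 would loop forever."""
    attrs, i = {}, 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password; the server side runs this with its copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """What the NAS (the switch) sends: header, random Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def server_respond(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """What the RADIUS server does: recover the PAP password, check it, sign the answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decode_pap_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    resp_code = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", resp_code, ident, 20)  # no attributes in the reply
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: the reply must carry our identifier and a valid Response Authenticator."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def exchange(secret_on_switch: bytes, secret_on_server: bytes, username: str, password: str):
    """Run one round trip and report (accepted, reply_authentic)."""
    user_db = {"dave": b"correct horse battery"}  # constructed user database
    req = build_access_request(7, secret_on_switch, username, password, "192.0.2.10")
    resp = server_respond(req, secret_on_server, user_db)
    return resp[0] == ACCESS_ACCEPT, verify_response(resp, req, secret_on_switch)


if __name__ == "__main__":
    s = b"constructed-shared-secret"
    print("matching secrets:", exchange(s, s, "dave", "correct horse battery"))
    print("secret mismatch: ", exchange(s, b"typo-on-one-side", "dave", "correct horse battery"))
```

The second call in the usage mirrors the most common failure when setting this up: the Manual secret typed into the NPS client entry differs from the one in `set system radius-server ... secret`. The password then decodes to garbage on the server, NPS rejects the login, and the reply fails Response Authenticator verification on the switch side, which is why a mismatched secret shows up as a plain authentication failure rather than an obvious configuration error.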