JunOS & FreeRADIUS binding\configuration.

Discussing the site and forum.

Moderator: f0s

vintovkin
ВДВ
Posts: 1291
Registered: 2007-05-11 9:39:11
From: CSKA

JunOS & FreeRADIUS binding\configuration.

Unread post by vintovkin » 2024-02-02 16:22:27

I did not find a good quick guide on the subject, so I put some notes and instructions here on how it works; maybe it will be helpful for others.
We won't explain basic RADIUS and Juniper configuration; we assume they are already configured, up and running, pingable, and ready for use,
i.e. you can google FreeRADIUS installation for your OS.

RADIUS has 2 users, "a" and "b", which belong to different classes; the users and classes were chosen to show the differences themselves:

Code:

root@ubuntu:~# vi /etc/freeradius/3.0/users
...omitted...
"a" Cleartext-Password := "a"
        Service-Type = Login-User,
        Juniper-Local-User-Name := "class_A"
"b" Cleartext-Password := "b"
        Service-Type = Login-User,
        Juniper-Local-User-Name := "class_B"
"/etc/freeradius/3.0/users" 248L, 7842B written
JUNOS config:

Code:

a@vMX2> show configuration system login | display set
set system login class admin permissions all
set system login user class_A uid 2003
set system login user class_A class admin
set system login user class_B uid 2004
set system login user class_B class admin

a@vMX2> show configuration system radius-server | display set
set system radius-server 192.168.0.165 secret "hello_secret"
set system radius-server 192.168.0.165 timeout 3
set system radius-server 192.168.0.165 retry 3
set system radius-server 192.168.0.165 source-address 192.168.255.2

a@vMX2>
As you can see, the string from the RADIUS server, "Juniper-Local-User-Name := "class_A"",
matches the local user "set system login user class_A", which is bound to the "admin" class with the configured permissions.

VERIFICATION:

Code:

a@vMX2> show cli authorization | match "Current user"
Current user: 'class_A' login: 'a' class 'admin'

a@vMX2>
a@vMX2> show system users
 2:21PM  up 6:23, 2 users, load averages: 0.47, 0.61, 0.64
USER     TTY      FROM                              LOGIN@  IDLE WHAT
ed       u0       -                                2:11PM      9 -cl
a        pts/0    10.101.0.0                       2:13PM      - -cl

a@vMX2>

enjoy! :drinks:
JunOS kernel based on FreeBSD UNIX.


vintovkin
ВДВ
Posts: 1291
Registered: 2007-05-11 9:39:11
From: CSKA

JunOS & FreeRADIUS binding\configuration.

Unread post by vintovkin » 2024-02-15 12:20:31

Just for demonstration purposes, let's deny NOC users from making any changes on the boxes and leave them read-only rights.
We know we have user "b" with the same password "b" on RADIUS, which is matched by "class_B" (the RADIUS configuration is not changed).

So on Juniper it will be user "class_B", to which we bind a local class with read-only rights. Let's do it:

==

Code:

ed@vQFX2# commit check
configuration check succeeds

{master:1}[edit]
ed@vQFX2# show | compare
[edit system login]
+    class NOC_CLASS {
+        idle-timeout 10;
+        permissions all;
+        deny-commands "clear|request|configure|start shell|edit";
+    }
[edit system login]
+    user class_B {
+        uid 2004;
+        class NOC_CLASS;
+    }

{master:1}[edit]
ed@vQFX2# commit
configuration check succeeds
commit complete

{master:1}[edit]
ed@vQFX2#

{master:1}[edit]
ed@vQFX2# show system | display set
set system login class ADMIN_CLASS idle-timeout 10
set system login class ADMIN_CLASS login-alarms
set system login class ADMIN_CLASS login-tip
set system login class ADMIN_CLASS permissions all
set system login class NOC_CLASS idle-timeout 10
set system login class NOC_CLASS permissions all
set system login class NOC_CLASS deny-commands "clear|request|configure|start shell|edit"
set system login user class_A uid 2001
set system login user class_A class ADMIN_CLASS
set system login user class_B uid 2004
set system login user class_B class NOC_CLASS
...
set system authentication-order radius
set system authentication-order password
set system radius-server 192.168.0.165 secret "IREreM8XdwY"
set system radius-server 192.168.0.165 timeout 3
set system radius-server 192.168.0.165 retry 3
set system radius-server 192.168.0.165 source-address 10.10.10.5
...
{master:1}[edit]
ed@vQFX2#
==

Verification; pay attention that user "b" (class 'NOC_CLASS') cannot run the denied commands, while "a" (class 'ADMIN_CLASS') can:

==

Code:

[edit]
ed@vSRX1# run ssh b@10.10.10.5 source 10.10.10.10

Password:
--- JUNOS 18.4R2.7 built 2019-06-27 08:41:44 UTC
{master:1}
b@vQFX2>

{master:1}
b@vQFX2> show cli authorization | match class
Current user: 'class_B' login: 'b' class 'NOC_CLASS'

{master:1}
b@vQFX2> edit
         ^
unknown command.

{master:1}
b@vQFX2> configure
         ^
unknown command.

{master:1}
b@vQFX2> start shell
               ^
syntax error, expecting <command>.

{master:1}
b@vQFX2> request
         ^
unknown command.
b@vQFX2> request?
No valid completions
{master:1}
b@vQFX2>

{master:1}
b@vQFX2> show configuration interfaces lo0
unit 0 {
    family inet {
        address 10.10.10.5/32;
    }
    family iso {
        address 49.0001.0000.0000.0005.00;
    }
}

{master:1}
b@vQFX2> quit

Connection to 10.10.10.5 closed.

[edit]
ed@vSRX1#

[edit]
ed@vSRX1# run ssh a@10.10.10.5 source 10.10.10.10

Password:
--- JUNOS 18.4R2.7 built 2019-06-27 08:41:44 UTC
JUNOS tip:
Use ESC-/ in the CLI to expand strings into matching words from the
command line history.

No alarms currently active

{master:1}
a@vQFX2> show cli authorization | match class
Current user: 'class_A' login: 'a' class 'ADMIN_CLASS'

{master:1}
a@vQFX2> edit
Entering configuration mode

{master:1}[edit]
a@vQFX2# quit
Exiting configuration mode

{master:1}
a@vQFX2>
Alex Keda, a special thank you to you for your site :)
Lissyara, thank you very much! :)
JunOS kernel based on FreeBSD UNIX.
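As an added example (not the author's code), the binding described in both posts can be audited programmatically: parse the FreeRADIUS users file and the Junos display-set output, resolve each RADIUS login to the class its Juniper-Local-User-Name template user lands in, and test a command against that class's deny-commands pattern. The sample inputs are constructed from the configs in this thread, and the unanchored-regex check is a simplification of how Junos matches deny-commands.

```python
import re
# Constructed sample of the FreeRADIUS users file shown in the thread (not the author's file).
USERS_FILE = '''
"a" Cleartext-Password := "a"
        Service-Type = Login-User,
        Juniper-Local-User-Name := "class_A"
"b" Cleartext-Password := "b"
        Service-Type = Login-User,
        Juniper-Local-User-Name := "class_B"
'''
# Constructed sample of the Junos "display set" output from the thread.
JUNOS_SET = '''
set system login class ADMIN_CLASS permissions all
set system login class NOC_CLASS permissions all
set system login class NOC_CLASS deny-commands "clear|request|configure|start shell|edit"
set system login user class_A class ADMIN_CLASS
set system login user class_B class NOC_CLASS
'''

def parse_users(text):
    """Map each RADIUS login to its Juniper-Local-User-Name (the template user on the box)."""
    mapping, current = {}, None
    for line in text.splitlines():
        m = re.match(r'^"?([\w.-]+)"?\s+Cleartext-Password', line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r'Juniper-Local-User-Name\s*:?=\s*"([^"]+)"', line)
        if m and current:
            mapping[current] = m.group(1)
    return mapping
def parse_junos(text):
    """Return (local user -> class, class -> deny-commands regex) from display-set lines."""
    user_class, deny = {}, {}
    for line in text.splitlines():
        m = re.match(r'set system login user (\S+) class (\S+)$', line)
        if m:
            user_class[m.group(1)] = m.group(2)
        m = re.match(r'set system login class (\S+) deny-commands "(.*)"$', line)
        if m:
            deny[m.group(1)] = m.group(2)
    return user_class, deny
def effective_class(login, users, user_class):
    """Class a RADIUS login lands in; None means no local template user exists, so login fails."""
    return user_class.get(users.get(login))
def is_denied(command, cls, deny):
    """Simplified Junos deny-commands check: pattern treated as an unanchored extended regex."""
    return bool(deny.get(cls) and re.search(deny[cls], command))
```

A login whose Juniper-Local-User-Name has no matching `set system login user` entry resolves to None, which is the misconfiguration to look for after changing either side.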