Configuring a RADIUS Server for Authentication and Authorization
Junos Space Network Management Platform supports authorization of users from a RADIUS server. Using the Authentication Servers page (Administration > Authentication Servers), you can configure a RADIUS server to authenticate and authorize users to log in exclusively from a centralized location using one or more RADIUS remote authentication servers. You can also authenticate and authorize users to log in to Junos Space Platform using both local and remote authentication and authorization.
Before you authenticate and authorize users to log in to Junos Space Platform by using the RADIUS server, you must make sure that:
You create and configure the RADIUS remote authentication server in Junos Space Platform (see Creating a Remote Authentication Server).
You create the remote profiles required for authorizing the users in Junos Space Platform (see Creating a Remote Profile).
You create user accounts by using the Role Based Access Control workspace in Junos Space Platform if you want to permit remote authentication and local authorization (see Creating Users in Junos Space Network Management Platform).
To understand login behavior with remote authentication enabled, see the Junos Space Login Behavior with Remote Authentication Enabled topic.
Authorization data in the RADIUS server are stored as vendor-specific attributes (VSAs). Therefore, you must update the Junos dictionary file (juniper.dct) in the RADIUS server with the Junos Space Platform defined VSA (Juniper-Junosspace-Profiles). Users in the RADIUS server database should be assigned the VSA with the value corresponding to the Junos Space remote profile that you want to assign to the user. The user is authorized with roles specified by the remote profile. For a list of relevant Juniper RADIUS VSAs, see Juniper Networks Vendor-Specific RADIUS Attributes.
To configure VSAs in Steel-Belted Radius:
To configure VSAs in FreeRADIUS:
Add the Junos Space VSA to the Juniper dictionary file (dictionary.juniper). Locate the dictionary file and add the following text to the file:
ATTRIBUTE Juniper-Junosspace-Profiles 11 String
Assign a remote profile to the user by using the Juniper-Junosspace-Profiles attribute.
The following example shows how configuration information can be added to FreeRADIUS to assign a remote profile to a user:
"guestuser" Auth-Type:=PAP, User-Password:="<password>"
        Juniper-Junosspace-Profiles = "guestprofile"
For more information about adding the VSA and assigning a Junos Space remote profile to a user in FreeRADIUS, see the FreeRADIUS documentation.
The remote profiles created in Junos Space Platform are not automatically synchronized to the RADIUS server for selection. The administrator must manually enter the correct remote profile name.
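Because the profile name is typed by hand, a check of the FreeRADIUS users file against the list of remote profiles defined in Junos Space Platform catches mismatched names before a user tries to log in. The following Python script is an added example, not part of the Junos Space or FreeRADIUS software. The sample users file, the users "opsuser" and "netadmin", the profile "adminprofile", and the assumption that profile names must match exactly are all illustrative.

```python
import difflib
import re

# Reply item defined on this page; the operators =, := and += are accepted.
PROFILE_RE = re.compile(
    r'Juniper-Junosspace-Profiles\s*(?::=|\+=|=)\s*(?:"([^"]*)"|([^,\s]+))')
NAME_RE = re.compile(r'"([^"]+)"|(\S+)')

# Constructed sample users file; "opsuser" and "netadmin" are made-up entries.
SAMPLE_USERS = '''\
"guestuser" Auth-Type:=PAP, User-Password:="<password>"
        Juniper-Junosspace-Profiles = "guestprofile"

"opsuser" Auth-Type:=PAP, User-Password:="<password>"
        Juniper-Junosspace-Profiles = "Guestprofile"

"netadmin" Auth-Type:=PAP, User-Password:="<password>"
        Service-Type = Login-User
'''

# Assumption: remote profile names copied by hand from Junos Space Platform.
KNOWN_PROFILES = {"guestprofile", "adminprofile"}

def parse_users(text):
    """Map each user name to the remote profile names assigned in its entry."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comment lines
        if not line[0].isspace():  # an unindented line starts a new entry
            m = NAME_RE.match(line)
            current = m.group(1) or m.group(2)
            entries.setdefault(current, [])
        if current is not None:
            entries[current].extend(a or b for a, b in PROFILE_RE.findall(line))
    return entries

def find_unknown_profiles(users_text, known_profiles):
    """Return (user, assigned_profile, closest_known_or_None) per mismatch."""
    findings = []
    for user, profiles in parse_users(users_text).items():
        for profile in profiles:
            if profile not in known_profiles:  # assumption: exact match required
                close = difflib.get_close_matches(profile, sorted(known_profiles), n=1)
                findings.append((user, profile, close[0] if close else None))
    return findings

if __name__ == "__main__":
    for user, profile, hint in find_unknown_profiles(SAMPLE_USERS, KNOWN_PROFILES):
        print(f"{user}: unknown remote profile {profile!r}; closest known: {hint}")
```

Entries that carry no Juniper-Junosspace-Profiles item, such as users who are authorized locally, are parsed but not reported.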