Configuring a RADIUS Server for Authentication and Authorization

Junos Space Network Management Platform supports authorization of users from a RADIUS server. Using the Authentication Servers page (Administration > Authentication Servers), you can configure a RADIUS server to authenticate and authorize users to log in exclusively from a centralized location using one or more RADIUS remote authentication servers. You can also authenticate and authorize users to log in to Junos Space Platform using both local and remote authentication and authorization.

Note:

Before you authenticate and authorize users to log in to Junos Space Platform by using the RADIUS server, you must make sure that:

To understand login behavior with remote authentication enabled, see the Junos Space Login Behavior with Remote Authentication Enabled topic.

Authorization data in the RADIUS server is stored as vendor-specific attributes (VSAs). Therefore, you must update the Junos dictionary file (juniper.dct) in the RADIUS server with the VSA defined by Junos Space Platform (Juniper-Junosspace-Profiles). Each user in the RADIUS server database should be assigned the VSA with the value corresponding to the Junos Space remote profile that you want to assign to that user. The user is then authorized with the roles specified by the remote profile. For a list of relevant Juniper RADIUS VSAs, see Juniper Networks Vendor-Specific RADIUS Attributes.

To configure VSAs in Steel-Belted Radius:

  1. Add the Junos Space VSA to the Juniper dictionary file (juniper.dct). Locate the dictionary file and add the following text to the file:
  2. Assign a remote profile to the user by using the Juniper-Junosspace-Profiles attribute.

    For more information about adding the VSA and assigning a Junos Space remote profile to a user in Steel-Belted RADIUS, see the Steel-Belted RADIUS documentation.

To configure VSAs in FreeRADIUS:

  1. Add the Junos Space VSA to the Juniper dictionary file (dictionary.juniper). Locate the dictionary file and add the following text to the file:

  2. Assign a remote profile to the user by using the Juniper-Junosspace-Profiles attribute.

    The following example shows how configuration information can be added to FreeRADIUS to assign a remote profile to a user:

    For more information about adding the VSA and assigning a Junos Space remote profile to a user in FreeRADIUS, see the FreeRADIUS documentation.

Note:

The remote profiles created in Junos Space Platform are not automatically synchronized to the RADIUS server for selection. The administrator must manually enter the correct remote profile name.
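
Because profile names are entered by hand on the RADIUS side, a check like the following can catch mistyped or unassigned profiles before users log in. This is an added example, not Juniper or FreeRADIUS code; the user entries, profile names, and the exact-match rule are assumptions made for illustration, and the input follows the FreeRADIUS users file layout.

```python
import re

ATTR = "Juniper-Junosspace-Profiles"
# Reply item in a FreeRADIUS "users" file: indented, Attr = "value" (or :=)
ITEM = re.compile(r'^\s+' + re.escape(ATTR) + r'\s*:?=\s*"([^"]*)"\s*,?\s*$')

# Constructed sample data: user names, passwords and profile names are made up.
SAMPLE_USERS = '''\
alice  Cleartext-Password := "example-only"
       Juniper-Junosspace-Profiles = "NetOps-ReadOnly"

bob    Cleartext-Password := "example-only"
       Juniper-Junosspace-Profiles = "netops-admin "

carol  Cleartext-Password := "example-only"
       Juniper-Junosspace-Profiles = "Helpdesk"

dave   Cleartext-Password := "example-only"
       Reply-Message = "no profile assigned"
'''
# Assumption: copied by hand from the remote profiles defined in Junos Space.
KNOWN_PROFILES = ["NetOps-ReadOnly", "NetOps-Admin"]

def audit_users(users_text, known_profiles):
    """Map each user entry to (status, value): ok, near-miss, unknown or missing."""
    exact = set(known_profiles)
    folded = {p.strip().lower() for p in known_profiles}
    results, user = {}, None
    for line in users_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # unindented line starts a new entry
            user = line.split()[0]
            if user != "DEFAULT":            # fall-through entries are not users
                results[user] = ("missing", None)
            continue
        m = ITEM.match(line)
        if m and user not in (None, "DEFAULT"):
            value = m.group(1)
            if value in exact:
                results[user] = ("ok", value)
            elif value.strip().lower() in folded:
                results[user] = ("near-miss", value)  # case/whitespace differs
            else:
                results[user] = ("unknown", value)
    return results

if __name__ == "__main__":
    print(audit_users(SAMPLE_USERS, KNOWN_PROFILES))
```

Entries reported as near-miss, unknown, or missing are the ones to review against the remote profile list in Junos Space before relying on remote authorization.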