While preparing for some Juniper exams, I wanted to test RADIUS authentication for Junos device access. This way of authenticating is helpful in larger networks. Instead of providing all the devices with several usernames and passwords you can use a centralized RADIUS server for authenticating on all those devices. If that RADIUS server uses the Active Directory as a user database you can login on your network devices using your regular username and password.

The RADIUS server of choice (at the moment of writing this) is Cisco Identity Service Engine (ISE). Overkill for this specific blog post, but fun to do.

First add the RADIUS server configuration to the Junos device. The following example uses local (Junos) authentication first. If the user is not found, the next user database is RADIUS.

Junos Configuration

set system authentication-order [ password radius ]
set system radius-server 192.168.1.15 secret abc123

Create two classes and define the rights associated with that class.

set system login user readonly-users class read-only
set system login user super-users class super-user

Now we need to configure the RADIUS server (Cisco ISE in this case).

Cisco ISE Configuration

When we want to assign a class to the user, we need to be able to return a special attribute that the Junos OS understands. The appropriate attribute (according to the Juniper documentation) is 'Juniper-Local-User-Name'.
This required the so-called Juniper Dictionary, which contains these Vendor-Specific-Attributes (VSA) on the RADIUS server. Unfortunately, the Juniper dictionary is not available on Cisco ISE, so you have to add it yourself.

Searching the Interwebs didn't direct me to the specific dictionary file, but the actual dictionary is a part of the FreeRADIUS implementation, so I extracted the dictionary file from the download on their website. Just look for a file in the compressed .gz file called dictionary.juniper.

Once located and extracted, you can upload / import the file to the ISE appliance via RADIUS Dictionary Management:

Policy -> Policy Elements -> Dictionaries -> System -> RADIUS -> RADIUS Vendors

Now that the Juniper dictionary is added, the Juniper RADIUS attributes can be used in the authentication and authorization policies on ISE. In this case; when the authentication is successful, the RADIUS server should return at least the following RADIUS attributes:

Service-Type = Login-User
Juniper-Local-User-Name = "<class_name>"

Where <class_name> is the confgured class on the Junos device.

This is configured in the Authorization Results part of ISE:

Policy -> Policy Elements -> Results -> Authorization -> Authorization Profiles

We also need to add the Juniper devices as a Network Access Device, and to make things easier, add them to a Device Group.
I usually create device groups based on vendor and purpose. In this case I made a group called 'Juniper'. This group contains two sub-groups called 'EX Switches' and 'SRX Firewalls'. By doing this you can differentiate between different kind of devices and the users (network administrators) that are allowed to access the devices.
Another benefit is that not every vendor / device used the same authentication or authorization parameters. A Cisco device sends different attributes, and required Cisco specific attributes for role mapping. Differentiating makes things easier.

When the actual Network Access Devices are added to ISE, all that needs to be done is assign them to the correct device group.

All that's left to do is to create the authentication and authorization policy to allow device access for administration.

The authentication policy (in this case) is based on where the request comes from (a Juniper Device), and the type of authentication requested (PAP/ASCII). If that occurs, the internal user database is queried.

If we would be using a Cisco IOS device we would have more flexibility in regards to the authentication and authorization policies, since those devices send more RADIUS attributes to the RADIUS server that we can use in our policies. E.g. the attribute Service=login is send bij Cisco IOS devices. Junos lacks this as you can see from this Wireshark capture (the 1.1.1.1 IP address shown in the screenshot is a OSPF test on my behalf, and has nothing to do with this blogpost).

Thankfully, the ISE solution is flexible enough to cope with these limitations. I always say that the only limitation is your imagination when it comes to configuring the authentication and authorization policies.

After the authentication comes the authorization part. In this case the check is for the device type, the group to which the user belongs, and what profile (RADIUS attributes) needs to be returned.

When configured correctly, the user gets assigned the appropriate rights on the Junos device. This can be verified in the logging of ISE.

in the following screenshot are the parts that were used in the policies etc. highlighted.

Even Splunk (my local syslog collector) says the authentication went fine.