This Howto describes configuring RADIUS authentication and accounting on a Juniper device running JUNOS 11.4+ and integrating it with Clearpass. The Juniper device will be configured to receive a RADIUS VSA from Clearpass and provide super-user access to a specific AD user.
As before, I have a lab running Clearpass 6.2.x. I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.
Clearpass:
Enable the Juniper Dictionary in Clearpass:
1. Administration > Dictionaries > RADIUS
2. Filter > Vendor Name > Contains > "Juniper"
3. Click on "Juniper" and then click "Enable"
Add the Juniper device to a Clearpass Device Group. I use device groups for everything in Clearpass. This step is optional; it's just my personal preference.
1. Configuration > Network > Device groups
2. Select "Add Device Group"
3. Fill in the "Name" field. I'll be using "Junipers" in this example
4. Select "List" under "Format"
5. Under the "List", move the Juniper Device from the "Available Devices" to "Selected Devices"
6. Click "Save"
Create a Juniper Enforcement Profile:
1. Configuration > Enforcement > Profiles
2. Click "Add Enforcement Profile"
3. Select "RADIUS based enforcement" as the Template
4. Provide a name, "Juniper RADIUS Admin"
5. Make sure that "Accept" is set under "Action"
6. Under Attributes:
i. Type - "Radius:Juniper"
ii. Name - "Juniper-Local-User-Name (1)",
iii. Value - "radius-login-rw"
7. Finally, click "Save"
Create a Juniper Enforcement Policy:
1. Configuration > Enforcement > Policies
2. Click "Add Enforcement Policy"
3. Under "Enforcement", provide a name, "Juniper Login Enforcement Policy"
4. Verify that RADIUS is the "Enforcement Type"
5. Select "[Deny Access Profile]" for the "Default Profile"
6. Select "Rules" and click "Add Rule"
7. Mine looks like this:
i. Type - Tips
ii. Name - Role
iii. Operator - EQUALS
iv. Value - Juniper-Admins
8. Enforcement Profiles > "Profile Names" > "[RADIUS] Juniper RADIUS Admin"
9. Click "Save"
Create a Juniper Login Service:
1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement (Generic)"
4. Provide a name for the service, "Juniper Logins"
5. Under "Service Rule" enter the following:
i. Type - Connection
ii. Name - "NAD-IP-Address"
iii. Operator - "BELONGS_TO_GROUP"
iv. Value - "Junipers"
6. Under Authentication:
i. Authentication Methods - MSCHAP
ii. Authentication Sources - <your AD>
7. Under "Roles", select the "Role Mapping Policy" for your domain. Clicking "Modify" shows mine, which looks like this:
i. Type - Authorization:Windows-2012
ii. Name - memberOf
iii. Operator - EQUALS
iv. Value - CN=Juniper-Admins,CN=Users,DC=top,DC=local
v. Actions > "Role Name" > "Juniper-Admins"
8. Under "Enforcement" > "Enforcement Policy" select the enforcement policy that we created > "Juniper Login Enforcement Policy"
9. Click "Save"
Juniper Device:
1. Enter the configuration mode on the Juniper device with the following command:
edit
2. The following will configure a class of users with full CLI permissions:
set system login class Junos-Admins idle-timeout 30
set system login class Junos-Admins permissions all
3. This will configure a specific user that references the class defined above. Note that the user name "radius-login-rw" matches the Juniper-Local-User-Name value sent by the Clearpass Enforcement Profile.
set system login user radius-login-rw uid 9000
set system login user radius-login-rw class Junos-Admins
Optional:
The following optional configurations set up two distinct users. The first is a help desk user and its corresponding class; this user will have a restricted set of operational commands in the CLI. Note that you would have to create an additional Clearpass Enforcement Profile that sends a Juniper-Local-User-Name VSA of "radius-login-ro".
set system login class helpdesk idle-timeout 30
set system login class helpdesk permissions access
set system login user radius-login-ro uid 9001
set system login user radius-login-ro class helpdesk
The following user, "remote," is a generic user in JUNOS that can be used to authenticate any RADIUS authentication request. The class-based configuration above is a much better approach, but I figured what the hey:
set system login user remote full-name "AD Authorized"
set system login user remote uid 9999
set system login user remote class super-user
4. The following configuration will set up the Clearpass server as the primary RADIUS server for CLI connections:
set system radius-server <Clearpass Server> port 1812
set system radius-server <Clearpass Server> accounting-port 1813
set system radius-server <Clearpass Server> secret <Juniper Device Key>
set system radius-server <Clearpass Server> source-address <Juniper loopback or inbound mgmt>
5. This configuration will force MSCHAP:
set system radius-options password-protocol mschap-v2
6. The following configuration is very important: it makes the RADIUS server the ONLY authentication source, and locally defined accounts will only be checked if the RADIUS server is unavailable.
set system authentication-order radius
Optional:
This configuration will check the RADIUS server and locally defined accounts, even if the RADIUS server is available.
set system authentication-order [radius password]
7. The following will enable RADIUS Accounting for CLI connections:
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination radius server <Clearpass Server> secret <Juniper Device Key>
set system accounting destination radius server <Clearpass Server> source-address <Juniper loopback or inbound mgmt>
8. commit and-quit comment "Adding Clearpass RADIUS authentication and accounting"
You should now be able to log into the CLI on a JUNOS device with Clearpass. You can verify that things are working by logging into a Juniper device and viewing the results in Access Tracker found under Monitoring > Live Monitoring. You'll also be able to view the accounting details about this connection under Monitoring > Live Monitoring > Accounting.
The AD account shows up before the "@" symbol on a successful CLI connection:
mcourtney@top-srx100>
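Clearpass delivers the "radius-login-rw" mapping inside the Access-Accept as a Juniper vendor-specific attribute (vendor ID 2636, vendor type 1, Juniper-Local-User-Name). The following is an added example of my own, not code from Clearpass or Junos: it builds such a reply from constructed placeholder values, then decodes the Juniper VSA and checks the Response Authenticator against the shared secret, as RFC 2865 requires before a device trusts the reply. The request authenticator, secret and packet are constructed, not captured from a real server.

```python
import hashlib
import struct

JUNIPER_VENDOR_ID = 2636        # Juniper Networks IANA enterprise number
JUNIPER_LOCAL_USER_NAME = 1     # vendor type sent by the Clearpass enforcement profile
ATTR_VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute
CODE_ACCESS_ACCEPT = 2

def juniper_vsa(vendor_type, value):
    # Type 26, Length, Vendor-Id 2636, then vendor type / vendor length / value
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(sub), JUNIPER_VENDOR_ID) + sub

def build_access_accept(ident, request_auth, secret, attrs):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response_authenticator(packet, request_auth, secret):
    # A reply whose authenticator does not match was not produced with our secret
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return expected == packet[4:20]

def juniper_attributes(packet):
    # Walk the attribute list and collect {vendor_type: value} for Juniper VSAs only
    found, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break                           # malformed length, stop rather than loop
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
            sub = packet[pos + 6:pos + alen]
            while vendor == JUNIPER_VENDOR_ID and len(sub) >= 2 and sub[1] >= 2:
                found[sub[0]] = sub[2:sub[1]]
                sub = sub[sub[1]:]
        pos += alen
    return found

def local_user_for_accept(packet, request_auth, secret):
    # Only trust the VSA after the authenticator check passes
    if not verify_response_authenticator(packet, request_auth, secret):
        return None
    name = juniper_attributes(packet).get(JUNIPER_LOCAL_USER_NAME)
    return name.decode() if name else None

# Constructed sample values (placeholder secret, fixed request authenticator)
SAMPLE_REQ_AUTH = bytes(range(16))
SAMPLE_SECRET = b"placeholder-shared-secret"
SAMPLE_ACCEPT = build_access_accept(7, SAMPLE_REQ_AUTH, SAMPLE_SECRET,
                                    [juniper_vsa(JUNIPER_LOCAL_USER_NAME, b"radius-login-rw")])

if __name__ == "__main__":
    print(local_user_for_accept(SAMPLE_ACCEPT, SAMPLE_REQ_AUTH, SAMPLE_SECRET))  # radius-login-rw
```

A reply carrying the expected VSA but built with a different secret is rejected, which is the same reason the "secret" lines on the device and the Clearpass device entry must match.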
I've also configured wired 802.1x in JUNOS with dynamic firewall filters. I'll write this up as well, if there's interest.
Let me know what you think and if it works out.
-Mike