MVP
Posts: 371
Registered: 01-14-2010

Howto: JUNOS CLI Authentication and Accounting via Clearpass

This Howto describes configuring RADIUS authentication and accounting on a Juniper device running JUNOS 11.4+ and integrating it with Clearpass. The Juniper device will be configured to receive a RADIUS VSA from Clearpass and provide super-user access for an AD-specific user.

As before, I have a lab running Clearpass 6.2.x. I have a Windows 2012 server with defined users and groups, and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.

Clearpass:

Enable the Juniper Dictionary in Clearpass:

1. Administration > Dictionaries > RADIUS
2. Filter > Vendor Name > Contains > "Juniper"
3. Click on "Juniper" and then click "Enable"

Add the Juniper device to a Clearpass Device Group. I use device groups for everything in Clearpass. This step is optional; it's just my personal preference.

1. Configuration > Network > Device groups
2. Select "Add Device Group"
3. Fill in the "Name" field. I'll be using "Junipers" in this example
4. Select "List" under "Format"
5. Under the "List", move the Juniper Device from the "Available Devices" to "Selected Devices"
6. Click "Save"

Create a Juniper Enforcement Profile:

1. Configuration > Enforcement > Profiles
2. Click "Add Enforcement Profile"
3. Select "RADIUS based enforcement" as the Template
4. Provide a name, "Juniper RADIUS Admin"
5. Make sure that "Accept" is set under "Action"
6. Under Attributes:
   i. Type - "Radius:Juniper"
   ii. Name - "Juniper-Local-User-Name (1)",
   iii. Value - "radius-login-rw"
7. Finally, click "Save"

Create a Juniper Enforcement Policy:

1. Configuration > Enforcement > Policies
2. Click "Add Enforcement Policy"
3. Under "Enforcement", provide a name, "Juniper Login Enforcement Policy"
4. Verify that RADIUS is the "Enforcement Type"
5. Select "[Deny Access Profile]" for the "Default Profile"
6. Select "Rules" and click "Add Rule"
7. Mine looks like this:
   i. Type - Tips
   ii. Name - Role
   iii. Operator - EQUALS
   iv. Value - Juniper-Admins
8. Enforcement Profiles > "Profile Names" > "[RADIUS] Juniper RADIUS Admin"
9. Click "Save"

Create a Juniper Login Service:

1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement (Generic)"
4. Provide a name for the service, "Juniper Logins"
5. Under "Service Rule" enter the following:
   i. Type - Connection
   ii. Name - "NAD-IP-Address"
   iii. Operator - "BELONGS_TO_GROUP"
   iv. Value - "Junipers"
6. Under Authentication:
   i. Authentication Methods - MSCHAP
   ii. Authentication Sources - <your AD>
7. Under Roles select the "Role Mapping Policy" for your domain. Here's what mine looks like by clicking "Modify."
   i. Type - Authorization:Windows-2012
   ii. Name - memberOf
   iii. Operator - EQUALS
   iv. Value - CN=Juniper-Admins,CN=Users,DC=top,DC=local
   v. Actions > "Role Name" > "Juniper-Admins"
8. Under "Enforcement" > "Enforcement Policy", select the enforcement policy that we created, "Juniper Login Enforcement Policy"
9. Click "Save"

Juniper Device:

1. Enter configuration mode on the Juniper device with the following command:

edit

2. The following will configure a class of users with full CLI permissions:

set system login class Junos-Admins idle-timeout 30
set system login class Junos-Admins permissions all

3. This will configure a specific user that references the class defined above. Note that the user name "radius-login-rw" is the same as the Clearpass Enforcement Profile.

set system login user radius-login-rw uid 9000
set system login user radius-login-rw class Junos-Admins

Optional:

The following optional configurations set up two distinct users. The first is a help desk user and the corresponding class. This user will have a redacted set of operational commands in the CLI. The one thing to note is that you would have to create an additional Clearpass Enforcement Profile and send a VSA of "radius-login-ro."

set system login class helpdesk idle-timeout 30
set system login class helpdesk permissions access

set system login user radius-login-ro uid 9001
set system login user radius-login-ro class helpdesk

The following user, "remote," is a generic user in JUNOS that can be used to authenticate any RADIUS authentication request. The class-based configuration above is a much better approach, but I figured what the hey:

set system login user remote full-name "AD Authorized"
set system login user remote uid 9999
set system login user remote class super-user

4. The following configuration will set up the Clearpass server as the primary RADIUS server for CLI connections:

set system radius-server <Clearpass Server> port 1812
set system radius-server <Clearpass Server> accounting-port 1813
set system radius-server <Clearpass Server> secret <Juniper Device Key>
set system radius-server <Clearpass Server> source-address <Juniper loopback or inbound mgmt>

5. This configuration will force MSCHAP:

set system radius-options password-protocol mschap-v2

6. The following configuration is very important. It states that the ONLY authentication source will be the RADIUS server; locally defined accounts will only be checked if the RADIUS server is unavailable.

set system authentication-order radius

Optional:

This configuration will check the RADIUS server and locally defined accounts, even if the RADIUS server is available.

set system authentication-order [radius password]

7. The following will enable RADIUS Accounting for CLI connections:

set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination radius server <Clearpass Server> secret <Juniper Device Key>
set system accounting destination radius server <Clearpass Server> source-address <Juniper loopback or inbound mgmt>

8. commit and-quit comment "Adding Clearpass RADIUS authentication and accounting"

You should now be able to log into the CLI on a JUNOS device with Clearpass. You can verify that things are working by logging into a Juniper device and viewing the results in Access Tracker, found under Monitoring > Live Monitoring. You'll also be able to view the accounting details about this connection under Monitoring > Live Monitoring > Accounting.

The AD account shows up before the "@" symbol on a successful CLI connection:

mcourtney@top-srx100>

I've also configured wired 802.1x in JUNOS with dynamic firewall filters. I'll write this up as well, if there's interest.

Let me know what you think and if it works out.

-Mike
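
An added example, not code from Mike's post nor from Juniper or Aruba: a small pure-Python model of the RADIUS reply that steps 3 and 4 of the Juniper section depend on. Clearpass returns Juniper-Local-User-Name (Juniper's vendor ID is 2636; attribute 1, as the dictionary entry in the post shows) inside an Access-Accept, and JUNOS logs the AD user in under the local template account that value names; when no VSA is returned, JUNOS uses the generic "remote" template if it is configured. The block encodes that VSA per RFC 2865, checks the Response Authenticator that the shared secret (the post's <Juniper Device Key>) protects, and maps each reply onto the template accounts from the post. The secret, the request authenticator, the packet identifiers, the local-user table and the deny-on-unknown-template-name rule are all constructed for this example.

```python
# Added example: how a JUNOS box consumes the Clearpass Access-Accept described in
# this Howto. Not code from the post, Juniper or Aruba. The secret, request
# authenticator, packet identifiers and packet bytes are constructed here.
import hashlib
import struct

JUNIPER_VENDOR_ID = 2636       # Juniper Networks IANA enterprise number
JUNIPER_LOCAL_USER_NAME = 1    # "Juniper-Local-User-Name (1)" in the Clearpass dictionary
VENDOR_SPECIFIC = 26           # RFC 2865 Vendor-Specific attribute type
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one RFC 2865 Vendor-Specific attribute carrying a single vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def build_response(code: int, identifier: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Assemble a RADIUS reply with a correct Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator. A NAS must silently discard a reply that
    fails this check; it is what ties an Access-Accept to the shared secret."""
    if len(packet) < 20:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_attrs(attrs: bytes):
    """Yield (type, value) pairs. A VSA is yielded as (26, (vendor_id, vendor_type, value))."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            yield atype, (vendor_id, vtype, value[6:4 + vlen])
        else:
            yield atype, value
        i += alen
    if i != len(attrs):
        raise ValueError("truncated attribute header")


def select_template_user(packet, request_auth, secret, local_users, fallback="remote"):
    """Mirror the mapping the Howto relies on: Clearpass returns Juniper-Local-User-Name
    and JUNOS logs the AD user in under that local template account (the post's
    radius-login-rw -> class Junos-Admins). With no VSA, JUNOS uses the generic
    "remote" template if configured. Returns (template_user, class) or None for deny."""
    if not verify_response(packet, request_auth, secret) or packet[0] != ACCESS_ACCEPT:
        return None
    for atype, val in parse_attrs(packet[20:]):
        if atype == VENDOR_SPECIFIC and val[0] == JUNIPER_VENDOR_ID and val[1] == JUNIPER_LOCAL_USER_NAME:
            name = val[2].decode("ascii", errors="replace")
            # Assumption of this model: a VSA naming an unconfigured template user is a deny.
            return (name, local_users[name]) if name in local_users else None
    return (fallback, local_users[fallback]) if fallback in local_users else None


LOCAL_USERS = {                       # the "set system login user ... class ..." lines of the post
    "radius-login-rw": "Junos-Admins",
    "radius-login-ro": "helpdesk",
    "remote": "super-user",
}
SECRET = b"constructed-shared-secret"   # stands in for <Juniper Device Key>
REQUEST_AUTH = bytes(range(16))         # a real NAS picks this at random per Access-Request


def demo() -> dict:
    """Build four replies and report what each would map to on the JUNOS side."""
    rw_vsa = build_vsa(JUNIPER_VENDOR_ID, JUNIPER_LOCAL_USER_NAME, b"radius-login-rw")
    accept_rw = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, rw_vsa, SECRET)
    accept_bare = build_response(ACCESS_ACCEPT, 8, REQUEST_AUTH, b"", SECRET)
    reject = build_response(ACCESS_REJECT, 9, REQUEST_AUTH, b"", SECRET)
    # Same reply built with a different secret: a mistyped key on either side looks like this.
    wrong_key = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, rw_vsa, b"some-other-secret")
    return {
        "accept_with_vsa": select_template_user(accept_rw, REQUEST_AUTH, SECRET, LOCAL_USERS),
        "accept_without_vsa": select_template_user(accept_bare, REQUEST_AUTH, SECRET, LOCAL_USERS),
        "reject": select_template_user(reject, REQUEST_AUTH, SECRET, LOCAL_USERS),
        "bad_authenticator": select_template_user(wrong_key, REQUEST_AUTH, SECRET, LOCAL_USERS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```

Running it prints the four cases. The "bad_authenticator" case is what a secret mismatch between the Juniper radius-server stanza and the Clearpass device entry looks like from the NAS side: the Access-Accept arrives but is discarded, and Access Tracker shows a success while the CLI login still fails.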
Aruba
Posts: 1,542
Registered: 06-12-2012

Re: Howto: JUNOS CLI Authentication and Accounting via Clearpass

Thanks for the How-To, Mike. If you don't mind, I will create an Arubapedia page with this.

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.

MVP
Posts: 371
Registered: 01-14-2010

Re: Howto: JUNOS CLI Authentication and Accounting via Clearpass

Hi Troy,

Yep, that's not a problem. Thanks!

-Mike

Aruba
Posts: 1,542
Registered: 06-12-2012

Re: Howto: JUNOS CLI Authentication and Accounting via Clearpass

Here you go...

Thanks for the how to..:)

https://afp.arubanetworks.com/afp/index.php/How-_To:_Juniper_JUNOS_CLI_Authentication_and_Accounting_via_Clearpass

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.