AD: I'm not really sure what that means... I can see where it is not clear. AD: Could you describe what you want to do using examples... i.e. what a user types when they login to the Juniper box, what's in the Access-Request, and what you want to be in the Access-Accept. I would like to map the group "admins" in the ldap directory, to the super-user account "admin-su" on a Juniper NAS. Likewise, map a directory group "net-ro" to the read-only account "admin-ro" on a juniper nas. When a user attempts to log into a nas with ldap account, the request goes to radius which looks up the user group membership & password. If the ldap user belongs to group "admins" in the ldap directory, the user is granted super-user rights via admin-su account on the juniper nas. If a user attempts juniper nas login, and belongs to ldap "net-ro" group they are given "admin-ro" read-only access to the juniper nas. I can log into the juniper nas with my ldap user and pass, but the Juniper has an account known as "remote" that catches all requests. The "remote" account is unique and only allows 1 type of user access at a time. So, if I want to grant different users su or ro access to the nas, I can't in this scenario. AD: That lets users log in without doing password checks. This is likely not what you want. You are right, I do not want to allow user access without a password. I have removed DEFAULT LDAP-Group == "admins", Auth-Type := Accept & replaced with DEFAULT LDAP-Group == "users", Auth-Type := Reject. I did this just to keep regular users fro being able to access the nas with their ldap user and pass. AD: Do those instructions work? If so, make small modifications to change them to do what you want. The Juniper instructions do not work and are probably old, though they came from a recently dated post. Thank you. Darrain On Sat, Jun 24, 2017 at 10:05 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 24, 2017, at 5:53 PM, Darrain Waters <dwaters@bioteam.net> wrote:
I need to map ldap authenticated (389directory) users to juniper nas
local
accounts that all have different access rights. I clearly run the ldap module, and do a group search to verify a user can access based on group. Is it possible to take the group the ldap module finds and map it to a same named account on the juniper was ?
I'm not really sure what that means...
I want to avoid using the remote user id on the juniper nas with the access class that I assign, and instead use the different accounts on the juniper nas which are different access levels:
user-ro user-op user-su
Could you describe what you want to do using examples... i.e. what a user types when they login to the Juniper box, what's in the Access-Request, and what you want to be in the Access-Accept.
i.e. In order to configure it, you need to know what you want it to do. Once your requirements are written down, the solutions are usually pretty straightforward.
I have not messed with the git pulled 3.0.14 config files other than ldap, clients.conf and users file. See radiusd -X below for run info. In my users file I have:
DEFAULT LDAP-Group == "admins", Auth-Type := Accept
That lets users log in without doing password checks. This is likely not what you want.
Junipers instructions are as follow, which I have tried:
Do those instructions work? If so, make small modifications to change them to do what you want.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html