NAS login class to RADIUS authenticated ldap users

Alan DeKok
Sun Jun 25 05:05:47 CEST 2017

On Jun 24, 2017, at 5:53 PM, Darrain Waters wrote:
> I need to map ldap authenticated (389directory) users to juniper nas local
> accounts that all have different access rights. I clearly run the ldap
> module, and do a group search to verify a user can access based on group.
> Is it possible to take the group the ldap module finds and map it to a same
> named account on the juniper nas?

  I'm not really sure what that means...

> I want to avoid using the remote user id on the juniper nas with the access
> class that I assign, and instead use the different accounts on the juniper
> nas which are different access levels:
> user-ro
> user-op
> user-su

  Could you describe what you want to do using examples... i.e. what a user types when they login to the Juniper box, what's in the Access-Request, and what you want to be in the Access-Accept.

  i.e. In order to configure it, you need to know what you want it to do.  Once your requirements are written down, the solutions are usually pretty straightforward.

> I have not messed with the git pulled 3.0.14 config files other than ldap,
> clients.conf and users file. See radiusd -X below for run info.  In my
> users file I have:
> DEFAULT LDAP-Group == "admins", Auth-Type := Accept

  That lets users log in without doing password checks.  This is likely not what you want.

> Juniper's instructions are as follows, which I have tried:

  Do those instructions work?  If so, make small modifications to change them to do what you want.

  Alan DeKok.
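The point Alan makes about `Auth-Type := Accept` can be seen side by side with a form that keeps the password check and still selects a Juniper local account per LDAP group. This is an added, constructed example, not configuration from the thread or from the FreeRADIUS project; it assumes the `ldap` module is already configured to authenticate the user (so `Auth-Type` is left for ldap/pap to set), that the Juniper NAS honours the vendor attribute `Juniper-Local-User-Name` from `dictionary.juniper`, and the group names `operators` and `readonly` are placeholders.

```conf
# users file for FreeRADIUS 3.0.x (constructed example, not from the thread).
#
# The entry quoted in the thread. Anyone in LDAP group "admins" is accepted
# the moment the group matches: the password is never verified.
#
#   DEFAULT LDAP-Group == "admins", Auth-Type := Accept
#
# Corrected form: do not touch Auth-Type. The ldap/pap modules still verify
# the password; the LDAP group is used only to choose the reply attribute
# that tells the Juniper NAS which local account (user-su, user-op, user-ro)
# to map the session to.

DEFAULT LDAP-Group == "admins"
        Juniper-Local-User-Name := "user-su",
        Fall-Through = No

DEFAULT LDAP-Group == "operators"
        Juniper-Local-User-Name := "user-op",
        Fall-Through = No

DEFAULT LDAP-Group == "readonly"
        Juniper-Local-User-Name := "user-ro",
        Fall-Through = No

# Users who authenticate but are in none of the groups above get an explicit
# reject instead of falling through to whatever the NAS does by default.
DEFAULT Auth-Type := Reject
        Reply-Message = "No matching LDAP group for this NAS"
```

Check the result with `radiusd -X`: a successful login must show the password check (e.g. ldap bind or pap) in the debug output before `Juniper-Local-User-Name` appears in the Access-Accept.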
