NAS login class to RADIUS authenticated ldap users

Alan DeKok aland at
Sun Jun 25 14:41:17 CEST 2017

On Jun 25, 2017, at 1:10 AM, Darrain Waters <dwaters at> wrote:
> I would like to map the group "admins" in the ldap directory, to the
> super-user account "admin-su" on a Juniper NAS. Likewise, map a directory
> group "net-ro" to the read-only account "admin-ro" on a juniper nas.
> When a user attempts to log into a nas with ldap account, the request goes
> to radius which looks up the user group membership & password. If the ldap
> user belongs to group "admins" in the ldap directory, the user is granted
> super-user rights via admin-su account on the juniper nas. If a user
> attempts juniper nas login, and belongs to ldap "net-ro" group they are
> given "admin-ro" read-only access to the juniper nas.

  That's clearer.  So write that down as a series of statements and if / then / else checks:

* when a user logs into the NAS, they do so with a name X, and password Y

* that information is sent to FreeRADIUS in an Access-Request

* FreeRADIUS checks to see if that name / password is OK, and rejects them
   if it's not OK.

* if they are accepted, FreeRADIUS looks up their group information in LDAP

* if they are in LDAP group "admins", FreeRADIUS should respond with
  Juniper-Local-User-Name = "admin-su"

* else if they are in LDAP group "net-ro", FreeRADIUS should respond with
  Juniper-Local-User-Name = "admin-ro"

  Then, implement it piece by piece.  Get LDAP authentication working.  Then, get LDAP group checking working.  That's done via the LDAP-Group attribute...

  You'll want to put the Juniper-Local-User-Name into the "post-auth" section, as that is run only after a user is authenticated.

	if (LDAP-Group == "admins") {
		update reply {
			Juniper-Local-User-Name := "admin-su"
		}
	}

You'll see that once you get the problem stated clearly, you can map that pretty directly into the FreeRADIUS configuration.

  Alan DeKok.
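The if / else-if chain from the reply written out as a complete post-auth block, added here as an example (it is not part of Alan's message or of the FreeRADIUS distribution). It assumes FreeRADIUS 3.x with the ldap module's group lookup already configured so that LDAP-Group comparisons work, and a Juniper NAS with local accounts "admin-su" and "admin-ro" as named in the question.

```unlang
# Added example: raddb/sites-enabled/default, post-auth section.
# Assumes the ldap module is configured for group membership checks and
# that the Juniper NAS has local accounts "admin-su" and "admin-ro".
post-auth {
	# "admins" is tested first, so a user who is in both groups gets the
	# super-user mapping; reverse the order if the read-only mapping
	# should win in that case.
	if (LDAP-Group == "admins") {
		update reply {
			Juniper-Local-User-Name := "admin-su"
		}
	}
	elsif (LDAP-Group == "net-ro") {
		update reply {
			Juniper-Local-User-Name := "admin-ro"
		}
	}
	else {
		# Valid LDAP password but membership in neither group. Without
		# this branch the user would still get an Access-Accept with no
		# Juniper-Local-User-Name, and Junos would map the login to its
		# "remote" template account if one exists. Reject explicitly.
		reject
	}

	# The remaining stock post-auth entries (exec, Post-Auth-Type REJECT,
	# etc.) stay as shipped below this point.
}
```

Test each branch with radtest using a user from each group and one from neither, and confirm in the `radiusd -X` output that the Access-Accept carries the expected Juniper-Local-User-Name or that the third user is rejected.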

More information about the Freeradius-Users mailing list