Active Directory Juniper mapping attribute - no local login-id configured

Steven Vacaroaia stef97 at gmail.com
Fri Sep 3 20:43:45 CEST 2021


Hi,

I am trying to set up 2FA for my Juniper switches using FreeRADIUS,
Active Directory and a YubiKey.

It seems to work fine AS LONG AS I have the user added to the switches,
but the right way to do this is by using groups and the
Juniper-Local-User-Name attribute.

My ultimate goal is to achieve this:

    if the user is part of the AD group XXXX
      and
        has a valid YubiKey
      then
        connect to switches that are part of the huntgroup ZZZZ
        using the "remoteadmin" class
      or
        connect to switches that are part of the huntgroup YYYY
        using the "remoteuser" class

The classes above have been configured on the switches.
All works well EXCEPT the RADIUS attribute mapping.

The error on the switches is:
"...User 'remote' authenticated successfully but no local login-id
configured..."

It looks like what I need to do is
"..
 to make sure that the group of users that you're allowing access to
the EXs gets the following vendor-specific attribute returned in their
access-accept message:

Vendor Code: 2636 (Juniper)

Attribute:1 Juniper-Local-User-Name

Value: "superUserClass"

..."

Do I have to modify the AD schema and add those attributes, or is
there a better / smarter way to achieve the above?

Any help, instructions, ideas or documentation pointers will be
greatly appreciated.

Note:
I strongly prefer not to make changes to AD.

Many thanks
Steven
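
One way to express the mapping described in the post on the FreeRADIUS side, as an added example that is not part of the original message or of any FreeRADIUS/Juniper documentation. It uses the `users` file (FreeRADIUS 3.x `mods-config/files/authorize`) together with the `preprocess` module's `huntgroups` file, so nothing has to be added to the AD schema: group membership comes from the `LDAP-Group` check item (supplied by the `ldap` module, which is assumed to be instantiated and listed in `authorize` before `files`), and the switch is selected by `Huntgroup-Name`. The group name XXXX, the huntgroup names ZZZZ/YYYY and the template names remoteadmin/remoteuser are the placeholders from the post; the NAS addresses and file paths are constructed for the example and must be adjusted. The YubiKey OTP check is assumed to be handled elsewhere in the `authorize`/`authenticate` sections and is not shown.

```text
# ---- mods-config/preprocess/huntgroups (constructed example) ----
# Maps the switch (NAS) that sent the request to a huntgroup name.
# The addresses below are placeholders; list every switch in each group.
ZZZZ    NAS-IP-Address == 192.0.2.10
ZZZZ    NAS-IP-Address == 192.0.2.11
YYYY    NAS-IP-Address == 192.0.2.20

# ---- mods-config/files/authorize (the "users" file) ----
# Check items (left of the first newline) must all match; reply items
# are sent back in the Access-Accept.  Juniper-Local-User-Name is
# attribute 1 under vendor 2636 in dictionary.juniper, which FreeRADIUS
# ships and loads by default.

# Members of XXXX reaching a ZZZZ switch get the "remoteadmin" template.
DEFAULT LDAP-Group == "XXXX", Huntgroup-Name == "ZZZZ"
        Juniper-Local-User-Name := "remoteadmin",
        Fall-Through = No

# Members of XXXX reaching a YYYY switch get the "remoteuser" template.
DEFAULT LDAP-Group == "XXXX", Huntgroup-Name == "YYYY"
        Juniper-Local-User-Name := "remoteuser",
        Fall-Through = No

# Everyone who did not match above (wrong group, or a switch that is in
# neither huntgroup) is rejected rather than accepted without a template.
DEFAULT Auth-Type := Reject
        Reply-Message := "Not authorised for this device"
```

Junos looks the value of Juniper-Local-User-Name up as a locally configured user template (a `system login user` entry such as `remoteadmin`) and takes the login class from that template, so the names returned here must exist as template users on the switches, not only as classes. The order of the `DEFAULT` entries matters: `Fall-Through = No` stops processing once a switch-specific entry has matched, so the final reject entry is only reached by requests that matched nothing above it. Running `radiusd -X` and sending a test request with `radtest` or `radclient` from a host whose address is in one of the huntgroups shows whether `LDAP-Group` and `Huntgroup-Name` evaluate as expected before the switches are involved.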


More information about the Freeradius-Users mailing list