Active Directory Juniper mapping attribute - no local login-id configured

Steven Vacaroaia stef97 at
Fri Sep 3 20:43:45 CEST 2021


I am trying to set up 2FA for my Juniper switches using Freeradius,
Active Directory and Yubikey.

It seems to work fine AS LONG AS I have the user added to the switches,
but the right way to do this is by using groups and the
Juniper-Local-User-Name attribute.

My ultimate goal is to achieve this:

    if the user is part of the AD group XXXX
        has a valid Yubikey
            connect to switches that are part of the huntgroup ZZZZ using the "remoteadmin" class
            to switches that are part of the huntgroup YYYY using the "remoteuser" class

The classes above have been configured on the switches.
All works well EXCEPT the RADIUS attribute mapping.

The error on the switches is:
"...User 'remote' authenticated successfully but no local login-id"

It looks like what I need to do is to make sure that the group of users
that you're allowing access to the EXs gets the following vendor-specific
attribute returned in their access-accept message:

Vendor Code: 2636 (Juniper)

Attribute:1 Juniper-Local-User-Name

Value: "superUserClass"


Do I have to modify the AD schema and add those attributes, or is there a
better / smarter way to achieve the above?

Any help / instructions / ideas / documentation pointers will be
greatly appreciated.

I strongly prefer not to make changes to AD

Many thanks
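One way to return the attribute without touching the AD schema, shown here as an added example (it is not part of the post and not FreeRADIUS project configuration): an unlang policy in the post-auth section of sites-enabled/default on a FreeRADIUS 3.x server. It assumes the ldap module is already configured against Active Directory with group lookups working, that the huntgroups ZZZZ and YYYY are defined in mods-config/preprocess/huntgroups, that the preprocess and ldap modules run in the authorize section, and that the AD group is literally named XXXX; the class names are the ones from the post. Because post-auth only runs after authentication has succeeded, the class is granted only once the password and Yubikey have both been verified.

```unlang
# sites-enabled/default, post-auth section (added example, not part of the post).
# post-auth runs only after authentication (password + Yubikey) succeeded,
# so the Juniper login class is never returned for a failed login.
post-auth {
    # Group membership check via the ldap module's Ldap-Group comparison.
    # "XXXX" is the assumed AD group name; a full group DN also works.
    if (!(Ldap-Group == "XXXX")) {
        # Not in the allowed AD group: turn the Access-Accept into a reject.
        reject
    }

    # Huntgroup-Name is populated by the preprocess module from the
    # huntgroups file, keyed on the NAS (switch) address.
    if (&Huntgroup-Name == "ZZZZ") {
        update reply {
            # Vendor 2636, attribute 1 from dictionary.juniper; the value is
            # the login class configured on the switch.
            &Juniper-Local-User-Name := "remoteadmin"
        }
    }
    elsif (&Huntgroup-Name == "YYYY") {
        update reply {
            &Juniper-Local-User-Name := "remoteuser"
        }
    }
    else {
        # Switch is in neither huntgroup: grant no class at all.
        reject
    }

    # Keep the rest of the stock post-auth section (e.g. -sql, exec,
    # remove_reply_message_if_eap) below this point.
}
```

Run the server with `radiusd -X` and test a login from each huntgroup: the debug output should show `Juniper-Local-User-Name` in the Access-Accept for a user in XXXX, and an Access-Reject (via Post-Auth-Type REJECT) for a user outside the group or for a switch that belongs to neither huntgroup. Putting the decision in post-auth rather than in the users file keeps the group and huntgroup policy in one place and ensures the Juniper attribute can never accompany a failed 2FA attempt.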
