Linking JunOS authentication to Active Directory using RADIUS

This post shows how to create two roles in JunOS: ‘read-only’ and ‘super-user’ and to give AD users access to these roles via groups. The Juniper vendor-specific information comes from here:

The Windows Server 2008R2 bit (server IP address

  1. Add the “Network Policy and Access Services” role, and the “Network Policy Server” role service. Then start the “Network Policy Service” MMC snap-in.

  1. Select “Templates Management”, right-click “Shared Secrets” and select “New”.
  2. Give the template a name like “JunOS”, select “Generate” and then click the “Generate” button to create the shared secret.
  3. Copy the shared secret to a text file for later use, then click OK

  1. Click “Policies”, right-click on “Network Policies” and choose “New”
  2. Choose a name for the SuperUser policy like “JunOS SuperUser”
  3. The type of network access server should be “Unspecified”

  1. Add a new “Condition” matching “Windows Groups” and add the groups from AD that should have SuperUser access

  2. On the “Specify Access Permission” page leave “Access granted” selected

  1. On the “Configure Authentication Methods” page unselect everything except “Microsoft Encrpyted Authentication version 2 (MS-CHAP-v2)

  1. On the “Configure Constraints” page there are no changes.
  2. On the “Configure Settings” page delete the “Standard” RADIUS attributes

  1. Select “Vendor Specific” under the RADIUS Attributes
  2. Click Add, change the Vendor dropdown to “Custom” and click “Vendor-Specific” from the attributes

  1. Click “Add”, then “Add” on the “Attribute Information” dialog
  2. Select “Enter Vendor Code” from the “Specify network access server vendor” section and enter the Juniper vendor code “2636”
  3. Select “Yes. It conforms” to specify that the attribute conforms to the RADIUS RFC

  1. Click “Configure Attribute” and set the “Vendor-assigned attribute number” to “1”, which represents “Juniper-Local-User-Name”
  2. Set the “Attribute format” to “String”
  3. Set the “Attribute value” to “su”. This is the local username passed to JunOS

  1. Click OK buttons to get back to the “Configure Settings” screen, and select “Encryption”
  2. Unselect everything except “Strongest Encryption”

  1. Click “Next”, then “Finish”

  1. Repeat instructions 5-23 for the “JunOS ReadOnly profile”, setting the RADIUS attribute value to “ro” to match the JunOS config below.
  2. Make sure the order of the Policies is as in the next screenshot

  1. Expand “RADIUS Clients and Servers”, right-click “RADIUS Clients” and click “New”
  2. Enter the details of the JunOS router, selecting “JunOS” from the Shared Secrets template dropdown

  1. Click “OK”

The JunOS bit (router IP address, add this configuration changing the secret key that Windows created. This sets up two user ‘roles’ – ‘ro’ and ‘su’ and configures the radius server shared secret.

set system authentication-order [ password radius ]
set system radius-server secret “0C&2eTVBv8SMXwq1eo5!3fyBhh!u2gcBjGLcz@jIC4LPj8slrBC9V^j&0hMXUHRe”
set system radius-options password-protocol mschap-v2
    set system login user ro class read-only
set system login user su class super-user
set system services ssh

Then “show | compare” should look something like this:

[edit system]
+  authentication-order [ password radius ];
+  radius-server {
+ secret “$9$pml/uIEyrKx7-yrWx7-Y2F36CAuEcleWLUj3/9t1IwYgoUHqmf3nCHqBIEhyr24oZUHz39tpOikz69CpuxNdw4aHkPQz6CtclM8N-ZGDkqfCtOB1EfTAu1ISy24oaUiHqPTz6f5RSyKx7jHqPfQn6CtO1Vw9t01yr8Xx7bsGUHfTFKMGjiq5TREcylM”; ## SECRET-DATA
+  }
+  radius-options {
+      password-protocol mschap-v2;
+  }
+  login {
+      user ro {
+          class read-only;
+      }
+      user su {
+          class super-user;
+      }
+  }
[edit system services]
+    ssh;


After ‘commit’, JunOS will start the SSH daemon. If everything worked, then you can log in as any AD user that’s in the groups selected above:

Superuser group:

macbook:/Users/chrisl/ 12$ ssh chrisl@junos
chrisl@junos’s password: 
— JUNOS 10.1R1.8 built 2010-02-12 17:15:05 UTC
chrisl@junos> configure 
Entering configuration mode


Readonly group:

macbook:/Users/chrisl/ 13$ ssh hermioneg@junos
hermioneg@junos’s password: 
— JUNOS 10.1R1.8 built 2010-02-12 17:15:05 UTC
hermioneg@junos> conf
unknown command.



Leave a Reply

Your email address will not be published. Required fields are marked *

Comment replies are not available offline

Hi, I have a question. How I can configure the ports on the Switch to authenticate to Active Directory and RADIUS server?

This is a computer connected to the domain network EXAMPLE.COM.US receives a computer without domain does not receive network.

Thank You

on February 19, 2015 at 5:24 pm Reply |

IEEE 802.1X ? Sorry that’s not something this article covers : )

on February 20, 2015 at 4:15 pm Reply |

Yes, 802.1X protocol on Juniper.

Validating a computer on the network through Active Directory credentials

on February 23, 2015 at 5:38 pm Reply |

First thanks for the tutorial,

In case I don’t want to configure ‘su’ and ‘ro’ users what would be the value of the “String”? is it root in this case?

Thank you

on February 9, 2015 at 1:06 am Reply |

Been a while since I looked at this, but if you already have a JunOS generic superuser account you want to use then yes you can use that. root might work, but that might be special in JunOS. Give it a go : )

on February 10, 2015 at 9:57 am Reply |

I tried every single tutorial on the internet to get my SRX to work with radius with no luck. This is the only method that worked!
Thank you very much for this article.

on June 17, 2014 at 3:36 pm Reply |

Brilliant. Thanks for the easy instructions. Not everyone shows screenshots 🙂

on May 8, 2014 at 7:34 pm Reply |

thank you sir! Very nice article that helped me out a lot.

on June 12, 2013 at 1:30 pm Reply |