Juniper JUNOS OS 10.3 - SOFTWARE Manual page 2715

For EX Series Ethernet Switches
Chapter 83: Configuring Access Control
Copyright © 2010, Juniper Networks, Inc.

Configuring Match Statements on the RADIUS Server

You can configure simple filter conditions using the Juniper-Switching-Filter attribute in the Juniper dictionary on the RADIUS server. These filters are then sent to a switch whenever a new user is authenticated successfully. The filters are created and applied on all EX Series switches that authenticate users through that RADIUS server without the need to configure anything on each individual switch.

To configure the Juniper-Switching-Filter attribute, enter one or more match conditions and a resulting action using the CLI for the RADIUS server. Enter the match statement plus an action statement enclosed within quotes (" ") using the following syntax:

    match <destination-mac mac-address> <source-vlan vlan-name> <source-dot1q-tag tag> <destination-ip ip-address> <ip-protocol protocol-id> <source-port port> <destination-port port>
    }
    action [allow | deny] <forwarding-class class-of-service> <loss-priority (low | medium | high)>
    }

See "VSA Match Conditions and Actions for EX Series Switches" on page 2626 for definitions of match statement options.

To configure match conditions on the RADIUS server:

1. Verify that the Juniper dictionary is loaded on your RADIUS server and includes the filtering attribute Juniper-Switching-Filter, attribute ID 48:

    [root@freeradius]# cat /usr/local/share/freeradius/dictionary.juniper
    #
    # dictionary.juniper
    #
    # Version: $Id: dictionary.juniper,v 1.2.6.1 2005/11/30 22:17:25 aland Exp $
    #
    VENDOR          Juniper                         2636
    BEGIN-VENDOR    Juniper
    ATTRIBUTE       Juniper-Local-User-Name         1       string
    ATTRIBUTE       Juniper-Allow-Commands          2       string
    ATTRIBUTE       Juniper-Deny-Commands           3       string
    ATTRIBUTE       Juniper-Allow-Configuration     4       string
    ATTRIBUTE       Juniper-Deny-Configuration      5       string
    ATTRIBUTE       Juniper-Switching-Filter        48      string   <—

2. Enter the match conditions and actions. For example:

   To deny authentication based on the 802.1Q tag (here, the 802.1Q tag is 10):

    [root@freeradius]# cd /usr/local/etc/raddb
    vi users

   For each relevant user, add the Juniper-Switching-Filter attribute:

    Juniper-Switching-Filter = "match source-dot1q-tag 10 action deny"
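A typo in a Juniper-Switching-Filter string (a misspelled keyword or action) is not caught by FreeRADIUS, which only stores the string; the switch receives an unusable filter and the intended restriction is silently lost. The following validator, added here as an example and not part of the Juniper manual or FreeRADIUS, checks each filter in a users file against the match keywords and action options listed in the syntax above. The users-file fragment is constructed; the keyword and option names come from this page, while the requirement of at least one match condition is an assumption made here.

```python
# Match keywords and action options, as listed in the syntax on this page.
MATCH_KEYS = {"destination-mac", "source-vlan", "source-dot1q-tag", "destination-ip",
              "ip-protocol", "source-port", "destination-port"}
ACTION_OPTS = {"forwarding-class", "loss-priority"}
LOSS_PRIORITIES = {"low", "medium", "high"}

def parse_switching_filter(value):
    """Parse one filter string into (conditions, action, options) or raise ValueError."""
    tokens = value.strip().strip('"').split()
    if not tokens or tokens[0] != "match" or "action" not in tokens:
        raise ValueError("filter must read: match <conditions> action allow|deny ...")
    split = tokens.index("action")
    cond_tokens, act_tokens = tokens[1:split], tokens[split + 1:]
    # Requiring at least one condition is a check added here; the page shows each as optional.
    if not cond_tokens or len(cond_tokens) % 2:
        raise ValueError("match conditions must be keyword/value pairs")
    conditions = {}
    for key, val in zip(cond_tokens[::2], cond_tokens[1::2]):
        if key not in MATCH_KEYS or key in conditions:
            raise ValueError(f"unknown or repeated match keyword: {key}")
        conditions[key] = val
    if not act_tokens or act_tokens[0] not in ("allow", "deny"):
        raise ValueError("action must be allow or deny")
    action, opt_tokens = act_tokens[0], act_tokens[1:]
    if len(opt_tokens) % 2:
        raise ValueError("action options must be keyword/value pairs")
    options = {}
    for key, val in zip(opt_tokens[::2], opt_tokens[1::2]):
        if key not in ACTION_OPTS or (key == "loss-priority" and val not in LOSS_PRIORITIES):
            raise ValueError(f"bad action option: {key} {val}")
        options[key] = val
    return conditions, action, options

def check_users_file(text):
    """Return {line_no: error} for each Juniper-Switching-Filter reply item that fails to parse."""
    errors = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("Juniper-Switching-Filter"):
            try:
                # Reply items may end with a comma; the value itself is in quotes.
                parse_switching_filter(line.split("=", 1)[1].strip().rstrip(","))
            except ValueError as err:
                errors[n] = str(err)
    return errors

# Constructed users-file fragment (not from the page): the second filter misspells the action.
SAMPLE_USERS = '''alice  Cleartext-Password := "placeholder"
       Juniper-Switching-Filter = "match source-dot1q-tag 10 action deny"
bob    Cleartext-Password := "placeholder"
       Juniper-Switching-Filter = "match source-dot1q-tag 10 action denied"'''
```

Running `check_users_file(SAMPLE_USERS)` reports line 4 with "action must be allow or deny" and nothing for alice's entry, so the check can be run against the users file before restarting the RADIUS server.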
2619