Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual page 450

Network and Security Manager Administration Guide
RADIUS Access-Challenge
When a user attempts to log in using telnet, a security device can process
access-challenge packets from an external RADIUS server. Access-challenge is an
additional authentication level. After a username and password have been authenticated,
the RADIUS server sends an access-challenge to the security device, which forwards the
challenge to the user. When the user replies, the device sends a new access-request with
the user's response to the RADIUS server; if the user's response is correct, the
authentication process concludes successfully.
NOTE: Juniper Networks does not support access-challenge with L2TP.
Juniper Networks Dictionary File
A dictionary file defines vendor-specific attributes (VSAs) that you load onto a RADIUS
server. After you define the VSA values, the security device can query those values when
a user logs on to the device.
You must load a Juniper Networks dictionary file to enable the RADIUS server to support
NSM-specific attributes such as administrator privileges, user groups, remote L2TP and
XAuth IP addresses, and DNS and WINS server address assignments. You do not need to
load a Juniper Networks dictionary file to enable RADIUS to make IP address assignments
(Juniper Networks uses the standard RADIUS attribute for IP address assignments).
Juniper Networks provides two dictionary files: one for Funk Software RADIUS servers
and one for Cisco RADIUS servers:
For the Funk Software RADIUS server dictionary file, go to
http://www.juniper.net/customers/csc/research/netscreen_kb/downloads/dictionary/funk_radius.zip
For the Cisco RADIUS server dictionary file, go to
http://www.juniper.net/customers/csc/research/netscreen_kb/downloads/dictionary/cisco_radius.zip
If using a Microsoft RADIUS server, there is no dictionary file. You must configure it as
outlined in Using a Windows NT Domain / Active Directory for User Authentication Security
Devices, which you can download from the Juniper customer support site.
Each Juniper Networks dictionary file contains the following specific information:
Vendor ID—The Juniper Networks vendor ID (VID; also called an "IETF number") is
3224. The VID identifies a specific vendor for a particular attribute. Some types of
RADIUS server require you to enter the VID for each attribute entry, while other types
only require you to enter it once and then apply it globally. Refer to your RADIUS server
documentation for further information.
Attribute Name—The attribute names describe individual NSM-specific attributes,
such as NS-Admin-Privilege, NS-User-Group, and NS-Primary-DNS-Server.
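The following Python code is an added example, not part of the Juniper guide. It parses a RADIUS reply and extracts the Vendor-Specific (type 26) sub-attributes that carry vendor ID 3224, which helps when checking that a RADIUS server really returns the dictionary's attributes. It assumes the sub-attribute layout recommended in RFC 2865; the sample packet and its vendor-type numbers 1 and 3 are constructed placeholders, not values from the dictionary file.

```python
import struct

JUNIPER_VID = 3224      # vendor ID stated in the guide
VENDOR_SPECIFIC = 26    # RFC 2865 attribute type that carries VSAs
CODES = {1: "Access-Request", 2: "Access-Accept",
         3: "Access-Reject", 11: "Access-Challenge"}

def _tlvs(buf, what):
    """Yield (type, value) from a run of 1-byte type / 1-byte length TLVs."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated {what} header at offset {pos}")
        typ, length = buf[pos], buf[pos + 1]
        # The length byte counts the type and length bytes themselves.
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad {what} length {length} at offset {pos}")
        yield typ, buf[pos + 2:pos + length]
        pos += length

def juniper_vsas(packet):
    """Return (code name, [(vendor_type, value), ...]) for vendor 3224.
    The authenticator is skipped, not verified."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("header length field does not match packet")
    found = []
    for typ, value in _tlvs(packet[20:length], "attribute"):
        if typ != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute lacks a vendor ID")
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id == JUNIPER_VID:
            found.extend(_tlvs(value[4:], "sub-attribute"))
    return CODES.get(code, f"code {code}"), found

def build_sample():
    """Constructed Access-Accept; vendor types 1 and 3 are placeholders."""
    def vsa(vid, vtype, data):
        sub = bytes([vtype, len(data) + 2]) + data
        return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", vid) + sub
    attrs = (bytes([1, 7]) + b"alice"                    # User-Name
             + vsa(JUNIPER_VID, 1, struct.pack("!I", 2))
             + vsa(JUNIPER_VID, 3, b"netops")
             + vsa(9, 1, b"other-vendor"))               # other vendor, skipped
    return struct.pack("!BBH", 2, 42, 20 + len(attrs)) + bytes(16) + attrs
```

Calling `juniper_vsas(build_sample())` returns the packet type and only the two vendor-3224 sub-attributes; malformed lengths raise `ValueError` instead of being read past the buffer.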
Copyright © 2010, Juniper Networks, Inc.