Connecting Microsoft Radius Server to Junos Space

Basically, we need to do three steps in order to accomplish this task.

The first step is connecting the MS RADIUS server to Junos Space. This step is divided into two sub-steps:

a. Creating the RADIUS client:

Go to RADIUS Clients > right click > new


Type the IP address of Junos Space (the one you’re using with the CLI, not the virtual IP) and type the shared secret you want to use.


b. In Junos Space go to Administration > Authentication Servers > add the RADIUS server IP address and all the properties you want to use.

Notice: remember which protocol you’re going to use, because you’ll be configuring the same one later in the RADIUS server.


Test the connection and then proceed.

The second step is to configure a remote profile. You’ll be creating a remote profile to set the permissions for remotely authenticated users:

Go to Role Based Access Control > Remote Profiles > Create new

Set the profile name and the permissions you want to give the authenticated users.

Remember the profile name because you’ll be using that in the last step.

The last step is to create a network policy in the RADIUS server:

Go to:


Add the name of the user group that should be granted access to Junos Space.


And now the important part: the Vendor Specific attribute.

Juniper vendor code is: 2636

Attribute number: 11, type string

Refer to: https://www.juniper.net/documentation/en_US/junos/topics/reference/general/radius-vendor-specific-attributes-juniper-networks.html

The attribute value should be exactly the same remote profile name you’ve configured in the Junos Space remote profiles.


If the authenticated user is part of a domain, then on the Junos Space login page you should log in in this form: Domain\User


Deploying Log Collector in Junos Space

You will connect the log collector to Security Director after downloading the OVA, installing it in a VM and configuring the network settings.

You don’t have to choose option 6 and change the default user/pass used for connecting to the log collector, but if you do, just remember the password you entered.

default user/pass: admin/juniper123

Go to Administration > Logging Management > Logging Nodes > Create


Next > Finish


If you receive “Log Collector is not in Time Sync”, then check two things:

1- Check that both the log collector and the Junos Space machines have NTP port 123 (UDP) open in the firewall toward the NTP server.

2- Check that you have configured the right NTP server in the /etc/ntp.conf file. If not, then:

Stop the service: /etc/init.d/ntpd stop

Update the NTP server settings in the file

Force a one-time sync against the new server: ntpd -gq

Start the service: /etc/init.d/ntpd start

In order to collect the logs into the log collector, you’ll need to configure the log collector IP address in the Junos firewall, and it should be reachable from the firewall. For example:

admin@Firewall> show configuration security log stream Log-Collector
severity info;
format sd-syslog;
category all;
host {
192.168.10.45;
}


STRM disk space


So sometimes we can see such disk space warnings in the STRM logs.

Moreover, you might also receive an email notification from STRM saying the same:


According to:

https://www.juniper.net/documentation/software/management/strm/2013_2/strm-troubleshooting-guide.pdf

Pages: 16-17

Let’s use this command in the CLI: df -PTh /store/backup


And what I do to clear files up is connecting via WinSCP to the STRM machine and then cleaning the files which are claimed to be the issue in the link I shared (see page 17).

So in /store/ariel/events I can see, in each of those two folders “uncompressedCache” and “payloads”, files from 2014/2015/2016… those files I don’t actually need, so I’m going to copy them as a backup to my desktop and then delete them from the STRM machine.

In my scenario that was enough to get STRM working again.. but in other situations you might go all the way with the procedure explained in the STRM troubleshooting guide.

Configuring IPv6 on SRX firewall

1- First make sure that your SRX supports inet6 flow mode:

root@Lab> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware


If it appears to be in “drop” mode, then you need to enable it and reboot the device:

root@lab# set security forwarding-options family inet6 mode flow-based
root@lab# exit
root@lab> request system reboot

After reboot:

root@School-Lab> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based
MPLS forwarding mode: drop
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware

2- Configure IPv6 on the interface:

set interfaces ge-0/0/15 unit 0 family inet6 address 2001:2222:1111:e00::d11/56

3- Configure a static default route:

set routing-options rib inet6.0 static route ::/0 next-hop 2001:2222:1111:e00::1


SRX GENCFG failed error message

Regarding “/kernel: GENCFG: op 2 (USP Blob) failed; err 7 (Doesn’t Exist)”:

This kernel message is generated because the kernel does not have a handler for a certain gencfg blob message.

It is a harmless message and shows up perhaps because the logging level is too verbose.

You can change your syslog level to ‘any critical’ to avoid these messages. Keep in mind that this also stops error, warning, notice and info messages from being written to that file, so consider whether you still need them there.

{primary:node1}[edit]
root@Firewall# set groups node1 system syslog file default-log-messages any ?
Possible completions:
alert Conditions that should be corrected immediately
any All levels
critical Critical conditions
emergency Panic conditions
error Error conditions
info Informational messages
none No messages
notice Conditions that should be handled specially
warning Warning messages

Junos commands you might not be aware of

So there are some Junos commands you might not be aware of which can make configuring a Junos device much easier and simpler! Let’s take a look at some of them!

  • ‘rename’ command:

lab@ex-1# rename ge-0/0/6 unit 1 to unit 0

While configuring a switch, you accidentally configure unit 1 on an interface and you cannot commit the configuration, because there is no such unit 1 with layer 2 interfaces on EX series switches. So instead of rolling back / deleting the wrong configuration, you can simply rename the configuration to the correct one.

  • ‘wildcard’ command:

[edit interfaces]
lab@ex-1# wildcard delete ge-*
matched: ge-0/0/6
matched: ge-0/0/7
matched: ge-0/0/8
delete 3 objects? [yes,no] (no) yes

If you need to delete a lot of lines that have something in common, like deleting all the gig interfaces, you can simply use the ‘wildcard’ command. The prompt shows what matched, so read the list before answering yes.

  • ‘| match’ with multiple patterns

user@switch> show interfaces terse | match "interface|0/6|0/7"

Interface Admin Link Proto Local Remote
ge-0/0/6 up down
ge-0/0/6.0 up down eth-switch
ge-0/0/7 up up
ge-0/0/7.0 up up eth-switch

The match pattern is a regular expression, so “|” lets you show lines matching any of several patterns in one command.

  • ‘copy’ command

[edit interfaces]

# copy ge-0/0/6 to ge-0/0/7

The copy command duplicates an interface including any child statements such as description.

  • ‘replace’ command

# replace pattern lopbck with loopback

Make global changes to text patterns in the configuration. For example, if you consistently misspell a word common to the description statement for all of the interfaces on your device, you can fix this mistake with a single command.

  • ‘insert’ command

[edit security policies]
# insert from-zone trust to-zone untrust policy 1 before policy 2

You can use insert (before/after) to re-order policies instead of deleting and configuring them again.

  • ‘refresh’ command

admin@FW> show chassis routing-engine | match Idle | refresh 5
—(refreshed at 2017-05-03 12:12:24 IDT)—
Idle                      14 percent
Idle                      74 percent
—(refreshed at 2017-05-03 12:12:29 IDT)—
Idle                      14 percent
Idle                      74 percent
—(*more 100%)—[abort]

This command will refresh the output every <n> seconds.

How to change Junos Space logo welcome page

First you need to do ‘inspect element’ on the page to find the file name of the logo.


[root@space-005056941e6f ~]# find / | grep junos_space_rgb_360x240.png
/usr/local/jboss/domain/tmp/servers/server1/vfs/deployment1c48889875ac1ea/systemService-web.war-9705d0aeabb62272/images/junos_space_rgb_360x240.png
/usr/local/jboss/domain/tmp/servers/server1/vfs/deployment1c48889875ac1ea/cmUI.war-3dcd1c3964e96143/images/junos_space_rgb_360x240.png
find: /proc/27145: No such file or directory


[root@space-005056941e6f ~]# cd /usr/local/jboss/domain/tmp/servers/server1/vfs/deployment1c48889875ac1ea/systemService-web.war-9705d0aeabb62272/images/
[root@space-005056941e6f images]# ls
background-aqua-2560×1458.jpg        bgd_gradient_fill.png    junos_space_rgb_1800x1200.png  login_button_62x24.png     preload
background-aqua-2560×1458.png        burst-space-192×180.png  junos_space_rgb_360x240.png    logo_juniper_reversed.png  rounded-blue-100×26-btn.png
background-aqua-login-2560×1458.png  gradient-background.png  login-aqua-2560×1458.png       logo-reversed.png

Log in via WinSCP to the Junos Space machine. And remember that you need to change the Shell Environment from Default to /bin/bash.


Copy the logo to your PC and edit it.


Don’t forget to back up the one you have on the Junos Space machine (just rename it).


If you’re having a problem with permissions, just run these commands via the CLI. Note that chmod 777 makes the images directory writable by every local user; once the new logo is in place, put the original permissions back rather than leaving it world-writable.


[root@space-005056941e6f ~]# cd /usr/local/jboss/domain/tmp/servers/server1/vfs/deployment1c48889875ac1ea/systemService-web.war-9705d0aeabb62272/
[root@space-005056941e6f systemService-web.war-9705d0aeabb62272]# chmod 777 images/
