1. September 8, 2014

      Junos 12.1X44 Dynamic VPN with FreeRADIUS

      One of the features Juniper added to the SRX Dynamic VPN starting with Junos 12.1X44 is the ability to set the VPN client group via RADIUS (eliminating the need to specify the client username).

      What Juniper don’t tell you is how to do it: use the Juniper-Local-Group-Name VSA (vendor 2636, option 46). So, after some trial and error, here’s how:

      Step 1: Configure the access profile and create the Dynamic VPN client group:

      set security dynamic-vpn clients dynclient-testing remote-protected-resources 192.168.1.0/24
      set security dynamic-vpn clients dynclient-testing remote-exceptions 0.0.0.0/0
      set security dynamic-vpn clients dynclient-testing ipsec-vpn vpn-dynamic
      set security dynamic-vpn clients dynclient-testing user-groups dynvpn_testing
      

      Step 2: Add the following line to /usr/share/freeradius/dictionary.juniper:

      ATTRIBUTE	Juniper-Local-Group-Name		46	string
      

      Step 3: Assign the user the group through /etc/raddb/users (or however you do it):

      testuser    Cleartext-Password := "Testing123"
                  Juniper-Local-Group-Name = dynvpn_testing
      

      And… well, test!
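
To check the result on the wire, this added example (not from the original post) builds and parses the Vendor-Specific attribute that carries Juniper-Local-Group-Name, using the vendor ID 2636 and option 46 given above with the standard RFC 2865 VSA layout. The function names and the sample bytes are constructed for illustration.

```python
import struct

JUNIPER_VENDOR_ID = 2636   # vendor number from the post
LOCAL_GROUP_NAME = 46      # Juniper-Local-Group-Name option from the post
VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute type


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single string sub-attribute."""
    data = value.encode()
    if len(data) > 247:  # 255 - 2 (attr header) - 4 (vendor id) - 2 (sub header)
        raise ValueError("value too long for a single VSA")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, vendor_id) + sub


def juniper_groups(attrs):
    """Return every Juniper-Local-Group-Name in a RADIUS attribute section."""
    groups, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue  # not a VSA
        if struct.unpack("!I", body[:4])[0] != JUNIPER_VENDOR_ID:
            continue  # another vendor's VSA
        sub = body[4:]
        while len(sub) >= 2:  # a VSA may pack several sub-attributes
            stype, slen = sub[0], sub[1]
            if slen < 2 or slen > len(sub):
                raise ValueError("bad sub-attribute length")
            if stype == LOCAL_GROUP_NAME:
                groups.append(sub[2:slen].decode())
            sub = sub[slen:]
    return groups


# Constructed sample, not a real capture: attribute section of an Access-Accept
# for testuser (a Reply-Message "ok" followed by the group VSA).
SAMPLE = b"\x12\x04ok" + encode_vsa(JUNIPER_VENDOR_ID, LOCAL_GROUP_NAME, "dynvpn_testing")

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(juniper_groups(SAMPLE))
```

Feed `juniper_groups` the attribute bytes of an Access-Accept from a capture, that is, everything after the 20-byte RADIUS header.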

    2. June 21, 2011

      KVM virtual console to physical TTY

      This took me longer than it should’ve to figure out… I wanted to take the virtual console (pts) from a KVM virtual machine and map it to a physical tty, so that I could log in to my virtual machine from the physical keyboard without having to log in to the virtual host itself. This can be done with a simple one-liner:

      screen /dev/pts/1 > /dev/tty9 < /dev/tty9 &

      Add that to /etc/rc.d/rc.local to start on system startup (hopefully after the VM has started), and I'm all set!