Creating a Login Account for Remote Authentication

Problem

You want to use a RADIUS or TACACS+ database to authenticate users instead of setting up individual login accounts for them on the router.

Solution

Create a login account that has the username remote:

[edit system]
aviva@router1# set login user remote class operator
aviva@router1# set login user remote full-name "remote account"
aviva@router1# set login user remote uid 9999

Then set the authentication order so that the remote authentication server is checked before the router's configuration file. The following command uses a RADIUS server:

[edit system]
aviva@router1# set authentication-order [ radius password ]

Use the following command for TACACS+:

[edit system]
aviva@router1# set authentication-order [ tacacs password ]


Discussion

When you want users to be able to log in to and work on the router but always want to use a central authentication server, you can set up a placeholder account named remote instead of creating login accounts on the router for these users. When a user with no account in the local configuration files tries to log in to the router using her regular username, the authentication is handled by the remote account, which queries the RADIUS or TACACS+ server to authenticate the user. If the user's name and password match what is on the server, the user is authenticated and the router logs her in. (Recipes 2.12 and 2.13 explain how to configure the RADIUS and TACACS+ server information.)

As with an individual user account (see Recipe 2.5), you configure a privilege level with the set user remote class command and a user ID with the set user remote uid command. This recipe sets the privilege level to operator, which allows these users to perform most operational commands but not enter configuration mode. (Recipe 2.10 discusses privilege classes.)

This recipe includes the set user remote full-name command to provide a description of this account. This command is not required.

Users who are authenticated only by the remote account will not be able to log in to the router if the authentication server is down. You should always configure some individual user accounts with passwords on the router so someone can always log in to the router (see Recipe 2.5).

You can create only one remote account on the router. This means that all users who don't have an individual user account on the router and who are authenticated by RADIUS or TACACS+ share the same privilege level, which is configured in the set user remote class command. Recipe 2.9 describes how to set up remote accounts that have different privilege levels.
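The login behaviour this discussion describes, as an added simulation that is not part of the book or of Junos: the authentication order is walked left to right, a RADIUS step that rejects or is unreachable falls through to the next method (an assumption of the model), users with no local account receive the class of the placeholder remote account, and users with a local password still log in when the server is down. User names, passwords and the server database are constructed.

```python
# Added example: a model of the authentication-order decision, not Junos code.
# Assumption: a method that rejects or is unreachable falls through to the next
# method in the order; local password auth requires a locally configured password.

# Constructed local configuration: "remote" is the placeholder template of this
# recipe (no password of its own); "aviva" is an individual account (Recipe 2.5).
LOCAL_USERS = {
    "remote": {"class": "operator", "uid": 9999, "password": None},
    "aviva": {"class": "super-user", "uid": 2000, "password": "local-secret"},
}


def radius_check(server_up, server_db, user, password):
    """Return 'accept', 'reject' or 'unreachable' for the RADIUS step."""
    if not server_up:
        return "unreachable"
    return "accept" if server_db.get(user) == password else "reject"


def login(user, password, order, server_up, server_db):
    """Walk the authentication order; return the class granted, or None if denied."""
    for method in order:
        if method == "radius":
            if radius_check(server_up, server_db, user, password) == "accept":
                # A local account supplies its own class; a user with no local
                # account is handled by the shared "remote" template.
                template = LOCAL_USERS.get(user) or LOCAL_USERS.get("remote")
                return template["class"] if template else None
            # reject or unreachable: fall through to the next method
        elif method == "password":
            entry = LOCAL_USERS.get(user)
            if entry and entry["password"] is not None and entry["password"] == password:
                return entry["class"]
    return None


if __name__ == "__main__":
    order = ["radius", "password"]
    server = {"bob": "bobs-pw"}  # constructed RADIUS user database
    print(login("bob", "bobs-pw", order, True, server))       # operator (via remote)
    print(login("bob", "bobs-pw", order, False, server))      # None (server down)
    print(login("aviva", "local-secret", order, False, {}))   # super-user (local)
```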

See Also

Recipes 2.5, 2.9, 2.10, 2.12, and 2.13
