Setting Up RADIUS User Authentication
Problem
You use RADIUS for user authentication in your network and you want to set up the router to authenticate against the RADIUS server.
Solution
Configure information about your RADIUS server:
[edit system]
aviva@router1# set radius-server 192.168.63.10 secret $1991poppI
aviva@router1# show
radius-server {
    192.168.63.10 secret "$9$90m6AO1EcyKWLhcYgaZji"; ## SECRET-DATA
}
Discussion
The Remote Authentication Dial-In User Service (RADIUS) provides a centralized method for authenticating users on the router. RADIUS uses a client/server model: a RADIUS server receives user connection requests, authenticates the user, and returns the configuration information the client (in this case, the router) needs to deliver service to the user. Every exchange between server and client is protected by a shared secret, a password known to both sides. The router uses the secret to hide the user's password inside the Access-Request, and the server uses it to compute the authenticator on its reply, which is how the router tells a genuine Access-Accept from a forged one. Nothing else in a RADIUS packet is encrypted, so keep RADIUS traffic on a management network you control.
To configure the router as a RADIUS client, you set the IP address of your RADIUS server and the password (secret) that the router should use when talking to the server. The secret on the router and the RADIUS server must be the same. After you type the secret, the CLI never displays it in the clear but shows it in the $9$ obfuscated format. This is a reversible encoding, not encryption: it keeps someone from reading the password over your shoulder, but anyone who can read the configuration (a saved copy, a backup, or pasted show output) can recover it, so treat configuration files that contain radius-server secrets as sensitive.
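The exchange described above, as an added example that is not part of the original recipe and not JUNOS or RADIUS-server code: a minimal RFC 2865 client and server that hide and recover the User-Password with the shared secret and compute and verify the Response Authenticator on the reply. The user name, password and secret are made up, and only the two attributes needed for the exchange are implemented.

```python
"""RFC 2865 Access-Request / Access-Accept exchange showing what the shared
secret protects.  Added example; user, password and secret are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; a wrong secret yields unrelated bytes, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(user: bytes, password: bytes, secret: bytes, ident: int = 1):
    # The Request Authenticator must be unpredictable; reusing one breaks password hiding.
    req_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password with its copy of the secret and reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs, i = {}, 20
    while i < length:
        atype, alen = request[i], request[i + 1]
        attrs[atype] = request[i + 2:i + alen]
        i += alen
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    rcode = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    return packet(rcode, ident, response_authenticator(rcode, ident, req_auth, b"", secret), b"")


def client_verify(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: accept only replies whose authenticator was computed with our secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, req_auth, response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])


def exchange(user, password, client_secret, server_secret, users):
    """Run one request/reply; returns (reply code, reply verified by the client)."""
    req, req_auth = build_access_request(user, password, client_secret)
    resp = server_handle(req, server_secret, users)
    return resp[0], client_verify(resp, req_auth, client_secret)


if __name__ == "__main__":
    users = {b"aviva": b"pass123"}  # constructed sample user database
    print(exchange(b"aviva", b"pass123", b"$1991poppI", b"$1991poppI", users))
    print(exchange(b"aviva", b"pass123", b"$1991poppI", b"mismatch", users))
```

Note what the secret does and does not cover: the server's reply is authenticated end to end, but the Access-Request itself carries no proof of origin beyond the hidden password, and an attacker who learns the secret can forge Access-Accept replies for any request they can observe.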
By default, the JUNOS software sends authentication requests to UDP port 1812 on the RADIUS server, as defined in RFC 2865. Also by default, the router waits three seconds for a response from the RADIUS server and, if none arrives, retransmits the request up to three more times before giving up on that server. You can modify these values if necessary. Here, we allow just 1 retry and wait 10 seconds for a response from the server:
[edit system]
aviva@router1# set radius-server 192.168.63.10 retry 1
aviva@router1# set radius-server 192.168.63.10 timeout 10
A single centralized server is a single point of failure if it goes down. To provide redundancy, you can configure several servers:
[edit system]
aviva@router1# set radius-server 192.168.0.23 secret 2lip123
aviva@router1# set radius-server 10.0.16.1 secret 883roZe
When you configure more than one server, initially the primary server is the one you configured first. After that, the primary server is the one that last responded. If the router cannot reach this server, it tries the remaining ones in the order configured. Use the show command to see the order in which the router tries the servers:
[edit system]
aviva@router1# show
radius-server {
    192.168.63.10 secret "$9$vs0W7-oJGiqm24fzF3AtKvWL7V"; ## SECRET-DATA
    10.0.16.1 secret "$9$4DojHQFnCp0TzIcrKXxbs2"; ## SECRET-DATA
    192.168.0.23 secret "$9$7edYgq.5QF/iktuB1hcwY2"; ## SECRET-DATA
}
Notice that this example uses a different secret for each server. Because the secret is what lets the router authenticate a server's reply, an attacker who learns it can forge Access-Accept responses for that server; with distinct secrets, a compromise of one server's secret does not expose the others. If you suspect that the secret of the primary server has been compromised, you can delete that server's entry and switch to one of the secondary servers without re-keying all of them.
The JUNOS software defines vendor-specific RADIUS attributes (VSAs), which the RADIUS server returns to the router inside the standard Vendor-Specific attribute (type 26) using the Juniper Networks vendor ID 2636. You can configure your server to return the Juniper-specific information listed in Table 2-2. All the Juniper attributes are used only in RADIUS Access-Accept packets.

Table 2-2. Juniper Networks vendor-specific RADIUS attributes

| Attribute name | Description | Type field value | Length field value | String |
|---|---|---|---|---|
| Juniper-Local-User-Name | Name of user template. | 1 | 3 or more | One or more ASCII octets |
| Juniper-Allow-Commands | Allows the user to run operational mode commands in addition to those authorized by the user's login class. Same action as the allow-commands statement. | 2 | 3 or more | One or more ASCII octets written as an extended regular expression |
| Juniper-Deny-Commands | Prevents the user from running operational mode commands that the user's login class would otherwise authorize. Same action as the deny-commands statement. | 3 | 3 or more | One or more ASCII octets written as an extended regular expression |
| Juniper-Allow-Configuration | Allows the user to modify portions of the configuration in addition to those authorized by the user's login class. Same action as the allow-configuration statement. | 4 | 3 or more | One or more ASCII octets written as an extended regular expression |
| Juniper-Deny-Configuration | Prevents the user from modifying portions of the configuration that the user's login class would otherwise authorize. Same action as the deny-configuration statement. | 5 | 3 or more | One or more ASCII octets written as an extended regular expression |
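The wire layout behind Table 2-2, as an added example that is not part of the original recipe and not Juniper or RADIUS-server code: each Juniper attribute travels as an RFC 2865 Vendor-Specific attribute (type 26) carrying vendor ID 2636 and one sub-attribute whose vendor-length counts its own two header octets, which is why the table says "3 or more". The encoder builds such attributes for an Access-Accept and the parser recovers them; the template name and regular expressions are made up.

```python
"""Encode and decode Juniper Networks RADIUS VSAs (Vendor-Specific type 26,
Vendor-Id 2636).  Added example; attribute values below are made up."""
import struct

VENDOR_SPECIFIC = 26
JUNIPER_VENDOR_ID = 2636
JUNIPER_ATTRS = {
    "Juniper-Local-User-Name": 1,
    "Juniper-Allow-Commands": 2,
    "Juniper-Deny-Commands": 3,
    "Juniper-Allow-Configuration": 4,
    "Juniper-Deny-Configuration": 5,
}
JUNIPER_NAMES = {v: k for k, v in JUNIPER_ATTRS.items()}


def juniper_vsa(name: str, value: str) -> bytes:
    """One RADIUS attribute: Type=26, Length, Vendor-Id (4 octets), then the
    sub-attribute (vendor-type, vendor-length, string).  vendor-length is
    2 + len(string), so it is 3 or more for a non-empty string."""
    data = value.encode("ascii")
    if not data:
        raise ValueError("Juniper VSA strings need at least one octet")
    sub = struct.pack("!BB", JUNIPER_ATTRS[name], 2 + len(data)) + data
    total = 2 + 4 + len(sub)
    if total > 255:
        raise ValueError("attribute exceeds the one-octet Length field")
    return struct.pack("!BBI", VENDOR_SPECIFIC, total, JUNIPER_VENDOR_ID) + sub


def access_accept_attributes(template: str, allow_cmds: str = "", deny_cmds: str = "") -> bytes:
    """Attribute list a server would place in an Access-Accept for one user."""
    out = juniper_vsa("Juniper-Local-User-Name", template)
    if allow_cmds:
        out += juniper_vsa("Juniper-Allow-Commands", allow_cmds)
    if deny_cmds:
        out += juniper_vsa("Juniper-Deny-Commands", deny_cmds)
    return out


def parse_attributes(attrs: bytes) -> list:
    """Walk a RADIUS attribute list.  Juniper VSAs come back as (name, string);
    anything else is returned as (type, raw bytes).  Lengths are checked
    before use so a truncated or malformed list raises instead of misparsing."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length at offset %d" % i)
        body = attrs[i + 2:i + alen]
        is_juniper = (atype == VENDOR_SPECIFIC and len(body) >= 6
                      and struct.unpack("!I", body[:4])[0] == JUNIPER_VENDOR_ID)
        if is_juniper:
            vtype, vlen = body[4], body[5]
            if vlen < 3 or vlen != len(body) - 4:
                raise ValueError("bad Juniper sub-attribute length at offset %d" % i)
            name = JUNIPER_NAMES.get(vtype, "Juniper-Unknown-%d" % vtype)
            out.append((name, body[6:4 + vlen].decode("ascii")))
        else:
            out.append((atype, body))
        i += alen
    return out


if __name__ == "__main__":
    reply = access_accept_attributes("ops-template", deny_cmds="^(request|restart)")
    for name, value in parse_attributes(reply):
        print(name, value)
```

The router only honours these attributes when they arrive in an Access-Accept, so a server that emits them in other packet types gains nothing; and because Juniper-Allow-Commands widens what the login class permits, the regular expressions returned by the server deserve the same review as the allow-commands statements in the router's own configuration.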
See Also
RFC 2865, Remote Authentication Dial In User Service (RADIUS)