Creating a Remote Authentication Server
To run Junos Space Network Management Platform remote authentication, you must create one or more remote authentication servers and configure the server settings.
To create a remote authentication server:
- Select Administration > Authentication
The Authentication Servers page is displayed.
- (Optional) If you want to use one of the remote authentication
modes supported by Junos Space Platform, in the Authentication
Mode Setting area, perform the following tasks:
Junos Space Platform allows you to add authentication servers even when you are using local authentication. This enables you to configure the authentication server settings before enabling and specifying a remote authentication mode.
- Select the Use Remote Authentication check
The option button to specify the remote authentication mode is enabled.
- Specify the remote authentication mode that you want to
use. Do one of the following:
Select Remote Authentication Only to use the remote authentication mode supported by Junos Space Platform.
Select Remote-Local Authentication to use the remote local authentication mode supported by Junos Space Platform.
- Click Save to store the remote authentication mode setting you select.
- Select the Use Remote Authentication check box.
- To add a remote authentication server:
- Click the + (Add auth server) icon.
The Create Auth Server dialog box is displayed.
- Specify the remote authentication server fields, as explained
in Table 1; all the
fields are mandatory.
Table 1: Remote Authentication Server Parameters
Specify the type of the authentication server:
RADIUS—Authenticate users by using a RADIUS server.
TACACS+—Authenticate users by using a TACACS+ server.
Specify the name of the remote authentication server.
The remote authentication server name cannot exceed 128 characters and can contain only letters, numbers, hyphens, underscores, or periods.
Select one of the following authentication protocols supported by the remote server:
PAP—Password Authentication Protocol
CHAP—Challenge Handshake Authentication Protocol
MS-CHAPv2—(RADIUS only) Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
Specify the IP address of the remote authentication server.
Depending on whether the Junos Space fabric is configured with only IPv4 addresses or both IPv4 and IPv6 addresses, Junos Space Platform allows you to enter an IPv4 address or either an IPv4 or IPv6 address respectively for the remote authentication server.
The IPv4 and IPv6 addresses that you use must be valid addresses. Refer to http://www.iana.org/assignments/ipv4-address-space for the list of restricted IPv4 addresses and http://www.iana.org/assignments/ipv6-address-space for the list of restricted IPv6 addresses.
Specify the UDP port number assigned by the remote authentication server.
The default port number is 1812 for RADIUS authentication and 49 for TACACS+ authentication.
Specify the password (shared secret) that is used for authentication between the remote authentication server, the proxy authentication server, and Junos Space Platform.
The shared secret that you specify must match the shared secret configured in the RADIUS or TACACS+ server.
Confirm Shared Secret
Reenter the password (shared secret) to confirm.
Number of Tries
Specify the number of retries that a Junos Space Platform attempts to contact the remote authentication server.
After the specified number of tries is exceeded and if you have configured other servers, Junos Space Platform attempts to contact the other authentication servers one by one.
You can enter a value from 1 through 5; the default is 3 tries.
Max Retry Timeout MSecs
Specify the interval (in milliseconds) that the Junos Space Platform waits for a reply from the remote authentication server before it times out.
The minimum value is 1000 milliseconds and the default is 6000 milliseconds.
- Click OK.
The remote authentication server is created and displayed in the table on the Authentication Servers page.
- Click the + (Add auth server) icon.
- (Optional) Click Test Connection to verify
the connection from Junos Space Platform to the remote authentication
If the test connection result is a success, the remote authentication server is reachable.
If the test connection result is a failure, the remote authentication server is unreachable.
If the test connection result displays the message Mismatched shared secret, then the configured shared secret for that server is incorrect. Ensure that you have entered the correct remote authentication server shared secret details.