Configuring RADIUS Server Authentication
RADIUS authentication is a method of authenticating users who attempt to access the router or switch.
Junos OS supports two protocols for central authentication of users across multiple routers and switches: RADIUS and TACACS+. We recommend RADIUS because it is a multivendor IETF standard, and its features are more widely accepted than those of TACACS+ or other proprietary systems. We also recommend using a one-time-password system for increased security; the vendors of these systems support RADIUS.
You should use RADIUS when your priorities are interoperability and performance:
- Interoperability—RADIUS is more interoperable than TACACS+, primarily because of the proprietary nature of TACACS+. While TACACS+ supports more protocols, RADIUS is universally supported.
- Performance—RADIUS is much lighter on your routers and switches and for this reason, network engineers generally prefer RADIUS over TACACS+.
To use RADIUS authentication on the device, configure information about one or more RADIUS servers on the network by including one radius-server statement at the [edit system] hierarchy level for each RADIUS server.
Because remote authentication is configured on multiple devices, it is commonly configured inside of a configuration group. As such, the steps shown here are in a configuration group called global. Using a configuration group is optional.
To configure authentication by a RADIUS server:
- Add an IPv4 or IPv6 server address.
  - Configure an IPv4 server address and source address:
    [edit groups global]
    user@host# set system radius-server server-address source-address source-address
    For example:
    [edit groups global]
    user@host# set system radius-server 192.168.17.28 source-address 192.168.17.1
  - Configure an IPv6 server address and source address:
    [edit groups global system radius-server server-address]
    user@host# set secret password source-address source-address
    For example:
    [edit groups global system radius-server ::17.22.22.162]
    user@host# set secret $9$lPOv87ZGiH.5JGn/AtOB7-dVgo source-address ::17.22.22.1
  The source address is a valid IPv4 or IPv6 address configured on one of the router or switch interfaces. It sets a fixed source address for the RADIUS packets the device generates. A RADIUS server identifies its clients by source IP address and binds the shared secret to that address, so choose an address that stays the same whichever interface the packets leave on, such as a loopback address, and register that same address as the client on the server.
  The server address is the unique IPv4 or IPv6 address assigned to a particular RADIUS server and used to route packets to it. If the Junos OS device has several interfaces that can reach the RADIUS server, assign one IP address that Junos OS uses for all of its communication with the RADIUS server.
- Include a shared secret password.
You must specify a password in the secret password statement. If the password contains spaces, enclose it in quotation marks. The secret used by the local router or switch must match the one configured for this client on the RADIUS server. It is the shared secret that protects the User-Password attribute and authenticates the server's replies, so use a long random value and a different one for each server.
[edit groups global system radius-server server-address]
user@host# set secret password
For example:
[edit groups global system radius-server 192.168.69.162]
user@host# set secret $9$gQ4UHf5F36CiH.5Tz9CuO1hreM8xw2oIENVwgZG
You enter the secret in plain text; Junos OS stores and displays it in the $9$ obfuscated form shown in the example. That form is reversible, not a hash, so protect configuration files and backups that contain it.
- If necessary, specify a port on which to contact the RADIUS server.
By default, port number 1812 is used (as specified in RFC 2865).
Note: You can also specify an accounting port to send accounting packets with the accounting-port statement. The default is 1813 (as specified in RFC 2866).
[edit groups global system radius-server server-address]
user@host# set port port-number
For example:
[edit groups global system radius-server 192.168.69.162]
user@host# set port 1845
- Specify the order in which Junos OS attempts authentication.
You must include the authentication-order statement in your remote authentication configuration.
The example assumes your network includes both RADIUS and TACACS+ servers. Whenever a user attempts to log in, Junos OS first queries the RADIUS server. If that fails, it next tries the locally configured user accounts (password), and finally the TACACS+ server. Listing password explicitly matters: if password is omitted from the order, local accounts are consulted only when every configured remote server is unreachable, not when a server rejects the login.
[edit groups global system]
user@host# set authentication-order [ authentication-methods ]
For example:
[edit groups global system]
user@host# set authentication-order [ radius password tacplus ]
- Assign a login class to RADIUS-authenticated users.
You can assign different user templates and login classes to RADIUS-authenticated users, so that different users receive different administrative permissions on the Junos OS device. The username remote is a special case in Junos OS: it is a template for users who are authenticated by a remote server but have no locally configured user account on the device. By default, a RADIUS-authenticated user without a local account is mapped to the remote template and receives the login class configured in it, if the remote template is configured. All users mapped to the remote template therefore share one login class.
In the Junos OS configuration, a user template is configured in the same way as a regular local user account, except that no local authentication password is configured because the authentication is remotely performed on the RADIUS server.
  - To use the same permissions for all RADIUS-authenticated users:
    [edit groups global system login]
    user@host# set user remote class class
    For example:
    [edit groups global system login]
    user@host# set user remote class super-user
    Note that with this setting every account the RADIUS server accepts gets full privileges on the device. For least privilege, give the remote template a restricted class and map the few privileged users explicitly, as in the next option.
  - To have different login classes be used for different RADIUS-authenticated users, granting them different permissions:
    - Create multiple user templates in the Junos OS configuration. Every user template can be assigned a different login class. For example:
      [edit groups global system login]
      set user RO class read-only
      set user OP class operator
      set user SU class super-user
      set user remote full-name "default remote access user template"
      set user remote class read-only
    - Have the RADIUS server specify the name of the user template to be applied to the authenticated user.
For a RADIUS server to indicate which user template is to be applied, it needs to include the Juniper-Local-User-Name attribute (Vendor 2636, type 1, string) Juniper VSA (vendor-specific attribute) in the RADIUS Access-Accept message. The string value in the Juniper-Local-User-Name must correspond to the name of a configured user template on the device. For a list of relevant Juniper RADIUS VSAs, see Juniper Networks Vendor-Specific RADIUS Attributes.
If the Juniper-Local-User-Name is not included in the Access-Accept message or the string contains a user template name that does not exist on the device, the user is assigned to the remote user template, if configured. If it is not configured, authentication fails for the user.
After logging in, the remotely authenticated user retains the same username that was used to log in. However, the user inherits the user class from the assigned user template.
In a RADIUS server, users can be assigned a Juniper-Local-User-Name string, which indicates the user template to be used in the Junos OS device. From the previous example, the string would be RO, OP, or SU.
Configuration of the RADIUS server depends on the server being used. For instructions for the Juniper Steel-Belted Radius server, see Steel-Belted Radius (SBR) Enterprise. For information on using FreeRADIUS, see http://kb.juniper.net/InfoCenter/index?page=content&id=KB19446.
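As an added example (not Juniper's code and not part of the original documentation), the following Python script models the exchange that the steps above configure: the device sends an Access-Request whose User-Password attribute is obfuscated under the shared secret, the server answers with an Access-Accept carrying the Juniper-Local-User-Name VSA (vendor 2636, type 1), and the device verifies the Response Authenticator before mapping the VSA to a user template using the fallback rules described above (named template, else remote, else fail). The NAS address 192.168.17.1, the user alice, the password hunter2, the secret secretkey and the template table are constructed sample values.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
JUNIPER_VENDOR_ID = 2636        # Juniper Networks enterprise number
JUNIPER_LOCAL_USER_NAME = 1     # Juniper VSA type 1, string: name of the Junos user template


def _attr(atype, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def juniper_vsa(vsa_type, value):
    """Vendor-Specific (26) attribute wrapping one Juniper sub-attribute."""
    sub = struct.pack("!BB", vsa_type, len(value) + 2) + value
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + sub)


def _password_xor(data, secret, request_auth, chain_on_input):
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block chains from the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, keystream))
        out += result
        prev = block if chain_on_input else result   # ciphertext is input when decoding
    return out


def encode_user_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to a 16-byte multiple
    return _password_xor(padded, secret, request_auth, chain_on_input=False)


def decode_user_password(encoded, secret, request_auth):
    return _password_xor(encoded, secret, request_auth, chain_on_input=True).rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """Client (Junos device) side; the Request Authenticator must be fresh random bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, encode_user_password(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request, secret):
    """Client side: trust a reply only if its authenticator validates under the shared secret."""
    _, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet):
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def juniper_local_user_name(packet):
    """Return the Juniper-Local-User-Name string if the packet carries one, else None."""
    for atype, value in parse_attributes(packet):
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor == JUNIPER_VENDOR_ID and vtype == JUNIPER_LOCAL_USER_NAME:
                return value[6:4 + vlen].decode("utf-8", "replace")
    return None


def select_login_class(response, request, secret, templates):
    """Junos template-selection rules: named template, else 'remote', else fail (None).
    templates maps template name to login class, e.g. {"RO": "read-only", "remote": "read-only"}."""
    if not verify_response(response, request, secret) or response[0] != ACCESS_ACCEPT:
        return None
    name = juniper_local_user_name(response)
    if name in templates:
        return templates[name]
    return templates.get("remote")   # unknown or absent VSA falls back to the remote template


if __name__ == "__main__":
    # Constructed sample exchange (hypothetical NAS, user, password and secret).
    secret = b"secretkey"
    templates = {"RO": "read-only", "OP": "operator", "SU": "super-user", "remote": "read-only"}
    req = build_access_request(7, b"alice", b"hunter2", secret, "192.168.17.1")
    accept = build_response(ACCESS_ACCEPT, req, secret, juniper_vsa(JUNIPER_LOCAL_USER_NAME, b"OP"))
    print("login class:", select_login_class(accept, req, secret, templates))
```

The decode function is there to make the security point concrete: anyone who holds the shared secret and a capture of the Access-Request recovers the password, and anyone who holds the secret can forge an Access-Accept that passes verification. That is why the secret should be long and random, unique per server, and why RADIUS traffic belongs on a management network or inside an encrypted tunnel rather than on the general network.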