Junos OS User Authentication Overview


Junos OS supports local password authentication, RADIUS and TACACS+ to control who can log in to the router or switch, regardless of whether the user connects over SSH, Telnet or the console. Telnet carries credentials in cleartext, so prefer SSH for management access. Authentication prevents unauthorized devices and users from gaining access to your network devices and, with MAC RADIUS on switches, to your LAN.

Junos OS User Authentication Methods

The Junos OS supports three methods of user authentication: local password authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System Plus (TACACS+).

With local password authentication, you configure a password for each user allowed to log in to the router or switch.

RADIUS and TACACS+ validate users who attempt to log in to the router or switch, whether over SSH, Telnet or the console. Both are distributed client-server systems: the RADIUS or TACACS+ client runs on the router or switch, and the server runs on a remote network system. The device itself therefore holds no passwords for these users, only the shared secret it uses to talk to the server.

You can configure the router or switch to be both a RADIUS and a TACACS+ client, and you can also configure local passwords in the Junos OS configuration file. The authentication-order statement at the [edit system] hierarchy level sets the order in which the software tries the methods when verifying user access. If the list omits password, local passwords are consulted only when none of the configured servers responds; if password is listed, the local password is also tried after a server rejects the user.
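Putting the three methods together, as an added example that is not part of the original page: one RADIUS server, one TACACS+ server and the order in which Junos OS tries them. The server addresses, the source address, the shared secrets and the ssh statement are assumptions; substitute your own.

```junos
# Added example, not from the original page. Addresses and secrets are placeholders.
system {
    # Management access over SSH only; Telnet would send passwords in cleartext.
    services {
        ssh {
            root-login deny;
        }
    }
    # Junos OS tries TACACS+ first, then RADIUS, then the local password database.
    # Because "password" is listed, a local account is tried even after a server
    # rejects the user. Remove "password" and local accounts are used only when
    # no server answers at all (timeouts), which is the usual hardened setting.
    authentication-order [ tacplus radius password ];
    radius-server {
        192.0.2.10 {
            secret "Example-RADIUS-Secret";   # plaintext here, encrypted on commit
            timeout 5;
            retry 3;
            source-address 192.0.2.1;         # fixed source so the server can match the client
        }
    }
    tacplus-server {
        192.0.2.20 {
            secret "Example-TACACS-Secret";
            timeout 5;
            single-connection;                # reuse one TCP session for all requests
            source-address 192.0.2.1;
        }
    }
}
```

Load it with load merge terminal from the [edit] hierarchy and commit with commit confirmed 5 rather than commit: if the shared secret is wrong or the servers are unreachable in a way you did not expect, the configuration rolls back after five minutes unless you confirm it. Verify the server exchange by logging in from a second session before you close the one you configured from.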

Junos OS switches can also control which end devices are allowed onto the LAN itself, using several authentication methods, for example media access control (MAC) RADIUS authentication, in which the switch authenticates a connected device by its MAC address. Authentication prevents unauthorized devices and users from gaining access to your LAN. For MAC RADIUS authentication, end devices must be authenticated before they receive an IP address from a DHCP server, because the interface does not forward the device's traffic until authentication succeeds.

Note

Notes on MAC RADIUS authentication:

  • You can allow specific end devices onto the network without authenticating them on the RADIUS server by adding their MAC addresses to the static MAC bypass list with the authentication-whitelist statement. Treat this list as an exception mechanism for devices that cannot authenticate, such as printers: a MAC address is trivially spoofed, so a whitelisted address is a weaker control than RADIUS authentication.

  • You can configure one or a combination of several authentication methods on a single interface, which enables fallback to the next method if the first or second method is unsuccessful.

  • The EAP method supported for MAC RADIUS authentication is EAP-MD5.

  • You can configure MAC RADIUS authentication on interfaces that are connected to end devices.

  • When you configure the mac-radius restrict option, the switch does not attempt 802.1X authentication on the interface; it immediately performs MAC RADIUS authentication by sending the MAC address of the end device to the RADIUS server. If the MAC address is configured on the RADIUS server, the end device is granted LAN access.
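The MAC RADIUS options from the notes above, as an added example that is not from the original page: one access port restricted to MAC RADIUS, the access profile and RADIUS server it uses, and one device on the static bypass list. The interface ge-0/0/10, the profile name, the server address and the MAC address are placeholders.

```junos
# Added example, not from the original page. Interface, addresses and MAC are placeholders.
access {
    radius-server {
        192.0.2.10 {
            secret "Example-RADIUS-Secret";
        }
    }
    # 802.1X/MAC RADIUS uses an access profile, not the system-level radius-server list.
    profile dot1x-profile {
        authentication-order radius;
        radius {
            authentication-server 192.0.2.10;
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name dot1x-profile;
            # Static MAC bypass: this device is admitted without asking the RADIUS
            # server. Use sparingly; the address can be spoofed by anyone on the port.
            authentication-whitelist {
                00:00:5e:00:53:01/48 {
                    interface ge-0/0/10.0;
                }
            }
            interface ge-0/0/10.0 {
                supplicant multiple;     # authenticate each MAC seen on the port separately
                mac-radius {
                    restrict;            # skip 802.1X entirely; MAC RADIUS only
                }
            }
        }
    }
}
```

On the RADIUS server, each permitted device needs an entry whose user name and password are both the device's MAC address, authenticated with EAP-MD5 as the page notes. Confirm the result with show dot1x interface ge-0/0/10.0 detail from operational mode, which lists each MAC address seen on the port and whether it was authenticated or admitted from the bypass list.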

Configuring Local User Template Accounts for User Authentication

You use local user template accounts when you need different types of templates for authentication. Each template can define a different set of permissions appropriate for the group of users who use that template. These templates are defined locally on the router or switch and referenced by the TACACS+ and RADIUS authentication servers.

When you configure local user templates and a user logs in, Junos OS sends the user's login name to the authentication server. If the server authenticates the user, Junos OS checks whether the reply specifies a local user name for that login name (the local-user-name attribute for TACACS+, the Juniper-Local-User-Name vendor-specific attribute for RADIUS). If so, Junos OS applies the local user template of that name configured on the router or switch. If the reply carries no local user name, or no template of that name exists, the router or switch falls back to the remote template.

To give different access privileges to users who share a local user template, add allow-commands and deny-commands attributes to those users' records on the authentication server (the Juniper-Allow-Commands and Juniper-Deny-Commands vendor-specific attributes for RADIUS). They are applied on top of the permissions of the template's login class, and a deny always wins over an allow.

To configure a local user template, include the user template-name statement at the [edit system login] hierarchy level and assign a login class that carries the privileges you want to grant to the users to whom the template applies.

For example, suppose the sales and engineering local user templates are configured, and the authentication server returns the local user name sales for the login users Simon and Rob and engineering for Harold and Jim. When Simon and Rob are authenticated, the router or switch applies the sales template; when Harold and Jim are authenticated, it applies the engineering template. In each case the CLI user name, and the name recorded in the logs, remains the user's own login name.

Configuring Remote Template Accounts for User Authentication

By default, the Junos OS uses remote template accounts for user authentication when:

  • The authenticated user does not exist locally on the router or switch.

  • The authenticated user's record on the authentication server does not specify a local user name, or specifies one that does not exist locally on the router or switch.

To configure the remote template account, include the user remote statement at the [edit system login] hierarchy level and assign a login class that carries the privileges you want to grant to remote users. Every remotely authenticated user without a matching local template lands on this account, so give it the least privilege that still lets those users work (for example the predefined read-only or operator class) rather than super-user.

To configure different access privileges for users who share the remote template account, include the allow-commands and deny-commands attributes in the users' records on the authentication server, as for local user templates.
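The local and remote templates described in the two sections above, as an added example that is not from the original page. The template names sales, engineering and remote follow the text; the class names sales-ops and eng-admin and the command regular expressions are assumptions chosen to show how a template's privileges are scoped.

```junos
# Added example, not from the original page. Class names and regexes are assumptions.
system {
    login {
        # Permissions live in login classes; a template only points at a class.
        class sales-ops {
            permissions [ view view-configuration ];
            # Grant a few operational commands the view permission alone would not.
            allow-commands "(show interfaces|show route|ping|traceroute)";
            # deny-commands overrides both permissions and allow-commands.
            deny-commands "(request|start shell|file)";
        }
        class eng-admin {
            permissions all;
            # Full configuration rights, but no shell and no reboot/software install
            # from the template; grant those per user from the AAA server if needed.
            deny-commands "(start shell|request system)";
        }
        # Local user templates, selected when the server returns this name in
        # local-user-name (TACACS+) or Juniper-Local-User-Name (RADIUS).
        user sales {
            class sales-ops;
        }
        user engineering {
            class eng-admin;
        }
        # Remote template: used when the server returns no local user name, or one
        # with no matching template here. Least privilege, since it is the default.
        user remote {
            class read-only;
        }
    }
}
```

On the server side the mapping is a single attribute in each user's record: for TACACS+, local-user-name = sales under the junos-exec service; for RADIUS, the Juniper vendor-specific attribute Juniper-Local-User-Name = "sales" (vendor ID 2636). Nothing in the device configuration mentions Simon, Rob, Harold or Jim; they exist only on the AAA server, which is the point of templates. After commit, log in as a user the server maps to sales and run show cli authorization to confirm the effective class, permissions and command restrictions.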

Example: Creating Template Accounts

This example shows how to create template accounts.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

You can create template accounts that are shared by a set of users when you are using RADIUS or TACACS+ authentication. When a user is authenticated by a template account, the CLI username is the login name, and the privileges, file ownership, and effective user ID are inherited from the template account.

By default, Junos OS uses the remote template account when:

  • The authenticated user does not exist locally on the device.

  • The authenticated user's record on the RADIUS or TACACS+ server does not specify a local user name, or specifies one that does not exist locally on the device.

In this example, you create a remote template account with the username remote and the login class operator. This remote template is applied to users authenticated by RADIUS or TACACS+ who do not map to a local template account.

You then create a local template account with the username admin and the login class super-user. You use local template accounts when you need different types of templates. Each template can define a different set of permissions appropriate for the group of users who use that template.

Configuration

Creating a Remote Template Account

CLI Quick Configuration

To quickly configure this example, copy the configuration commands for this example, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To create a remote template account:

  • Set the username to remote and the login class to operator by including the user remote statement, with the class operator statement beneath it, at the [edit system login] hierarchy level.

Results

From configuration mode, confirm your configuration by entering the show system login command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Creating a Local Template Account

CLI Quick Configuration

To quickly configure this example, copy the configuration commands for this example, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To create a local template account:

  1. Set the username to admin and the login class to super-user by including the user admin statement, with the class super-user statement beneath it, at the [edit system login] hierarchy level.

Results

From configuration mode, confirm your configuration by entering the show system login command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Note

To completely set up RADIUS or TACACS+ authentication, you must also configure at least one RADIUS or TACACS+ server (the radius-server or tacplus-server statement at the [edit system] hierarchy level) and specify a system authentication order with the authentication-order statement. Until you do, the template accounts are never selected, because no remote server is consulted.

Verification

Confirm that the configuration is working properly.

Verifying the Template Accounts Creation

Purpose

Verify that the template accounts have been created.

Action

From operational mode, enter the show configuration system login command (from configuration mode, show system login). Confirm that the remote and admin template accounts appear with the intended login classes.

Understanding Remote Authentication Servers

You probably already use a remote authentication server (or servers) in your network. It is a recommended best practice, because such servers allow you to centrally create a consistent set of user accounts for all devices in your network. There are many good reasons for implementing an authentication, authorization, and accounting (AAA) solution, not the least of which is to make the management of user accounts easier.

There are two basic methods of remote authentication in use by most enterprises today: RADIUS and TACACS+. Junos OS supports both and can be configured to query multiple remote authentication servers of both types. The idea behind a RADIUS or TACACS+ server is simple: a central authentication server that routers, switches, security devices, and even servers use to authenticate users as they attempt to gain access. A central user directory also gives you one place to audit logins and enforce access control, which is the usual justification for RADIUS or TACACS+ in network infrastructure.

Using a central server has multiple advantages over the alternative of creating local users on each device, a time-consuming and error-prone task that tends to leave stale accounts behind when staff change. A central authentication system also simplifies the use of one-time password systems such as RSA SecurID, which protect against password sniffing and replay attacks, in which someone uses a captured password to pose as a system administrator.

  • RADIUS—You should use RADIUS when your priorities are interoperability and performance.

    • Interoperability—RADIUS is an IETF standard (RFC 2865) and is supported by virtually every network device and AAA server. TACACS+ began as a Cisco protocol and, although it is now documented in RFC 8907, it is less widely implemented outside network equipment.

    • Performance—RADIUS runs over UDP with a single authentication exchange and is lighter on your routers and switches; for this reason network engineers often prefer RADIUS where per-command authorization is not needed.

  • TACACS+—You should use TACACS+ when your priorities are security and flexibility.

    • Security—TACACS+ obfuscates the entire packet body with a pad derived from the shared secret, so only the header travels in the clear, whereas RADIUS hides only the User-Password attribute and sends user names and authorization attributes in cleartext. TACACS+ also separates authentication from authorization, so a device can ask the server whether a particular command is permitted each time it is entered, rather than receiving one fixed set of privileges at login. Neither protocol's protection is strong cryptography by modern standards: both rest on an MD5-based construction keyed with the shared secret, so keep AAA traffic on a trusted management network or inside a protected tunnel, and use long, unique shared secrets per device.

    • Flexibility—TCP is a more flexible transport than UDP: delivery is reliable, a dead server is detected by the connection failing rather than by waiting out retries, and Junos OS can keep a single connection open for all requests to a server. TACACS+ authorization can also carry attributes for protocols other than IP, such as the legacy NetBIOS and AppleTalk attributes it inherited from its Cisco origins.