RADIUS Authentication


The Junos OS supports RADIUS for central authentication of users on multiple routers, switches, or security devices. To use RADIUS authentication on the device, you must configure information about one or more RADIUS servers on the network. You can also configure RADIUS accounting on the device to collect statistical data about the users logging in to or out from a LAN and send the data to a RADIUS accounting server. For more information, read this topic.

Configuring RADIUS Server Authentication

RADIUS authentication is a method of authenticating users who attempt to access the router or switch.

Why Use RADIUS

The Junos OS supports two protocols for central authentication of users on multiple routers: RADIUS and TACACS+. We recommend RADIUS because it is a multivendor IETF standard, and its features are more widely accepted than those of TACACS+ or other proprietary systems. In addition, we recommend using a one-time-password system for increased security, and all vendors of these systems support RADIUS.

You should use RADIUS when your priorities are interoperability and performance:

  • Interoperability—RADIUS is more interoperable than TACACS+, primarily because of the proprietary nature of TACACS+. While TACACS+ supports more protocols, RADIUS is universally supported.

  • Performance—RADIUS is much lighter on your routers and switches, and for this reason network engineers generally prefer RADIUS over TACACS+.

Configuring RADIUS Server Details

To use RADIUS authentication on the device, configure information about one or more RADIUS servers on the network by including one radius-server statement at the [edit system] hierarchy level for each RADIUS server.

Because remote authentication is configured on multiple devices, it is commonly configured inside of a configuration group. As such, the steps shown here are in a configuration group called global. Using a configuration group is optional.

Note

The remote statement must always be lowercase.

Note

This feature is supported on SRX1500, SRX5400, SRX5600, and SRX5800 devices.

To configure authentication by a RADIUS server:

  1. Add an IPv4 or IPv6 server address.

    • Configure an IPv4 source-address and server-address:

      For example:

    • Configure an IPv6 source-address and server address:

      For example:

      Source address is a valid IPv4 or IPv6 address configured on one of the router or switch interfaces. This sets a fixed address as the source address for locally generated IP packets.

      Server address is a unique IPv4 or IPv6 address that is assigned to a particular server and used to route information to the server. If the Junos OS device has several interfaces that can reach the RADIUS server, assign an IP address that Junos OS can use for all its communication with the RADIUS server.

  2. Include a shared secret password.

    You must specify a password in the secret password statement. If the password contains spaces, enclose it in quotation marks. The secret password used by the local router or switch must match that used by the server. The secret password configures the password that the Junos OS device uses to access the RADIUS server.

    For example:

  3. If necessary, specify a port on which to contact the RADIUS server.

    By default, port number 1812 is used (as specified in RFC 2865).

    Note

    You can also specify an accounting port to send accounting packets with the accounting-port statement. The default is 1813 (as specified in RFC 2866).

    For example:

  4. Specify the order in which Junos OS attempts authentication.

    You must include the authentication-order statement in your remote authentication configuration.

    The example assumes your network includes both RADIUS and TACACS+ servers. In this example, whenever a user attempts to log in, Junos OS begins by querying the RADIUS server for authentication. If it fails, it next attempts authentication with locally configured user accounts. Finally the TACACS+ server is tried.

    For example:

  5. Assign a login class to RADIUS-authenticated users.

    You can assign different user templates and login classes to RADIUS-authenticated users. This allows RADIUS-authenticated users to be granted different administrative permissions on the Junos OS device. By default, RADIUS-authenticated users use the remote user template and are assigned to the associated class, which is specified in the remote user template, if the remote user template is configured. The username remote is a special case in Junos OS. It acts as a template for users who are authenticated by a remote server, but do not have a locally configured user account on the device. In this method, Junos OS applies the permissions of the remote template to those authenticated users without a locally defined account. All users mapped to the remote template are of the same login class.

    In the Junos OS configuration, a user template is configured in the same way as a regular local user account, except that no local authentication password is configured because the authentication is remotely performed on the RADIUS server.

    • To use the same permissions for all RADIUS-authenticated users:

      For example:

    • To have different login classes be used for different RADIUS-authenticated users, granting them different permissions:

      1. Create multiple user templates in the Junos OS configuration.

        Every user template can be assigned a different login class.

        For example:

      2. Have the RADIUS server specify the name of the user template to be applied to the authenticated user.

        For a RADIUS server to indicate which user template is to be applied, it needs to include the Juniper-Local-User-Name attribute (Vendor 2636, type 1, string) Juniper VSA (vendor-specific attribute) in the RADIUS Access-Accept message. The string value in the Juniper-Local-User-Name must correspond to the name of a configured user template on the device. For a list of relevant Juniper RADIUS VSAs, see Juniper Networks Vendor-Specific RADIUS Attributes.

        If the Juniper-Local-User-Name is not included in the Access-Accept message or the string contains a user template name that does not exist on the device, the user is assigned to the remote user template, if configured. If it is not configured, authentication fails for the user.

        After logging in, the remotely authenticated user retains the same username that was used to log in. However, the user inherits the user class from the assigned user template.

        In a RADIUS server, users can be assigned a Juniper-Local-User-Name string, which indicates the user template to be used in the Junos OS device. From the previous example, the string would be RO, OP, or SU. Configuration of the RADIUS server depends on the server being used.
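The Access-Accept exchange from steps 2 and 5, as an added Python example that is not Junos or Juniper code: the server side builds an Access-Accept carrying the Juniper-Local-User-Name VSA (vendor 2636, type 1), and the device side verifies the reply with the shared secret and applies the template-selection rule described above. The secret, request authenticator, identifier and template names are constructed values.

```python
# Added example (not Junos or Juniper code): server side builds an Access-Accept
# with the Juniper-Local-User-Name VSA; device side validates the reply with the
# shared secret and applies the user-template rule from the text.
# SECRET, REQUEST_AUTH and the template names are constructed values.
import hashlib
import hmac
import struct
from typing import Optional, Set

JUNIPER_VENDOR_ID = 2636          # Juniper Networks vendor ID (Table 1)
JUNIPER_LOCAL_USER_NAME = 1       # VSA type 1, string
ATTR_VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute
CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3

REQUEST_AUTH = bytes(range(16))   # constructed stand-in for the Access-Request authenticator
SECRET = b"Radiussecret1"         # constructed; must match on device and server


def attr(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type (1 octet), Length (1 octet, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def juniper_vsa(vsa_type: int, value: bytes) -> bytes:
    """Attribute 26 wrapping Vendor-Id 2636 and one Juniper sub-attribute."""
    sub = struct.pack("!BB", vsa_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + sub)


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server side. Response Authenticator per RFC 2865:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Device side: a reply built with a different shared secret does not verify."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def juniper_local_user_name(packet: bytes) -> Optional[str]:
    """Return the Juniper-Local-User-Name string from a reply, or None if absent."""
    attrs, pos = packet[20:], 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            return None                      # malformed length: stop parsing
        value = attrs[pos + 2:pos + a_len]
        if a_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            v_type, v_len = value[4], value[5]
            if (vendor == JUNIPER_VENDOR_ID and v_type == JUNIPER_LOCAL_USER_NAME
                    and v_len == len(value) - 4):
                return value[6:].decode("ascii", errors="replace")
        pos += a_len
    return None


def select_template(packet: bytes, request_auth: bytes, secret: bytes,
                    templates: Set[str]) -> Optional[str]:
    """Rule from the text: a VSA naming a configured template selects it; a missing
    VSA or an unknown name falls back to the 'remote' template if configured;
    otherwise authentication fails (None). A reply that does not verify also fails."""
    if not verify_response(packet, request_auth, secret):
        return None
    if packet[0] != CODE_ACCESS_ACCEPT:
        return None
    name = juniper_local_user_name(packet)
    if name is not None and name in templates:
        return name
    return "remote" if "remote" in templates else None


def demo_accept(template: Optional[bytes], secret: bytes, ident: int = 7) -> bytes:
    """Build an Access-Accept (with or without the VSA) for the constructed request."""
    attrs = juniper_vsa(JUNIPER_LOCAL_USER_NAME, template) if template else b""
    return build_response(CODE_ACCESS_ACCEPT, ident, REQUEST_AUTH, attrs, secret)


if __name__ == "__main__":
    reply = demo_accept(b"OP", SECRET)
    print(select_template(reply, REQUEST_AUTH, SECRET, {"RO", "OP", "SU", "remote"}))
```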

Configuring RADIUS To Use the Management Instance

By default, Junos OS routes authentication, authorization, and accounting packets for RADIUS through the default routing instance. Starting in Junos OS Release 18.1R1, existing RADIUS behavior is enhanced to support a management interface in a non-default VRF instance.

When the routing-instance mgmt_junos option is configured in both the radius-server server-ip-address and the radius server server-ip-address statements, provided the management-instance statement is also configured, RADIUS packets are routed through the management instance mgmt_junos.

Note

The routing-instance mgmt_junos option must be configured in both the radius-server and the radius server statements. If not, even if the management-instance statement is set, RADIUS packets will still be sent using the default routing instance only.

For more details on this management instance, see management-instance.

Example: Configuring a RADIUS Server for System Authentication

This example shows how to configure a RADIUS server for system authentication.

Requirements

Before you begin:

Overview

In this example, you add a new RADIUS server with an IP address of 172.16.98.1 and specify the shared secret password of the RADIUS server as Radiussecret1. The secret is stored as an encrypted value in the configuration database. Finally, you specify the source address to be included in the RADIUS server requests by the device. In most cases you can use the loopback address of the device, which in this example is 10.0.0.1.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

GUI Step-by-Step Procedure

To configure a RADIUS server for system authentication:

  1. In the J-Web user interface, select Configure>System Properties>User Management.
  2. Click Edit. The Edit User Management dialog box appears.
  3. Select the Authentication Method and Order tab.
  4. In the RADIUS section, click Add. The Add Radius Server dialog box appears.
  5. In the IP Address box, type the server's 32-bit IP address.
  6. In the Password and Confirm Password boxes, type the secret password for the server and verify your entry.
  7. In the Server Port box, type the appropriate port.
  8. In the Source Address box, type the source IP address of the server.
  9. In the Retry Attempts box, specify the number of times that the server should try to verify the user’s credentials.
  10. In the Time Out box, specify the amount of time (in seconds) the device should wait for a response from the server.
  11. Click OK to check your configuration and save it as a candidate configuration.
  12. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a RADIUS server for system authentication:

  1. Add a new RADIUS server and set its IP address.
  2. Specify the shared secret (password) of the RADIUS server.
  3. Specify the device’s loopback address source address.

Results

From configuration mode, confirm your configuration by entering the show system radius-server command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Note

To completely set up RADIUS authentication, you must create user template accounts and specify a system authentication order. Do one of the following tasks:

Verification

Confirm that the configuration is working properly.

Verifying the RADIUS Server System Authentication Configuration

Purpose

Verify that the RADIUS server has been configured for system authentication.

Action

From operational mode, enter the show system radius-server command.

Example: Configuring RADIUS Authentication


The Junos OS uses one or more template accounts to perform user authentication. You create the template account or accounts, and then configure the user access to use that account. If the RADIUS server is unavailable, the fallback is for the login process to use the local account that is set up on the router or switch.

The following example shows how to configure RADIUS authentication:

The following example shows how to enable RADIUS authentication and define the shared secret between the client and the server. The secret enables the client and server to determine that they are talking to the trusted peer.

Define a timeout value for each server, so that if there is no response within the specified number of seconds, the router can try either the next server or the next authentication mechanism.

The following example shows how to configure RADIUS template accounts for different users or groups of users:

Configuring RADIUS Authentication (QFX Series or OCX Series)

RADIUS authentication is a method of authenticating users who attempt to access the router or switch. Tasks to configure RADIUS authentication are:

Note

The source-address statement is not supported at the [edit system radius-options] or [edit system radius-server name] hierarchies on the QFabric system.

Configuring RADIUS Server Details

To use RADIUS authentication on the router or switch, configure information about one or more RADIUS servers on the network by including one radius-server statement at the [edit system] hierarchy level for each RADIUS server:

server-address is the address of the RADIUS server.

You can specify a port on which to contact the RADIUS server. By default, port number 1812 is used (as specified in RFC 2865). You can also specify an accounting port to send accounting packets. The default is 1813 (as specified in RFC 2866).

You must specify a password in the secret password statement. If the password contains spaces, enclose it in quotation marks. The secret used by the local router or switch must match that used by the server.

Optionally, you can specify the amount of time that the local router or switch waits to receive a response from a RADIUS server (in the timeout statement) and the number of times that the router or switch attempts to contact a RADIUS authentication server (in the retry statement). By default, the router or switch waits 3 seconds. You can configure this to be a value from 1 through 90 seconds. By default, the router or switch retries connecting to the server three times. You can configure this to be a value from 1 through 10 times.

You can use the source-address statement to specify a logical address for individual or multiple RADIUS servers.

To configure multiple RADIUS servers, include multiple radius-server statements.

To configure a set of users that share a single account for authorization purposes, you create a template user. To do this, include the user statement at the [edit system login] hierarchy level, as described in Example: Configuring Authentication Order.

You can also configure RADIUS authentication at the [edit access] and [edit access profile] hierarchy levels. Junos OS uses the following search order to determine which set of servers is used for authentication:

  1. [edit access profile profile-name radius-server server-address]

  2. [edit access radius-server server-address]

  3. [edit system radius-server server-address]

Configuring MS-CHAPv2 for Password-Change Support

You can configure the Microsoft implementation of the Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) on the router or switch to support changing of passwords. This feature provides users accessing a router or switch the option of changing the password when the password expires, is reset, or is configured to be changed at the next login.

Before you configure MS-CHAPv2 for password-change support, ensure that you:

  • Configure the RADIUS server authentication parameters

  • Set the authentication-order to use the RADIUS server for the initial password attempt

To configure MS-CHAPv2, include the following statements at the [edit system radius-options] hierarchy level:

The following example shows statements for configuring the MS-CHAPv2 password protocol, password authentication order, and user accounts:

Specifying a Source Address for the Junos OS to Access External RADIUS Servers

You can specify which source address Junos OS uses when accessing your network to contact an external RADIUS server for authentication. You can also specify which source address Junos OS uses when contacting a RADIUS server for sending accounting information.

To specify a source address for a RADIUS server, include the source-address statement at the [edit system radius-server server-address] hierarchy level:

source-address is a valid IP address configured on one of the router or switch interfaces.

Juniper Networks Vendor-Specific RADIUS Attributes

Junos OS supports the configuration of Juniper Networks RADIUS vendor-specific attributes (VSAs). These VSAs are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636. Table 1 lists the Juniper Networks VSAs you can configure.

Table 1: Juniper Networks Vendor-Specific RADIUS Attributes

Each entry gives the attribute name, its Type number, its Length, and the format of its String value, followed by the description.

Juniper-Local-User-Name (Type 1, Length ≥3)
  String: One or more octets containing printable ASCII characters.
  Indicates the name of the user template used by this user when logging in to a device. This attribute is used only in Access-Accept packets.

Juniper-Allow-Commands (Type 2, Length ≥3)
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies.
  Contains an extended regular expression that enables the user to run operational mode commands in addition to the commands authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets.

Juniper-Deny-Commands (Type 3, Length ≥3)
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies.
  Contains an extended regular expression that denies the user permission to run operational mode commands authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets.

Juniper-Allow-Configuration (Type 4, Length ≥3)
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies.
  Contains an extended regular expression that enables the user to run configuration mode commands in addition to the commands authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets.

Juniper-Deny-Configuration (Type 5, Length ≥3)
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies.
  Contains an extended regular expression that denies the user permission to run configuration commands authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets.

Juniper-Interactive-Command (Type 8, Length ≥3)
  String: One or more octets containing printable ASCII characters.
  Indicates the interactive command entered by the user. This attribute is used only in Accounting-Request packets.

Juniper-Configuration-Change (Type 9, Length ≥3)
  String: One or more octets containing printable ASCII characters.
  Indicates the interactive command that results in a configuration (database) change. This attribute is used only in Accounting-Request packets.

Juniper-User-Permissions (Type 10, Length ≥3)
  String: One or more octets containing printable ASCII characters. The string is a list of permission flags separated by a space. The exact name of each flag must be specified in its entirety. See Login Class Permission Flags.
  Contains information the server uses to specify user permissions. This attribute is used only in Access-Accept packets.

  Note: When the Juniper-User-Permissions attribute is configured to grant the Junos OS maintenance or all permissions on a RADIUS server, the UNIX wheel group membership is not automatically added to a user's list of group memberships. Some operations such as running the su root command from a local shell require wheel group membership permissions. However, when a user is configured locally with the permissions maintenance or all, the user is automatically granted membership to the UNIX wheel group. Therefore, we recommend that you create a template user account with the required permissions and associate individual user accounts with the template user account.

Juniper-Authentication-Type (Type 11, Length ≥5)
  String: One or more octets containing printable ASCII characters.
  Indicates the authentication method (local database or RADIUS server) used to authenticate a user. If the user is authenticated using a local database, the attribute value shows 'local'. If the user is authenticated using a RADIUS server, the attribute value shows 'remote'.

Juniper-Session-Port (Type 12, Length: size of integer)
  String: Integer.
  Indicates the source port number of the established session.

For more information about the VSAs, see RFC 2138, Remote Authentication Dial In User Service (RADIUS).

Juniper-Switching-Filter VSA Match Conditions and Actions

Devices support the configuration of RADIUS server attributes specific to Juniper Networks. These attributes are known as vendor-specific attributes (VSAs) and are described in RFC 2138, Remote Authentication Dial In User Service (RADIUS).

Through VSAs, you can configure port-filtering attributes on the RADIUS server. VSAs are cleartext fields sent from the RADIUS server to the device as a result of authentication success or failure. Authentication prevents unauthorized user access by blocking a supplicant at the port until the device is authenticated by the RADIUS server. The VSA attributes are interpreted by the device during authentication, and the device takes appropriate actions. Implementing port-filtering attributes with authentication on the RADIUS server provides a central location for controlling LAN access for supplicants.

These port-filtering attributes specific to Juniper Networks are encapsulated in a RADIUS server VSA with the vendor ID set to the Juniper Networks ID number, 2636.

As well as configuring port-filtering attributes through VSAs, you can apply a port firewall filter that has already been configured on the device directly to the RADIUS server. Like port-filtering attributes, the filter is applied during the authentication process, and its actions are applied at the device port. Adding a port firewall filter to a RADIUS server eliminates the need to add the filter to multiple ports and devices.

The Juniper-Switching-Filter VSA works in conjunction with 802.1X authentication to centrally control access of supplicants to the network. You can use this VSA to configure filters on the RADIUS server, which are sent to the switch and applied to users that have been authenticated using 802.1X authentication.

The Juniper-Switching-Filter VSA can contain one or more filter terms. Filter terms are configured using one or more match conditions with a resulting action. Match conditions are the criteria that a packet must meet for a configured action to be applied on it. The action is the action that the switch takes if a packet meets the criteria in the match conditions. The action that the switch can take is either accept or deny a packet.

The following guidelines apply when you specify match conditions and actions for VSAs:

  • Both match and action statements are mandatory.

  • If no match condition is specified, any packet is considered a match by default.

  • If no action is specified, the default action is to deny the packet.

  • Any or all options can be included in each match and action statement.

  • The AND operation is performed on fields that are of a different type, which are separated by commas. Fields of the same type cannot be repeated.

  • For the forwarding-class option to be applied, the forwarding class must be configured on the switch. If the forwarding class is not configured on the switch, this option is ignored.

Table 2 describes the match conditions that you can specify when you configure a VSA attribute as a firewall filter by using the match command on the RADIUS server. The string that defines a match condition is called a match statement.

Table 2: Match Conditions

Option

Description

destination-mac mac-address

Destination media access control (MAC) address of the packet.

source-vlan source-vlan

Name of the source VLAN.

source-dot1q-tag tag

Tag value in the 802.1Q header, in the range 0 through 4095.

destination-ip ip-address

Address of the final destination node.

ip-protocol protocol-id

IPv4 protocol value. In place of the numeric value, you can specify one of the following text synonyms:

ah, egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), tcp (6), or udp (17)

source-port port

TCP or User Datagram Protocol (UDP) source port field. Normally, you specify this match statement in conjunction with the ip-protocol match statement to determine which protocol is being used on the port. In place of the numeric field, you can specify one of the text options listed under destination-port.

destination-port port

TCP or UDP destination port field. Normally, you specify this match statement in conjunction with the ip-protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed):

afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cvspserver (2401), cmd (514), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), telnet (23), tacacs-ds (65), talk (517), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), zephyr-hm (2104)

When you define one or more terms that specify the filtering criteria, you also define the action to take if the packet matches all criteria. Table 3 shows the actions that you can specify in a term.

Table 3: Actions for VSAs

Option

Description

(allow | deny)

Accept a packet or discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.

forwarding-class class-of-service

(Optional) Classify the packet in one of the following forwarding classes:

  • assured-forwarding

  • best-effort

  • expedited-forwarding

  • network-control

loss-priority (low | medium | high)

(Optional) Set the packet loss priority (PLP) to low, medium, or high. Specify both the forwarding class and the loss priority.
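A parser and evaluator for one filter term built from the Table 2 match conditions, the Table 3 actions and the guidelines above (AND across fields of different types, no repeated field of the same type, match-all when no condition is given, deny when no action is given, forwarding-class ignored when not configured on the switch), as an added Python example that is not Juniper code. The textual form `match <option> <value>, ... action <option> [<value>], ...` and the packet-as-dict representation are assumptions made for this example, not the VSA's documented wire format.

```python
# Added example (not Juniper code): parse and evaluate a Juniper-Switching-Filter
# style term under the guidelines in the text. The 'match ... action ...' text
# form and the packet-as-dict model are assumptions made for this example.
import re
from typing import Dict, Optional, Set

# Protocol synonyms from Table 2 (ah is 51 per the IANA protocol numbers).
IP_PROTOCOLS = {"ah": 51, "egp": 8, "esp": 50, "gre": 47, "icmp": 1, "igmp": 2, "ipip": 4,
                "ipv6": 41, "ospf": 89, "pim": 103, "rsvp": 46, "tcp": 6, "udp": 17}
# Subset of the port synonyms listed under destination-port in Table 2.
PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443, "domain": 53, "ntp": 123,
         "snmp": 161, "syslog": 514, "bgp": 179, "radius": 1812, "radacct": 1813}
MATCH_OPTIONS = {"destination-mac", "source-vlan", "source-dot1q-tag", "destination-ip",
                 "ip-protocol", "source-port", "destination-port"}
ACTION_OPTIONS = {"allow", "deny", "forwarding-class", "loss-priority"}
FORWARDING_CLASSES = {"assured-forwarding", "best-effort", "expedited-forwarding",
                      "network-control"}
LOSS_PRIORITIES = {"low", "medium", "high"}


class FilterError(ValueError):
    """Raised for a term that violates the guidelines."""


def _fields(text: str) -> Dict[str, str]:
    """Split 'opt value, opt value' into a dict; a repeated option type is rejected."""
    out: Dict[str, str] = {}
    for field in (f.strip() for f in text.split(",")):
        if not field:
            continue
        parts = field.split(None, 1)
        name = parts[0].lower()
        if name in out:
            raise FilterError(f"{name} repeated; fields of the same type cannot be repeated")
        out[name] = parts[1].strip() if len(parts) > 1 else ""
    return out


def _normalize(name: str, value: str):
    """Resolve the text synonyms and check the ranges given in Table 2."""
    if not value:
        raise FilterError(f"{name} needs a value")
    if name == "ip-protocol":
        if value.isdigit():
            return int(value)
        if value.lower() not in IP_PROTOCOLS:
            raise FilterError(f"unknown ip-protocol {value}")
        return IP_PROTOCOLS[value.lower()]
    if name in ("source-port", "destination-port"):
        if value.isdigit():
            return int(value)
        if value.lower() not in PORTS:
            raise FilterError(f"unknown port {value}")
        return PORTS[value.lower()]
    if name == "source-dot1q-tag":
        if not value.isdigit() or not 0 <= int(value) <= 4095:
            raise FilterError("source-dot1q-tag must be 0 through 4095")
        return int(value)
    if name == "destination-mac":
        return value.lower()
    return value                                   # source-vlan, destination-ip


def parse_term(term: str) -> dict:
    """Both statements must be present; an empty match statement matches any
    packet and an empty action statement means deny (guidelines above)."""
    m = re.fullmatch(r"\s*match\b(.*?)\baction\b(.*)", term, re.IGNORECASE | re.DOTALL)
    if not m:
        raise FilterError("both match and action statements are mandatory")
    match = _fields(m.group(1))
    if set(match) - MATCH_OPTIONS:
        raise FilterError(f"unknown match option(s): {sorted(set(match) - MATCH_OPTIONS)}")
    conditions = {name: _normalize(name, value) for name, value in match.items()}
    action = _fields(m.group(2))
    if set(action) - ACTION_OPTIONS:
        raise FilterError(f"unknown action option(s): {sorted(set(action) - ACTION_OPTIONS)}")
    if "allow" in action and "deny" in action:
        raise FilterError("allow and deny are mutually exclusive")
    fc, lp = action.get("forwarding-class"), action.get("loss-priority")
    if fc is not None and fc not in FORWARDING_CLASSES:
        raise FilterError(f"unknown forwarding class {fc}")
    if lp is not None and (lp not in LOSS_PRIORITIES or fc is None):
        raise FilterError("loss-priority must be low, medium or high and needs a forwarding-class")
    return {"match": conditions, "action": "allow" if "allow" in action else "deny",
            "forwarding-class": fc, "loss-priority": lp}


def is_valid_term(term: str) -> bool:
    """True if the term parses under the guidelines, False otherwise."""
    try:
        parse_term(term)
        return True
    except FilterError:
        return False


def evaluate(term: dict, packet: Dict[str, object], configured_classes: Set[str]) -> Optional[dict]:
    """AND every condition against a packet (dict keyed by option name, values in the
    same normalized form). Returns the action to apply, or None if the packet does
    not meet every condition. A forwarding-class that is not configured on the
    switch is ignored, and (assumed here) its loss-priority with it."""
    for name, wanted in term["match"].items():
        if packet.get(name) != wanted:
            return None
    fc = term["forwarding-class"] if term["forwarding-class"] in configured_classes else None
    return {"action": term["action"], "forwarding-class": fc,
            "loss-priority": term["loss-priority"] if fc else None}
```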

Understanding RADIUS Accounting

Devices support IETF RFC 2866, RADIUS Accounting. Configuring RADIUS accounting on the device supports collecting statistical data about users logging in to or out from a LAN and sending the data to a RADIUS accounting server. The statistical data gathered can be used for general network monitoring, analyzing and tracking usage patterns, or billing a user based upon the amount of time or type of services accessed.

To configure RADIUS accounting, specify one or more RADIUS accounting servers to receive the statistical data from the device, and select the type of accounting data to be collected.

The RADIUS accounting server you specify can be the same server used for RADIUS authentication, or it can be a separate RADIUS server. You can specify a list of RADIUS accounting servers. If the primary server (the first one configured) is unavailable, each RADIUS server in the list is tried in the order in which they are configured in the Junos OS.

The RADIUS accounting process between the device and a RADIUS server works like this:

  1. A RADIUS accounting server listens for User Datagram Protocol (UDP) packets on a specific port. For example, on FreeRADIUS, the default port is 1813.
  2. The device forwards an accounting-request packet containing an event record to the accounting server. The event record associated with this supplicant contains an Acct-Status-Type attribute whose value indicates the beginning of user service for this supplicant. When the supplicant’s session ends, the accounting request contains an Acct-Status-Type attribute value indicating the end of user service. The RADIUS accounting server records this as a stop-accounting record containing session information and the length of the session.
  3. The RADIUS accounting server logs these events in a file as start-accounting or stop-accounting records. On FreeRADIUS, the filename is the server’s address; for example, 192.0.2.0.
  4. The accounting server sends an accounting-response packet back to the device confirming it has received the accounting request.
  5. If the device does not receive a response from the server, it continues to send accounting requests until an accounting response is returned from the accounting server.

The statistics collected through this process can be displayed from the RADIUS server; to see those statistics, the user accesses the log file configured to receive them.
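Processing the start-accounting and stop-accounting records that the accounting server writes, as an added Python example that is not Juniper or FreeRADIUS code: it correlates Start and Stop records by Acct-Session-Id, cross-checks Acct-Session-Time against the record timestamps, collects the Juniper-Interactive-Command and Juniper-Configuration-Change attributes per session, and flags sessions with a Stop but no Start. The sample log is constructed in the style of a FreeRADIUS detail file, and its use of Interim-Update records for command events is an assumption.

```python
# Added example (not Juniper or FreeRADIUS code): summarize accounting records
# by session. SAMPLE_DETAIL is constructed in the style of a detail file
# (timestamp line, indented "Attribute = value" lines, blank line between records).
from datetime import datetime
from typing import Dict, List

SAMPLE_DETAIL = """
Mon Jan  8 09:00:00 2024
    Acct-Status-Type = Start
    User-Name = "alice"
    Acct-Session-Id = "0001"
    NAS-IP-Address = 10.0.0.1
    Juniper-Authentication-Type = "remote"

Mon Jan  8 09:03:10 2024
    Acct-Status-Type = Interim-Update
    User-Name = "alice"
    Acct-Session-Id = "0001"
    Juniper-Interactive-Command = "configure"

Mon Jan  8 09:04:00 2024
    Acct-Status-Type = Interim-Update
    User-Name = "alice"
    Acct-Session-Id = "0001"
    Juniper-Configuration-Change = "set system radius-server 172.16.98.1 source-address 10.0.0.1"

Mon Jan  8 09:10:00 2024
    Acct-Status-Type = Stop
    User-Name = "alice"
    Acct-Session-Id = "0001"
    Acct-Session-Time = 600

Mon Jan  8 09:20:00 2024
    Acct-Status-Type = Stop
    User-Name = "bob"
    Acct-Session-Id = "0002"
    Acct-Session-Time = 30
"""

TIMESTAMP_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Parse detail-style records into dicts; quotes around string values are removed."""
    records: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None                      # blank line ends the record
            continue
        if not line[0].isspace():
            current = {"timestamp": line.strip()}
            records.append(current)
            continue
        if current is None:
            continue                            # attribute line with no record header
        name, _, value = line.strip().partition("=")
        current[name.strip()] = value.strip().strip('"')
    return records


def summarize_sessions(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """One summary per Acct-Session-Id: Start/Stop timestamps, reported and
    wall-clock duration, commands and configuration changes, and an
    'incomplete' flag when either the Start or the Stop record is missing."""
    sessions: Dict[str, dict] = {}
    for rec in records:
        sid = rec.get("Acct-Session-Id", "?")
        s = sessions.setdefault(sid, {"user": rec.get("User-Name"), "start": None, "stop": None,
                                      "seconds": None, "wall_seconds": None,
                                      "commands": [], "config_changes": []})
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            s["start"] = rec["timestamp"]
        elif status == "Stop":
            s["stop"] = rec["timestamp"]
            s["seconds"] = int(rec.get("Acct-Session-Time", "0"))
        if "Juniper-Interactive-Command" in rec:
            s["commands"].append(rec["Juniper-Interactive-Command"])
        if "Juniper-Configuration-Change" in rec:
            s["config_changes"].append(rec["Juniper-Configuration-Change"])
    for s in sessions.values():
        s["incomplete"] = s["start"] is None or s["stop"] is None
        if not s["incomplete"]:
            delta = (datetime.strptime(s["stop"], TIMESTAMP_FORMAT)
                     - datetime.strptime(s["start"], TIMESTAMP_FORMAT))
            s["wall_seconds"] = int(delta.total_seconds())   # compare with Acct-Session-Time
    return sessions


def config_changes_by_user(sessions: Dict[str, dict]) -> Dict[str, List[str]]:
    """Configuration changes grouped by user, the first thing to review after an incident."""
    out: Dict[str, List[str]] = {}
    for s in sessions.values():
        if s["config_changes"]:
            out.setdefault(s["user"], []).extend(s["config_changes"])
    return out


if __name__ == "__main__":
    for sid, s in summarize_sessions(parse_detail(SAMPLE_DETAIL)).items():
        print(sid, s["user"], s["seconds"], s["wall_seconds"], "incomplete" if s["incomplete"] else "ok")
```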

Configuring RADIUS System Accounting

With RADIUS accounting enabled, Juniper Networks routers or switches, acting as RADIUS clients, can notify the RADIUS server about user activities such as software logins, configuration changes, and interactive commands. The framework for RADIUS accounting is described in RFC 2866.

Tasks for configuring RADIUS system accounting are:

  1. Configuring Auditing of User Events on a RADIUS Server

  2. Specifying RADIUS Server Accounting and Auditing Events

  3. Configuring RADIUS Server Accounting

Configuring Auditing of User Events on a RADIUS Server

To audit user events, include the following statements at the [edit system accounting] hierarchy level:

Specifying RADIUS Server Accounting and Auditing Events

To specify the events you want to audit when using a RADIUS server for authentication, include the events statement at the [edit system accounting] hierarchy level:

events is one or more of the following:

  • login—Audit logins

  • change-log—Audit configuration changes

  • interactive-commands—Audit interactive commands (any command-line input)

Configuring RADIUS Server Accounting

To configure RADIUS server accounting, include the server statement at the [edit system accounting destination radius] hierarchy level:

server-address specifies the address of the RADIUS server. To configure multiple RADIUS servers, include multiple server statements.

Note

If no RADIUS servers are configured at the [edit system accounting destination radius] statement hierarchy level, the Junos OS uses the RADIUS servers configured at the [edit system radius-server] hierarchy level.

accounting-port port-number specifies the RADIUS server accounting port number.

The default port number is 1813.

Note

If you enable RADIUS accounting at the [edit access profile profile-name accounting-order] hierarchy level, accounting is triggered on the default port of 1813 even if you do not specify a value for the accounting-port statement.

routing-instance routing-instance is the name of the non-default management instance. Use mgmt_junos as the routing-instance name. See Management Interface in a Nondefault Instance.

You must specify a secret (password) that the local router or switch passes to the RADIUS client by including the secret statement. If the password contains spaces, enclose the entire password in quotation marks (" ").

In the source-address statement, specify a source address for the RADIUS server. Each RADIUS request sent to a RADIUS server uses the specified source address. The source address is a valid IPv4 address (if the radius-server address is IPv4) or IPv6 address (if the radius-server address is IPv6) configured on one of the router or switch interfaces.

Optionally, you can specify the number of times that the router or switch attempts to contact a RADIUS authentication server by including the retry statement. By default, the router or switch retries three times. You can configure the router or switch to retry from 1 through 10 times.

Optionally, you can specify the length of time that the local router or switch waits to receive a response from a RADIUS server by including the timeout statement. By default, the router or switch waits 3 seconds. You can configure the timeout to be from 1 through 90 seconds.

Starting with Junos OS Release 14.1 and Junos OS Release 17.3R1, you can configure the enhanced-accounting statement to view the attribute values of a logged in user. If you use the enhanced-accounting statement at the [edit system radius-options] hierarchy level, the RADIUS attributes such as access method, remote port, and access privileges can be audited. You can limit the number of attribute values to be displayed for auditing by using the enhanced-avs-max <number> statement at the [edit system accounting] hierarchy level.

When a Juniper Networks router or switch is configured with RADIUS accounting, it sends Accounting-Start and Accounting-Stop messages to the RADIUS server. These messages contain information about user activities such as software logins, configuration changes, and interactive commands. This information is typically used for monitoring a network, collecting usage statistics, and ensuring that users are billed properly.

The following example shows three servers (10.5.5.5, 10.6.6.6, and 10.7.7.7) configured for RADIUS accounting:

Release History Table

  Release 18.1R1: Starting in Junos OS Release 18.1R1, existing RADIUS behavior is enhanced to support a management interface in a non-default VRF instance.

  Releases 14.1 and 17.3R1: Starting with Junos OS Release 14.1 and Junos OS Release 17.3R1, you can configure the enhanced-accounting statement to view the attribute values of a logged in user.