Example: Configuring AAA Local Authentication

This example creates a sample local authentication environment. The example performs the following steps:

  1. Create a named local user database (westfordLocal40).
  2. Configure the database westfordLocal40.
    • Add users btjones and maryrdavis and their attributes to the database.
  3. Create the default local database using the optional username command.
    • Add optional subscriber parameters for user cksmith to the default database.
  4. Assign the default local user database to virtual router cleveland; assign database westfordLocal40 to the default virtual router and to virtual router chicago.
  5. Enable AAA authentication methods local and none on all virtual routers.
  6. Use the show commands to display information for the local authentication environment (various show command displays are listed after the example).

Example 1

This example shows the commands you use to create the AAA local authentication environment.

host1(config)#aaa local database westfordLocal40
host1(config)#aaa local username btjones database westfordLocal40
host1(config-local-user)#secret 38schillCy
host1(config-local-user)#ip-address-pool addressPoolA
host1(config-local-user)#operational-virtual-router boston2
host1(config-local-user)#exit
host1(config)#aaa local username maryrdavis database westfordLocal40
host1(config-local-user)#secret 0 dav1sSecret99
host1(config-local-user)#ip-address 192.168.20.106
host1(config-local-user)#operational-virtual-router boston1
host1(config-local-user)#exit
host1(config)#username cksmith password 0 yourPassword1
host1(config)#aaa local username cksmith database default
host1(config-local-user)#ip-address-pool addressPoolA
host1(config-local-user)#operational-virtual-router boston2
host1(config-local-user)#exit
host1(config)#virtual-router cleveland
host1(config)#aaa local select database default
host1(config)#virtual-router default
host1(config)#aaa local select database westfordLocal40
host1(config)#virtual-router chicago
host1(config)#aaa local select database westfordLocal40
host1(config)#virtual-router default
host1(config)#aaa authentication ppp default local none

Example 2

This example verifies that local authentication is configured on the router.

host1#show aaa authentication ppp default 
local none

Example 3

This example uses the show configuration category aaa local-authentication command with the databases keyword to show the local user databases that are configured on the router.

host1# show configuration category aaa local-authentication databases
! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC
! Juniper Edge Routing Switch ERX1400
! Version: 6.1.0 (November 8, 2004  18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc.  All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE:  This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication databases
!
hostname host1
aaa new-model
aaa local database default
aaa local database westfordLocal40

Example 4

This example uses the local-authentication users keywords to show the configured users and their parameters. The password for username cksmith is displayed unencrypted because the example uses the default setting of the service password-encryption command, which is disabled (the no form). Secrets are always displayed encrypted.

host1# show configuration category aaa local-authentication users
! Configuration script being generated on THU NOV 11 2004 13:40:41 UTC
! Juniper Edge Routing Switch ERX1400
! Version: 6.1.0 (November 10, 2004  21:15)
! Copyright (c) 1999-2004 Juniper Networks, Inc.  All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE:  This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication users
!
hostname host1
aaa new-model
aaa local username cksmith database default
 password yourPassword1
 operational-virtual-router boston2
 ip-address-pool addressPoolA
!
aaa local username btjones database westfordLocal40
 secret 5 }9s7-4N<WK2)2=)^!6~#
 operational-virtual-router boston2
 ip-address-pool addressPoolA
!
aaa local username maryrdavis database westfordLocal40
 secret 5 E@A:nDXJJ<irb\`mF#[j
 operational-virtual-router boston1
 ip-address 192.168.20.106
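
The following audit script is an added example, not part of the original Juniper documentation. It parses output in the format shown in Example 4 and reports which local users have a credential that the configuration display exposes in cleartext. It assumes that a credential with no type digit, or with type 0, is cleartext and that any other type digit (such as the 5 shown for secrets) is an encoded form; the function names are hypothetical.

```python
import re

# Excerpt of the Example 4 output on this page (header comment lines trimmed).
SAMPLE = r"""hostname host1
aaa new-model
aaa local username cksmith database default
 password yourPassword1
 operational-virtual-router boston2
 ip-address-pool addressPoolA
!
aaa local username btjones database westfordLocal40
 secret 5 }9s7-4N<WK2)2=)^!6~#
 operational-virtual-router boston2
 ip-address-pool addressPoolA
"""

USER_RE = re.compile(r"^aaa local username (\S+) database (\S+)\s*$")
# Indented sub-command: keyword, optional type digit, then the value.
CRED_RE = re.compile(r"^\s+(password|secret)\s+(?:(\d+)\s+)?\S.*$")


def parse_users(config_text):
    """Return one record per 'aaa local username' stanza.

    The credential value itself is never stored, so the audit
    result can be logged without copying secrets around.
    """
    users, current = [], None
    for line in config_text.splitlines():
        m = USER_RE.match(line)
        if m:
            current = {"user": m.group(1), "database": m.group(2),
                       "credential": None, "type": None}
            users.append(current)
        elif not line.startswith(" "):
            current = None          # '!' or a new top-level command ends the stanza
        elif current is not None:
            c = CRED_RE.match(line)
            if c:
                current["credential"], current["type"] = c.group(1), c.group(2)
    return users


def cleartext_users(config_text):
    """Users whose credential has no type digit or type 0 (assumed cleartext)."""
    return [(u["user"], u["database"]) for u in parse_users(config_text)
            if u["credential"] and u["type"] in (None, "0")]
```

Run it against saved output of show configuration category aaa local-authentication users; for the excerpt above it reports only cksmith in database default.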

Example 5

This example uses the users include-defaults keywords to show the configured users and their parameters, including the default parameters no ip-address and no ip-address-pool.

host1# show configuration category aaa local-authentication users include-defaults
! Configuration script being generated on TUE NOV 09 2004 13:09:03 UTC
! Juniper Edge Routing Switch ERX1400
! Version: 6.1.0 (November 8, 2004  18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc.  All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE:  This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication users
!
hostname host1
aaa new-model
aaa local username cksmith database default
 password yourPassword1
 operational-virtual-router boston2
 no ip-address
 ip-address-pool addressPoolA
!
aaa local username btjones database westfordLocal40
 secret 5 }9s7-4N<WK2)2=)^!6~#
 operational-virtual-router boston2
 no ip-address
 ip-address-pool addressPoolA
!
aaa local username maryrdavis database westfordLocal40
 secret 5 E@A:nDXJJ<irb\`mF#[j
 operational-virtual-router boston1
 ip-address 192.168.20.106
 no ip-address-pool

Example 6

This example uses the virtual-router keyword with the default specification to show the local user database that is used by the default virtual router.

host1# show configuration category aaa local-authentication virtual-router default
! Configuration script being generated on TUE NOV 09 2004 13:09:45 UTC
! Juniper Edge Routing Switch ERX1400
! Version: 6.1.0 (November 8, 2004  18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc.  All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE:  This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication
!
virtual-router default
aaa local select database westfordLocal40

Example 7

This example uses the virtual-router keyword with a named virtual router. The include-defaults keyword shows the default configuration, including the line showing that there is no named local user database selected.

host1# show configuration category aaa local-authentication virtual-router cleveland include-defaults
! Configuration script being generated on TUE NOV 09 2004 13:09:25 UTC
! Juniper Edge Routing Switch ERX1400
! Version: 6.1.0 (November 8, 2004  18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc.  All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE:  This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication
!
virtual-router cleveland
no aaa local select
