Configuration Commands

Use the following commands to configure the local authentication server.

aaa authentication default

• Use to specify that the local authentication method is used to authenticate PPP subscribers on the default virtual router or on the selected virtual router.

  Note: You can specify multiple authentication methods; for example, aaa authentication ppp default local radius. If, during local authentication, the matching user entry is not found in a populated database or if it is found and rejected, the authentication procedure terminates. However, if the specified local user database is empty or if it does not exist, the authentication process uses the next authentication method specified (RADIUS in this case).

• Example

  host1(config)#aaa authentication ppp default local radius

• Use the no version to restore the default authentication method of radius.
• See aaa authentication default

aaa local database

• Use to create a local user database.
• Use the database name default to specify the default local user database, or enter a name for the specific local user database.
• Example

  host1(config)#aaa local database westLocal40

• Use the no version to delete the specified database and all entries in the database.
• See aaa local database

aaa local select database

• Use to assign the local user database that the virtual router uses for local authentication.
• Example

  host1(config)#virtual-router cleveland

  host1:cleveland(config)#aaa local select database westLocal40

• Use the no version to restore the default setting, which uses the default local user database for local authentication.
• See aaa local select database

aaa local username

• Use to configure a user entry in the specified local user database and to enter Local User Configuration mode.
• The username must be unique within a particular database; however, the same username can be used in different databases.
• Use the database name default to configure the username in the default local user database.

  Note: The router supports usernames up to 64 characters long; however, PAP and CHAP support is limited to 31-character usernames.

• Example

  host1(config)#aaa local username cksmith database westLocal40

• Use the no version to delete the user entry from the specified local user database. Use the database name default to delete the user entry from the default local user database.
• See aaa local username

ip address

• Use to specify the IP address parameter for a user entry in the local user database. The address is negotiated with the subscriber after the subscriber is authenticated.
• Example

  host1(config-local-user)#ip-address 192.168.42.6

• Use the no version to delete the IP address parameter from the user entry in the local user database.
• See ip address

ip address-pool

• Use to specify the IP address pool parameter for a user entry in the local user database. The address pool is used to assign an IP address to the subscriber; the address is negotiated with the subscriber after the subscriber is authenticated.
• Example

  host1(config-local-user)#ip-address-pool svPool2

• Use the no version to delete the IP address pool parameter from the user entry in the local user database.
• See ip address-pool

operational-virtual-router

• Use to specify the virtual router parameter for a user entry in the local user database. The subscriber is assigned to the operational virtual router only if the default virtual router performs the authentication.
• If authentication is performed by a non-default virtual router, then the subscriber is assigned to the same virtual router that performs authentication, regardless of this parameter setting.
• Example

  host1(config-local-user)#operational-virtual-router boston2

• Use the no version to delete the operational virtual router parameter from the user entry in the local user database.
• See operational-virtual-router

password

• Use to add a password to a user entry in the local user database. The password is used to authenticate a subscriber, and is encrypted by means of a two-way encryption algorithm.

  Note: CHAP authentication requires that passwords and secrets be stored in clear text or use two-way encryption. Two-way encryption is not supported for the secret command. Therefore, use the password command if you want to enable encryption for subscribers that use CHAP authentication.

• The new password replaces any current password or secret.
• Specify one of the following encryption algorithms, followed by the password:
  • 0—An unencrypted password; this is the default
  • 8—A two-way encrypted password
• Example

  host1(config-local-user)#password 0 myPassword

• Use the no version to delete the password or secret from the user entry in the local user database.
• See password

secret

• Use to add a secret to a user entry in the local user database. The secret is used to authenticate a subscriber, and is encrypted by means of the Message Digest 5 (MD5) encryption algorithm.

  Note: CHAP authentication requires that passwords and secrets be stored in clear text or use two-way encryption. Two-way encryption is not supported for the secret command. Therefore, use the password command if you want to enable encryption for subscribers that use CHAP authentication.

• The new secret replaces any current password or secret.
• Specify one of the following encryption algorithms, followed by the secret:
  • 0—An unencrypted secret; this is the default
  • 5—An MD5-encrypted secret
• Example

  host1(config-local-user)#secret 5 Q3&t9REwk45jxSM#fj$z

• Use the no version to delete the secret or password from the user entry in the local user database.
• See secret

user-name

• Use to configure a user entry and optional password or secret in the default local user database. This command creates the database if it does not already exist.
• Optionally, specify a password or secret that is assigned to the user in the default local user database, or specify that no password is required for the particular username.
  • Specify one of the following encryption algorithms, followed by the password:
    • 0—An unencrypted password; this is the default
    • 8—A two-way encrypted password
  • Specify one of the following encryption algorithms, followed by the secret:
    • 0—An unencrypted secret; this is the default
    • 5—An MD5-encrypted secret
  • Use the nopassword keyword to remove the password or secret

    Note: CHAP authentication requires that passwords and secrets be stored in clear text or use two-way encryption. Two-way encryption is not supported for the secret command. Therefore, use the password command if you want to enable encryption for subscribers that use CHAP authentication.

• Example

  host1(config-local-user)#username cksmith secret 5 Q3&t9REwk45jxSM#fj$z

• Use the no version to delete the username entry from the default local user database.
• See user-name

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.