

Configuring Local Authentication Servers

The AAA local authentication server enables the E-series router to provide local PAP and CHAP user authentication for subscribers. The router also provides limited authorization, using the IP address, IP address pool, and operational virtual router parameters. When a subscriber logs on to the E-series router that is using local authentication, the subscriber is authenticated against user entries in a local user database; the optional parameters are assigned to subscribers after the subscriber is authenticated.

Creating the Local Authentication Environment

To create your local authentication environment:

  1. Create local user databases—Create the default database or a named database.
  2. Add entries to local user databases—Add user entries to the database. A database can contain information for multiple users.
  3. Assign a local user database to the virtual router—Specify the database that the virtual router will use to authenticate subscribers.
  4. Enable local authentication on the virtual router—Specify the local method as an AAA authentication method used by the virtual router.

Creating Local User Databases

When a subscriber connects to an E-series router that is using local authentication, the local authentication server uses the entries in the local user database selected by the virtual router to authenticate the subscriber.

A local authentication server can have multiple local user databases, and each database can have entries for multiple subscribers. The default local user database, if it exists, is used for local authentication by default. The E-series router supports a maximum of 100 user entries. A maximum of 100 databases can be configured.

To create a local user database, use the aaa local database command and the name of the database; use the name default to create the default local user database:

host1(config)#aaa local database westLocal40 

Adding User Entries to Local User Databases

The local authentication server uses the information in a local user database to authenticate a subscriber. A local user database can contain information for multiple users.

The E-series router provides two commands for adding entries to local user databases: the username command and the aaa local username command. The parameters that you can specify with these commands are described in the sections that follow.

Using the username Command

The username command is similar to the command used by some third-party vendors. The command can be used to add entries in the default local user database; it is not supported for named local user databases. The IP address, IP address pool, and operational virtual router parameters are not supported in the username command. However, after the user is added to the default local user database, you can use the aaa local username command with a database name default to enter Local User Configuration mode and add the additional parameters.

NOTE: If the default local user database does not exist, the username command creates this database and adds the user entry to the database.


To add a subscriber and password or secret to the default local user database, complete the following step:

host1(config)#username rockyB password rockyPassword

Using the aaa local username Command

To enter Local User Configuration mode and add user entries to a local user database, use the following commands:

  1. Specify the subscriber's username and the database you want to use. Use the database name default to specify the default local user database. This command also puts the router into Local User Configuration mode.

     host1(config)#aaa local username cksmith database westLocal40
     host1(config-local-user)#

     NOTE: You can use the aaa local username command to add or modify user entries in a default database that was created by the username command.

  2. (Optional) Specify the type of encryption algorithm and the password or secret that the subscriber must use to connect to the router. A subscriber can be assigned either a password or a secret, but not both. For example:

     host1(config-local-user)#password 8 iTtakes2%

  3. (Optional) Specify the IP address to assign to the subscriber.

     host1(config-local-user)#ip-address 192.168.101.19

  4. (Optional) Specify the IP address pool used to assign the subscriber's IP address.

     host1(config-local-user)#ip-address-pool svPool2

  5. (Optional) Assign the subscriber to an operational virtual router. This parameter is applicable only if the subscriber is authenticated in the default virtual router.

     host1(config-local-user)#operational-virtual-router boston2

Assigning a Local User Database to a Virtual Router

Use the procedure in this section to assign a local user database to a virtual router. The virtual router uses the database for local authentication when the subscriber connects to the E-series router. Use the following commands in Global Configuration mode:

NOTE: If you do not specify a local user database, the virtual router selects the default database by default. This applies to all virtual routers.


  1. Specify the virtual router name.

     host1(config)#virtual-router cleveland

  2. Specify the database to use for authentication on this virtual router.

     host1:cleveland(config)#aaa local select database westLocal40

Enabling Local Authentication on the Virtual Router

On the E-series router, RADIUS is the default AAA authentication method for PPP subscribers. Use the commands in this section to specify that the local authentication method is used.

To enable local authentication on the default virtual router, use the following command:

host1(config)# aaa authentication ppp default local 

To enable local authentication on a specific virtual router, first select the virtual router:

host1(config)# virtual-router cleveland
host1:cleveland(config)# aaa authentication ppp default local 
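The four steps above (create databases, add user entries, select a database per virtual router, enable the local method) can be driven from a small declarative description. The following Python script is an added example, not Juniper code: it checks the constraints this page states (at most 100 databases and 100 user entries, a password or a secret but never both, every referenced database created) and then emits the CLI commands in the syntax shown above. The `LocalUser` and `LocalAuthConfig` types and all names, addresses and pools in the sample are constructed for the example.

```python
"""Added example (not from the Juniper documentation): build the E-series
local-authentication CLI shown on this page from a declarative description,
validating the page's stated constraints before any command is emitted."""
from dataclasses import dataclass, field
from typing import Optional

MAX_USER_ENTRIES = 100   # limit stated on the page
MAX_DATABASES = 100      # limit stated on the page


@dataclass
class LocalUser:
    name: str
    database: str = "default"            # 'default' is the router's default database
    password: Optional[str] = None       # entered as 'password 0 <text>'
    secret: Optional[str] = None         # entered as 'secret 0 <text>'; stored hashed
    ip_address: Optional[str] = None
    ip_address_pool: Optional[str] = None
    operational_vr: Optional[str] = None


@dataclass
class LocalAuthConfig:
    databases: list = field(default_factory=list)   # named databases to create
    users: list = field(default_factory=list)
    vr_databases: dict = field(default_factory=dict)  # virtual router -> selected database
    local_auth_vrs: list = field(default_factory=list)  # VRs that get the local method


def validate(cfg: LocalAuthConfig) -> list:
    """Return a list of problems; an empty list means the description is consistent."""
    problems = []
    if len(cfg.databases) > MAX_DATABASES:
        problems.append(f"{len(cfg.databases)} databases exceeds the limit of {MAX_DATABASES}")
    if len(cfg.users) > MAX_USER_ENTRIES:
        problems.append(f"{len(cfg.users)} user entries exceeds the limit of {MAX_USER_ENTRIES}")
    # The default database is created implicitly when the first user is added to it.
    known = set(cfg.databases) | {"default"}
    for u in cfg.users:
        if (u.password is None) == (u.secret is None):
            problems.append(f"user {u.name}: exactly one of password or secret is required")
        if u.database not in known:
            problems.append(f"user {u.name}: database {u.database} is not created by this config")
    for vr, db in cfg.vr_databases.items():
        if db not in known:
            problems.append(f"virtual router {vr}: database {db} is not created by this config")
    return problems


def emit_cli(cfg: LocalAuthConfig) -> list:
    """Return the Global Configuration mode commands, one per list element."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"aaa local database {db}" for db in cfg.databases]
    for u in cfg.users:
        lines.append(f"aaa local username {u.name} database {u.database}")
        if u.secret is not None:
            lines.append(f" secret 0 {u.secret}")
        else:
            lines.append(f" password 0 {u.password}")
        if u.ip_address:
            lines.append(f" ip-address {u.ip_address}")
        if u.ip_address_pool:
            lines.append(f" ip-address-pool {u.ip_address_pool}")
        if u.operational_vr:
            lines.append(f" operational-virtual-router {u.operational_vr}")
        lines.append(" exit")                      # leave Local User Configuration mode
    for vr, db in cfg.vr_databases.items():
        lines.append(f"virtual-router {vr}")      # switch context to that virtual router
        lines.append(f"aaa local select database {db}")
    for vr in cfg.local_auth_vrs:
        lines.append(f"virtual-router {vr}")
        lines.append("aaa authentication ppp default local")
    return lines


if __name__ == "__main__":
    # Constructed sample mirroring the procedure on this page.
    sample = LocalAuthConfig(
        databases=["westLocal40"],
        users=[LocalUser("cksmith", "westLocal40", password="iTtakes2%",
                         ip_address="192.168.101.19", operational_vr="boston2")],
        vr_databases={"cleveland": "westLocal40"},
        local_auth_vrs=["default", "cleveland"],
    )
    print("\n".join(emit_cli(sample)))
```

Commands are emitted without prompts so they can be pasted into a configuration session or fed to a provisioning tool; the generator deliberately refuses to emit anything when the description violates a stated constraint, so a partial configuration never reaches the router.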

Configuration Commands

Use the following commands to configure the local authentication server.

aaa authentication default

aaa local database

aaa local select database

aaa local username

ip-address

ip-address-pool

operational-virtual-router

password

secret

username

Local Authentication Example

This example creates a sample local authentication environment. The steps in this example:

  1. Create a named local user database (westfordLocal40).
  2. Configure the database westfordLocal40.
  3. Create the default local database using the optional username command.
  4. Assign the default local user database to virtual router cleveland; assign database westfordLocal40 to the default virtual router and to virtual router chicago.
  5. Enable AAA authentication methods local and none on all virtual routers.
  6. Use the show commands to display information for the local authentication environment (various show command displays are listed after the example).

Example 1

This example shows the commands you use to create the AAA local authentication environment.

host1(config)#aaa local database westfordLocal40
host1(config)#aaa local username btjones database westfordLocal40
host1(config-local-user)#secret 38schillCy
host1(config-local-user)#ip-address-pool addressPoolA
host1(config-local-user)#operational-virtual-router boston2
host1(config-local-user)#exit
host1(config)#aaa local username maryrdavis database westfordLocal40
host1(config-local-user)#secret 0 dav1sSecret99
host1(config-local-user)#ip-address 192.168.20.106
host1(config-local-user)#operational-virtual-router boston1
host1(config-local-user)#exit
host1(config)#username cksmith password 0 yourPassword1
host1(config)#aaa local username cksmith database default
host1(config-local-user)#ip-address-pool addressPoolA
host1(config-local-user)#operational-virtual-router boston2
host1(config-local-user)#exit
host1(config)#virtual-router cleveland
host1:cleveland(config)#aaa local select database default
host1:cleveland(config)#virtual-router default
host1(config)#aaa local select database westfordLocal40
host1(config)#virtual-router chicago
host1:chicago(config)#aaa local select database westfordLocal40
host1:chicago(config)#virtual-router default
host1(config)#aaa authentication ppp default local none

Example 2

This example verifies that local authentication is configured on the router.

host1#show aaa authentication ppp default
local none

Example 3

This example uses the show configuration category aaa local-authentication command with the databases keyword to show the local user databases that are configured on the router.

host1#show configuration category aaa local-authentication databases
! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004  18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc.  All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE:  This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication databases
!
hostname host1
aaa new-model
aaa local database default
aaa local database westfordLocal40

Example 4

This example uses the local-authentication users keywords to show the configured users and their parameters. The password for username cksmith is displayed unencrypted because the service password-encryption command is left at its default (disabled) setting in this example. Secrets are always displayed encrypted.

host1#show configuration category aaa local-authentication users
! Configuration script being generated on THU NOV 11 2004 13:40:41 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 10, 2004  21:15)
! Copyright (c) 1999-2004 Juniper Networks, Inc.  All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE:  This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication users
!
hostname host1
aaa new-model
aaa local username cksmith database default
 password yourPassword1
 operational-virtual-router boston2
 ip-address-pool addressPoolA
!
aaa local username btjones database westfordLocal40
 secret 5 }9s7-4N<WK2)2=)^!6~#
 operational-virtual-router boston2
 ip-address-pool addressPoolA
!
aaa local username maryrdavis database westfordLocal40
 secret 5 E@A:nDXJJ<irb\`mF#[j
 operational-virtual-router boston1
 ip-address 192.168.20.106

Example 5

This example uses the users include-defaults keywords to show the configured users and their parameters, including the default parameters no ip-address and no ip-address-pool.

host1#show configuration category aaa local-authentication users include-defaults
! Configuration script being generated on TUE NOV 09 2004 13:09:03 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004  18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc.  All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE:  This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication users
!
hostname host1
aaa new-model
aaa local username cksmith database default
 password yourPassword1
 operational-virtual-router boston2
 no ip-address
 ip-address-pool addressPoolA
!
aaa local username btjones database westfordLocal40
 secret 5 }9s7-4N<WK2)2=)^!6~#
 operational-virtual-router boston2
 no ip-address
 ip-address-pool addressPoolA
!
aaa local username maryrdavis database westfordLocal40
 secret 5 E@A:nDXJJ<irb\`mF#[j
 operational-virtual-router boston1
 ip-address 192.168.20.106
 no ip-address-pool

Example 6

This example uses the virtual-router keyword with the default specification to show the local user database that is used by the default virtual router.

host1#show configuration category aaa local-authentication virtual-router default
! Configuration script being generated on TUE NOV 09 2004 13:09:45 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004  18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc.  All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE:  This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication
!
virtual-router default
aaa local select database westfordLocal40

Example 7

This example uses the virtual-router keyword with a named virtual router. The include-defaults keyword shows the default configuration, including the line showing that there is no named local user database selected.

host1#show configuration category aaa local-authentication virtual-router cleveland include-defaults
! Configuration script being generated on TUE NOV 09 2004 13:09:25 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004  18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc.  All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE:  This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication
!
virtual-router cleveland
no aaa local select
