SRC Template Accounts for RADIUS and TACACS+ Authentication

When a user logs in to the CLI, the following authentication is performed:

• RADIUS and /or TACSACS+ server authentication
• Authentication through a user account configured under [system login user]

For authorization purposes, you can use a template account to create a single account that can be shared by a set of users at the same time.

Typically when you use RADIUS and/or TACACS+ authentication, the user account is shared among a group of users who have the same privileges. You create template accounts for sets of users. Template accounts can be named:

• remote—(Default) A single account that defines user permissions for all users that authenticate through RADIUS or TACACS+
• name-of-your-choice —Account for a group of users

Use a named template account when you need different types of templates. Each template can define a different set of permissions appropriate to a group of users who use that template. For example, you can configure a set of remote users to concurrently share a single UID.

When a user is part of a group that uses a template account, the command-line interface (CLI) username is the login name; however, the privileges, file ownership, and effective username are inherited from the template account.

Named Template Accounts

Template accounts for which you define a name are defined on a C-series Controller and are referenced by the TACACS+ and RADIUS authentication servers through usernames. All users who share a local user template account have the same access privileges.

When a user who accesses the C-series Controller through a name template account logs in:

1. The SRC software issues a request to the authentication server to authenticate the user’s login name.
2. If a user is authenticated, the server returns the username to the SRC software.
3. The SRC software determines whether a username is specified for that login name.
4. If there is a username, the SRC software selects the appropriate template.
5. If a user template does not exist for the authenticated user, the C-series Controller uses the remote template.

Using Remote SRC Template Accounts

To configure the remote template account and specify the privileges that you want to grant to remote users:

• Include the system login user remote statement at the [edit] hierarchy level, and specify the “ All remote users” for the full-name option:

  [edit]

  system login user remote {

  full-name "All remote users";

  uid uid-value ;

  class class-name ;

  }

All users who share the remote template account have the same access privileges.

Copyright © 2008, Juniper Networks, Inc. All Rights Reserved. Trademark Notice.