
Configuring RADIUS Local and Remote Template Accounts in JUNOScope

The JUNOScope software uses local password authentication. You set up a username, password, and permissions for each user allowed to log in to JUNOScope.

However, when you use RADIUS authentication, you must set up single accounts (for authorization purposes) that are shared by a set of users. You create these accounts using the remote and local user template accounts.

A template account is a mapping between JUNOScope and the RADIUS server that allows RADIUS users to get the appropriate permissions. When a user with a RADIUS account logs in to JUNOScope, the software forwards the username and password to the RADIUS server for authentication. If authentication succeeds, the RADIUS server sends the Juniper-Local-User-Name attribute (if present for the user) to JUNOScope. Based on the received Juniper-Local-User-Name attribute and the configured template user accounts, JUNOScope determines the permissions for the user. The RADIUS account user gets the same permissions as the template user.

You set up template accounts the same way you create users in JUNOScope. To add a user in JUNOScope, see Adding a User. See also RADIUS User Login Scenarios.

Local Template Accounts

When you configure a local template and a user logs in, the JUNOScope software sends a request to the authentication server to authenticate the user's login name. When a user is authenticated, the RADIUS server returns the local username to JUNOScope. If a local username (that is, the Juniper-Local-User-Name attribute) is specified for that login name, the appropriate local template is selected. If no local username is returned by the RADIUS server or no corresponding local template exists in JUNOScope, JUNOScope will, by default, use the remote template (see Remote Template Accounts).

Table 12 shows the user account information that must exist on the RADIUS server and in the local template account or user set up in JUNOScope.

Table 12: Local Template Account

| RADIUS Server User Account | JUNOScope Local Template Account |
|---|---|
| Username: “edward” | Username: fritz |
| Password: “edward” | Password: fritz |
| Juniper-Local-User-Name = “fritz” | Permissions: superuser |

If a local user logs in to JUNOScope using username fritz and password fritz, the user will log in successfully with superuser permissions. However, if a RADIUS user “edward” logs in to JUNOScope successfully using username edward, that user gets the same permissions as fritz. In this case, user “edward”, on successful login, gets the superuser permissions. If you change the permission for fritz to read-write, user “edward”, on successful login, will also get read-write permissions.

Remote Template Accounts

There can be only one remote template account in JUNOScope. You configure a remote template in JUNOScope by creating a user with username remote and any secure password. (See Adding a User.)

In JUNOScope, the remote template (the user with username remote) applies to a user with a RADIUS account when either no Juniper-Local-User-Name attribute is specified for that user or the specified local user does not exist in JUNOScope (see Table 13).

For example:

Username “edward” will get the same permissions as the remote template (that is, the same permissions as user remote) if the remote template is configured in JUNOScope.

If neither the local nor remote template is configured in JUNOScope (for example, for RADIUS user “edward”, if both users fritz and remote do not exist in JUNOScope), the RADIUS user will not be able to log in.

For a user with an account in RADIUS to be able to log in to JUNOScope successfully, JUNOScope must have at least the remote user template configured.
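
The template selection described in the two sections above, written out as an added Python example (not Juniper code): it resolves which template account a RADIUS user inherits and flags mappings worth reviewing, such as inherited superuser permissions or an attribute that names a missing account. The function names, flag labels, and the users "gina" and "hal" are assumptions made for illustration.

```python
# Added illustration: models the template-account selection described on this
# page. Names and data layout are constructed, not JUNOScope internals.

REMOTE = "remote"  # username of the single remote template account
ATTR = "Juniper-Local-User-Name"

def resolve_template(radius_user, junoscope_accounts):
    """Return (template_name, permissions, reason), or (None, None, reason)
    when the RADIUS user cannot log in. Assumes RADIUS authentication has
    already succeeded for radius_user."""
    local_name = radius_user.get(ATTR)
    if local_name and local_name in junoscope_accounts:
        return local_name, junoscope_accounts[local_name], "local template"
    if REMOTE in junoscope_accounts:
        reason = (f"no {ATTR} returned" if not local_name
                  else f"local user {local_name!r} does not exist")
        return REMOTE, junoscope_accounts[REMOTE], f"remote template ({reason})"
    return None, None, "no local or remote template configured"

def audit(radius_users, junoscope_accounts, high_priv=("superuser",)):
    """List the effective permissions of every RADIUS user and flag the
    mappings worth reviewing."""
    findings = []
    for name, attrs in sorted(radius_users.items()):
        template, perms, _ = resolve_template(attrs, junoscope_accounts)
        flags = []
        if template is None:
            flags.append("login-denied")
        elif perms in high_priv:
            flags.append("inherits-high-privilege")
        wanted = attrs.get(ATTR)
        if wanted and wanted not in junoscope_accounts:
            flags.append("attribute-names-missing-account")
        findings.append((name, template, perms, flags))
    return findings

# Constructed sample data, following the page's "edward"/"fritz" example.
ACCOUNTS = {"fritz": "superuser", "remote": "read-write"}
RADIUS_USERS = {
    "edward": {ATTR: "fritz"},
    "gina": {},                 # no attribute set: falls to remote template
    "hal": {ATTR: "fritzz"},    # typo: no such JUNOScope account
}

if __name__ == "__main__":
    for row in audit(RADIUS_USERS, ACCOUNTS):
        print(row)
```

Running the audit after any change to a template account shows every RADIUS user whose permissions change with it, since all users mapped to one template share its permissions.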

