To use RADIUS authentication on the router, configure information about one or more RADIUS servers on the network by including one radius-server statement at the [edit system] hierarchy level for each RADIUS server:
```
[edit system]
radius-server server-address {
    accounting-port port-number;
    port port-number;
    retry number;
    secret password;
    source-address source-address;
    timeout seconds;
}
```
server-address is the address of the RADIUS server.
You can specify a port on which to contact the RADIUS server. By default, port number 1812 is used (as specified in RFC 2865). You can also specify an accounting port to send accounting packets. The default is 1813 (as specified in RFC 2866).
You must specify a password in the secret password statement. If the password contains spaces, enclose it in quotation marks. The secret used by the local router must match that used by the server.
Optionally, you can specify the amount of time that the local router waits to receive a response from a RADIUS server (in the timeout statement) and the number of times that the router attempts to contact a RADIUS authentication server (in the retry statement). By default, the router waits 3 seconds. You can configure this to be a value in the range from 1 through 90 seconds. By default, the router retries connecting to the server 3 times. You can configure this to be a value in the range from 1 through 10 times.
You can use the source-address statement to specify a logical address for individual or multiple RADIUS servers.
To configure multiple RADIUS servers, include multiple radius-server statements.
To configure a set of users that share a single account for authorization purposes, you create a template user. To do this, include the user statement at the [edit system login] hierarchy level, as described in Configuring Template Accounts for RADIUS and TACACS+ Authentication.
You can also configure RADIUS authentication at the [edit access] and [edit access profile] hierarchy levels. The JUNOS software uses the following search order to determine which set of servers is used for authentication:
- [edit access profile profile-name radius-server server-address]
- [edit access radius-server server-address]
- [edit system radius-server server-address]
For more information, see Configuring Access.
The JUNOS software supports the configuration of Juniper Networks RADIUS vendor-specific attributes (VSAs). These VSAs are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636. Table 14 lists the Juniper Networks VSAs you can configure.
Table 14: Juniper Networks Vendor-Specific RADIUS Attributes

| Name | Description | Type | Length | String |
|---|---|---|---|---|
| Juniper-Local-User-Name | Indicates the name of the user template used by this user when logging in to a device. This attribute is used only in Access-Accept packets. | 1 | ≥3 | One or more octets containing printable ASCII characters. |
| Juniper-Allow-Commands | Contains an extended regular expression that allows the user to run operational mode commands in addition to the commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | 2 | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 12. |
| Juniper-Deny-Commands | Contains an extended regular expression that denies the user permission to run operational mode commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | 3 | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 12. |
| Juniper-Allow-Configuration | Contains an extended regular expression that allows the user to run configuration mode commands in addition to the commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | 4 | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 13. |
| Juniper-Deny-Configuration | Contains an extended regular expression that denies the user permission to run configuration commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | 5 | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 13. |
| Juniper-Interactive-Command | Indicates the interactive command entered by the user. This attribute is used only in Accounting-Request packets. | 8 | ≥3 | One or more octets containing printable ASCII characters. |
| Juniper-Configuration-Change | Indicates the interactive command that results in a configuration (database) change. This attribute is used only in Accounting-Request packets. | 9 | ≥3 | One or more octets containing printable ASCII characters. |
| Juniper-User-Permissions | Contains information the server uses to specify user permissions. This attribute is used only in Access-Accept packets. Note: When the Juniper-User-Permissions attribute is configured to grant the JUNOS maintenance or all permissions on a RADIUS server, the UNIX wheel group membership is not automatically added to a user’s list of group memberships. Some operations, such as running the su root command from a local shell, require wheel group membership. However, when a user is configured locally with permissions maintenance or all, the user is automatically granted membership in the UNIX wheel group. Therefore, we recommend that you create a template user account with the required permissions and associate individual user accounts with the template user account. For information about configuring user template accounts, see Configuring Template Accounts for RADIUS and TACACS+ Authentication. | 10 | ≥3 | One or more octets containing printable ASCII characters. The string is a list of permission flags separated by a space. The exact name of each flag must be specified in its entirety. See Table 11. |
For more information about the VSAs, see RFC 2138, Remote Authentication Dial In User Service (RADIUS).
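Table 14 gives the vendor-type numbers and the packet types each attribute may appear in; the following added example (not Juniper code) shows how those VSAs are carried on the wire inside an RFC 2865 Vendor-Specific attribute (type 26) with vendor ID 2636, and how a receiver should walk the attribute list while rejecting malformed lengths. The function and variable names are this example's own.

```python
import struct

JUNIPER_VENDOR_ID = 2636   # Juniper Networks vendor ID (Table 14)
VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute type

# Vendor-type numbers from Table 14; types 8 and 9 are Accounting-Request only
JUNIPER_VSA = {1: "Juniper-Local-User-Name", 2: "Juniper-Allow-Commands",
               3: "Juniper-Deny-Commands", 4: "Juniper-Allow-Configuration",
               5: "Juniper-Deny-Configuration", 8: "Juniper-Interactive-Command",
               9: "Juniper-Configuration-Change", 10: "Juniper-User-Permissions"}
NAME_TO_TYPE = {v: k for k, v in JUNIPER_VSA.items()}
ACCOUNTING_ONLY = {8, 9}


def allowed_in(name, packet):
    """True if Table 14 permits this VSA in 'Access-Accept' or 'Accounting-Request'."""
    acct = NAME_TO_TYPE[name] in ACCOUNTING_ONLY
    return packet == ("Accounting-Request" if acct else "Access-Accept")


def encode_vsa(name, value):
    """Wrap one Juniper VSA in an RFC 2865 attribute 26 carrying vendor ID 2636."""
    data = value.encode("ascii")
    if not data or not all(0x20 <= b < 0x7F for b in data):
        raise ValueError("VSA string must be non-empty printable ASCII")
    # vendor-type, vendor-length (>= 3, covers itself and the type), string
    sub = struct.pack("!BB", NAME_TO_TYPE[name], 2 + len(data)) + data
    if 6 + len(sub) > 255:
        raise ValueError("attribute exceeds the one-octet RADIUS length field")
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), JUNIPER_VENDOR_ID) + sub


def decode_juniper_vsas(attrs):
    """Walk a RADIUS attribute list; return Juniper VSAs as (name, value) pairs.
    Other vendors' VSAs and non-VSA attributes are skipped; bad lengths raise."""
    out, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2 or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, body = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != JUNIPER_VENDOR_ID:
            continue
        j = 4
        while j < len(body):   # one or more vendor-type/vendor-length/string triples
            if len(body) - j < 3 or body[j + 1] < 3 or j + body[j + 1] > len(body):
                raise ValueError("malformed Juniper VSA at offset %d" % j)
            vtype, vlen = body[j], body[j + 1]
            name = JUNIPER_VSA.get(vtype, "Juniper-Unknown-%d" % vtype)
            out.append((name, body[j + 2:j + vlen].decode("ascii")))
            j += vlen
    return out
```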
The JUNOS software enables you to configure Microsoft’s implementation of the Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) on the router for password-change support. This feature provides users accessing a router the option of changing the password when the password expires, is reset, or is configured to be changed at next logon.
Before you configure MS-CHAPv2 for password-change support, ensure that you have done the following:
To configure MS-CHAPv2, include the following statements at the [edit system radius-options] hierarchy level:
```
[edit system radius-options]
password-protocol mschap-v2;
```
For an example configuration, see Example: Configuring MS-CHAPv2 on the Router.
The following example shows statements for configuring the MS-CHAPv2 password protocol, password authentication order, and user accounts:
```
[edit]
system {
    authentication-order [ radius password ];
    radius-server {
        192.168.69.149 secret "$9$G-j.5Qz6tpBk.1hrlXxUjiq5Qn/C"; ## SECRET-DATA
    }
    radius-options {
        password-protocol mschap-v2;
    }
    login {
        user bob {
            class operator;
        }
    }
}
```