 | Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |
You can configure the order in which the JUNOS software tries different authentication methods when authenticating peers. For each access attempt, the software tries the authentication methods in order, from first to last.
To configure the authentication order, include the authentication-order statement at the [edit access profile name] hierarchy level:
- [edit access profile profile-name]
-
authentication-order [ authentication-methods ];
In authentication-methods, specify one or more of the following in the preferred order, from first tried to last tried:
If you do not include the authentication-order statement, clients are verified by means of password authentication.
The CHAP authentication sequence cannot take more than 30 seconds. If it takes longer to authenticate a client, the authentication is abandoned and a new sequence is initiated.
For example, if you configure three RADIUS servers so that the router attempts to contact each server three times, and with each retry the server times out after 3 seconds, then the maximum time given to the RADIUS authentication method before CHAP considers it a failure is 27 seconds. If you add more RADIUS servers to this configuration, they might not be contacted because the authentication process might be abandoned before these servers are tried.
The JUNOS software enforces a limit to the number of standing authentication server requests that the CHAP authentication can have at one time. Thus, an authentication server method—RADIUS, for example—may fail to authenticate a client when this limit is exceeded. In the above example, any authentication method following this method is tried. If it fails, the authentication sequence is reinitiated by the router until authentication succeeds and the link is brought up.
| Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |