Managing User Authentication with a Configuration Editor
This section contains the following topics:
- Setting Up RADIUS Authentication
- Setting Up TACACS+ Authentication
- Configuring Authentication Order
- Controlling User Access
- Setting Up Template Accounts
Setting Up RADIUS Authentication
To use RADIUS authentication, you must configure at least one RADIUS server.
The procedure provided in this section identifies the RADIUS server, specifies the secret (password) of the RADIUS server, and sets the source address of the services router's RADIUS requests to the loopback address of the device. The procedure uses the following sample values:
- The RADIUS server's IP address is 172.16.98.1.
- The RADIUS server's secret is Radiussecret1.
- The loopback address of the device is 10.0.0.1.
To configure RADIUS authentication:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 11.
- If you are finished configuring the network, commit the configuration.
To completely set up RADIUS authentication, you must create user template accounts and specify a system authentication order.
- Go on to one of the following procedures:
- To specify a system authentication order, see Configuring Authentication Order.
- To configure a remote user template account, see Creating a Remote Template Account.
- To configure local user template accounts, see Creating a Local Template Account.
Table 11: Setting Up RADIUS Authentication
| Task | J-Web Configuration Editor | CLI Configuration Editor |
|---|---|---|
| Navigate to the System level in the configuration hierarchy. | | From the [edit] hierarchy level, enter edit system |
| Add a new RADIUS server. | | Set the IP address of the RADIUS server: set radius-server 172.16.98.1 |
| Specify the shared secret (password) of the RADIUS server. The secret is stored as an encrypted value in the configuration database. | In the Secret box, type the shared secret of the RADIUS server: Radiussecret1 | Set the shared secret of the RADIUS server: set radius-server 172.16.98.1 secret Radiussecret1 |
| Specify the source address to be included in the RADIUS server requests by the device. In most cases, you can use the loopback address of the device. | In the Source address box, type the loopback address of the device: 10.0.0.1 | Set the device's loopback address as the source address: set radius-server 172.16.98.1 source-address 10.0.0.1 |
Setting Up TACACS+ Authentication
To use TACACS+ authentication, you must configure at least one TACACS+ server.
The procedure provided in this section identifies the TACACS+ server, specifies the secret (password) of the TACACS+ server, and sets the source address of the services router's TACACS+ requests to the loopback address of the device. This procedure uses the following sample values:
- The TACACS+ server's IP address is 172.16.98.24.
- The TACACS+ server's secret is Tacacssecret1.
- The loopback address of the device is 10.0.0.1.
To configure TACACS+ authentication:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 12.
- If you are finished configuring the network, commit the configuration.
To completely set up TACACS+ authentication, you must create user template accounts and specify a system authentication order.
- Go on to one of the following procedures:
- To specify a system authentication order, see Configuring Authentication Order.
- To configure a remote user template account, see Creating a Remote Template Account.
- To configure local user template accounts, see Creating a Local Template Account.
Table 12: Setting Up TACACS+ Authentication
| Task | J-Web Configuration Editor | CLI Configuration Editor |
|---|---|---|
| Navigate to the System level in the configuration hierarchy. | | From the [edit] hierarchy level, enter edit system |
| Add a new TACACS+ server. | | Set the IP address of the TACACS+ server: set tacplus-server 172.16.98.24 |
| Specify the shared secret (password) of the TACACS+ server. The secret is stored as an encrypted value in the configuration database. | In the Secret box, type the shared secret of the TACACS+ server: Tacacssecret1 | Set the shared secret of the TACACS+ server: set tacplus-server 172.16.98.24 secret Tacacssecret1 |
| Specify the source address to be included in the TACACS+ server requests by the device. In most cases, you can use the loopback address of the device. | In the Source address box, type the loopback address of the device: 10.0.0.1 | Set the device's loopback address as the source address: set tacplus-server 172.16.98.24 source-address 10.0.0.1 |
Configuring Authentication Order
The procedure provided in this section configures the services router to attempt user authentication with the local password first, then with the RADIUS server, and finally with the TACACS+ server.
To configure authentication order:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 13.
- If you are finished configuring the network, commit the configuration.
To completely set up RADIUS or TACACS+ authentication, you must configure at least one RADIUS or TACACS+ server and create user template accounts.
- Go on to one of the following procedures:
- To configure a RADIUS server, see Setting Up RADIUS Authentication.
- To configure a TACACS+ server, see Setting Up TACACS+ Authentication.
- To configure a remote user template account, see Creating a Remote Template Account.
- To configure local user template accounts, see Creating a Local Template Account.
Table 13: Configuring Authentication Order
| Task | J-Web Configuration Editor | CLI Configuration Editor |
|---|---|---|
| Navigate to the System level in the configuration hierarchy. | | From the [edit] hierarchy level, enter edit system |
| Add RADIUS authentication to the authentication order. | | Insert the radius statement in the authentication order: insert system authentication-order radius after password |
| Add TACACS+ authentication to the authentication order. | | Insert the tacplus statement in the authentication order: insert system authentication-order tacplus after radius |
Controlling User Access
This section contains the following topics:
- Defining Login Classes
- Creating User Accounts
Defining Login Classes
You can define any number of login classes. You then apply one login class to an individual user account, as described in Creating User Accounts and Setting Up Template Accounts.
The procedure provided in this section creates a sample login class named operator-and-boot with the following privileges:
- The operator-and-boot login class can reboot the services router using the request system reboot command.
- The operator-and-boot login class can also use commands defined in the clear, network, reset, trace, and view permission bits. For more information, see Permission Bits.
To define login classes:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 14.
- If you are finished configuring the network, commit the configuration.
- Go on to one of the following procedures:
- To create user accounts, see Creating User Accounts.
- To create shared user accounts, see Setting Up Template Accounts.
Table 14: Defining Login Classes
| Task | J-Web Configuration Editor | CLI Configuration Editor |
|---|---|---|
| Navigate to the System Login level in the configuration hierarchy. | | From the [edit] hierarchy level, enter edit system login |
| Create a login class named operator-and-boot with the ability to reboot the device. | | Set the name of the login class and the ability to use the request system reboot command: set class operator-and-boot allow-commands "request system reboot" |
| Give the operator-and-boot login class operator privileges. | | Set the permission bits for the operator-and-boot login class: set class operator-and-boot permissions [clear network reset trace view] |
Creating User Accounts
User accounts provide one way for users to access the services router. (Users can access the router without accounts if you configured RADIUS or TACACS+ servers, as described in Setting Up RADIUS Authentication and Setting Up TACACS+ Authentication.)
The procedure provided in this section creates a sample user named cmartin with the following characteristics:
- The user cmartin belongs to the superuser login class.
- The user cmartin uses an encrypted password, $1$14c5.$sBopasdFFdssdfFFdsdfs0.
To create user accounts:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 15.
- If you are finished configuring the network, commit the configuration.
Table 15: Creating User Accounts
| Task | J-Web Configuration Editor | CLI Configuration Editor |
|---|---|---|
| Navigate to the System Login level in the configuration hierarchy. | | From the [edit] hierarchy level, enter edit system login |
| Create a user named cmartin who belongs to the superuser login class. | | Set the username and the login class for the user: set user cmartin class superuser |
| Define the encrypted password for cmartin. | | Set the encrypted password for cmartin: set user cmartin authentication encrypted-password $1$14c5.$sBopasdFFdssdfFFdsdfs0 |
Setting Up Template Accounts
You can create template accounts that are shared by a set of users when you are using RADIUS or TACACS+ authentication. When a user is authenticated by a template account, the CLI username is the login name, and the privileges, file ownership, and effective user ID are inherited from the template account.
This section contains the following topics:
- Creating a Remote Template Account
- Creating a Local Template Account
Creating a Remote Template Account
You can create a remote template that is applied to users authenticated by RADIUS or TACACS+ that do not belong to a local template account.
By default, Junos OS uses the remote template account when
- The authenticated user does not exist locally on the services router.
- The authenticated user's record in the RADIUS or TACACS+ server specifies local user, or the specified local user does not exist locally on the device.
The procedure provided in this section creates a sample user named remote that belongs to the operator login class.
To create a remote template account:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 16.
- If you are finished configuring the network, commit the configuration.
To completely set up RADIUS or TACACS+ authentication, you must configure at least one RADIUS or TACACS+ server and specify a system authentication order.
- Go on to one of the following procedures:
- To configure a RADIUS server, see Setting Up RADIUS Authentication.
- To configure a TACACS+ server, see Setting Up TACACS+ Authentication.
- To specify a system authentication order, see Configuring Authentication Order.
Table 16: Creating a Remote Template Account
| Task | J-Web Configuration Editor | CLI Configuration Editor |
|---|---|---|
| Navigate to the System Login level in the configuration hierarchy. | | From the [edit] hierarchy level, enter edit system login |
| Create a user named remote who belongs to the operator login class. | | Set the username and the login class for the user: set user remote class operator |
Creating a Local Template Account
You can create a local template that is applied to users authenticated by RADIUS or TACACS+ that are assigned to the local template account. You use local template accounts when you need different types of templates. Each template can define a different set of permissions appropriate for the group of users who use that template.
The procedure provided in this section creates a sample user named admin that belongs to the superuser login class.
To create a local template account:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 17.
- If you are finished configuring the network, commit the configuration.
To completely set up RADIUS or TACACS+ authentication, you must configure at least one RADIUS or TACACS+ server and specify a system authentication order.
- Go on to one of the following procedures:
- To configure a RADIUS server, see Setting Up RADIUS Authentication.
- To configure a TACACS+ server, see Setting Up TACACS+ Authentication.
- To configure a system authentication order, see Configuring Authentication Order.
Table 17: Creating a Local Template Account
| Task | J-Web Configuration Editor | CLI Configuration Editor |
|---|---|---|
| Navigate to the System Login level in the configuration hierarchy. | | From the [edit] hierarchy level, enter edit system login |
| Create a user named admin who belongs to the superuser login class. | | Set the username and the login class for the user: set user admin class superuser |
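To show how the authentication order (Configuring Authentication Order) and the remote and local template accounts fit together, here is an added Python model, constructed for this section and not Junos OS code, that resolves a login the way the section states: methods are tried in the configured order, and a remotely authenticated user is mapped to the local template named in the server record, to an existing local account, or else to the remote template, while the CLI username stays the login name. The fall-through to the next method after a reject, the sample password and the RADIUS records (alice mapped to the local template admin, bob with no local user) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LocalUser:
    name: str
    login_class: str
    password: Optional[str] = None   # template accounts carry no password here

@dataclass
class Device:
    authentication_order: list
    users: dict                                  # name -> LocalUser (accounts and templates)
    servers: dict = field(default_factory=dict)  # method -> fn(user, pw) -> (accepted, local_user_name) or None

    def login(self, username, password):
        """Try each method in order; return (cli_username, login_class, source) or None."""
        for method in self.authentication_order:
            if method == "password":
                user = self.users.get(username)
                if user and user.password is not None and user.password == password:
                    return (username, user.login_class, "local-password")
                continue  # assumption: a rejecting method falls through to the next one
            server = self.servers.get(method)
            reply = server(username, password) if server else None  # None = unreachable
            if reply is None or not reply[0]:
                continue  # server unreachable or rejected: try the next method
            return self._map_remote(username, reply[1], method)
        return None

    def _map_remote(self, username, local_user_name, method):
        # Section rules: the local template named by the server record wins if it exists,
        # then an existing local account; otherwise the remote template. CLI name = login name.
        if local_user_name in self.users:
            tmpl = self.users[local_user_name]
            return (username, tmpl.login_class, f"{method}:local-template:{tmpl.name}")
        if username in self.users:
            return (username, self.users[username].login_class, f"{method}:local-account")
        if "remote" in self.users:
            return (username, self.users["remote"].login_class, f"{method}:remote-template")
        return None

def build_sample_device():
    """Constructed sample with this section's accounts: cmartin, remote, admin."""
    users = {u.name: u for u in (LocalUser("cmartin", "superuser", "s3cret-sample"),
                                 LocalUser("remote", "operator"), LocalUser("admin", "superuser"))}
    records = {"alice": "admin", "bob": None}   # constructed RADIUS records: alice -> local user admin
    radius = lambda u, p: (True, records[u]) if u in records else (False, None)
    return Device(["password", "radius", "tacplus"], users,
                  {"radius": radius, "tacplus": lambda u, p: None})   # TACACS+ unreachable
```

Removing the remote template from the sample device shows the consequence the section implies: a RADIUS-authenticated user with no local account and no local template then has nothing to inherit privileges from and is denied.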