Configuring Local Authentication Servers
The AAA local authentication server enables the E Series router to provide local PAP and CHAP user authentication for subscribers. The router also provides limited authorization, using the IP address, IP address pool, and operational virtual router parameters. When a subscriber logs on to the E Series router that is using local authentication, the subscriber is authenticated against user entries in a local user database; the optional parameters are assigned to subscribers after the subscriber is authenticated.
Creating the Local Authentication Environment
To create your local authentication environment:
- Create local user databases—Create the default database or a named database.
- Add entries to local user databases—Add user entries to the database. A database can contain information for multiple users.
- Assign a local user database to the virtual router—Specify the database that the virtual router will use to authenticate subscribers.
- Enable local authentication on the virtual router—Specify the local method as an AAA authentication method used by the virtual router.
Creating Local User Databases
When a subscriber connects to an E Series router that is using local authentication, the local authentication server uses the entries in the local user database selected by the virtual router to authenticate the subscriber.
A local authentication server can have multiple local user databases, and each database can have entries for multiple subscribers. The default local user database, if it exists, is used for local authentication by default. The E Series router supports a maximum of 100 user entries. A maximum of 100 databases can be configured.
To create a local user database, use the aaa local database command followed by the name of the database; use the name default to create the default local user database:
host1(config)#aaa local database westLocal40
Adding User Entries to Local User Databases
The local authentication server uses the information in a local user database to authenticate a subscriber. A local user database can contain information for multiple users.
The E Series router provides two commands for adding entries to local user databases: the username command and the aaa local username command. You can specify the following parameters:
- Username—Name associated with the subscriber.
- Passwords and secrets—Single words that can be stored encrypted or unencrypted. Passwords use two-way (reversible) encryption, so the router can recover the plaintext when it needs it; secrets are stored as a one-way MD5 hash, from which the plaintext cannot be recovered. Both passwords and secrets can be used with PAP authentication; only passwords can be used with CHAP authentication, because CHAP verification requires the plaintext.
- IP address—The IP address to assign to the subscriber (aaa local username command only).
- IP address pool—The IP address pool used to assign the subscriber’s IP address (aaa local username command only).
- Operational virtual router—The virtual router to which the subscriber is assigned. This parameter is applicable only if the subscriber is authenticated by the default virtual router (aaa local username command only).
Using the username Command
The username command is similar to the command used by some third-party vendors. The command can be used to add entries in the default local user database; it is not supported for named local user databases. The IP address, IP address pool, and operational virtual router parameters are not supported in the username command. However, after the user is added to the default local user database, you can use the aaa local username command with a database name default to enter Local User Configuration mode and add the additional parameters.
Note: If the default local user database does not exist, the username command creates this database and adds the user entry to the database.
To add a subscriber and password or secret to the default local user database, enter the username command in Global Configuration mode:
host1(config)#username cksmith secret 5 Q3&t9REwk45jxSM#fj$z
Using the aaa local username Command
To enter Local User Configuration mode and add user entries to a local user database, use the following commands:
- Specify the subscriber's username and the database you want to use. Use the database name default to specify the default local user database. This command also puts the router into Local User Configuration mode.
  host1(config)#aaa local username cksmith database westLocal40
  host1(config-local-user)#
  Note: You can use the aaa local username command to add or modify user entries in a default database that was created by the username command.
- (Optional) Specify the type of encryption algorithm and the password or secret that the subscriber must use to connect to the router. A subscriber can be assigned either a password or a secret, but not both. For example:
  host1(config-local-user)#password 8 iTtakes2%
- (Optional) Specify the IP address to assign to the subscriber.
  host1(config-local-user)#ip-address 192.168.101.19
- (Optional) Specify the IP address pool used to assign the subscriber's IP address.
  host1(config-local-user)#ip-address-pool svPool2
- (Optional) Assign the subscriber to an operational virtual router. This parameter is applicable only if the subscriber is authenticated in the default virtual router.
  host1(config-local-user)#operational-virtual-router boston2
Assigning a Local User Database to a Virtual Router
Use the procedure in this section to assign a local user database to a virtual router. The virtual router uses the database for local authentication when the subscriber connects to the E Series router. Use the following commands in Global Configuration mode:
Note: If you do not specify a local user database, the virtual router selects the default database by default. This applies to all virtual routers.
- Specify the virtual router name.
  host1(config)#virtual-router cleveland
- Specify the database to use for authentication on this virtual router.
  host1:cleveland(config)#aaa local select database westLocal40
Enabling Local Authentication on the Virtual Router
On the E Series router, RADIUS is the default AAA authentication method for PPP subscribers. Use the commands in this section to specify that the local authentication method is used.
To enable local authentication on the default virtual router, use the following command:
host1(config)#aaa authentication ppp default local
To enable local authentication on a specific virtual router, first select the virtual router, then enter the same command in that virtual router's context:
host1(config)#virtual-router cleveland
host1:cleveland(config)#aaa authentication ppp default local
Configuration Commands
Use the following commands to configure the local authentication server.
aaa authentication default
- Use to specify that the local authentication method is used to authenticate PPP subscribers on the default virtual router or on the selected virtual router.

Note: You can specify multiple authentication methods; for example, aaa authentication ppp default local radius. If, during local authentication, the matching user entry is not found in a populated database, or if it is found and the credentials are rejected, the authentication procedure terminates with a rejection and no later method is tried. However, if the selected local user database is empty or does not exist, the authentication process uses the next method in the list (RADIUS in this case). A misspelled database name in aaa local select database is simply a nonexistent database, so the local method then never decides; with a method list such as local none, every subscriber is accepted without authentication. Verify that the selected database exists and is populated before relying on a fallback method.
- Example: host1(config)#aaa authentication ppp default local radius
- Use the no version to restore the default authentication method of radius.
- See aaa authentication default
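The method-list rules in the note above are easy to get wrong in practice, so here is a model of them as an added example (not code from the router or from Juniper). The databases, virtual routers, method lists and the RADIUS stand-in are constructed for illustration; only the decision rules stated on this page are modelled. It shows the three outcomes that matter operationally: a populated database decides and stops the list, an empty or nonexistent database falls through, and local none with a misnamed database accepts everyone.

```python
"""Model of E Series AAA method-list semantics (added example, not router code)."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class LocalDatabase:
    """A named local user database (aaa local database): username -> password."""
    name: str
    users: Dict[str, str] = field(default_factory=dict)


@dataclass
class VirtualRouter:
    """Per-virtual-router AAA state."""
    name: str
    methods: List[str]            # aaa authentication ppp default <methods>
    selected_db: str = "default"  # aaa local select database; default DB when unset


def local_decision(db: Optional[LocalDatabase], user: str, password: str) -> Optional[bool]:
    """Local method. None means 'no decision, try the next method'.

    A nonexistent or empty database yields no decision. A populated database
    always decides: accept on a matching entry, otherwise reject.
    """
    if db is None or not db.users:
        return None
    return db.users.get(user) == password


def authenticate(vr: VirtualRouter, databases: Dict[str, LocalDatabase],
                 user: str, password: str,
                 radius: Callable[[str, str], bool]) -> str:
    """Walk the method list; return '<method>:<accept|reject>' for the deciding method."""
    for method in vr.methods:
        if method == "local":
            decision = local_decision(databases.get(vr.selected_db), user, password)
            if decision is None:
                continue  # empty or nonexistent DB: fall through to the next method
            return f"local:{'accept' if decision else 'reject'}"
        if method == "radius":
            return f"radius:{'accept' if radius(user, password) else 'reject'}"
        if method == "none":
            return "none:accept"  # none performs no authentication at all
        raise ValueError(f"unknown method {method}")
    return "exhausted:reject"


def fallback_exposure(vr: VirtualRouter, databases: Dict[str, LocalDatabase]) -> List[str]:
    """Configuration check: warn when the local method can never decide and
    the fallback method is none (every subscriber would be accepted)."""
    warnings: List[str] = []
    if "local" not in vr.methods:
        return warnings
    db = databases.get(vr.selected_db)
    if db is None:
        warnings.append(f"{vr.name}: selected database '{vr.selected_db}' does not exist")
    elif not db.users:
        warnings.append(f"{vr.name}: selected database '{vr.selected_db}' is empty")
    if warnings and "none" in vr.methods:
        warnings.append(f"{vr.name}: method list {vr.methods} accepts every subscriber")
    return warnings


# Constructed sample data; user and database names are taken from this page.
DATABASES = {
    "default": LocalDatabase("default", {"cksmith": "yourPassword1"}),
    "westfordLocal40": LocalDatabase("westfordLocal40", {"btjones": "s3cret"}),
    "emptyLocal": LocalDatabase("emptyLocal"),
}


def radius_stub(user: str, password: str) -> bool:
    """Stand-in for a RADIUS server that knows exactly one user (constructed)."""
    return (user, password) == ("rad-user", "rad-pass")


def demo() -> Dict[str, str]:
    default_vr = VirtualRouter("default", ["local", "radius"], "westfordLocal40")
    chicago = VirtualRouter("chicago", ["local", "radius"], "emptyLocal")
    cleveland = VirtualRouter("cleveland", ["local", "none"], "westfordLoca140")  # typo in DB name
    return {
        # populated DB, user unknown: rejected locally, RADIUS is never consulted
        "unknown_in_populated_db": authenticate(default_vr, DATABASES, "rad-user", "rad-pass", radius_stub),
        "known_local_user": authenticate(default_vr, DATABASES, "btjones", "s3cret", radius_stub),
        # empty DB: falls through to RADIUS
        "empty_db_falls_through": authenticate(chicago, DATABASES, "rad-user", "rad-pass", radius_stub),
        # misnamed DB plus none: anyone with any password is accepted
        "missing_db_with_none": authenticate(cleveland, DATABASES, "anyone", "anything", radius_stub),
    }
```

fallback_exposure is the pre-change check to run over every virtual router's selected database and method list; in the demo it flags the cleveland configuration and passes the default virtual router.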
aaa local database
- Use to create a local user database.
- Use the database name default to specify the default local user database, or enter a name for the specific local user database.
- Example: host1(config)#aaa local database westLocal40
- Use the no version to delete the specified database and all entries in the database.
- See aaa local database
aaa local select database
- Use to assign the local user database that the virtual router uses for local authentication.
- Example:
  host1(config)#virtual-router cleveland
  host1:cleveland(config)#aaa local select database westLocal40
- Use the no version to restore the default setting, which uses the default local user database for local authentication.
- See aaa local select database
aaa local username
- Use to configure a user entry in the specified local user database and to enter Local User Configuration mode.
- The username must be unique within a particular database; however, the same username can be used in different databases.
- Use the database name default to configure the username in the default local user database.

Note: The router supports usernames up to 64 characters long; however, PAP and CHAP support is limited to 31-character usernames.
- Example: host1(config)#aaa local username cksmith database westLocal40
- Use the no version to delete the user entry from the specified local user database. Use the database name default to delete the user entry from the default local user database.
- See aaa local username
ip-address
- Use to specify the IP address parameter for a user entry in the local user database. The address is negotiated with the subscriber after the subscriber is authenticated.
- Example: host1(config-local-user)#ip-address 192.168.42.6
- Use the no version to delete the IP address parameter from the user entry in the local user database.
- See ip-address
ip-address-pool
- Use to specify the IP address pool parameter for a user entry in the local user database. The address pool is used to assign an IP address to the subscriber; the address is negotiated with the subscriber after the subscriber is authenticated.
- Example: host1(config-local-user)#ip-address-pool svPool2
- Use the no version to delete the IP address pool parameter from the user entry in the local user database.
- See ip-address-pool
operational-virtual-router
- Use to specify the virtual router parameter for a user entry in the local user database. The subscriber is assigned to the operational virtual router only if the default virtual router performs the authentication.
- If authentication is performed by a non-default virtual router, then the subscriber is assigned to the same virtual router that performs authentication, regardless of this parameter setting.
- Example: host1(config-local-user)#operational-virtual-router boston2
- Use the no version to delete the operational virtual router parameter from the user entry in the local user database.
- See operational-virtual-router
password
- Use to add a password to a user entry in the local user database. The password is used to authenticate a subscriber and is stored with two-way (reversible) encryption, so the router can recover the plaintext when it needs it.

Note: CHAP authentication requires that the router be able to recover the plaintext, so credentials used for CHAP must be stored in clear text or with two-way encryption. Two-way encryption is not supported for the secret command. Therefore, use the password command if you want to enable encryption for subscribers that use CHAP authentication.
- The new password replaces any current password or secret.
- Specify one of the following encryption algorithms, followed by the password:
  - 0—An unencrypted password; this is the default
  - 8—A two-way encrypted password
- Example: host1(config-local-user)#password 0 myPassword
- Use the no version to delete the password or secret from the user entry in the local user database.
- See password
secret
- Use to add a secret to a user entry in the local user database. The secret is used to authenticate a subscriber and is stored as a one-way Message Digest 5 (MD5) hash; the plaintext cannot be recovered from the stored value, which is why secrets work for PAP but not for CHAP.

Note: CHAP authentication requires that the router be able to recover the plaintext, so credentials used for CHAP must be stored in clear text or with two-way encryption. Two-way encryption is not supported for the secret command. Therefore, use the password command if you want to enable encryption for subscribers that use CHAP authentication.
- The new secret replaces any current password or secret.
- Specify one of the following encryption algorithms, followed by the secret:
  - 0—An unencrypted secret; this is the default
  - 5—An MD5-hashed secret
- Example: host1(config-local-user)#secret 5 Q3&t9REwk45jxSM#fj$z
- Use the no version to delete the secret or password from the user entry in the local user database.
- See secret
username
- Use to configure a user entry and an optional password or secret in the default local user database. This command creates the database if it does not already exist. Enter it in Global Configuration mode; it does not enter Local User Configuration mode.
- Optionally, specify a password or secret that is assigned to the user in the default local user database, or specify that no password is required for the particular username.
- For a password, specify one of the following encryption algorithms, followed by the password:
  - 0—An unencrypted password; this is the default
  - 8—A two-way encrypted password
- For a secret, specify one of the following encryption algorithms, followed by the secret:
  - 0—An unencrypted secret; this is the default
  - 5—An MD5-hashed secret
- Use the nopassword keyword to remove the password or secret. A user entry with neither a password nor a secret requires no credential, so use nopassword only for accounts that are intended to be unauthenticated.

Note: CHAP authentication requires that the router be able to recover the plaintext, so credentials used for CHAP must be stored in clear text or with two-way encryption. Two-way encryption is not supported for the secret command. Therefore, use the password command if you want to enable encryption for subscribers that use CHAP authentication.
- Example: host1(config)#username cksmith secret 5 Q3&t9REwk45jxSM#fj$z
- Use the no version to delete the username entry from the default local user database.
- See username
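The password-versus-secret distinction described under Adding User Entries to Local User Databases, and repeated in the notes under the password, secret and username commands, comes down to what each protocol sends on the wire. The following is an added example, not code from the router or from Juniper, that works through both checks. The router's type 8 algorithm is not described on this page, so it is modelled here by a reversible XOR with a constructed demo key; type 5 is modelled as a plain MD5 digest of the secret (the router's exact salting and encoding are not shown). The CHAP response is computed as in RFC 1994 (MD5 over identifier, secret and challenge); the usernames, password and challenge are constructed.

```python
"""PAP vs CHAP against a two-way password and a one-way secret (added example)."""

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the router's own key


def _xor(data: bytes) -> bytes:
    """Reversible 'type 8' stand-in: XOR with a repeating key (demo only)."""
    return bytes(b ^ DEMO_KEY[i % len(DEMO_KEY)] for i, b in enumerate(data))


def two_way_encrypt(plaintext: str) -> bytes:
    return _xor(plaintext.encode())


def two_way_decrypt(blob: bytes) -> str:
    return _xor(blob).decode()


def one_way(secret: str) -> str:
    """'type 5' stand-in: MD5 digest; the plaintext cannot be recovered from it."""
    return hashlib.md5(secret.encode()).hexdigest()


@dataclass
class UserEntry:
    username: str
    password_enc: Optional[bytes] = None  # password 8 ...  (reversible)
    secret_hash: Optional[str] = None     # secret 5 ...    (one-way)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """Client side of CHAP with MD5 (RFC 1994): MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def verify_pap(entry: UserEntry, password: str) -> bool:
    """PAP sends the password itself, so either stored form can check it."""
    if entry.secret_hash is not None:
        return hmac.compare_digest(one_way(password), entry.secret_hash)
    if entry.password_enc is not None:
        stored = two_way_decrypt(entry.password_enc).encode()
        return hmac.compare_digest(stored, password.encode())
    return False


def verify_chap(entry: UserEntry, ident: int, challenge: bytes, response: bytes) -> Optional[bool]:
    """CHAP never sends the password; the server must recompute the response
    from the plaintext. With only a one-way secret that is impossible, so the
    check cannot be performed at all (None), which is what the notes describe."""
    if entry.password_enc is None:
        return None
    expected = chap_response(ident, two_way_decrypt(entry.password_enc), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    pw_user = UserEntry("cksmith", password_enc=two_way_encrypt("iTtakes2%"))
    sec_user = UserEntry("btjones", secret_hash=one_way("iTtakes2%"))
    response = chap_response(7, "iTtakes2%", challenge)  # what the peer would send
    return {
        "pap_password": verify_pap(pw_user, "iTtakes2%"),
        "pap_secret": verify_pap(sec_user, "iTtakes2%"),
        "pap_secret_wrong": verify_pap(sec_user, "wrong"),
        "chap_password": verify_chap(pw_user, 7, challenge, response),
        "chap_secret": verify_chap(sec_user, 7, challenge, response),
        # the cost of CHAP support: the plaintext is recoverable from the stored entry
        "recoverable_from_config": two_way_decrypt(pw_user.password_enc),
    }
```

The last entry in demo() is the practical caveat: any entry configured with the password command is recoverable by whoever can read the stored configuration, so for PAP-only subscribers prefer the secret command, and treat configuration backups and show output that contain type 8 passwords as sensitive.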
Local Authentication Example
This example creates a sample local authentication environment. The steps in this example:
- Create a named local user database (westfordLocal40).
- Configure the database westfordLocal40.
- Add users btjones and maryrdavis and their attributes to the database.
- Create the default local database using the optional username command.
- Add optional subscriber parameters for user cksmith to the default database.
- Assign the default local user database to virtual router cleveland; assign database westfordLocal40 to the default virtual router and to virtual router chicago.
- Enable AAA authentication methods local and none on all virtual routers.
- Use the show commands to display information for the local authentication environment (various show command displays are listed after the example).
Example 1
This example shows the commands that create the AAA local authentication environment whose configuration is displayed by the show commands in Examples 3 through 7. The secrets are entered in their MD5-hashed form (type 5) as they appear in that output.
host1(config)#aaa local database westfordLocal40
host1(config)#aaa local username btjones database westfordLocal40
host1(config-local-user)#secret 5 }9s7-4N<WK2)2=)^!6~#
host1(config-local-user)#operational-virtual-router boston2
host1(config-local-user)#ip-address-pool addressPoolA
host1(config-local-user)#exit
host1(config)#aaa local username maryrdavis database westfordLocal40
host1(config-local-user)#secret 5 E@A:nDXJJ<irb\`mF#[j
host1(config-local-user)#operational-virtual-router boston1
host1(config-local-user)#ip-address 192.168.20.106
host1(config-local-user)#exit
host1(config)#username cksmith password 0 yourPassword1
host1(config)#aaa local username cksmith database default
host1(config-local-user)#operational-virtual-router boston2
host1(config-local-user)#ip-address-pool addressPoolA
host1(config-local-user)#exit
host1(config)#aaa local select database westfordLocal40
host1(config)#aaa authentication ppp default local none
host1(config)#virtual-router cleveland
host1:cleveland(config)#aaa local select database default
host1:cleveland(config)#aaa authentication ppp default local none
host1:cleveland(config)#virtual-router chicago
host1:chicago(config)#aaa local select database westfordLocal40
host1:chicago(config)#aaa authentication ppp default local none
Example 2
This example verifies that local authentication is configured on the router.
host1#show aaa authentication ppp default local none
Example 3
This example uses the show configuration category aaa local-authentication command with the databases keyword to show the local user databases that are configured on the router.
host1# show configuration category aaa local-authentication databases
! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication databases
!
hostname host1
aaa new-model
aaa local database default
aaa local database westfordLocal40
Example 4
This example uses the local-authentication users keywords to show the configured users and their parameters. The password for username cksmith is displayed unencrypted because the service password-encryption command is left at its default of disabled for the example; enabling it hides the plaintext in displays, but a two-way encrypted password remains recoverable by the router, so configuration backups and show output still need to be protected. Secrets are always displayed in their hashed form.
host1# show configuration category aaa local-authentication users
! Configuration script being generated on THU NOV 11 2004 13:40:41 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 10, 2004 21:15)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication users
!
hostname host1
aaa new-model
aaa local username cksmith database default
 password yourPassword1
 operational-virtual-router boston2
 ip-address-pool addressPoolA
!
aaa local username btjones database westfordLocal40
 secret 5 }9s7-4N<WK2)2=)^!6~#
 operational-virtual-router boston2
 ip-address-pool addressPoolA
!
aaa local username maryrdavis database westfordLocal40
 secret 5 E@A:nDXJJ<irb\`mF#[j
 operational-virtual-router boston1
 ip-address 192.168.20.106
Example 5
This example uses the users include-defaults keywords to show the configured users and their parameters, including the default parameters no-ip-address and no ip-address-pool.
host1# show configuration category aaa local-authentication users include-defaults
! Configuration script being generated on TUE NOV 09 2004 13:09:03 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication users
!
hostname host1
aaa new-model
aaa local username cksmith database default
 password yourPassword1
 operational-virtual-router boston2
 no ip-address
 ip-address-pool addressPoolA
!
aaa local username btjones database westfordLocal40
 secret 5 }9s7-4N<WK2)2=)^!6~#
 operational-virtual-router boston2
 no ip-address
 ip-address-pool addressPoolA
!
aaa local username maryrdavis database westfordLocal40
 secret 5 E@A:nDXJJ<irb\`mF#[j
 operational-virtual-router boston1
 ip-address 192.168.20.106
 no ip-address-pool
Example 6
This example uses the virtual-router keyword with the default specification to show the local user database that is used by the default virtual router.
host1# show configuration category aaa local-authentication virtual-router default
! Configuration script being generated on TUE NOV 09 2004 13:09:45 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication
!
virtual-router default
 aaa local select database westfordLocal40
Example 7
This example uses the virtual-router keyword with a named virtual router. The include-defaults keyword shows the default configuration, including the line showing that there is no named local user database selected.
host1# show configuration category aaa local-authentication virtual-router cleveland include-defaults
! Configuration script being generated on TUE NOV 09 2004 13:09:25 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication
!
virtual-router cleveland
 no aaa local select
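The users output in Examples 4 and 5 is exactly what an auditor wants to scan for weak entries: cleartext passwords, two-way passwords on accounts that could have used a secret, and entries with no credential at all. The following added example, which is not part of the original page or of any Juniper tool, parses that output and reports such findings. The sample text is a constructed file whose first three entries are copied from Example 4 and whose fourth (a guest entry with no password or secret) is added to exercise the nopassword case; the parser assumes the line-oriented layout shown there, with each aaa local username line followed by its parameters and entries separated by "!".

```python
"""Audit 'show configuration category aaa local-authentication users' output (added example)."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: entries 1-3 from Example 4, entry 4 added for the nopassword case.
SAMPLE = r"""
hostname host1
aaa new-model
aaa local username cksmith database default
 password yourPassword1
 operational-virtual-router boston2
 ip-address-pool addressPoolA
!
aaa local username btjones database westfordLocal40
 secret 5 }9s7-4N<WK2)2=)^!6~#
 operational-virtual-router boston2
 ip-address-pool addressPoolA
!
aaa local username maryrdavis database westfordLocal40
 secret 5 E@A:nDXJJ<irb\`mF#[j
 operational-virtual-router boston1
 ip-address 192.168.20.106
!
aaa local username guest database default
 operational-virtual-router boston2
"""

HEADER = re.compile(r"^aaa local username (\S+) database (\S+)$")
CRED = re.compile(r"^(password|secret)(?: ([058]))? (\S+)$")


@dataclass
class LocalUser:
    username: str
    database: str
    credential_kind: Optional[str] = None  # "password" (two-way) or "secret" (one-way)
    encryption_type: str = "0"             # "0" clear, "8" two-way, "5" MD5
    operational_vr: Optional[str] = None
    ip_address: Optional[str] = None
    ip_address_pool: Optional[str] = None


def parse_users(text: str) -> List[LocalUser]:
    """Group each 'aaa local username ... database ...' line with its parameter lines."""
    users: List[LocalUser] = []
    current: Optional[LocalUser] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = HEADER.match(line)
        if m:
            current = LocalUser(m.group(1), m.group(2))
            users.append(current)
            continue
        if current is None:
            continue  # hostname, aaa new-model and similar lines before the first entry
        m = CRED.match(line)
        if m:
            current.credential_kind = m.group(1)
            current.encryption_type = m.group(2) or "0"
            continue
        key, _, value = line.partition(" ")
        if key == "operational-virtual-router":
            current.operational_vr = value
        elif key == "ip-address":
            current.ip_address = value
        elif key == "ip-address-pool":
            current.ip_address_pool = value
        # "no ip-address" style lines from include-defaults carry no value and are ignored
    return users


def audit(users: List[LocalUser]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for weak credential storage."""
    findings: List[Tuple[str, str]] = []
    for u in users:
        who = f"{u.username}@{u.database}"
        if u.credential_kind is None:
            findings.append(("high", f"{who}: no password or secret; no credential is required"))
        elif u.credential_kind == "password" and u.encryption_type == "0":
            findings.append(("medium", f"{who}: cleartext password in configuration"))
        elif u.credential_kind == "password":
            findings.append(("info", f"{who}: two-way password; plaintext recoverable from config"))
    return findings
```

Run it over a saved show output instead of SAMPLE to get the same report for a live router; the info-level finding is expected for CHAP subscribers, which need the two-way form, and is there so that PAP-only accounts still carrying a password rather than a secret stand out.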