RADIUS Overview

RADIUS is a distributed client/server that protects networks against unauthorized access. RADIUS clients running on a Juniper Networks E Series Broadband Services Router send authentication requests to a central RADIUS server.

You can access the RADIUS server through either a subscriber line or the CLI.

Note: For CLI/telnet users only—For CLI security, the router supports the RADIUS Access-Challenge message. The RADIUS server uses this message to send the user a challenge requiring a response. The router then displays the single reply message and attempts to authenticate the user with the new response as the password.

The central RADIUS server stores all the required user authentication and network access information. RADIUS informs the router of the privilege levels for which RADIUS-authenticated users have enable access. The router permits or denies enable access accordingly.

The RADIUS server is configured and managed by a RADIUS administrator. See your RADIUS server documentation for information about configuring and managing a RADIUS server.

The E Series RADIUS client uses the IP address in the router ID unless you explicitly set an IP address by using the radius update-source-addr command.

To explicitly set the source address, perform the following tasks:

• Configure the RADIUS update-source address.
• Set this address on the RADIUS server if required.

  Note: For additional RADIUS information about topics such as restricting user access, vty line authentication, or SSH, see the Passwords and Security chapter in JunosE System Basics Configuration Guide.

RADIUS Services

RADIUS provides three distinct services:

• Authentication—Determines whether or not a user is allowed to access a specific service or resource.
• Authorization—Associates connection attributes or characteristics with a specific user.
• Accounting—Tracks service use by subscribers.

RADIUS Attributes

JunosE Software supports the RADIUS attributes and vendor-specific attributes (VSAs) listed in this chapter. These attributes define specific authentication, authorization, and accounting elements in a user’s profile. The profile is stored on the RADIUS server. RADIUS messages contain RADIUS attributes to communicate information between an E Series Broadband Services Router and the RADIUS server.

Note these guidelines about RADIUS attribute numbers:

• The number, such as [1], that appears in brackets before each attribute is the attribute’s standard number.
• Any attribute number beginning with 26, such as [26-1], identifies a vendor-specific attribute.