Technical Documentation

Example: Configuring System Authentication for RADIUS, TACACS+, and Password Authentication

The following example shows how to configure system authentication for RADIUS, TACACS+, and password authentication.

The example permits logins only by the individual user Philip, and by users who have been authenticated by a remote RADIUS server. If a user logs in and is not authenticated by the RADIUS server, the user is denied access to the router. However, if the RADIUS server is not available, the user’s login name has a local password, and the user enters that password, the user is authenticated (using the password authentication method) and allowed access to the router. For more information about the password authentication method, see JUNOS Software Authentication Order for RADIUS, TACACS+, and Password Authentication.

When Philip tries to log in to the system, if the RADIUS server authenticates him, he is given access and privileges for the super-user class. Local accounts are not configured for other users. When they log in to the system and the RADIUS server authenticates them, they are given access using the same user ID (UID) 9999 and the same privileges for the operator class.

[edit]
system {
    authentication-order radius;
    login {
        user philip {
            full-name "Philip";
            uid 1001;
            class super-user;
        }
        user remote {
            full-name "All remote users";
            uid 9999;
            class operator;
        }
    }
}

Note: For authorization purposes, you can use a template account to create a single account that can be shared by a set of users at the same time. For example, when you create a remote template account, a set of remote users can concurrently share a single UID. For more information about template accounts, see Overview of Template Accounts for RADIUS and TACACS+ Authentication.

Configuring a single remote template account means that all users without individual configuration entries share the same class and UID. When you are using RADIUS with telnet or RADIUS with SSH, you can specify a template user other than remote.

To configure an alternate template user, specify the user-name parameter returned in the RADIUS authentication response packet. Not all RADIUS servers allow you to change this parameter. The following shows a sample JUNOS configuration:

[edit]
system {
    authentication-order radius;
    login {
        user philip {
            full-name "Philip";
            uid 1001;
            class super-user;
        }
        user operator {
            full-name "All operators";
            uid 9990;
            class operator;
        }
        user remote {
            full-name "All remote users";
            uid 9999;
            class read-only;
        }
    }
}

Assume your RADIUS server is configured with the following information:

  • User Philip with password “olympia”
  • User Alexander with password “bucephalus” and username “operator”
  • User Darius with password “redhead” and username “operator”
  • User Roxane with password “athena”

Philip would be given access as a superuser (super-user) because he has his own local user account. Alexander and Darius share UID 9990 and have access as operators. Roxane has no template-user override, so she shares access with all the other remote users, getting read-only access.
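The following Python model is an added example, not Juniper code: it encodes the resolution rules the page describes (RADIUS decides; an individual local account wins, then the template named in the RADIUS response, then the shared remote template; the local password is consulted only when no RADIUS server answers) so the outcomes for Philip, Alexander, Darius and Roxane, and the server-unavailable fallback, can be checked side by side. The local password "local-secret" for philip, the in-memory RADIUS database and the function names are constructed for the example; the page configures no local passwords.

```python
# Added example (not Juniper code): a model of the login resolution the page
# describes, covering template accounts and the RADIUS-unavailable fallback.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class LocalUser:
    """One 'user' stanza under [edit system login]."""
    name: str
    uid: int
    user_class: str
    password: Optional[str] = None   # local password, if one is configured

@dataclass(frozen=True)
class RadiusResult:
    """Outcome of a RADIUS authentication request."""
    accepted: bool
    template: Optional[str] = None   # user-name returned by the server, if any

# Mirrors the second configuration on the page. The local password for
# philip is a constructed value; the page itself configures none.
LOGIN = {
    "philip":   LocalUser("philip",   1001, "super-user", password="local-secret"),
    "operator": LocalUser("operator", 9990, "operator"),
    "remote":   LocalUser("remote",   9999, "read-only"),
}

# Constructed stand-in for the RADIUS server's user database from the page.
# Values are (password, user-name attribute returned on accept, or None).
RADIUS_DB = {
    "philip":    ("olympia",    None),
    "alexander": ("bucephalus", "operator"),
    "darius":    ("redhead",    "operator"),
    "roxane":    ("athena",     None),
}

def radius_authenticate(username: str, password: str,
                        server_up: bool = True) -> Optional[RadiusResult]:
    """Return None when the server is unreachable, otherwise accept/reject."""
    if not server_up:
        return None
    entry = RADIUS_DB.get(username)
    if entry is None or entry[0] != password:
        return RadiusResult(accepted=False)
    return RadiusResult(accepted=True, template=entry[1])

def resolve_login(username: str, password: str, server_up: bool = True,
                  login: dict = LOGIN) -> Optional[tuple]:
    """Return (account, uid, class) granted for this login, or None if denied.

    Follows 'authentication-order radius': RADIUS decides; the local
    password is consulted only when no RADIUS server answers.
    """
    result = radius_authenticate(username, password, server_up)
    if result is None:
        # RADIUS unreachable: password method against the local account only.
        local = login.get(username)
        if local is not None and local.password is not None and local.password == password:
            return (local.name, local.uid, local.user_class)
        return None
    if not result.accepted:
        # RADIUS answered and rejected: denied, even if a local password exists.
        return None
    # Accepted. An individual account takes precedence over any template.
    if username in login:
        acct = login[username]
    # Otherwise the template named by the server, if it exists locally.
    elif result.template in login:
        acct = login[result.template]
    # Otherwise the shared 'remote' template, if one is configured.
    elif "remote" in login:
        acct = login["remote"]
    else:
        return None
    return (acct.name, acct.uid, acct.user_class)

if __name__ == "__main__":
    for name, pw in [("philip", "olympia"), ("alexander", "bucephalus"),
                     ("darius", "redhead"), ("roxane", "athena")]:
        print(name, "->", resolve_login(name, pw))
    print("philip, RADIUS down, local password ->",
          resolve_login("philip", "local-secret", server_up=False))
```

Running the block prints the four outcomes stated above, and shows that a correct local password is accepted only when the RADIUS server is unreachable; when the server answers with a reject, the local password does not rescue the login.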

Published: 2010-04-26