
Example: Configuring RADIUS Authentication

The JUNOS Software supports two protocols for central authentication of users on multiple routers: Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+). We recommend RADIUS because it is a multivendor IETF standard, and its features are more widely accepted than those of TACACS+ or other proprietary systems. In addition, we recommend using a one-time-password system for increased security, and all vendors of these systems support RADIUS.

In the JUNOS model for centralized RADIUS authentication, you create one or more template accounts on the router, and the users’ access to the router is configured to use the template account. In this configuration, if the RADIUS server is not reachable, the fallback authentication mechanism is through the local account set up on the router.

The following example shows how to configure RADIUS authentication:

[edit]
system {
    authentication-order [ radius password ];
    root-authentication {
        encrypted-password "$9$aH1j8gqQ1gjyjgjhgjgiiiii"; # SECRET-DATA
    }
    name-server {
        10.1.1.1;
        10.1.1.2;
    }
}

The following example shows how to enable RADIUS authentication and define the shared secret between the client and the server. The shared secret lets the client and the server verify that they are talking to a trusted peer.

Define a timeout value for each server so that, if there is no response within the specified number of seconds, the router can try either the next server or the next authentication mechanism.

[edit]
system {
    radius-server {
        10.1.2.1 {
            secret "$9$aH1j8gqQ1sdjerrrhser"; # SECRET-DATA
            timeout 5;
        }
        10.1.2.2 {
            secret "$9$aH1j8gqQ1csdoiuardwefoiud"; # SECRET-DATA
            timeout 5;
        }
    }
}
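As an added illustration (not part of the Juniper documentation), the following Python script parses the curly-brace configuration format shown above and audits the settings this example depends on: radius in authentication-order with password as the local fallback, and a shared secret plus a timeout on every radius-server entry. The sample configuration is constructed with placeholder secrets, and its second server deliberately omits the timeout so the check reports it.

```python
# Constructed sample modelled on the page's snippets; secrets are placeholders, not real values.
SAMPLE_CONFIG = """
system {
    authentication-order [ radius password ];
    radius-server {
        10.1.2.1 {
            secret "$9$PLACEHOLDER-SECRET-1"; # SECRET-DATA
            timeout 5;
        }
        10.1.2.2 {
            secret "$9$PLACEHOLDER-SECRET-2"; # SECRET-DATA
        }
    }
}
"""

def parse_junos(text):
    """Parse Junos curly-brace configuration into nested dicts; leaf statements map to their value."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments such as "# SECRET-DATA"
        if not line:
            continue
        if line.endswith("{"):                 # open a hierarchy level, e.g. "radius-server {"
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":                      # close the current level
            stack.pop()
        elif line.endswith(";"):               # leaf statement: "timeout 5;" -> ("timeout", "5")
            key, _, value = line[:-1].partition(" ")
            stack[-1][key] = value.strip()
    return root

def audit_radius(config):
    """Return findings for the RADIUS settings the page's example relies on; [] means all present."""
    findings = []
    system = config.get("system", {})
    methods = system.get("authentication-order", "").strip("[] ").split()
    if "radius" not in methods:
        findings.append("authentication-order does not include radius")
    if methods[-1:] != ["password"]:
        findings.append("authentication-order does not end with password (local fallback)")
    for addr, attrs in system.get("radius-server", {}).items():
        if "secret" not in attrs:
            findings.append(f"{addr}: no shared secret")
        if "timeout" not in attrs:
            findings.append(f"{addr}: no timeout configured")
    return findings
```

Run `audit_radius(parse_junos(SAMPLE_CONFIG))` against a configuration exported with `show configuration` to list which of these settings are missing.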

Published: 2010-04-26
