Technical Documentation

Example: Configuring CHAP Authentication with RADIUS

You can send RADIUS messages through a routing instance to customer RADIUS servers in a private network. To configure the routing instance to send packets to a RADIUS server, include the routing-instance statement at the [edit access profile profile-name radius-server] hierarchy level and apply the profile to an interface with the access-profile statement at the [edit interfaces interface-name unit logical-unit-number ppp-options chap] hierarchy level.

In this example, PPP peers of interfaces at-0/0/0.0 and at-0/0/0.1 are authenticated by a RADIUS server reachable via routing instance A. PPP peers of interfaces at-0/0/0.2 and at-0/0/0.3 are authenticated by a RADIUS server reachable via routing instance B.

For more information about RADIUS authentication, see Configuring RADIUS Authentication.

system {radius-server {1.1.1.1 secret $9$dalkfj;2.2.2.2 secret $9$adsfaszx;}}routing-instances {A {instance-type vrf;...}B {instance-type vrf;...}}access {profile A-PPP-clients {authentication-order radius;radius-server {3.3.3.3 {port 3333;secret "$9$LO/7NbDjqmPQGDmT"; # # SECRET-DATAtimeout 3;retry 3;source-address 99.99.99.99;routing-instance A;}4.4.4.4 {routing-instance A;secret $9$adsfaszx;}}}profile B-PPP-clients {authentication-order radius;radius-server {5.5.5.5 {routing-instance B;secret $9$kljhlkhl;}6.6.6.6 {routing-instance B;secret $9$kljhlkhl;}}}}interfaces {at-0/0/0 {atm-options {vpi 0;}unit 0 {encapsulation atm-ppp-llc;ppp-options {chap {access-profile A-PPP-clients;}}keepalives {interval 20;up-count 5;down-count 5;}vci 0.128;family inet {address 21.21.21.21/32 {destination 21.21.21.22;}}}unit 1 {encapsulation atm-ppp-llc;...ppp-options {chap {access-profile A-PPP-clients;}}...}unit 2 {encapsulation atm-ppp-llc;...ppp-options {chap {access-profile B-PPP-clients;}}...}unit 3 {encapsulation atm-ppp-llc;...ppp-options {chap {access-profile B-PPP-clients;}}...}...}...}

Users who log in to the router with telnet or SSH connections are authenticated by the RADIUS server 1.1.1.1. The backup RADIUS server for these users is 2.2.2.2.

Each profile may contain one or more backup RADIUS servers. In this example, PPP peers are CHAP authenticated by the RADIUS server 3.3.3.3 (with 4.4.4.4. as the backup server) or RADIUS server 5.5.5.5 (with 6.6.6.6 as the backup server).


Published: 2010-04-26