
Configuring RADIUS System Accounting

With RADIUS accounting enabled, Juniper Networks routers or switches, acting as RADIUS clients, can notify the RADIUS server about user activities such as software logins, configuration changes, and interactive commands. The framework for RADIUS accounting is described in RFC 2866.

Tasks for configuring RADIUS system accounting are:

  1. Configuring Auditing of User Events on a RADIUS Server
  2. Specifying RADIUS Server Accounting and Auditing Events
  3. Configuring RADIUS Server Accounting

Configuring Auditing of User Events on a RADIUS Server

To audit user events, include the following statements at the [edit system accounting] hierarchy level:

[edit system accounting]
events [ events ];
destination {
    radius {
        server {
            server-address {
                accounting-port port-number;
                secret password;
                source-address address;
                retry number;
                timeout seconds;
            }
        }
    }
}

Specifying RADIUS Server Accounting and Auditing Events

To specify the events you want to audit when using a RADIUS server for authentication, include the events statement at the [edit system accounting] hierarchy level:

[edit system accounting]
events [ events ];

events is one or more of the following:

  • login—Audit logins
  • change-log—Audit configuration changes
  • interactive-commands—Audit interactive commands (any command-line input)

Configuring RADIUS Server Accounting

To configure RADIUS server accounting, include the server statement at the [edit system accounting destination radius] hierarchy level:

server {
    server-address {
        accounting-port port-number;
        secret password;
        source-address address;
        retry number;
        timeout seconds;
    }
}

server-address specifies the address of the RADIUS server. To configure multiple RADIUS servers, include multiple server statements.

Note: If no RADIUS servers are configured at the [edit system accounting destination radius] statement hierarchy level, the JUNOS Software uses the RADIUS servers configured at the [edit system radius-server] hierarchy level.

accounting-port port-number specifies the RADIUS server accounting port number.

The default port number is 1813.

Note: If you enable RADIUS accounting at the [edit access profile profile-name accounting-order] hierarchy level, accounting is triggered on the default port of 1813 even if you do not specify a value for the accounting-port statement.

You must specify a secret (password) that the local router or switch passes to the RADIUS client by including the secret statement. If the password contains spaces, enclose the entire password in quotation marks (" ").

In the source-address statement, specify a source address for the RADIUS server. Each RADIUS request sent to a RADIUS server uses the specified source address. The source address is a valid IPv4 address configured on one of the router or switch interfaces.

Optionally, you can specify the number of times that the router or switch attempts to contact a RADIUS authentication server by including the retry statement. By default, the router or switch retries three times. You can configure the router or switch to retry from 1 through 10 times.

Optionally, you can specify the length of time that the local router or switch waits to receive a response from a RADIUS server by including the timeout statement. By default, the router or switch waits 3 seconds. You can configure the timeout to be from 1 through 90 seconds.


Published: 2010-04-26
