Technical Documentation

Configuring RADIUS Authentication

RADIUS authentication is a method of authenticating users who attempt to access the router or switch. The tasks to configure RADIUS authentication are described in the following sections.

Configuring RADIUS Server Details

To use RADIUS authentication on the router or switch, configure information about one or more RADIUS servers on the network by including one radius-server statement at the [edit system] hierarchy level for each RADIUS server:

[edit system]
radius-server server-address {
    accounting-port port-number;
    port port-number;
    retry number;
    secret password;
    source-address source-address;
    timeout seconds;
}

server-address is the address of the RADIUS server.

You can specify a port on which to contact the RADIUS server. By default, port number 1812 is used (as specified in RFC 2865). You can also specify an accounting port to send accounting packets. The default is 1813 (as specified in RFC 2866).

You must specify a password in the secret password statement. If the password contains spaces, enclose it in quotation marks. The secret used by the local router or switch must match that used by the server.

Optionally, you can specify the amount of time that the local router or switch waits to receive a response from a RADIUS server (in the timeout statement) and the number of times that the router or switch attempts to contact a RADIUS authentication server (in the retry statement). By default, the router or switch waits 3 seconds. You can configure this to be a value from 1 through 90 seconds. By default, the router or switch retries connecting to the server 3 times. You can configure this to be a value from 1 through 10 times.

You can use the source-address statement to specify a logical address for individual or multiple RADIUS servers.

To configure multiple RADIUS servers, include multiple radius-server statements.

To configure a set of users that share a single account for authorization purposes, you create a template user. To do this, include the user statement at the [edit system login] hierarchy level, as described in Overview of Template Accounts for RADIUS and TACACS+ Authentication.

You can also configure RADIUS authentication at the [edit access] and [edit access profile] hierarchy levels. The JUNOS Software uses the following search order to determine which set of servers is used for authentication:

  1. [edit access profile profile-name radius-server server-address]
  2. [edit access radius-server server-address]
  3. [edit system radius-server server-address]

Configuring MS-CHAPv2 for Password-Change Support

You can configure the Microsoft implementation of the Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) on the router or switch to support changing of passwords. This feature provides users accessing a router or switch the option of changing the password when the password expires, is reset, or is configured to be changed at next logon.

Before you configure MS-CHAPv2 for password-change support, ensure that you have done the following:

  • Configured RADIUS server authentication parameters.
  • Set RADIUS server as the first option tried in the authentication order.

To configure MS-CHAPv2, include the following statement at the [edit system radius-options] hierarchy level:

[edit system radius-options]
password-protocol mschap-v2;

The following example shows statements for configuring the MS-CHAPv2 password protocol, password authentication order, and user accounts:

[edit]
system {
    authentication-order [ radius password ];
    radius-server {
        secret "$9$G-j.5Qz6tpBk.1hrlXxUjiq5Qn/C"; ## SECRET-DATA
    }
    radius-options {
        password-protocol mschap-v2;
    }
    login {
        user bob {
            class operator;
        }
    }
}

Specifying a Source Address for the JUNOS Software to Access External RADIUS Servers

You can specify which source address the JUNOS Software uses when accessing your network to contact an external RADIUS server for authentication. You can also specify which source address the JUNOS Software uses when contacting a RADIUS server for sending accounting information.

To specify a source address for a RADIUS server, include the source-address statement at the [edit system radius-server server-address] hierarchy level:

[edit system radius-server server-address]
source-address source-address;

source-address is a valid IP address configured on one of the router or switch interfaces.

Note: You can configure the JUNOS Software to select a fixed address as the source address for locally generated IP packets.
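The following configuration is an added example, not part of the original documentation, that pulls together the server details, timers, and source-address statements described above for two RADIUS servers. The server addresses, secrets, and loopback source address are placeholders; the user name remote is the JUNOS default template account for RADIUS-authenticated users without a local account (a detail from JUNOS, not stated on this page).

```junos
/* Added example: two RADIUS servers at [edit system] with explicit
   ports, timers, and a fixed source address. Addresses and secrets
   are placeholders. */
system {
    /* Try RADIUS first; password is listed last so local accounts
       remain usable if both servers are unreachable. */
    authentication-order [ radius password ];
    radius-server {
        192.0.2.10 {
            /* Authentication port (RFC 2865 default) and
               accounting port (RFC 2866 default). */
            port 1812;
            accounting-port 1813;
            /* Must match the secret configured on the server.
               Plain text here is stored encrypted ($9$...) on commit. */
            secret "EXAMPLE-SECRET-1";
            /* Seconds to wait per attempt (1-90) and attempts per
               server (1-10); with two servers, worst-case wait before
               local fallback is 2 * timeout * retry = 30 seconds. */
            timeout 5;
            retry 3;
            /* Address configured on the loopback so the server's
               client entry can be keyed to one stable address. */
            source-address 192.0.2.1;
        }
        192.0.2.11 {
            port 1812;
            accounting-port 1813;
            secret "EXAMPLE-SECRET-2";
            timeout 5;
            retry 3;
            source-address 192.0.2.1;
        }
    }
    login {
        /* Template account: users authenticated by RADIUS that have
           no local user statement get this class's privileges. */
        user remote {
            class operator;
        }
    }
}
```

Both servers must list 192.0.2.1 as the client address for the shared secret to be applied to requests from this device.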

Published: 2010-04-26