
Junos OS User Authentication Overview

Junos OS supports several methods, such as local password authentication, LDAPS, RADIUS, and TACACS+, for controlling user access to the network. Starting in Junos OS Release 20.2R1, we introduce LDAP support for login users with TLS security between the LDAPS client (device running Junos OS) and the LDAPS server. Authentication methods validate users who attempt to access the router or switch using Telnet. Authentication prevents unauthorized devices and users from gaining access to your LAN.

Junos OS User Authentication Methods

Junos OS supports four methods of user authentication: local password authentication, LDAP over TLS (LDAPS), RADIUS, and TACACS+.

With local password authentication, you configure a password for each user allowed to log in to the router or switch.

LDAPS, RADIUS, and TACACS+ are authentication methods for validating users who attempt to access the router or switch using any of the login methods. They are distributed client-server systems—the LDAPS, RADIUS, and TACACS+ clients run on the router or switch, and the server runs on a remote network system.

You can configure the router or switch to be an LDAPS, RADIUS, and/or TACACS+ client and you can also configure authentication passwords in the Junos OS configuration file. You can prioritize the methods to configure the order in which the software tries the different authentication methods when verifying user access.

Configuring Local User Template Accounts for User Authentication

You use local user template accounts when you need different types of templates for authentication. Each template can define a different set of permissions appropriate for the group of users who use that template. These templates are defined locally on the router or switch and referenced by the TACACS+, RADIUS, and LDAPS authentication servers.

When you configure local user templates and a user logs in, Junos OS issues a request to the authentication server to authenticate the user's login name. If the user is authenticated, the server returns the local username to Junos OS, which then determines whether a local username is specified for that login name (juniperLocalUserName for LDAP, local-username for TACACS+, and Juniper-Local-User for RADIUS). If so, Junos OS selects the corresponding local user template configured on the router or switch. If no local user template exists for the authenticated user, the router or switch defaults to the remote template.

To configure different access privileges for users who share the local user template account, include the allow-commands and deny-commands statements in the authentication server configuration file.

To configure a local user template, include the user statement at the [edit system login] hierarchy level, naming it with the local username that the server returns (juniperLocalUserName for LDAP, local-username for RADIUS), and specify the privileges you want to grant to the local users to whom the template applies:

This example configures the u_ldap local user template for LDAP in the LDAP Data Interchange Format (LDIF) file:

When the users John and Harry are authenticated, the router or switch applies the u_ldap local user template. When the users Tom and Dave are authenticated, the router or switch applies the auth local user template.

This example configures the sales and engineering local user templates for RADIUS:

When the login users Simon and Rob are authenticated, the router or switch applies the sales local user template. When login users Harold and Jim are authenticated, the router or switch applies the engineering local user template.

Configure Remote Template Accounts for User Authentication

By default, Junos OS uses remote template accounts for user authentication when:

  • The authenticated user does not exist locally on the router or switch.

  • The authenticated user's record in the authentication server specifies a local user, or the specified local user does not exist locally on the router or switch.

To configure the remote template account, include the user remote statement at the [edit system login] hierarchy level and specify the privileges you want to grant to remote users:

To configure different access privileges for users who share the remote template account, include the allow-commands and deny-commands statements in the authentication server configuration file.

Example: Create Template Accounts

This example shows how to create template accounts.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

You can create template accounts that are shared by a set of users when you are using LDAP, RADIUS, or TACACS+ authentication. When a user is authenticated by a template account, the CLI username is the login name, and the privileges, file ownership, and effective user ID are inherited from the template account.

By default, Junos OS uses the remote template account when:

  • The authenticated user does not exist locally on the device.

  • The authenticated user's record in the LDAP, RADIUS, or TACACS+ server specifies a local user, or the specified local user does not exist locally on the device.

In this example, you create a remote template account, set the username to remote, and set the login class for the user to operator. This remote template is applied to users authenticated by LDAP, RADIUS, or TACACS+ who do not belong to a local template account.

You then create a local template account and set the username as admin and the login class as superuser. You use local template accounts when you need different types of templates. Each template can define a different set of permissions appropriate for the group of users who use that template.
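The template selection described in the two sections above (local template named by the server, remote template as the fallback, CLI username kept as the login name) can be modelled in a few lines. The following is an added example, not Juniper code: it parses a constructed login configuration in display-set form and resolves which account supplies a session's login class and effective UID. The assumptions that a locally defined user is used directly and that a missing remote template denies the login are labelled in the comments.

```python
import re
from dataclasses import dataclass
# Constructed sample in 'show configuration | display set' form: the page's remote
# template (operator) and local template (admin); alice is an ordinary local user.
# 'super-user' is the predefined Junos class name that the page spells 'superuser'.
SAMPLE_LOGIN_CONFIG = """
set system login user remote class operator
set system login user remote uid 2001
set system login user admin class super-user
set system login user admin uid 2000
set system login user alice class read-only
set system login user alice uid 2002
"""
SET_RE = re.compile(r"^set system login user (\S+) (class|uid) (\S+)$")

def parse_login_config(text):
    """Return {username: {'class': ..., 'uid': ...}} from the 'set' lines."""
    users = {}
    for line in text.splitlines():
        if m := SET_RE.match(line.strip()):
            name, key, val = m.groups()
            users.setdefault(name, {})[key] = int(val) if key == "uid" else val
    return users

@dataclass
class Session:
    cli_username: str   # always the login name; privileges come from the template
    template: str       # account whose login class and effective uid apply
    login_class: str
    uid: int

# Attribute names the page lists for LDAP, TACACS+ and RADIUS replies.
LOCAL_USER_ATTRS = ("juniperLocalUserName", "local-username", "Juniper-Local-User")

def resolve_session(login_name, server_reply, users):
    """server_reply: attribute dict returned by the authentication server, or None
    if it rejected the user. Returns a Session, or None when login is denied."""
    if server_reply is None:
        return None
    if login_name in users:  # assumption: a user defined locally keeps its own account
        return _session(login_name, login_name, users)
    wanted = next((server_reply[a] for a in LOCAL_USER_ATTRS if a in server_reply), None)
    if wanted in users:      # server named a local template that is configured
        return _session(login_name, wanted, users)
    if "remote" in users:    # otherwise the remote template, as the page describes
        return _session(login_name, "remote", users)
    return None              # assumption: no remote template configured, so no access
def _session(login_name, template, users):
    acct = users[template]
    return Session(login_name, template, acct["class"], acct["uid"])
```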

Configuration

Create a Remote Template Account

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To create a remote template account:

  • Set the username and the login class for the user.

Results

From configuration mode, confirm your configuration by entering the show system login command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Create a Local Template Account

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To create a local template account:

  1. Set the username and the login class for the user.

Results

From configuration mode, confirm your configuration by entering the show system login command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Note:

To completely set up LDAP, RADIUS, or TACACS+ authentication, you must configure at least one LDAP, RADIUS, or TACACS+ server and specify a system authentication order. Do one of the following tasks:

Verification

Confirm that the configuration is working properly.

Verify the Template Accounts Creation

Purpose

Verify that the template accounts have been created.

Action

From operational mode, enter the show system login command.

What Are Remote Authentication Servers?

You probably already use a remote authentication server (or servers) in your network. It is a recommended best practice, because the servers allow you to centrally create a consistent set of user accounts for all devices in your network. There are many good reasons for implementing an authentication, authorization, and accounting (AAA) solution in your network, not the least of which is to make the management of user accounts easier.

There are three basic methods of remote authentication in use by most enterprises today—LDAPS, RADIUS, and TACACS+. Junos OS supports all three and can be configured to query multiple remote authentication servers of each type. The idea behind an LDAPS, RADIUS, or TACACS+ server is simple—a central authentication server that routers, switches, security devices, and even servers can use to authenticate users as they attempt to gain access to these systems. Think of the advantages that a central user directory brings to authentication, auditing, and access control in a client-server model, and you have your justification for RADIUS, LDAP, or TACACS+ in your network infrastructure.

Using a central server has multiple advantages over the alternative of creating local users on each device, a time-consuming and error-prone task. A central authentication system also simplifies the use of one-time password systems such as SecurID, which offer protection against password sniffing and password replay attacks, in which someone uses a captured password to pose as a system administrator.

  • RADIUS—You should use RADIUS when your priorities are interoperability and performance.

    • Interoperability—RADIUS is more interoperable than TACACS+, primarily because of the proprietary nature of TACACS+. While TACACS+ supports more protocols, RADIUS is universally supported.

    • Performance—RADIUS is much lighter on your routers and switches, and for this reason network engineers generally prefer RADIUS over TACACS+.

  • TACACS+—You should use TACACS+ when your priorities are security and flexibility.

    • Security—TACACS+ is more secure than RADIUS. Not only is the full session encrypted, but authorization and authentication are done separately to prevent someone from trying to force their way into your network.

    • Flexibility—TCP is a more flexible transport protocol than UDP. You can do more with it in more advanced networks. In addition, TACACS+ supports more of the enterprise protocols, such as NetBIOS or AppleTalk.

  • LDAPS—You should use LDAPS when your priorities are security and scalability.

    • Security—For enhanced security, LDAPS protects the session with TLS, using the server's private key rather than the shared secret used by RADIUS and TACACS+; this prevents unauthorized access to information and secures data effectively.

    • Scalability—LDAPS provides higher scalability without loss of reliability. There is no limit to the number of users, because the users maintain their own certificates, and certificate authentication involves an exchange of data between client and server only.

Release History Table

Release                    Description
Junos OS Release 20.2R1    Starting in Junos OS Release 20.2R1, we introduce LDAP support for login users with TLS security between the LDAPS client (device running Junos OS) and the LDAPS server.