User Accounts and Authentication

This section describes how to create user accounts and define authentication methods for the QFX5220, QFX5230, QFX5240, and QFX5241 Switches. This configuration helps define who can log in to the device, how to verify their authenticity, and what actions these users are authorized to perform on the device.

A user account is an identity that allows a user to access a particular device and includes a username, password (or authentication method), and login class (permission level). For more information, see User Accounts.

Authentication is the process of verifying the user's identity before granting access. For more information, see User Authentication Overview.

QFX Series Switches include predefined login classes such as operator, read-only, superuser, and unauthorized. For more information, see Login Classes.

Local User Account

When you first start any QFX Series Switch, it defaults to a root user with no password. However, you are not allowed to make any configuration changes at the root level.

To make any configuration changes, you need an account with a password. This is the simplest authentication method, where the username and password are stored locally on the switch. You can create a user and define permissions and system access using login classes. For more information, see User Accounts and Login Classes.

Example: To create an admin user:

RADIUS Authentication

This type of authentication uses a centralized server to authenticate users that attempt to access a network device. This method is commonly used in telecom networks. For more information, see RADIUS Authentication.

To configure a RADIUS server:

Configure the authentication order, then add system radius-server with a secret (and optionally source-address, interface, timeout, retries, etc.). The system tries the RADIUS method of authentication first and, if that fails, uses the local user authentication method.

TACACS+ Authentication

This type of authentication is an alternate method of authenticating users that attempt to access a network device. TACACS+ provides authentication and command authorization. This authentication method is often used in enterprise networks. For more information, see TACACS+ Authentication.

To configure a TACACS+ server:

Of all the authentication methods, the system first tries TACACS+ authentication. If it fails, the system tries the RADIUS server authentication method. If both authentication methods fail, the system tries the local user authentication method.
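The three methods above, combined into one configuration with the TACACS+, RADIUS, local order described in the last paragraph. This is an added example, not configuration from the original page: the server and source addresses are documentation-range placeholders, the secrets are placeholders, and the timeout and retry values are assumptions.

```junos
# Added example; addresses, secrets and timer values are constructed placeholders.
configure

# Local account: credentials are stored on the switch.
# The CLI prompts for the password interactively.
set system login user admin class super-user authentication plain-text-password

# RADIUS server: the secret must match the one defined on the server.
set system radius-server 192.0.2.10 secret "RADIUS-SECRET-PLACEHOLDER"
set system radius-server 192.0.2.10 source-address 192.0.2.1
set system radius-server 192.0.2.10 timeout 5
set system radius-server 192.0.2.10 retry 3

# TACACS+ server: provides authentication and command authorization.
set system tacplus-server 192.0.2.20 secret "TACACS-SECRET-PLACEHOLDER"
set system tacplus-server 192.0.2.20 source-address 192.0.2.1

# Try TACACS+ first, then RADIUS, then the local password database.
# Keeping "password" last preserves a local login path.
set system authentication-order [ tacplus radius password ]

# Review the pending change, then commit with automatic rollback.
show | compare
commit confirmed 5
```

With `commit confirmed 5` the switch rolls the change back after five minutes unless a plain `commit` follows, so verify a login from a second session before confirming.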