RADIUS Authentication on Juniper

This article shows how to configure a Juniper router to authenticate users on a RADIUS server.

1. Configure the router with the RADIUS server information:

[edit]
set system radius-server 10.0.12.1 port 1812
set system radius-server 10.0.12.1 secret yourpassword
set system radius-server 10.0.12.1 timeout 5
set system radius-server 10.0.12.1 retry 3
set system radius-server 10.0.12.1 source-address 192.168.120.4

In this case, the RADIUS server has the IP address 10.0.12.1 and listens on UDP port 1812; the router sends its requests from the source address 192.168.120.4, waits 5 seconds per attempt and retries 3 times.

2. Add one entry under [edit system login user] for each administrator and configure the proper permissions (classes) [1].

[edit]
system {
   authentication-order radius;
   login {
      user philip {
         full-name "Philip";
         uid 1001;
         class super-user;
      }
      user operator {
         full-name "All operators";
         uid 9990;
         class operator;
      }
      user remote {
         full-name "All remote users";
         uid 9999;
         class read-only;
      }
   }
}

Another example is available on this website.

3. Add an account named “remote”. This account is used when the RADIUS server successfully authenticates someone but the router has no corresponding entry for that user. In this case, the remote user is given the permissions assigned to the defined “remote” user [2][3].

set system login user remote uid 2001
set system login user remote class operator

Junos OS includes the predefined login classes listed below; these predefined classes cannot be modified [4].

  • operator
  • read-only
  • superuser or super-user
  • unauthorized

New classes can be created to assign users custom sets of permissions. See the following link for a list of all permissions supported by the router [5].

4. Configure the authentication order so that the router first tries to authenticate the user against the RADIUS server. If RADIUS does not authenticate the user, the router then tries the local user database (password).

system {
    authentication-order [ radius password ];
}

5. Important note: if the RADIUS server runs on Microsoft Windows, the “NAS IPv4 Address” option (on the Windows side) must be set to the router’s loopback address.
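As an added example that is not part of this article, the Python below builds the RFC 2865 Access-Request a router would send to the server configured in step 1 (shared secret, UDP port 1812, NAS-IP-Address as referenced in step 5) and checks the server's reply against the shared secret; the secret and addresses are the ones on this page, while the username, password and packet identifier are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def xor_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password transform: every 16-byte block is XORed
    with MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator. When hiding, the chain feeds back the hidden block."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if hiding else block
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    return xor_chain(padded, secret, authenticator, hiding=True)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def attribute(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value  # type, length, value

def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: bytes = b"") -> bytes:
    """Access-Request as the NAS (the router) sends it to UDP port 1812."""
    authenticator = authenticator or os.urandom(16)  # fresh 16 random bytes per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply: authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check (RFC 2865 section 3): a reply built with a different secret fails."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

To exercise it against a live server, send the packet from a UDP socket bound to the configured source-address to 10.0.12.1:1812 and pass the reply to verify_response; a reply that fails the check was not produced with the same shared secret the router holds.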


References

1. http://www.juniper.net/techpubs/en_US/junos12.3/information-products/pathway-pages/system-basics/user-access.html#overview
2. http://www.juniper.net/techpubs/en_US/junos12.3/topics/concept/authentication-user-template-accounts-overview.html
3. http://www.juniper.net/techpubs/en_US/junos12.3/topics/task/configuration/authentication-user-remote-template-account-configuring.html
4. http://www.juniper.net/techpubs/en_US/junos12.3/topics/concept/access-login-class-overview.html
5. http://www.juniper.net/techpubs/en_US/junos12.3/topics/concept/access-privileges-levels-overview.html
