Problem
You want to use a RADIUS or TACACS+ database to authenticate a group of users who perform similar job functions and tasks on the router, instead of setting up individual login accounts for them on the router.
Solution
Create a group account on the router to allow multiple users to be authenticated by the same RADIUS or TACACS+ server account:
[edit system login] aviva@router1# set user noc class operator aviva@router1# set user noc full-name "NOC team"
Then set the authentication order so that the remote server is checked before the router's configuration file. The following command uses TACACS+:
[edit system] aviva@router1# set authentication-order [ tacacs password ]
Finally, map the users on the server to the account name configured on the router. The following is the map on a TACACS+ server:
user = mike { service = junos-exec { local-user-name = noc } } user = sage { service = junos-exec { local-user-name = noc } }
Discussion
When you want a group of users to be able to log in to and work on the router but always want to use a central authentication server, you can set up a common account instead of creating login accounts on the router for these users. Then in the RADIUS or TACACS+ database, you map the username to the common account name.
The first command in this recipe creates the group account noc that has operator privileges and can perform most operational commands but cannot enter configuration mode. This second command, set user remote full-name, provides a description of the account. This command is optional but is suggested so that the meaning of the account is clear. The third command sets TACACS+ as the primary authentication method.
The TACACS+ database in this recipe has two usernames, mike and sage. When these two users try to log in to the router using their regular login names mike and sage, the login request is authenticated by the TACACS+ server, which sees that their local username (their login account name on the router) is noc. The server returns this information to the router, which logs them in using the noc account and gives them operator privileges.
Users who are authenticated only by a group account will not be able to log in to the router if the authentication server is down. You should always configure some individual user accounts with passwords on the router so someone can always log in to the router (see Recipe 2.5).
See Also
Recipes 2.4, 2.5, 2.10, and 2.13
Router Configuration and File Management
Basic Router Security and Access Control
IPSec
SNMP
Logging
NTP
Router Interfaces
IP Routing
Routing Policy and Firewall Filters
RIP
IS-IS
OSPF
BGP
MPLS
VPNs
IP Multicast