Setting Up RADIUS User Authentication

Problem

You use RADIUS for user authentication in your network and you want to set up the router to authenticate against the RADIUS server.

Solution

Configure information about your RADIUS server:

	[edit system]
	aviva@router1# set radius-server 192.168.63.10 secret $1991poppI
	aviva@router1# show
	radius-server {
	 192.168.63.10 secret "$9$90m6AO1EcyKWLhcYgaZji"; ## SECRET-DATA
	}

 

Discussion

The Remote Authentication Dial-In User Service (RADIUS) provides a centralized method for authenticating users on the router. RADIUS uses a client/server model. A RADIUS server receives user connection requests, authenticates the user, and returns all configuration information necessary for the clientin this case, the routerto deliver service to the user. All transactions between the server and the client are authenticated by a password called a shared secret.

To configure the router as a RADIUS client, you set the IP address of your RADIUS server and the password (secret) that the router should use to access the server. The secret on the router and the RADIUS server must be the same. After you type the secret, the CLI never displays it but shows it in a pseudoencrypted format. The show output is a simple obfuscation to prevent someone from reading the password over your shoulder.

By default, the JUNOS software sends authentication requests to UDP port 1812 on the RADIUS server, as defined in RFC 2865. Also by default, the router waits three seconds to receive a response from the RADIUS server and, if it doesn't hear from the server, tries three more times to connect. You can modify these values if necessary. Here, we allow just 1 retry and wait 10 seconds to receive a response from the server:

	[edit system]
	aviva@router1# set radius-server 192.168.63.10 retry 1
	aviva@router1# set radius-server 192.168.63.10 timeout 10

If you use a centralized server, it represents a single point of failure if it should go down. To provide redundancy, you can configure several servers:

	[edit system]
	aviva@router1# 
set 
radius-server 192.168.0.23 secret 2lip123
	aviva@router1# set radius-server 10.0.16.1 secret 883roZe

When you configure more than one server, initially the primary server is the one you configured first. After that, the primary server is the one that last responded. If the router cannot reach this server, it tries the remaining ones in the order configured. Use the show command to see the order in which the router tries the servers:

	[edit system]
	aviva@router1# show
	radius-server {
	 192.168.63.10 secret "$9$vs0W7-oJGiqm24fzF3AtKvWL7V"; ## SECRET-DATA
	 10.0.16.1 secret "$9$4DojHQFnCp0TzIcrKXxbs2"; ## SECRET-DATA
	 192.168.0.23 secret "$9$7edYgq.5QF/iktuB1hcwY2"; ## SECRET-DATA
	}

Notice that this example specifies different secrets for each server to improve network security. If you suspect that the password of the primary server has been compromised, you can switch to one of the secondary servers.

The JUNOS software defines vendor-specific RADIUS attributes, which are included in packets sent to the RADIUS server. You can configure your server to interpret the Juniper-specific information (see Table 2-2). The Juniper Networks vendor ID is 2636. All the Juniper attributes are used only in RADIUS Access-Accept packets.

Table 2-2. Juniper-specific RADIUS attributes

Attribute name

Description

Type field value

Length field value

String

Juniper-Local-User-Name

Name of user template.

1

3 or more

One or more ASCII octets

Juniper-Allow-Commands

Allows user to run operational mode commands in addition to those authorized by the user's login class. Same action as the allow-command statement.

2

3 or more

One or more ASCII octets written as an extended regular expression

Juniper-Deny-Commands

Disallows user to run operational mode commands authorized by the user's login class. Same action as the deny-command statement.

3

3 or more

One or more ASCII octets written as an extended regular expression

Juniper-Allow-Configuration

Allows the user to modify portions of the configuration in addition to those authorized by the user's login class. Same action as the allow-statement statement.

4

3 or more

One or more ASCII octets written as an extended regular expression

Juniper-Deny-Configuration

Disallows user to modify portions of the configuration in addition to those authorized by the user's login class. Same action as the deny-statement statement.

5

3 or more

One or more ASCII octets written as an extended regular expression

 

See Also

RFC 2865, Remote Authentication Dial In User Service (RADIUS)


Router Configuration and File Management

Basic Router Security and Access Control

IPSec

SNMP

Logging

NTP

Router Interfaces

IP Routing

Routing Policy and Firewall Filters

RIP

IS-IS

OSPF

BGP

MPLS

VPNs

IP Multicast



JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett

Similar book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net