Configuring the Lab Account

The following commands establish the lab account and associate the user with the superuser login class:

[edit system]
root@r1# set login user lab class superuser

[edit system]
root@r1# set login user lab authentication plain-text-password
New password:
Retype new password:

Because the lab, root, and ops accounts are to be authenticated through RADIUS, you must now configure the RADIUS server's properties. The RADIUS-related parameters needed for this task are configured with the following commands:

[edit system]
lab@r1# set radius-server 10.0.200.2 secret jni
Tip 

If your test bench does not offer RADIUS support, you can reduce the delay caused by unanswered RADIUS authentication requests by setting the retry and timeout parameters of the radius-server statement to 1. Otherwise each login waits through the full retry-times-timeout interval for every configured server before the router falls back to the local password database.

To tell the system that RADIUS authentication is to be used first, you must specify radius as the first entry in the system's authentication-order list with the following command:

[edit system] root@r1# set authentication-order radius 

The resulting lab account and RADIUS configuration are shown next:

[edit system]
root@r1# show login
user lab {
    class superuser;
    authentication {
        encrypted-password "$1$nNISN$o7OGTEhEF5sOcgjS9p0Lf0"; # SECRET-DATA
    }
}

[edit system]
root@r1# show radius-server
10.0.200.2 secret "$9$NQVs4Pfz36A"; # SECRET-DATA

[edit system]
root@r1# show authentication-order
authentication-order radius;

Verify the Lab Account

To verify the lab account, we log out as root and reconnect as the lab user:

root@r1% exit
logout

r1 (ttyd0)

login: lab
Password:
Last login: Fri Mar 8 16:20:47 on ttyd0
--- JUNOS 5.2B3.1 built 2001-12-28 18:50:44 UTC
lab@r1>

Though the previous capture shows that the lab account is functional, notice the wording 'automatic login in the event of RADIUS failure' in Table 1.1, shown earlier. This should make you ask what happens if the RADIUS server becomes unreachable. To simulate a RADIUS failure without touching the server, the shared secret configured on the router is changed to foo (a request signed with the wrong secret never yields a verifiable reply, so the router treats the server as silent) and the lab account is retested:

[edit system radius-server]
lab@r1# set 10.0.200.2 secret foo

[edit system radius-server]
lab@r1# commit and-quit
commit complete
Exiting configuration mode

lab@r1> quit

r1 (ttyd0)

login: lab
Password:
Local password:
Last login: Mon Apr 1 12:36:17 on ttyd0
--- JUNOS 5.2B3.1 built 2001-12-28 18:50:44 UTC
lab@r1>

Note the second prompt that asks for a local password. The router did fall back to the local password database once RADIUS failed to answer, but it asked for the password a second time, so automatic login is not functional. The problem lies in the omission of the password keyword in the system's authentication-order statement. Adding password after radius causes the router to verify the password the user already typed against the local password database automatically when the RADIUS server cannot be reached. To meet the configuration criteria, enter the following command to add password to the router's authentication order list:

[edit]
lab@r1# set system authentication-order password

[edit]
lab@r1# show system authentication-order
authentication-order [ radius password ];

[edit]
lab@r1# commit and-quit
commit complete
Exiting configuration mode

With the changes committed, we now retest the lab login:

lab@r1> quit

r1 (ttyd0)

login: lab
Password:
Last login: Mon Apr 1 12:41:09 on ttyd0
--- JUNOS 5.2B3.1 built 2001-12-28 18:50:44 UTC
lab@r1>

The user is now automatically logged in using the local password database when access to the RADIUS server is broken. After testing, you should reset the shared RADIUS secret to the correct value as specified in Table 1.1, shown earlier.

Note 

The local password database is not consulted when the RADIUS server returns an Access-Reject message, for example because the username is unknown to the server or the password is wrong: a reject is an authoritative answer, whereas the fallback applies only when no valid reply arrives. If you believe the RADIUS server has been misconfigured with regard to a given account's username or password, you will need to remove (or deactivate) the system's RADIUS configuration, or change the authentication order so that local logins are allowed.
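The fallback rules from the retest above and this Note are easy to misremember, so the following added example (not part of the chapter, and not Juniper code) models them in Python: RADIUS is tried first; a server that never produces a verifiable reply (unreachable, or a mismatched shared secret) is charged retry times timeout seconds and then skipped; with authentication-order radius alone the router falls back to the local database only after a second "Local password:" prompt, with [ radius password ] it reuses the password already typed, and an Access-Reject is final. The server address 10.0.200.2 and secret jni are the chapter's; the lab password, the local hash scheme, and the retry and timeout defaults of 3 are assumptions made for the example.

```python
"""Model of JUNOS authentication-order fallback as the chapter describes it.
Added example, not chapter or Juniper code; usernames, passwords and the hash
scheme are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum


class RadiusReply(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    TIMEOUT = "no verifiable reply"


@dataclass
class RadiusServer:            # server side of the exchange (constructed)
    secret: str
    users: dict                # username -> password the server knows


@dataclass
class RadiusEntry:             # one 'radius-server <addr>' stanza on the router
    address: str
    secret: str
    retry: int = 3             # assumed defaults; the Tip sets both to 1
    timeout: int = 3


@dataclass
class Router:
    authentication_order: list  # ["radius"] or ["radius", "password"]
    radius_servers: list        # list of RadiusEntry
    local_users: dict           # username -> (salt, sha256 hex digest)


@dataclass(frozen=True)
class AuthResult:
    allowed: bool
    method: str                 # "radius", "password" or "denied"
    prompts: tuple              # what the user saw at the console
    delay: int                  # seconds spent waiting on silent RADIUS servers


def hash_local_password(password: str) -> tuple:
    salt = os.urandom(8)        # stand-in for the $1$ MD5-crypt hash in the config
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def local_check(local_users: dict, user: str, password: str) -> bool:
    entry = local_users.get(user)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def radius_exchange(server, client_secret, user, password) -> RadiusReply:
    # A wrong shared secret garbles User-Password on the server and makes any
    # reply fail Response Authenticator verification on the router, so the
    # router experiences a timeout; that is why changing the secret to foo
    # simulates an unreachable server.
    if server is None or client_secret != server.secret:
        return RadiusReply.TIMEOUT
    if server.users.get(user) == password:
        return RadiusReply.ACCEPT
    return RadiusReply.REJECT


def authenticate(router: Router, network: dict, user: str, password: str) -> AuthResult:
    prompts = ["Password:"]
    delay = 0
    for method in router.authentication_order:
        if method == "radius":
            for entry in router.radius_servers:
                reply = radius_exchange(network.get(entry.address), entry.secret, user, password)
                if reply is RadiusReply.ACCEPT:
                    return AuthResult(True, "radius", tuple(prompts), delay)
                if reply is RadiusReply.REJECT:
                    # authoritative reject: the local database is not consulted
                    return AuthResult(False, "denied", tuple(prompts), delay)
                delay += entry.retry * entry.timeout   # silent server, move on
        elif method == "password":
            ok = local_check(router.local_users, user, password)
            return AuthResult(ok, "password" if ok else "denied", tuple(prompts), delay)
    # RADIUS silent and 'password' not listed: local fallback still happens,
    # but only after the router asks for the password a second time.
    prompts.append("Local password:")
    ok = local_check(router.local_users, user, password)
    return AuthResult(ok, "password" if ok else "denied", tuple(prompts), delay)


def worst_case_delay(router: Router) -> int:
    """Seconds before local fallback when every RADIUS server stays silent."""
    return sum(e.retry * e.timeout for e in router.radius_servers)


def run_scenarios() -> dict:
    network = {"10.0.200.2": RadiusServer("jni", {"lab": "lab-pw"})}   # constructed
    local = {"lab": hash_local_password("lab-pw")}

    def router(order, secret, retry=3, timeout=3):
        return Router(order, [RadiusEntry("10.0.200.2", secret, retry, timeout)], local)

    return {
        "radius ok": authenticate(router(["radius"], "jni"), network, "lab", "lab-pw"),
        "radius only, secret foo": authenticate(router(["radius"], "foo"), network, "lab", "lab-pw"),
        "radius password, secret foo": authenticate(router(["radius", "password"], "foo"), network, "lab", "lab-pw"),
        "radius password, bad password": authenticate(router(["radius", "password"], "jni"), network, "lab", "wrong"),
        "retry 1 timeout 1": authenticate(router(["radius", "password"], "foo", 1, 1), network, "lab", "lab-pw"),
    }


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:32} allowed={r.allowed} via={r.method} prompts={r.prompts} delay={r.delay}s")
```

Running the script prints one line per scenario; the "radius only, secret foo" case is the only one that shows the extra "Local password:" prompt, and the "bad password" case is denied without ever touching the local database, which is the behaviour the Note warns about.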




JNCIP: Juniper Networks Certified Internet Professional Study Guide (Exam CERT-JNCIP-M), ISBN 0782140734, 2003.