CLI Configuration
For information about configuring RADIUS authentication, see http://www.juniper.net/techpubs/software/junos-security/junos-security10.4/junos-security-admin-guide/index.html?managing-users-config.html.
Important: To completely set up RADIUS authentication, you must specify a system authentication order and create user template accounts (steps 2 and 3, respectively).
- Add an external RADIUS server, and specify the port number and shared secret of the RADIUS server. In this example, the external RADIUS server is 10.0.0.100, with a port of 1812 and secret of abc.
- Specify the authentication order. In this example, user authentication is first attempted with the local password before RADIUS authentication is attempted.
- Assign a class to the remote authenticated users. By default, JUNOS Software uses the remote template account when the authenticated user does not exist locally on the device, and when the authenticated user's record in the RADIUS server specifies a local user template, but the specified local user template does not exist locally on the device.
user@host# set system radius-server 10.0.0.100 port 1812 secret abc
user@host# set system authentication-order radius
user@host# insert system authentication-order password before radius
In this example, a user named remote, with a full name of "all remote users", who belongs to the operator login class, is created.
user@host# set system login user remote full-name "all remote users"
user@host# set system login user remote class operator
Note: By default, Junos uses PAP, which is clear text. To enable mschap-v2, use the command below:
user@host# set system radius-options password-protocol mschap-v2
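An added example, not part of the original post or Juniper's documentation: a small Python check that reads set-style commands like the ones above and reports the gaps this page warns about (RADIUS missing from the authentication order, no remote template account, PAP left as the password protocol). The function name, the sample input and the 16-character minimum for the shared secret are assumptions made for illustration, and the input is taken to be commands as typed, with the secret in plain text.

```python
import re
import shlex

MIN_SECRET_LEN = 16  # assumed local policy threshold, not a Junos limit

def audit_radius_login(config_text):
    """Audit Junos set-style commands; return (findings, authentication_order)."""
    servers, order, users, protocol = {}, [], set(), None
    for raw in config_text.splitlines():
        # Strip a leading CLI prompt such as 'user@host# ', then tokenize.
        tok = shlex.split(re.sub(r"^\s*\S+@\S+#\s*", "", raw))
        if len(tok) < 4 or tok[1] != "system":
            continue
        verb, rest = tok[0], tok[2:]
        if verb == "set" and rest[0] == "radius-server":
            # rest: radius-server <addr> [port <n>] [secret <s>]
            servers.setdefault(rest[1], {}).update(zip(rest[2::2], rest[3::2]))
        elif verb == "set" and rest[0] == "authentication-order":
            if rest[1] not in order:
                order.append(rest[1])
        elif verb == "insert" and rest[0] == "authentication-order":
            # rest: authentication-order <method> before <other>
            if (len(rest) == 4 and rest[2] == "before"
                    and rest[3] in order and rest[1] != rest[3]):
                if rest[1] in order:
                    order.remove(rest[1])
                order.insert(order.index(rest[3]), rest[1])
        elif verb == "set" and rest[:2] == ["login", "user"] and len(rest) > 2:
            users.add(rest[2])
        elif verb == "set" and rest[:2] == ["radius-options", "password-protocol"]:
            protocol = rest[2] if len(rest) > 2 else None
    findings = []
    for addr, opts in servers.items():
        if len(opts.get("secret", "")) < MIN_SECRET_LEN:
            findings.append(f"{addr}: shared secret under {MIN_SECRET_LEN} characters")
    if servers and "radius" not in order:
        findings.append("radius missing from authentication-order")
    if servers and "remote" not in users:
        findings.append("no 'remote' user template account")
    if servers and protocol != "mschap-v2":
        findings.append("password-protocol not mschap-v2, PAP default applies")
    return findings, order

# The commands from this page, as typed (sample input for the check).
PAGE_CONFIG = '''\
user@host# set system radius-server 10.0.0.100 port 1812 secret abc
user@host# set system authentication-order radius
user@host# insert system authentication-order password before radius
user@host# set system login user remote full-name "all remote users"
user@host# set system login user remote class operator
'''
```

Calling audit_radius_login(PAGE_CONFIG) on the commands from this page returns the order password, radius and two findings: the three-character secret and the missing mschap-v2 setting.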