Switching

  • 1.  Radius and local users

    Posted 03-03-2016 01:29

    Hello,

     

    I have configured radius authentication for ex4200 and everything works fine:

    set system authentication-order [radius password]
    set system radius-server 192.168.1.2 secret xxxxxxx

    I have one problem: the local user can still log in, even if the radius server is available.

    How can I prevent it, and allow local user login only when the radius server is unavailable?

     

    Thanks.



  • 2.  RE: Radius and local users

    Posted 03-03-2016 05:36

    Hi zvitins,

     

    If the Radius server doesn't reply within 30 seconds to the authentication request from the EX switch the switch will try to authenticate the user using local profiles. 

     

    What do you mean by "everything works fine"? Are you sure the radius server is replying and the EX is receiving the reply to the authentication requests for the users you are talking about?



  • 3.  RE: Radius and local users

    Posted 03-06-2016 23:06

    Hello,

     

    I'll try to explain: I have local user - user1 and radius user - user1. If I insert the radius password I log in as the radius user; if I insert the local password I log in as the local user. Also I have one local user who can log in without any problem even when radius is working.

     

    As I understand, local user can't log in if radius is available, but I can - and that is what I want to understand and resolve.

     

     

     

    Thanks.



  • 4.  RE: Radius and local users

     
    Posted 03-07-2016 05:58

    I assume what you are saying is that for the same username, you have different passwords for their Radius account vs their local user account, yes?  I am not sure how this would work, but when you use local password, this would fail for Radius, but then work for local.  Not sure if this is by design or not.  Suggest you need to open a TAC case for someone to test and figure out operation and see if by design or a sort of bug.



  • 5.  RE: Radius and local users
    Best Answer

    Posted 03-07-2016 06:21

    No bug, works as designed. You have the following behaviour depending on the authentication-order configuration as described in http://www.juniper.net/documentation/en_US/junos15.1/topics/concept/authentication-order-authentication-methods-overview.html

     

     

    (1) authentication-order [ radius password ];

    - If the user has the correct password due to the radius account, he is accepted

    - If the user is not accepted by the radius account, the local database (aka password) is consulted. If the local password is correct, he is accepted, otherwise denied.

     

    (2) authentication-order radius;

    - If the user has the correct password due to the radius account, he is accepted, if not he is rejected and cannot login.

    - If the radius server does not reply, then the local password database is consulted as a fallback!

     

    So, you have to go for option (2).

     

    Cheers,

    Carsten
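
The two authentication-order cases from the answer above, modelled in Python as an added example (not code from the thread or from Juniper). The function names and the 'accept'/'reject'/'timeout' labels are assumptions made for the illustration; the behaviour encoded is only what the answer states.

```python
import re

# Configuration from the original question, and the variant the answer recommends.
CONFIG_BEFORE = """set system authentication-order [radius password]
set system radius-server 192.168.1.2 secret xxxxxxx"""
CONFIG_AFTER = """set system authentication-order radius
set system radius-server 192.168.1.2 secret xxxxxxx"""

def parse_auth_order(config_text):
    """Return the method list from a 'set system authentication-order' line."""
    m = re.search(r"^\s*set system authentication-order\s+(.+)$", config_text, re.M)
    if not m:
        return []
    return m.group(1).replace("[", " ").replace("]", " ").split()

def login_result(order, radius, local_ok):
    """Outcome of one login attempt (hypothetical helper).

    order    -- ['radius', 'password'] or ['radius'], the two cases in the answer
    radius   -- 'accept', 'reject', or 'timeout' (server did not reply)
    local_ok -- True if the typed password matches the local account
    """
    if order not in (["radius", "password"], ["radius"]):
        raise ValueError("only the two orders discussed in the thread are modelled")
    if radius == "accept":
        return "accepted (radius)"
    if radius == "reject" and order == ["radius"]:
        return "denied"  # case (2): a reject is final
    # case (1) after a reject, or either case when the server does not reply:
    # the local password database is consulted
    return "accepted (local)" if local_ok else "denied"

def local_usable_while_radius_up(config_text):
    """True if a valid local password still logs in while RADIUS is answering."""
    order = parse_auth_order(config_text)
    return login_result(order, "reject", True) == "accepted (local)"

if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        order = parse_auth_order(cfg)
        print(name, order)
        for state in ("accept", "reject", "timeout"):
            print("  radius", state, "->", login_result(order, state, True))
        print("  local login while radius is up:", local_usable_while_radius_up(cfg))
```
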

     

     



  • 6.  RE: Radius and local users

     
    Posted 03-07-2016 06:54

    Perfection.  Thanks