AAA/802.1x

Juniper User 'Remote' (radius)

‎11-04-2008 06:03 AM

Hi,

I need a clarification regarding the user 'remote' in Juniper routers. If this is the only config (related to authentication-order and login) present on the router, is it possible for a remote user to log in in case both RADIUS servers are not responding or not reachable? If we want the remote users to be able to access the router even in case of RADIUS failure, what changes (if needed) need to be done?

The user does not have the root password.

 

 

user@M120> show configuration system
host-name M120;
domain-name m120.net;
domain-search [ m120. m120.net. . ];
backup-router x.x.x.x;
time-zone UTC;
dump-on-panic;
authentication-order [ radius password ];
ports {
    console type vt100;
    auxiliary type vt100;
}
diag-port-authentication {
    encrypted-password "$1$4wwMyN4k$z0tBe2EMSFB1RhSrUx9We0"; ## SECRET-DATA
}
root-authentication {
    encrypted-password "$1$2D99xvJB$E1gyE6f5OtAhbJdfgdtEK0"; ## SECRET-DATA
}
name-server {
    x.x.x.x;
    y.y.y.y;
}
radius-server {
    a.b.c.d {
        port 1812;
        secret "$9$bcwoJmPDFefg34$6f567&*R"; ## SECRET-DATA
    }
    e.f.g.h {
        port 1812;
        secret "$f5HGJH^HJ&*$4546nAp0BES"; ## SECRET-DATA
    }
}
login {
    message "\n***************************************************************************\n*                                 *\n*                  This is the M120 router                                *\n*                                                                         *\n***************************************************************************\n\n";
    class remote-user {
        idle-timeout 15;
        permissions all;
    }
    user j-script {
        full-name "Juniper Script Acct";
        uid 2001;
        class remote-user;
        authentication {
            encrypted-password "$1$RDFGdgdt567&*45gYv70uX/"; ## SECRET-DATA
        }
    }
    user j-su {
        full-name "Juniper SU Admin Acct";
        uid 2000;
        class remote-user;
    }
    user remote {
        full-name "All Radius Users";
        uid 1000;
        class remote-user;
    }
}
services {
    ssh {
        connection-limit 40;
        rate-limit 20;
    }

 

Thanks
Pradeep

Re: Juniper User 'Remote' (radius)

‎11-04-2008 11:52 AM

Hi Pradeep,

 

You cannot use the same user ID to log in if your RADIUS servers are dead. If you want a user to have access when all RADIUS servers are unreachable or unresponsive, then you need to configure a local user as a last resort. Then, assuming that you want this user to be used only if all RADIUS servers fail to respond (not if they send an Access-Reject), you need the following...

 

system {
    authentication-order radius;
    login {
        user lastresort {
            full-name "Last Resort User";
            uid 2001;
            class superuser;
            authentication {
                encrypted-password "..."; ## SECRET-DATA
            }
        }
        user remote {
            full-name "RADIUS user template";
            uid 2002;
            class ops;
        }
        class superuser {
            permissions all;
        }
        class ops {
            permissions [ some other permissions ];
        }
    }
}

 

Rgds,

 

Guy 
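The reply above turns on one Junos rule: with `authentication-order radius` (no `password`), the local password database is consulted only when every RADIUS server fails to respond, whereas `authentication-order [ radius password ]`, as in the question's config, also tries the local password after an Access-Reject. The following model, added here as an editor's example and not Junos code or anything either poster ran, makes that decision procedure explicit and runs the two configs from the thread through it. All users, passwords and server behaviour are constructed; the Juniper-Local-User-Name VSA mapping and RADIUS timeouts/retries are not modelled.

```python
"""Model of Junos login fallback under `authentication-order`.

Editor's example, not Junos code. It models the documented rule that when
`password` is absent from `authentication-order`, local passwords are used
only if every RADIUS server is silent; listing `password` after `radius`
also consults the local password after an Access-Reject. All data below is
constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class RadiusResult(Enum):
    ACCEPT = "accept"
    REJECT = "reject"    # server answered with Access-Reject
    TIMEOUT = "timeout"  # server unreachable or silent


# A RADIUS server is modelled as a callable (username, password) -> RadiusResult.
RadiusServer = Callable[[str, str], RadiusResult]


@dataclass
class LocalUser:
    name: str
    user_class: str
    password: Optional[str] = None  # None: no local password (template / RADIUS-only)


@dataclass
class LoginConfig:
    authentication_order: List[str]   # e.g. ["radius", "password"] or ["radius"]
    local_users: Dict[str, LocalUser]
    template_user: str = "remote"     # name of the RADIUS template account


def radius_authenticate(servers: List[RadiusServer], username: str, password: str) -> RadiusResult:
    """Query servers in order; first ACCEPT or REJECT wins, TIMEOUT only if all were silent."""
    for server in servers:
        result = server(username, password)
        if result is not RadiusResult.TIMEOUT:
            return result
    return RadiusResult.TIMEOUT


def login(cfg: LoginConfig, servers: List[RadiusServer],
          username: str, password: str) -> Tuple[bool, Optional[str], str]:
    """Return (success, local account the session runs as, reason)."""
    order = cfg.authentication_order
    radius_outcome: Optional[RadiusResult] = None

    if "radius" in order:
        radius_outcome = radius_authenticate(servers, username, password)
        if radius_outcome is RadiusResult.ACCEPT:
            # A RADIUS-accepted user runs as the local account of the same name
            # if one exists, otherwise as the template account (`remote`).
            local = cfg.local_users.get(username) or cfg.local_users.get(cfg.template_user)
            if local is None:
                return False, None, "radius accept but no local or template account"
            return True, local.name, "radius"

    # Whether the local password database is consulted at all.
    if "password" in order:
        try_local = True                                    # explicit fallback
    else:
        try_local = radius_outcome is RadiusResult.TIMEOUT  # implicit fallback only on no response

    if not try_local:
        outcome = radius_outcome.value if radius_outcome else "no method"
        return False, None, f"radius {outcome}, local password not consulted"

    local = cfg.local_users.get(username)
    if local is not None and local.password is not None and local.password == password:
        return True, local.name, "local password"
    return False, None, "local password failed or not set"


# --- constructed servers and configs --------------------------------------

def dead_server(username: str, password: str) -> RadiusResult:
    """Unreachable server: never answers."""
    return RadiusResult.TIMEOUT


def make_server(directory: Dict[str, str]) -> RadiusServer:
    """A live server knowing only the users in `directory`; anyone else is rejected."""
    def server(username: str, password: str) -> RadiusResult:
        if directory.get(username) == password:
            return RadiusResult.ACCEPT
        return RadiusResult.REJECT
    return server


LIVE = [make_server({"alice": "radius-pw"})]   # both servers up, one RADIUS user
DOWN = [dead_server, dead_server]               # both servers unreachable

# Shape of the question's config: [radius password], template `remote` has no password,
# plus a hypothetical local last-resort account.
THREAD_CONFIG = LoginConfig(
    authentication_order=["radius", "password"],
    local_users={
        "remote": LocalUser("remote", "remote-user"),
        "lastresort": LocalUser("lastresort", "superuser", password="local-pw"),
    },
)

# Shape of the reply's config: `radius` only, so the local password is a true last resort.
STRICT_CONFIG = LoginConfig(
    authentication_order=["radius"],
    local_users=THREAD_CONFIG.local_users,
)
```

Running `login(THREAD_CONFIG, DOWN, "remote", ...)` fails because the template account has no password to fall back to, which is the situation the question describes. With `[ radius password ]`, an account that RADIUS rejects can still get in with its local password; with `radius` alone that door is closed and the local account works only when no server answers. Note also that the original `remote-user` class grants `permissions all` to every RADIUS-authenticated user; the reply's separate `ops` class for the template is the least-privilege shape.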


Re: Juniper User 'Remote' (radius)

‎11-05-2008 05:29 AM

If we configure a password in user 'remote' (which is the local database name for all users authenticated by RADIUS), won't it work? When it asks for the username we will provide 'remote' as the username, and the password is the one configured in the user remote section.

 

user remote {
    full-name "All Radius Users";
    uid 1000;
    class remote-user;
    authentication {
        encrypted-password "..."; ## SECRET-DATA
    }
}

Thanks
Pradeep

Re: Juniper User 'Remote' (radius)

‎11-05-2008 05:39 AM

Hi Pradeep,

 

I don't know 🙂  I've never tried it.

 

I would recommend using another username (other than remote), since users will have to know anyway that they have to enter a different username if their own fails after a very long delay. The users will certainly not be able to log in as "user" with the password in the user "remote". That will definitely not work.

 

Rgds,

 

Guy 


Re: Juniper User 'Remote' (radius)

‎11-05-2008 05:53 AM

Hi GuyDavies,

 

Thanks for the reply. I don't have a chance to work on a test setup or lab environment. Currently I am working in a live environment, where I don't see any local user password config (apart from the root account and j-script); that's why I got this doubt about how a normal user can log in in case of RADIUS failure.

 

Thanks once again for the continuous replies.

Thanks
Pradeep