
Junos | Radius - fallback to local user is not working

‎05-31-2019 04:06 AM

I'm at the end of my knowledge currently.

We have a setup where we're using radius to authenticate users for access to Junos devices.

The idea is to have primary access control via RADIUS. Only if the RADIUS server isn't reachable, for whatever reason, should a local user be used.


The configuration looks like this (display set output):

set system ports console authentication-order radius

set system radius-server X.X.X.X port 1645
set system radius-server X.X.X.X secret "$9$z9YlF/tu0[...]Hmfz"
set system radius-server X.X.X.X retry 3
set system radius-server X.X.X.X source-address X.X.X.X

set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 1
set system login retry-options backoff-factor 5
set system login retry-options minimum-time 20
set system login retry-options maximum-time 20
set system login retry-options lockout-period 120

set system login class RW login-alarms
set system login class RW login-tip
set system login class RW permissions all
set system login class RW allow-commands "^configure exclusive"
set system login class RW deny-commands "^edit|^configure"

set system login user RW uid 2001
set system login user RW class RW
set system login user fallback uid 2002
set system login user fallback class RW
set system login user fallback authentication encrypted-password "$6$VdPyZmAp$mDZMNI[...]q."


As long as the RADIUS server is reachable, authentication works fine (the fallback user is rejected; only maintained users can log in).

When I disable the RADIUS server, the fallback user is not able to log in to the Junos devices.


Perhaps someone can help me.


Thanks in advance

Michael


Re: Junos | Radius - fallback to local user is not working

‎05-31-2019 04:24 AM

Hello Michael,


Perhaps you can try to configure a fallback user with limited permissions. According to Authentication Order for RADIUS, TACACS+, and Local Password:

"In Junos OS Release 10.0 and later, the superuser (belonging to the super-user login class) is also authenticated based on the authentication order that is configured for TACACS+, RADIUS, or password authentication using the authentication-order statement. For example, if the only configured authentication order is TACACS+, the superuser can only be authenticated by the TACACS+ server and password authentication cannot be used as an alternative. However, in Junos OS Release 9.6 and earlier, the superuser can use password authentication to login, even if password authentication is not configured explicitly using the authentication-order statement."


BTW, what is the platform and JUNOS release you're using?


Best regards,
Sergii


Re: Junos | Radius - fallback to local user is not working

‎05-31-2019 05:41 AM

Hi Michael,


To allow login via local password if RADIUS authentication fails, we need to specify "password" under "authentication-order" as below:

  authentication-order [ radius password ];


Regards,

Rahul Gautam


Re: Junos | Radius - fallback to local user is not working

‎05-31-2019 06:34 AM

@RahulGautam wrote:

Hi Michael,

To allow login via local password if RADIUS authentication fails, we need to specify "password" under "authentication-order" as below:

  authentication-order [ radius password ];

Regards,

Rahul Gautam


That's what I tried initially. The problem is that the fallback user also works when there's a reject from RADIUS.

Meaning: a RADIUS request is sent for user fallback, RADIUS returns a reject, and fallback is then authenticated locally. But this is not allowed by our security policy. Local password authentication should only be possible when RADIUS is not working.


Re: Junos | Radius - fallback to local user is not working

‎05-31-2019 06:41 AM

@Sergii wrote:

Hello Michael,

Perhaps you can try to configure a fallback user with limited permissions. According to Authentication Order for RADIUS, TACACS+, and Local Password:

"In Junos OS Release 10.0 and later, the superuser (belonging to the super-user login class) is also authenticated based on the authentication order that is configured for TACACS+, RADIUS, or password authentication using the authentication-order statement. For example, if the only configured authentication order is TACACS+, the superuser can only be authenticated by the TACACS+ server and password authentication cannot be used as an alternative. However, in Junos OS Release 9.6 and earlier, the superuser can use password authentication to login, even if password authentication is not configured explicitly using the authentication-order statement."

BTW, what is the platform and JUNOS release you're using?

Best regards,
Sergii


I've tried changing the login class for user fallback.

set system login class RO login-tip
set system login class RO permissions secret
set system login class RO permissions view
set system login class RO permissions view-configuration

set system login user fallback uid 2002
set system login user fallback class RO
set system login user fallback authentication encrypted-password "$6$VdPyZm[...]Zsq."


But this doesn't work either. When the RADIUS server is not answering, the local fallback user cannot be authenticated.

May 31 15:31:52.649 2019 <hostname> login: sendmsg to X.X.X.X(X.X.X.X).1645 failed: Can't assign requested address
Local password:May 31 15:31:52.649 2019 <hostname> login: sendpkt to 164.28.131.21(164.28.131.21).1645 failed: error: Can't assign requested address
May 31 15:31:52.652 2019 <hostname> login: sendmsg to X.X.X.X(X.X.X.X).1645 failed: Can't assign requested address
May 31 15:31:52.652 2019 <hostname> login: rad_send_request: Tried all servers unsucessfully
May 31 15:31:52.652 2019 <hostname> login: detected authentication server problem
May 31 15:31:52.652 2019 <hostname> login: will attempt local password authentication


I'm using different SW versions and HW devices.

SW in use: 17.3R3-S3, 18.1R3-S1, 18.1R3-S4

HW in use: QFX10k & 5k series, EX4600 and 3400 series, MX240 & 480


Same behaviour on all devices and SW versions.


Based on the documentation, the local password should be used by default when RADIUS is the only configured authentication method and RADIUS is not reachable.
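As an added example (not from this thread or from Juniper), a small Python parser for the `login:` syslog messages quoted above, run over constructed sample lines with placeholder hostnames and a placeholder RADIUS address. It counts the fallback stages per device and separates devices that announced a local-password fallback (an event a SOC would want to alert on) from devices that logged RADIUS send failures without ever reaching that step, which is the symptom described in this thread.

```python
import re
from collections import defaultdict
# Constructed sample lines modelled on the `login:` messages quoted in the thread;
# hostnames and the RADIUS address (192.0.2.10) are placeholders.
SAMPLE_LOG = """\
May 31 15:31:52.649 2019 edge-rtr1 login: sendmsg to 192.0.2.10(192.0.2.10).1645 failed: Can't assign requested address
May 31 15:31:52.652 2019 edge-rtr1 login: rad_send_request: Tried all servers unsucessfully
May 31 15:31:52.652 2019 edge-rtr1 login: detected authentication server problem
May 31 15:31:52.652 2019 edge-rtr1 login: will attempt local password authentication
May 31 15:40:01.100 2019 edge-rtr2 login: sendmsg to 192.0.2.10(192.0.2.10).1645 failed: Can't assign requested address
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+ \d{4}) (?P<host>\S+) login: (?P<msg>.*)$")
# Fragments taken verbatim from the thread's log (misspelling included), one per fallback stage.
MARKERS = {
    "radius_send_failed": "failed: Can't assign requested address",
    "radius_all_servers_failed": "Tried all servers unsucessfully",
    "radius_server_problem": "detected authentication server problem",
    "local_password_fallback": "will attempt local password authentication",
}

def classify(msg):
    """Return the marker name a login message matches, or None."""
    for name, fragment in MARKERS.items():
        if fragment in msg:
            return name
    return None

def summarize(log_text):
    """Count fallback stages per host: {host: {marker: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt fused into the line, or a message from another daemon
        kind = classify(m.group("msg"))
        if kind:
            counts[m.group("host")][kind] += 1
    return {host: dict(c) for host, c in counts.items()}

def hosts_that_fell_back(summary):
    """Hosts that announced local password auth (alert: local account usable while RADIUS is down)."""
    return sorted(h for h, c in summary.items() if c.get("local_password_fallback", 0) > 0)

def hosts_with_radius_errors_but_no_fallback(summary):
    """Hosts with RADIUS send failures that never reached the local-password step (the thread's symptom)."""
    return sorted(h for h, c in summary.items()
                  if c.get("radius_send_failed", 0) > 0
                  and c.get("local_password_fallback", 0) == 0)
```

Feed it the device's `login:` messages from syslog; lines with the "Local password:" prompt fused in front, as in the excerpt above, are skipped rather than misparsed.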


Re: Junos | Radius - fallback to local user is not working

‎05-31-2019 06:48 AM

Hello Michael,


That's interesting. In your initial post I see only:

set system ports console authentication-order radius

And not:

set system authentication-order radius

Do you see this issue only for the console connection, or for normal SSH connections as well (and you just missed including this command in the problem description)?


Best regards,

Sergii


Re: Junos | Radius - fallback to local user is not working

‎05-31-2019 07:32 AM

Hi Michael,


You need to configure authentication-order under system as below:


> show configuration system authentication-order
authentication-order [ radius password ];


Regards,

Rahul Gautam


Re: Junos | Radius - fallback to local user is not working

‎06-03-2019 12:05 AM

@Sergii wrote:

Hello Michael,

That's interesting. In your initial post I see only:

set system ports console authentication-order radius

And not:

set system authentication-order radius

Do you see this issue only for the console connection, or for normal SSH connections as well (and you just missed including this command in the problem description)?

Best regards,

Sergii


I added the authentication order for the console port later, but it did not help.

I still have the same situation (for both console and SSH).

- authentication-order [ radius password ] lets me use the local user login when there's a reject from RADIUS (this is not allowed in our company)

- authentication-order radius works fine, but when I lose the connection to the RADIUS server, Junos does not fall back to local password login as described in all the documentation


I will try to figure this out with our professional support colleague.