 |
Note: If no RADIUS servers are configured at the [edit system accounting destination radius] statement hierarchy level, the JUNOS software uses the RADIUS servers configured at the [edit system radius-server] hierarchy level. |
With RADIUS accounting enabled, Juniper Network routers, acting as RADIUS clients, can notify the RADIUS server about user activities such as software logins, configuration changes, and interactive commands. The framework for RADIUS accounting is described in RFC 2866.
Tasks for configuring RADIUS system accounting are:
To audit user events, include the following statements at the [edit system accounting] hierarchy level:
- [edit system accounting]
- events [ events ];
- destination {
-
- radius {
-
- server {
-
- server-address {
- accounting-port port-number;
- secret password;
- source-address address;
- retry number;
- timeout seconds;
- }
- }
- }
- }
To specify the events you want to audit when using a RADIUS server for authentication, include the events statement at the [edit system accounting] hierarchy level:
- [edit system accounting]
- events [ events ];
events is one or more of the following:
To configure RADIUS server accounting, include the server statement at the [edit system accounting destination radius] hierarchy level:
- server {
-
- server-address {
- accounting-port port-number;
- secret password;
- source-address address;
- retry number;
- timeout seconds;
- }
- }
server-address specifies the address of the RADIUS server. To configure multiple RADIUS servers, include multiple server statements.
|
Note: If no RADIUS servers are configured at the [edit system accounting destination radius] statement hierarchy level, the JUNOS software uses the RADIUS servers configured at the [edit system radius-server] hierarchy level. |
accounting-port port-number specifies the RADIUS server accounting port number.
The default port number is 1813.
|
Note: If you enable RADIUS accounting at the [edit access profile profile-name accounting-order] hierarchy level, accounting is triggered on the default port of 1813 even if you do not specify a value for the accounting-port statement. |
You must specify a secret (password) that the local router passes to the RADIUS client by including the secret statement. If the password contains spaces, enclose the entire password in quotation marks (“ “).
In the source-address statement, specify a source address for the RADIUS server. Each RADIUS request sent to a RADIUS server uses the specified source address. The source address is a valid IPv4 address configured on one of the router interfaces.
Optionally, you can specify the number of times that the router attempts to contact a RADIUS authentication server by including the retry statement. By default, the router retries three times. You can configure the router to retry from 1 through 10 times.
Optionally, you can specify the length of time that the local router waits to receive a response from a RADIUS server by including the timeout statement. By default, the router waits 3 seconds. You can configure the timeout to be from 1 through 90 seconds.