Managing User Authentication with a Configuration Editor
This section contains the following topics:
Setting Up RADIUS Authentication
To use RADIUS authentication, you must configure at least one
RADIUS server.
The procedure provided in this section identifies the RADIUS
server, specifies the secret (password) of the RADIUS server, and
sets the source address of the services router's RADIUS requests to
the loopback address of the device. The procedure uses the
following sample values:
- The RADIUS server's IP address is 172.16.98.1.
- The RADIUS server's secret is Radiussecret1.
- The loopback address of the device is 10.0.0.1.
To configure RADIUS authentication:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 72.
- If you are finished configuring the network, commit
the configuration.
To completely set up RADIUS authentication, you must create
user template accounts and specify a system authentication order.
- Go on to one of the following procedures:
Table 72: Setting Up RADIUS Authentication

Task: Navigate to the System level in the configuration hierarchy.
  J-Web Configuration Editor:
    - In the J-Web interface, select CLI Tools>Point and Click CLI.
    - Next to System, click Configure or Edit.
  CLI Configuration Editor: From the [edit] hierarchy level, enter
    edit system

Task: Add a new RADIUS server.
  J-Web Configuration Editor:
    - In the Radius server box, click Add new entry.
    - In the Address box, type the IP address of the RADIUS server: 172.16.98.1
  CLI Configuration Editor: Set the IP address of the RADIUS server:
    set radius-server address 172.16.98.1

Task: Specify the shared secret (password) of the RADIUS server. The secret is stored as an encrypted value in the configuration database.
  J-Web Configuration Editor: In the Secret box, type the shared secret of the RADIUS server: Radiussecret1
  CLI Configuration Editor: Set the shared secret of the RADIUS server:
    set radius-server 172.16.98.1 secret Radiussecret1

Task: Specify the source address to be included in the RADIUS server requests by the device. In most cases, you can use the loopback address of the device.
  J-Web Configuration Editor: In the Source address box, type the loopback address of the device: 10.0.0.1
  CLI Configuration Editor: Set the device's loopback address as the source address:
    set radius-server 172.16.98.1 source-address 10.0.0.1
Setting Up TACACS+ Authentication
To use TACACS+ authentication, you must configure at least one
TACACS+ server.
The procedure provided in this section identifies the TACACS+
server, specifies the secret (password) of the TACACS+ server, and
sets the source address of the services router's TACACS+ requests
to the loopback address of the device. This procedure uses
the following sample values:
- The TACACS+ server's IP address is 172.16.98.24.
- The TACACS+ server's secret is Tacacssecret1.
- The loopback address of the device is 10.0.0.1.
To configure TACACS+ authentication:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 73.
- If you are finished configuring the network, commit
the configuration.
To completely set up TACACS+ authentication, you must create
user template accounts and specify a system authentication order.
- Go on to one of the following procedures:
Table 73: Setting Up TACACS+ Authentication

Task: Navigate to the System level in the configuration hierarchy.
  J-Web Configuration Editor:
    - In the J-Web interface, select CLI Tools>Point and Click CLI.
    - Next to System, click Configure or Edit.
  CLI Configuration Editor: From the [edit] hierarchy level, enter
    edit system

Task: Add a new TACACS+ server.
  J-Web Configuration Editor:
    - In the Tacplus server box, click Add new entry.
    - In the Address box, type the IP address of the TACACS+ server: 172.16.98.24
  CLI Configuration Editor: Set the IP address of the TACACS+ server:
    set tacplus-server address 172.16.98.24

Task: Specify the shared secret (password) of the TACACS+ server. The secret is stored as an encrypted value in the configuration database.
  J-Web Configuration Editor: In the Secret box, type the shared secret of the TACACS+ server: Tacacssecret1
  CLI Configuration Editor: Set the shared secret of the TACACS+ server:
    set tacplus-server 172.16.98.24 secret Tacacssecret1

Task: Specify the source address to be included in the TACACS+ server requests by the device. In most cases, you can use the loopback address of the device.
  J-Web Configuration Editor: In the Source address box, type the loopback address of the device: 10.0.0.1
  CLI Configuration Editor: Set the device's loopback address as the source address:
    set tacplus-server 172.16.98.24 source-address 10.0.0.1
Configuring Authentication Order
The procedure provided in this section configures the services
router to attempt user authentication with the local password first,
then with the RADIUS server, and finally with the TACACS+ server.
To configure authentication order:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 74.
- If you are finished configuring the network, commit
the configuration.
To completely set up RADIUS or TACACS+ authentication, you must
configure at least one RADIUS or TACACS+ server and create user template
accounts.
- Go on to one of the following procedures:
Table 74: Configuring Authentication Order

Task: Navigate to the System level in the configuration hierarchy.
  J-Web Configuration Editor:
    - In the J-Web interface, select CLI Tools>Point and Click CLI.
    - Next to System, click Configure or Edit.
  CLI Configuration Editor: From the [edit] hierarchy level, enter
    edit system

Task: Add RADIUS authentication to the authentication order.
  J-Web Configuration Editor:
    - In the Authentication order box, click Add new entry.
    - In the list, select radius.
    - Click OK.
  CLI Configuration Editor: Insert the radius statement in the authentication order:
    insert system authentication-order radius after password

Task: Add TACACS+ authentication to the authentication order.
  J-Web Configuration Editor:
    - In the Authentication order box, click Add new entry.
    - In the list, select tacplus.
    - Click OK.
  CLI Configuration Editor: Insert the tacplus statement in the authentication order:
    insert system authentication-order tacplus after radius
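The three procedures above (Tables 72 to 74) are easy to leave half done: a server without a secret or source address, a server that is configured but never listed in the authentication order, or no template account for users who authenticate remotely but have no local account. The following Python script is an added example, not Juniper code, that reads a configuration in set-command form and reports each missing piece. It assumes one statement per line in fully qualified set form (the table's commands are written relative to edit system), and that the remote template account is the user named remote, as in this page's sample; both sample configurations below are constructed for illustration.

```python
"""Completeness audit for the remote-authentication configuration built in
Tables 72 through 74: each RADIUS/TACACS+ server needs a secret and a source
address, a configured server type should appear in authentication-order, and a
template account (the user named remote, as in this page's sample) should
exist so authenticated users without a local account can be mapped.
Assumptions (not from the page): set-style input, one statement per line."""
import shlex
from collections import defaultdict

SERVER_TYPES = {"radius-server": "radius", "tacplus-server": "tacplus"}

# Constructed sample: the page's values written as fully qualified set commands.
SAMPLE_CONFIG = """
set system radius-server 172.16.98.1 secret Radiussecret1
set system radius-server 172.16.98.1 source-address 10.0.0.1
set system tacplus-server 172.16.98.24 secret Tacacssecret1
set system tacplus-server 172.16.98.24 source-address 10.0.0.1
set system authentication-order [ password radius tacplus ]
set system login class operator-and-boot allow-commands "request system reboot"
set system login class operator-and-boot permissions [clear network reset trace view]
set system login user cmartin class superuser
set system login user remote class operator
"""

# Constructed sample with the pieces the page warns about left out.
INCOMPLETE_CONFIG = """
set system radius-server 172.16.98.1 secret Radiussecret1
set system authentication-order tacplus
set system login user cmartin class superuser
"""


def parse_set_config(text):
    """Turn 'set ...' lines into token lists; a bracketed group such as
    [clear network reset] becomes one list token."""
    stmts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        stmt, group = [], None
        for tok in shlex.split(line)[1:]:
            if group is None and tok.startswith("["):
                group, tok = [], tok[1:]
                if not tok:
                    continue
            if group is not None and tok.endswith("]"):
                if tok[:-1]:
                    group.append(tok[:-1])
                stmt.append(group)
                group = None
                continue
            (stmt if group is None else group).append(tok)
        stmts.append(stmt)
    return stmts


def build_model(stmts):
    """Collect servers, authentication order, users and login classes."""
    model = {"servers": {"radius": {}, "tacplus": {}}, "auth_order": [],
             "users": {}, "classes": defaultdict(dict)}
    for s in stmts:
        if len(s) < 3 or s[0] != "system":
            continue
        key = s[1]
        if key in SERVER_TYPES:
            entry = model["servers"][SERVER_TYPES[key]].setdefault(s[2], {})
            if len(s) >= 5:
                entry[s[3]] = s[4]          # secret, source-address, ...
        elif key == "authentication-order":
            methods = s[2] if isinstance(s[2], list) else [s[2]]
            model["auth_order"].extend(methods)
        elif key == "login" and len(s) >= 6 and s[2] == "user" and s[4] == "class":
            model["users"][s[3]] = s[5]
        elif key == "login" and len(s) >= 6 and s[2] == "class":
            model["classes"][s[3]][s[4]] = s[5]
    return model


def audit_config(text):
    """Return a list of findings; an empty list means every piece the page's
    procedures call for is present."""
    m = build_model(parse_set_config(text))
    findings = []
    for method, servers in m["servers"].items():
        for addr, attrs in servers.items():
            for required in ("secret", "source-address"):
                if required not in attrs:
                    findings.append(f"{method}-server {addr}: missing {required}")
        if servers and method not in m["auth_order"]:
            findings.append(f"{method}: server configured but not in authentication-order")
    for method in m["auth_order"]:
        if method in m["servers"] and not m["servers"][method]:
            findings.append(f"{method}: in authentication-order but no server configured")
    if any(m["servers"].values()) and "remote" not in m["users"]:
        findings.append("no remote template account (user remote) for users without a local account")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("incomplete", INCOMPLETE_CONFIG)):
        print(name, audit_config(cfg) or ["ok"])
```

Run against the complete sample the audit returns nothing; run against the incomplete one it lists the missing source address, the RADIUS server absent from the authentication order, the tacplus entry with no server behind it, and the missing remote template account. The parser deliberately accepts both the spaced `[ a b ]` and the unspaced `[a b]` bracket forms, since the page's tables use the latter.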
Controlling User Access
This section contains the following topics:
Defining Login Classes
You can define any number of login classes. You then apply one
login class to an individual user account, as described in Creating User Accounts and Setting Up Template Accounts.
The procedure provided in this section creates a sample login
class named operator-and-boot with the following privileges:
- The operator-and-boot login class can reboot
the services router using the request system reboot command.
- The operator-and-boot login class can also use
commands defined in the clear, network, reset, trace, and view permission bits. For more information,
see Permission Bits.
To define login classes:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 75.
- If you are finished configuring the network, commit
the configuration.
- Go on to one of the following procedures:
Table 75: Defining Login Classes

Task: Navigate to the System Login level in the configuration hierarchy.
  J-Web Configuration Editor:
    - In the J-Web interface, select CLI Tools>Point and Click CLI.
    - Next to System, click Configure or Edit.
    - Next to Login, click Configure or Edit.
  CLI Configuration Editor: From the [edit] hierarchy level, enter
    edit system login

Task: Create a login class named operator-and-boot with the ability to reboot the device.
  J-Web Configuration Editor:
    - Next to Class, click Add new entry.
    - Type the name of the login class: operator-and-boot
    - In the Allow commands box, type the request system reboot command enclosed in quotation marks: "request system reboot"
    - Click OK.
  CLI Configuration Editor: Set the name of the login class and the ability to use the request system reboot command:
    set class operator-and-boot allow-commands "request system reboot"

Task: Give the operator-and-boot login class operator privileges.
  J-Web Configuration Editor:
    - Next to Permissions, click Add new entry.
    - In the Value list, select clear.
    - Click OK.
    - Next to Permissions, click Add new entry.
    - In the Value list, select network.
    - Click OK.
    - Next to Permissions, click Add new entry.
    - In the Value list, select reset.
    - Click OK.
    - Next to Permissions, click Add new entry.
    - In the Value list, select trace.
    - Click OK.
    - Next to Permissions, click Add new entry.
    - In the Value list, select view.
    - Click OK.
  CLI Configuration Editor: Set the permission bits for the operator-and-boot login class:
    set class operator-and-boot permissions [clear network reset trace view]
Creating User Accounts
User accounts provide one way for users to access the services
router. (Users can access the router without accounts if you configured
RADIUS or TACACS+ servers, as described in Setting Up RADIUS Authentication and Setting Up TACACS+ Authentication.)
The procedure provided in this section creates a sample user
named cmartin with the following characteristics:
- The user cmartin belongs to the superuser login class.
- The user cmartin uses an encrypted password, $1$14c5.$sBopasdFFdssdfFFdsdfs0.
To create user accounts:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 76.
- If you are finished configuring the network, commit
the configuration.
Table 76: Creating User Accounts

Task: Navigate to the System Login level in the configuration hierarchy.
  J-Web Configuration Editor:
    - In the J-Web interface, select CLI Tools>Point and Click CLI.
    - Next to System, click Configure or Edit.
    - Next to Login, click Configure or Edit.
  CLI Configuration Editor: From the [edit] hierarchy level, enter
    edit system login

Task: Create a user named cmartin who belongs to the superuser login class.
  J-Web Configuration Editor:
    - Next to User, click Add new entry.
    - In the User name box, type cmartin.
    - In the Class box, type superuser.
    - Click OK.
  CLI Configuration Editor: Set the username and the login class for the user:
    set user cmartin class superuser

Task: Define the encrypted password for cmartin.
  J-Web Configuration Editor:
    - Next to Authentication, click Configure.
    - In the Encrypted password box, type $1$14c5.$sBopasdFFdssdfFFdsdfs0
    - Click OK.
  CLI Configuration Editor: Set the encrypted password for cmartin:
    set user cmartin authentication encrypted-password $1$14c5.$sBopasdFFdssdfFFdsdfs0
Setting Up Template Accounts
You can create template accounts that are shared by a set of
users when you are using RADIUS or TACACS+ authentication. When a
user is authenticated by a template account, the CLI username is the
login name, and the privileges, file ownership, and effective user
ID are inherited from the template account.
This section contains the following topics:
Creating a Remote Template Account
You can create a remote template that is applied to users authenticated
by RADIUS or TACACS+ that do not belong to a local template account.
By default, JUNOS Software uses the remote template
account when
- The authenticated user does not exist locally on the services router.
- The authenticated user's record in the RADIUS or TACACS+ server specifies a local user, but that local user does not exist on the device.
The procedure provided in this section creates a sample user
named remote that belongs to the operator login
class.
To create a remote template account:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 77.
- If you are finished configuring the network, commit
the configuration.
To completely set up RADIUS or TACACS+ authentication, you must
configure at least one RADIUS or TACACS+ server and specify a system
authentication order.
- Go on to one of the following procedures:
Table 77: Creating a Remote Template Account

Task: Navigate to the System Login level in the configuration hierarchy.
  J-Web Configuration Editor:
    - In the J-Web interface, select CLI Tools>Point and Click CLI.
    - Next to System, click Configure or Edit.
    - Next to Login, click Configure or Edit.
  CLI Configuration Editor: From the [edit] hierarchy level, enter
    edit system login

Task: Create a user named remote who belongs to the operator login class.
  J-Web Configuration Editor:
    - Next to User, click Add new entry.
    - In the User name box, type remote.
    - In the Class box, type operator.
    - Click OK.
  CLI Configuration Editor: Set the username and the login class for the user:
    set user remote class operator
Creating a Local Template Account
You can create a local template that is applied to users authenticated
by RADIUS or TACACS+ that are assigned to the local template account.
You use local template accounts when you need different types of templates.
Each template can define a different set of permissions appropriate
for the group of users who use that template.
The procedure provided in this section creates a sample user
named admin that belongs to the superuser login
class.
To create a local template account:
- Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
- Perform the configuration tasks described in Table 78.
- If you are finished configuring the network, commit
the configuration.
To completely set up RADIUS or TACACS+ authentication, you must
configure at least one RADIUS or TACACS+ server and specify a system
authentication order.
- Go on to one of the following procedures:
Table 78: Creating a Local Template Account

Task: Navigate to the System Login level in the configuration hierarchy.
  J-Web Configuration Editor:
    - In the J-Web interface, select CLI Tools>Point and Click CLI.
    - Next to System, click Configure or Edit.
    - Next to Login, click Configure or Edit.
  CLI Configuration Editor: From the [edit] hierarchy level, enter
    edit system login

Task: Create a user named admin who belongs to the superuser login class.
  J-Web Configuration Editor:
    - Next to User, click Add new entry.
    - In the User name box, type admin.
    - In the Class box, type superuser.
    - Click OK.
  CLI Configuration Editor: Set the username and the login class for the user:
    set user admin class superuser
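The two template sections above describe a mapping rule: a remotely authenticated user keeps their own login name on the CLI but inherits class, file ownership and effective user ID from whichever account they map to, either the local template named in their RADIUS or TACACS+ record or, failing that, the remote template. The following Python function is an added example, not Juniper code, that works through that rule for the accounts created in Tables 76 to 78. The accounts are constructed from this page's samples; two details are assumptions not stated on the page: a login name that matches a local user takes that user's own account, and a login that maps to no account at all is refused.

```python
"""Which account's privileges apply when a RADIUS/TACACS+ user logs in,
following the mapping described in Creating a Remote Template Account and
Creating a Local Template Account. Constructed example; two assumptions are
marked below."""
from dataclasses import dataclass
from typing import Optional

# Constructed local accounts from this page's samples: user name -> login class.
LOCAL_ACCOUNTS = {
    "cmartin": "superuser",  # ordinary local user (Table 76)
    "remote": "operator",    # remote template account (Table 77)
    "admin": "superuser",    # local template account (Table 78)
}


@dataclass(frozen=True)
class Session:
    cli_username: str       # the login name; this is what the CLI shows
    effective_account: str  # account whose class, uid and file ownership apply
    login_class: str


def resolve_template(login_name: str, server_reply: dict,
                     local_accounts: dict) -> Optional[Session]:
    """server_reply models the RADIUS/TACACS+ result: 'accepted' (bool) plus an
    optional 'local_user', the local user name the server's record specifies.
    Returns None when the login cannot be mapped to any account."""
    if not server_reply.get("accepted"):
        return None                      # server rejected the credentials
    if login_name in local_accounts:     # assumption: own local account wins
        return Session(login_name, login_name, local_accounts[login_name])
    target = server_reply.get("local_user")
    if target and target in local_accounts:
        # the record names a local template that exists on the device: use it
        return Session(login_name, target, local_accounts[target])
    # no local account, and no usable local template: the remote template applies
    if "remote" in local_accounts:
        return Session(login_name, "remote", local_accounts["remote"])
    return None                          # assumption: nothing to map to, refuse


if __name__ == "__main__":
    # Constructed server replies for three users; jdoe has no local account.
    for name, reply in (("cmartin", {"accepted": True}),
                        ("jdoe", {"accepted": True}),
                        ("jdoe", {"accepted": True, "local_user": "admin"}),
                        ("jdoe", {"accepted": True, "local_user": "nosuch"}),
                        ("jdoe", {"accepted": False})):
        print(name, reply, "->", resolve_template(name, reply, LOCAL_ACCOUNTS))
```

The cases worth noting for access review: a record that names a local template which does not exist on the device silently falls back to the remote template (operator here rather than superuser), and removing the remote template account means users with no local account and no valid template are refused rather than mapped to anything.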