subscriber (Access Profile)
Syntax
subscriber username {
delegated-pool delegated-pool-name;
framed-ip-address ipv4-address;
framed-ipv6-pool ipv6-pool-name;
framed-pool ipv4-pool-name;
password password;
target-logical-system logical-system-name<(target-routing-instance (default | routing-instance-name)>;
target-routing-instance (default | routing-instance-name);
}
Hierarchy Level
[edit access profile profile-name]
Description
Enable local authentication for subscribers by configuring a password to match the subscriber. Local authentication can take the form of either user password authentication or Challenge Handshake Authentication Protocol’ (CHAP) authentication. For user password authentication, the configured password is used to verify the subscriber’s login password. For CHAP authentication, the configured password acts as the challenge secret to verify the subscriber’s challenge password and challenge response credential.
Local authentication and authorization also requires the password option to be configured as an authentication-order method for the access profile.
You can also optionally configure several attributes, such as an address, address pool, logical system, or routing instance, to be authorized locally for the subscriber when authentication is successful.
Local authentication supports all subscriber types that are currently supported by subscriber management and services on MX Series routers.
Local authentication is useful when you do not want to use external authentication servers. The associated local authorization similarly is useful when you do not want to use external authorization servers. Another use case might be when you are migrating a network from E Series routers running JunosE software to MX Series routers running Junos OS. You may also want to configure local authentication and authorization as a backup for RADIUS authentication.
If you do not configure an address or address pool for local authorization, address assignment is based on network matching or the first address pool assigned to the routing instance.
Local authentication and authorization supports a chassis-wide
maximum of 100 subscribers. If subscribers are configured in access
profiles where authentication-order password is not configured,
local authentication does not occur, but these subscriber count against
the system limit of 100 subscribers for local authentication.
Options
| delegated-pool delegated-pool-name | (Optional) Specify the name of an address pool used to locally allocate a delegated IPv6 prefix for the subscriber. Corresponds to RADIUS standard attribute Delegated-IPv6-Prefix (123). |
| framed-ip-address ipv4-address | (Optional) Specify the IP address to be configured for the subscriber. Corresponds to RADIUS standard attribute Framed-IP-Address (8). |
| framed-ipv6-pool ipv6-pool-name | (Optional) Specify the name of an address pool used to assign a router advertisement IPv6 prefix or a DHCPv6 IA_NA/128 address for the subscriber. Corresponds to RADIUS standard attribute Framed-IPv6-Pool (100). |
| framed-pool ipv4-pool-name | (Optional) Specify the name of an address pool used to assign an IPv4 address for the subscriber. Corresponds to RADIUS standard attribute Framed-Pool (88). |
| password password | Specify the password used to authenticate the subscriber locally. Corresponds to RADIUS standard attributes User-Password (2) or CHAP-Password (3). |
| target-logical-system logical-system-name | (Optional) Specify the name of the logical system assigned to the subscriber. |
| target-routing-instance (default | routing-instance-name) | (Optional) Specify the name of the routing instance assigned to the subscriber; either the default routing instance or a nondefault routing instance. |
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 18.2R1.