Example: Configure CHAP Authentication with RADIUS
Configuration
You can send RADIUS messages through a routing instance to customer RADIUS servers in a private network. To configure the routing instance to send packets to a RADIUS server, include the routing-instance statement at the [edit access profile profile-name radius-server] hierarchy level and apply the profile to an interface with the access-profile statement at the [edit interfaces interface-name unit logical-unit-number ppp-options chap] hierarchy level.
In this example, PPP peers of interfaces at-0/0/0.0 and at-0/0/0.1 are authenticated by a RADIUS server reachable via routing instance A. PPP peers of interfaces at-0/0/0.2 and at-0/0/0.3 are authenticated by a RADIUS server reachable via routing instance B.
For more information about RADIUS authentication, see RADIUS Authentication.
CLI Quick Configuration
    system {
        radius-server {
            192.0.2.1 secret $ABC123;
            192.0.2.2 secret $ABC123;
        }
    }
    routing-instances {
        A {
            instance-type vrf;
            ...
        }
        B {
            instance-type vrf;
            ...
        }
    }
    access {
        profile A-PPP-clients {
            authentication-order radius;
            radius-server {
                192.0.2.3 {
                    port 3333;
                    secret "$ABC123"; ## SECRET-DATA
                    timeout 3;
                    retry 3;
                    source-address 192.0.2.99;
                    routing-instance A;
                }
                192.0.2.4 {
                    routing-instance A;
                    secret $ABC123;
                }
            }
        }
        profile B-PPP-clients {
            authentication-order radius;
            radius-server {
                192.0.2.5 {
                    routing-instance B;
                    secret $ABC123;
                }
                192.0.2.6 {
                    routing-instance B;
                    secret $ABC123;
                }
            }
        }
    }
    interfaces {
        at-0/0/0 {
            atm-options {
                vpi 0;
            }
            unit 0 {
                encapsulation atm-ppp-llc;
                ppp-options {
                    chap {
                        access-profile A-PPP-clients;
                    }
                }
                keepalives {
                    interval 20;
                    up-count 5;
                    down-count 5;
                }
                vci 0.128;
                family inet {
                    address 192.0.2.21/32 {
                        destination 192.0.2.22;
                    }
                }
            }
            unit 1 {
                encapsulation atm-ppp-llc;
                ...
                ppp-options {
                    chap {
                        access-profile A-PPP-clients;
                    }
                }
                ...
            }
            unit 2 {
                encapsulation atm-ppp-llc;
                ...
                ppp-options {
                    chap {
                        access-profile B-PPP-clients;
                    }
                }
                ...
            }
            unit 3 {
                encapsulation atm-ppp-llc;
                ...
                ppp-options {
                    chap {
                        access-profile B-PPP-clients;
                    }
                }
                ...
            }
            ...
        }
        ...
    }
Users who log in to the router with telnet or SSH connections are authenticated by the RADIUS server 192.0.2.1. The backup RADIUS server for these users is 192.0.2.2.
Each profile may contain one or more backup RADIUS servers. In this example, PPP peers are CHAP authenticated by the RADIUS server 192.0.2.3 (with 192.0.2.4 as the backup server) or RADIUS server 192.0.2.5 (with 192.0.2.6 as the backup server).
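The following added example (not Juniper code, and not part of the original page) audits a configuration of the shape shown above: it maps each CHAP-enabled unit to the RADIUS servers of its access profile and the routing instance each server is reached through. The names parse, audit and SAMPLE are hypothetical, the parser covers only the brace syntax used on this page, and the rule that all servers in one profile share one routing instance is an assumption taken from this example's layout.

```python
import re

# Constructed sample in the page's syntax. Profile C-PPP-clients, servers
# 192.0.2.7/8 and units 4-5 are hypothetical, added to trigger findings.
SAMPLE = """access { profile A-PPP-clients { authentication-order radius; radius-server {
    192.0.2.3 { routing-instance A; port 3333; secret "$ABC123"; ## SECRET-DATA
    } 192.0.2.4 { routing-instance A; secret $ABC123; } } }
  profile C-PPP-clients { radius-server {
    192.0.2.7 { routing-instance B; } 192.0.2.8 { secret $ABC123; } } } }
interfaces { at-0/0/0 { atm-options { vpi 0; }
  unit 0 { ... ppp-options { chap { access-profile A-PPP-clients; } } }
  unit 4 { ppp-options { chap { access-profile C-PPP-clients; } } }
  unit 5 { ppp-options { chap { access-profile D-PPP-clients; } } } } }
"""

def parse(text):
    """Parse brace-style config into nested dicts; '##' annotations are dropped."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', re.sub(r"\s##[^\n]*", "", text))
    stack, words = [{}], []
    for tok in (t for t in tokens if t != "..."):  # skip the page's elisions
        if tok == "{":                             # 'profile X {' opens a sub-tree
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":                           # 'port 3333;' is a leaf
            stack[-1][words[0]] = " ".join(words[1:]).strip('"')
            words = []
        else:
            words.append(tok)
    return stack[0]

def audit(cfg):
    """Return ({unit: {server: routing-instance}}, [findings]) for CHAP units."""
    profiles = {k.split()[1]: v.get("radius-server", {})
                for k, v in cfg.get("access", {}).items() if k.startswith("profile ")}
    units, findings = {}, []
    for ifname, ifcfg in cfg.get("interfaces", {}).items():
        for key, unit in ifcfg.items():
            chap = unit.get("ppp-options", {}).get("chap", {}) if key[:5] == "unit " else {}
            if "access-profile" not in chap:
                continue
            name, prof = f"{ifname}.{key[5:]}", chap["access-profile"]
            units[name] = {ip: s.get("routing-instance") for ip, s in profiles.get(prof, {}).items()}
            if prof not in profiles:
                findings.append(f"{name}: access-profile {prof} is not defined")
            elif len(set(units[name].values())) > 1:
                findings.append(f"{name}: profile {prof} servers are not all in one routing instance")
    return units, findings
```

Calling audit(parse(text)) on the text of a saved configuration returns the unit-to-server map and the list of findings; a server with no routing-instance statement appears with the value None.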