How to configure a backup radius server and setup failover to an alternate authentication mechanism on the EX series ethernet switches

Article ID: KB15045 | Last Updated: 28 Feb 2020 | Version: 2.0
Summary:

This article first explains how to set up alternate authentication mechanisms on the EX switch and then provides details on configuring backup RADIUS servers.

Solution:

A. Configuring an alternate authentication security mechanism:

When users log in to the EX switch, the JUNOS software can authenticate the username and password against an account configured locally in the switch configuration or against an account configured on a remote RADIUS or TACACS+ server. The default method is to use only the username and password configured on the EX switch, trying no other method if that authentication fails. This is equivalent to the "set system authentication-order password" command with no other methods listed:

root# set system authentication-order password

To make a RADIUS or TACACS+ server the primary user authentication method, change the order in which the JUNOS software tries the authentication methods. The first command below configures RADIUS as the primary method, and the second configures TACACS+ as the primary method.
 
1. root# set system authentication-order [ radius password ]

2. root# set system authentication-order [ tacacs password ]

Both commands make the user accounts configured on the EX switch (the local password) the backup authentication method. Providing a backup method means that users can still log in to the switch if there are problems with the RADIUS or TACACS+ server.

With the configuration shown above, when a user tries to log in to the switch, the switch first checks the username and password against the RADIUS or TACACS+ server. If they match, the user is authenticated and logged in. If the remote server rejects the credentials or cannot be reached, the switch then checks its local configuration; if the user has a local account and the password matches, the user is logged in. If there is no match in either place, the user is denied access to the switch.
Note the security consequence of this order: a user whose RADIUS or TACACS+ account has been disabled or removed can still log in with a local account, so keep local accounts to the few needed for emergency access and do not let their passwords go stale.
 
root# set system authentication-order radius

The configuration shown above allows users to log in to the switch only if the RADIUS server has an account for them and only if the RADIUS server is up. As long as a RADIUS server is reachable, users not listed in the RADIUS database cannot log in even if they have a configured account on the switch, because a RADIUS reject is final. Only if the RADIUS server fails or becomes unreachable does the JUNOS software fall back to authenticating users locally. If you configure multiple RADIUS servers, the software checks for locally configured user accounts only after all of the servers fail.

TIP: Make sure you configure user accounts and assign passwords in the JUNOS configuration for a small number of users so that login access to the switch remains possible if the RADIUS or TACACS+ servers fail.
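The outcome rules above, condensed into a small decision model so that the difference between "[ radius password ]" and "radius" alone can be exercised directly. This is an added example and not Juniper code; the RADIUS and local user databases are constructed, and the "accept", "reject" and "unreachable" strings are assumptions standing in for real server replies and timeouts.

```python
"""Decision model of the Junos authentication-order behaviour described in
section A.  Added example, not Juniper code: the user databases below are
constructed, and the RADIUS outcome strings are assumptions standing in for
real Access-Accept / Access-Reject replies or timeouts."""
from typing import Dict, List

# Constructed sample data (not from the article).
RADIUS_DB: Dict[str, str] = {"alice": "alice-radius-pw"}
LOCAL_DB: Dict[str, str] = {"alice": "alice-local-pw", "bob": "bob-local-pw"}


def remote_lookup(servers_up: List[bool], user: str, password: str) -> str:
    """Return 'accept', 'reject' or 'unreachable' for a list of servers.

    The first reachable server answers; 'unreachable' is returned only when
    every server is down, which is the only case in which Junos consults
    local accounts for an order that lists no 'password' method.
    """
    if not any(servers_up):
        return "unreachable"
    return "accept" if RADIUS_DB.get(user) == password else "reject"


def local_lookup(user: str, password: str) -> str:
    return "accept" if LOCAL_DB.get(user) == password else "deny"


def authenticate(order: List[str], servers_up: List[bool],
                 user: str, password: str) -> str:
    """Apply `set system authentication-order <order>`; return accept/deny."""
    remote_rejected = False
    for method in order:
        if method == "password":
            return local_lookup(user, password)      # explicit local step
        # 'radius' and 'tacacs' are modelled identically here.
        result = remote_lookup(servers_up, user, password)
        if result == "accept":
            return "accept"
        remote_rejected |= result == "reject"
        # reject or unreachable: fall through to the next configured method
    if remote_rejected:
        return "deny"          # a server answered and said no: final
    # Only remote methods were listed and every server was unreachable:
    # Junos falls back to the local password implicitly.
    return local_lookup(user, password)


def demo() -> Dict[str, str]:
    """Outcomes for a user removed from RADIUS but still present locally."""
    return {
        "[radius password], servers up": authenticate(["radius", "password"], [True], "bob", "bob-local-pw"),
        "radius only, servers up": authenticate(["radius"], [True], "bob", "bob-local-pw"),
        "radius only, all servers down": authenticate(["radius"], [False, False], "bob", "bob-local-pw"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The second line of the demo is the one to remember: with "radius" alone, a user who has been removed from RADIUS is denied even though a local account exists, whereas the first line shows the same user getting in under "[ radius password ]".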

B. Configuring a backup radius server:

The Remote Authentication Dial-In User Service (RADIUS) provides a centralized method for authenticating users on the EX switch. RADIUS uses a client/server model, and every transaction between the server and the client is authenticated with a shared secret. To configure the EX switch as a RADIUS client, you set the IP address of your RADIUS server and the secret the switch uses when talking to that server. The secret on the switch and on the RADIUS server must be identical. After you type the secret into the switch configuration, the CLI never displays it in clear text; it shows it in an obfuscated form. That obfuscation is reversible and is not a hash, so treat the configuration file (and any backups of it) as sensitive.

You can configure a backup server in the following manner:

root# set system authentication-order [ radius password ]

root# set system radius-server <ip-address-1> secret <secret-1>
root# set system radius-server <ip-address-2> secret <secret-2>
root# set system radius-server <ip-address-3> secret <secret-3>
root# commit synchronize

where <ip-address> is the IP address of a RADIUS server and <secret> is the shared secret configured on that server.

When you configure more than one server, the primary server is initially the one you configured first. After that, the primary server is the one that last responded. If the EX switch cannot reach the primary server, it tries the remaining ones in the order configured. A server whose shared secret does not match the one configured on the switch typically looks the same as an unreachable server, because the switch discards any reply whose authenticator does not verify under its own copy of the secret; when a server never seems to answer, check the secret as well as the network path.

Use the show command in configuration mode to see the order in which the switch tries the servers:

root# edit system

[edit system]
root# show
radius-server {
    192.168.63.10 secret "$ABC111"; ## SECRET-DATA
    10.0.16.1 secret "$ABC222"; ## SECRET-DATA
    192.168.0.23 secret "$ABC333"; ## SECRET-DATA
}
(Notice that this example uses a different secret for each server, so that a secret recovered from one server or one switch configuration does not let an attacker impersonate the others.)
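How the shared secret authenticates each exchange, and how a client walks the configured server list with a per-server secret, as an added example based on RFC 2865. This is not Juniper's code and does not claim to show how Junos is implemented internally. The three server addresses reuse the ones in the show output above; the secrets, the user database, the toy server and the in-memory "network" (first server down, second server holding a mismatched secret, third healthy) are constructed for the example.

```python
"""Added example (not Juniper's code): a minimal RFC 2865 RADIUS client and
toy server, showing how the shared secret authenticates each exchange and
how a client walks a list of servers with per-server secrets.  All server
addresses, secrets, users and the in-memory 'network' are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the chain feeds the *hidden* blocks forward."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    req_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def toy_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Decode a PAP request with *this server's* secret and answer accept/reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs, pos = request[4:20], {}, 20
    while pos + 2 <= length:
        atype, alen = request[pos], request[pos + 1]
        if alen < 2:
            break
        attrs[atype] = request[pos + 2:pos + alen]
        pos += alen
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", req_auth, secret)


def authenticate(servers, user: bytes, password: bytes, send, ident: int = 7):
    """Try servers in configured order; return (outcome, responding server address).

    A reply whose Response Authenticator does not verify under *our* secret for
    that server is discarded, so a secret mismatch looks exactly like a timeout.
    """
    for srv in servers:
        packet, req_auth = build_access_request(ident, user, password, srv["secret"])
        reply = send(srv["addr"], packet)
        if reply is None:
            continue                                   # timeout: next server
        code, rid, length = struct.unpack("!BBH", reply[:4])
        expected = response_authenticator(code, rid, reply[20:length], req_auth, srv["secret"])
        if rid != ident or not hmac.compare_digest(reply[4:20], expected):
            continue                                   # forged reply or wrong secret
        return ("accept" if code == ACCESS_ACCEPT else "reject"), srv["addr"]
    return "unreachable", None


# Constructed switch-side configuration, mirroring the three-server show output.
SERVERS = [
    {"addr": "192.168.63.10", "secret": b"secret-1"},
    {"addr": "10.0.16.1", "secret": b"secret-2"},
    {"addr": "192.168.0.23", "secret": b"secret-3"},
]
USERS = {b"alice": b"correct horse"}
# Constructed network: first server down, second has the wrong secret on the
# server side, third is healthy and shares its secret with the switch.
SERVER_SIDE_SECRETS = {"10.0.16.1": b"not-secret-2", "192.168.0.23": b"secret-3"}


def fake_send(addr: str, packet: bytes):
    if addr not in SERVER_SIDE_SECRETS:
        return None                                    # no server there: timeout
    return toy_server(packet, SERVER_SIDE_SECRETS[addr], USERS)


if __name__ == "__main__":
    print(authenticate(SERVERS, b"alice", b"correct horse", fake_send))  # ('accept', '192.168.0.23')
```

Running it shows the request skipping the dead server, discarding the reply from the server with the mismatched secret, and being accepted by the third. To mirror the "last responded becomes primary" rule from the text, a caller would move the returned address to the front of SERVERS before the next attempt.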

Users authenticated through RADIUS or TACACS+ have no account of their own on the EX switch, so a user template named remote must be defined: it supplies the login class, and therefore the permissions, for every remotely authenticated user who is not mapped to a specific local account. Make sure the following configuration snippet is included in the EX configuration:
 
root# set system login user remote class <class>
root# commit

NOTE: <class> is a login class that defines the permissions granted on the EX. The predefined classes and their permissions are:

operator       permissions [ clear network reset trace view ]
read-only      permissions [ view ]
super-user     permissions [ all ]
unauthorized   permissions [ none ]

Because the remote template applies to every remotely authenticated user, give it the least privileged class that fits and map the few users who need more, on the RADIUS or TACACS+ side, to a dedicated template account with a higher class.

NOTE: User login will fail if the remote template shown above is not configured on the EX switch, unless the server returns the Juniper vendor-specific attribute (Juniper-Local-User-Name) mapping the user to an account that is explicitly configured on the switch.
Modification History:

2020-02-28: Non-technical edits.
