SRX Getting Started - Configure RADIUS

  [KB16607]


Summary:

This article provides information about configuring, verifying, and troubleshooting RADIUS authentication.

For other topics, go to the SRX Getting Started main page.

Symptoms:
  • Add an external RADIUS server.
  • Define authentication order.
  • Assign a class to remote authenticated users.
Cause:

Solution:

This section contains the following:


J-Web Configuration

For information about configuring RADIUS authentication using J-Web, see http://www.juniper.net/techpubs/software/junos-security/junos-security10.4/junos-security-admin-guide/index.html?managing-users-jweb.html.

Important: To completely set up RADIUS authentication, you must specify a system authentication order and create user template accounts.


CLI Configuration

For information about configuring RADIUS authentication, see http://www.juniper.net/techpubs/software/junos-security/junos-security10.4/junos-security-admin-guide/index.html?managing-users-config.html.

To configure RADIUS authentication:

Important: To completely set up RADIUS authentication, you must specify a system authentication order and create user template accounts (steps 2 and 3, respectively).

  1. Add an external RADIUS server, and specify the port number and shared secret of the RADIUS server. In this example, the external RADIUS server is 10.0.0.100, with a port of 1812 and secret of abc.

    user@host# set system radius-server 10.0.0.100 port 1812 secret abc

  2. Specify the authentication order. In this example, user authentication is first attempted with the local password before RADIUS authentication is attempted.

    user@host# set system authentication-order radius
    user@host# insert system authentication-order password before radius

  3. Assign a class to the remote authenticated users. By default, JUNOS Software uses the remote template account when the authenticated user does not exist locally on the device, and when the authenticated user's record in the RADIUS server specifies a local user template, but the specified local user template does not exist locally on the device. In this example, a user named remote is created, with a full name of "all remote users" and membership in the operator login class.

    user@host# set system login user remote full-name "all remote users"
    user@host# set system login user remote class operator

For more information about how to assign RADIUS authenticated users to a specific user template, see KB21685.


Note: By default, PAP is used in Junos, which is clear text. To enable mschap-v2, use the command below:

    user@host# set system radius-options password-protocol mschap-v2
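
The following check is an added example, not part of the original article and not a Juniper tool: it parses the set and insert commands from the procedure above (as typed, before commit) and reports which of the points covered by the steps and the PAP note are missing. The function names, finding codes and the 16-character secret threshold are assumptions of this example.

```python
import shlex

# Constructed sample: the commands from this article, as typed before commit.
ARTICLE_COMMANDS = """
set system radius-server 10.0.0.100 port 1812 secret abc
set system authentication-order radius
insert system authentication-order password before radius
set system login user remote full-name "all remote users"
set system login user remote class operator
"""
MIN_SECRET_LEN = 16  # assumption: RFC 2865 prefers secrets of at least 16 octets

def parse(commands):
    """Collect the RADIUS-related settings from set/insert commands."""
    cfg = {"servers": {}, "order": [], "remote_class": None, "protocol": "pap"}
    for line in commands.splitlines():
        tok = [t for t in shlex.split(line) if t not in ("[", "]")]
        if len(tok) < 4 or tok[0] not in ("set", "insert") or tok[1] != "system":
            continue
        verb, args = tok[0], tok[2:]
        if args[0] == "radius-server":  # <address> port 1812 secret abc
            cfg["servers"].setdefault(args[1], {}).update(zip(args[2::2], args[3::2]))
        elif args[0] == "authentication-order" and verb == "set":
            cfg["order"] += [m for m in args[1:] if m not in cfg["order"]]
        elif args[0] == "authentication-order" and len(args) == 4 and args[3] in cfg["order"]:
            method, where, anchor = args[1:]  # insert <method> before|after <anchor>
            order = [m for m in cfg["order"] if m != method]
            at = order.index(anchor) + (where == "after")
            cfg["order"] = order[:at] + [method] + order[at:]
        elif args[:4] == ["login", "user", "remote", "class"] and len(args) == 5:
            cfg["remote_class"] = args[4]
        elif args[:2] == ["radius-options", "password-protocol"] and len(args) == 3:
            cfg["protocol"] = args[2]
    return cfg

def audit(commands):
    """Return finding codes for the points this article's procedure covers."""
    cfg = parse(commands)
    findings = [] if cfg["servers"] else ["no-radius-server"]
    for addr, opts in cfg["servers"].items():
        if len(opts.get("secret", "")) < MIN_SECRET_LEN:
            findings.append(f"short-secret:{addr}")
    if "radius" not in cfg["order"]:
        findings.append("radius-not-in-authentication-order")
    if cfg["remote_class"] is None:
        findings.append("no-remote-template-class")
    if cfg["protocol"] != "mschap-v2":  # PAP is the default per the note above
        findings.append("pap-password-protocol")
    return findings
```

Run against the article's own commands, `audit(ARTICLE_COMMANDS)` reports the three-character example secret and the default PAP password protocol; the authentication order resolves to password, then radius.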


Technical Documentation

Junos 10.4
  • PDF -- See Chapter 7, Configuring System Authentication (page 97).
  • HTML - See Configuring RADIUS and TACACS+ System Authentication

    Note: Significant changes (examples, instructions, explanations) were made to the Junos 11.4 technical documentation. So, although your device is running Junos 10.4, you may refer to the Junos 11.4 technical documentation for detailed explanations.

Junos 11.4
  • PDF -- See Chapter 4, Configuring RADIUS and TACACS+ System Authentication (page 49).
  • HTML - See Configuring RADIUS and TACACS+ System Authentication
