Juniper AAA
Published: 18th of February 2019
Overview
Junos has a robust authentication, authorization and accounting (AAA) system: users must prove who they are (authentication), are then limited to the commands and configuration their login class permits (authorization), and their logins, commands and configuration changes can be recorded centrally (accounting).
Authentication
Junos supports two categories of user authentication, which can be combined.
- Local - the on-box user database under [edit system login]
- Remote - TACACS+ or RADIUS servers
Local Authentication
Local authentication uses the user database configured on the device itself. By default a local user password must meet the following requirements.
- At least 6 characters long
- No control characters
- At least one change of case or character class (for example upper to lower case, or letters to digits)
These defaults can be tightened under [edit system login password] (minimum length, required character changes, and so on).
Local users have a home directory automatically generated for them.
Remote Authentication
There are two remote authentication protocols, each with its own keyword in the authentication-order list.
- TACACS+ - Terminal Access Controller Access-Control System Plus (keyword tacplus)
- RADIUS - Remote Authentication Dial-In User Service (keyword radius)
Authentication Order
Multiple authentication sources can be defined. When a user attempts to log in, the configured sources are tried in the listed order until one of them accepts the credentials. A reject from one source does not end the attempt; the next source in the list is consulted. If every listed source has been tried without an accept, the login is rejected.
system {
authentication-order [ radius tacplus password ];
}
To consult the local user database ONLY when the remote authentication servers cannot be reached, omit the password keyword from the list.
system {
authentication-order [ radius tacplus ];
}
With this order, the local database is used as a fallback only if none of the remote servers respond. This is the important difference between the two lists: with password present, a user explicitly rejected by RADIUS and TACACS+ can still log in with a local password; with password absent, an explicit reject from a reachable server is final and the local database is consulted only on server unreachability.
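The fragment below is an added example, not configuration from the original page, showing the fallback-only ordering together with the server definitions it depends on. The addresses (RFC 5737 documentation ranges), shared secrets and user names are constructed placeholders; the remote template user is the account Junos maps remotely authenticated users to when they have no local account of their own.

```junos
system {
    /* Remote first; local database only if no remote server answers. */
    authentication-order [ radius tacplus ];
    radius-server {
        /* Constructed example address and secret. */
        192.0.2.10 {
            secret "example-radius-secret";
            timeout 5;
            retry 3;
            source-address 192.0.2.1;
        }
    }
    tacplus-server {
        /* Constructed example address and secret. */
        192.0.2.20 {
            secret "example-tacplus-secret";
            timeout 5;
            single-connection;
            source-address 192.0.2.1;
        }
    }
    login {
        /* Template applied to remotely authenticated users without a local account. */
        user remote {
            uid 2000;
            class operator;
        }
        /* Local break-glass account, reachable only when both servers are unreachable. */
        user admin {
            uid 2001;
            class super-user;
            authentication {
                plain-text-password;
            }
        }
    }
}
```

Commit with `plain-text-password` prompts for the password interactively and stores it hashed. If `password` is appended to the authentication-order list, the admin account above becomes usable even while the servers are up and rejecting, which is usually not what an operator intends.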
Accounting
When accounting is enabled, user activity such as logins and logouts, configuration changes and interactive commands is recorded and sent to user-defined TACACS+ or RADIUS accounting servers. Accounting destinations are configured separately from the authentication servers, under [edit system accounting].
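As an added example that is not part of the original page, the following fragment sends all three accounting event types to a TACACS+ accounting server. The address and secret are constructed placeholders.

```junos
system {
    accounting {
        /* login: logins and logouts; change-log: configuration changes; */
        /* interactive-commands: every command entered in the CLI.       */
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                server {
                    /* Constructed example address and secret. */
                    192.0.2.20 {
                        secret "example-tacplus-secret";
                        timeout 5;
                        single-connection;
                    }
                }
            }
        }
    }
}
```

Because the accounting server is a separate statement, a device whose authentication is pointed at TACACS+ still sends no accounting records until this section is committed.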
Bibliography
Author Unknown (2012) JNCIA-Junos Study Guide - Part 1. Juniper Networks.
Links
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/radius-accounting-configuring.html
https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/system-basics/user-access.html
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/access-privileges-operational-mode-commands-specifying.html