Authentication Methods

One of the most fundamental ways to secure your device is to require users to log in with a username and password. Each user who accesses the device should have his own user account, and there are three ways you can authenticate that user on a device running JUNOS Software: local password on the device, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access-Control System Plus (TACACS+).

Local Password Authentication

Local password authentication is very straightforward, involving the creation of a username and password on the device itself. You can create multiple user accounts for different users, and employ user classes to define a variety of access permissions for users accessing the device.

A typical local user account looks something like this:

[edit]
lab@r1# show system login user testuser
class super-user;
authentication {
    encrypted-password "$1$/Nbl7qhu$2dNqBVVauFN..ynv4xa3L0"; ## SECRET-DATA
}

Note

It is always a good practice to use a strong password. We cover password strength in the next section of this chapter.
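
An added example, not from the book: a Python audit that inventories local accounts from show system login output, reporting each user's class and the crypt(3) scheme named by the encrypted-password prefix (the $1$ in the account above is MD5-crypt). The sample configuration, user names and hashes are constructed, and the function name audit_local_users is hypothetical.

```python
import re

# crypt(3) scheme ids found in the encrypted-password prefix ($id$salt$hash).
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}

# Constructed sample shaped like `show system login` output; hashes are placeholders.
SAMPLE = """\
user alice {
    class super-user;
    authentication {
        encrypted-password "$1$CONSTRUCT$placeholderAAAAAAAAAAAA"; ## SECRET-DATA
    }
}
user bob {
    class read-only;
    authentication {
        encrypted-password "$6$CONSTRUCT$placeholderBBBBBBBBBBBB"; ## SECRET-DATA
    }
}
user carol {
    class operator;
    authentication {
        ssh-rsa "ssh-rsa AAAAconstructed carol@example"; ## SECRET-DATA
    }
}
"""

def audit_local_users(config):
    """Return one record per user stanza: name, class, hash scheme, findings."""
    report = []
    for m in re.finditer(r"^user (\S+) \{\n(.*?)^\}", config, re.S | re.M):
        name, body = m.group(1), m.group(2)
        cls = re.search(r"^\s*class (\S+);", body, re.M)
        pw = re.search(r'encrypted-password "\$(\w+)\$', body)
        scheme = SCHEMES.get(pw.group(1), "unknown") if pw else None
        findings = []
        if cls and cls.group(1) == "super-user":
            findings.append("full-privilege class")
        if scheme == "md5-crypt":
            findings.append("legacy MD5-crypt hash")
        if scheme == "unknown":
            findings.append("unrecognised hash format")
        report.append({"user": name, "class": cls.group(1) if cls else None,
                       "scheme": scheme, "findings": findings})
    return report

if __name__ == "__main__":
    for row in audit_local_users(SAMPLE):  # the hash itself is never printed
        print(row)
```

The parser assumes user stanzas start at column 0, as they do in show system login output; a scheme of None means the account has no local password hash (for example, SSH key only).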

RADIUS and TACACS+ Authentication

Devices running JUNOS Software can be RADIUS and/or TACACS+ clients. RADIUS and TACACS+ servers support a full range of authentication and authorization capabilities, and these capabilities can be fully leveraged by JUNOS devices. When using a RADIUS or TACACS+ server for authentication, a JUNOS device immediately sends the user’s credentials (username/password) to the authentication ...
