How to Configure User Accounts in Junos

By Walter J. Goralski, Cathy Gadecki, Michael Bushong

There are two ways that you can configure user accounts in Junos — manually on each device or using an authentication server. If you have a small number of devices and you don’t modify often, setting up individual accounts on each device is a straightforward way to provide access for network administrators.

For larger networks, however, using a centralized authentication server is much easier because you can store all account information in one place, and you update it only once when changes occur.

Local user configuration

We’ll show you the local user configuration method first. When you create an account on a device for an individual user, you assign a login name, password, and privileges, and you provide information about the user. This process is very similar to what you did for the initial device setup. Here’s an example that sets up a super-user account for a user named Mike:

[edit system login]
user@junos-device# set user mike class super-user
[edit system login]
user@junos-device# set user mike full-name “Mike Bushong”
[edit system login]
user@junos-device# set user mike authentication plain-text-password
New password:********
Retype new password:********

The first command defines an account for the user Mike and gives him super-user privileges (shown earlier in Table 6-3), which allow him to perform all operations on the router. The second command defines his full name. And the third command creates a password for Mike. Even though the command says it’s a plain-text-password (ASCII), the Junos OS software encrypts the password, as you can see when you display the configuration:

[edit system login]
user@junos-device# show
user mike {
 uid 2001;
 class super-user;
 authentication {
  encrypted-password "$1$BmFLXWlx$sYKMY7XrTRHv40AD3/Z7U1"; ## SECRET-DATA
 }
}

The system assigned the uid as a concise way to keep track of user information.

Authentication server user configuration

Larger organizations generally centralize the authentication process, setting up Remote Authentication Dial-In User Service (RADIUS) servers on the network. All account information is stored on the server. When a user attempts to log in to the router, the router queries the RADIUS server to validate the user.

Here’s how you set up centralized authentication:

  1. Enter configuration mode and configure the IP address and password (which RADIUS calls a “secret”) of the RADIUS server:

    [edit system]
    user@junos-device# set radius-server 192.168.10.1 secret 123456
    [edit system]
    user@junos-device# show
    radius-server {
     192.168.10.1 secret "$9$ZQUk.fTz6Ct5TcyevLX"; ## SECRET-DATA
    }

    Note that the password is encrypted.

  2. Make RADIUS the primary authentication method:

[edit system]
user@junos-device# set authentication-order [ radius password ]

With this configuration, when a user tries to log in to the router, the Junos OS software first attempts to authenticate the user against the RADIUS database. If this step succeeds, the user is allowed to log in. If it fails, the software checks for accounts configured on the router. If the user has a local account and the credentials match, the user can log in. Otherwise, access is denied.

Using a RADIUS server for authentication also lets you set up a single account for a group of users. Instead of setting up lots of individual accounts for people who have the same job responsibilities, you can create a shared account for the entire group. On the router, create the group account as follows:

[edit system login]
user@junos-device# set user architects class super-user
[edit system login]
user@junos-device# set user architects full-name “Network design team”

Your next step is to map the user on the RADIUS server to the group account name you just gave the user on the router. How you do this step depends on which RADIUS software you’re using on the server.