Configuring Radius Authentication And Accounting Servers; Server Access - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - BROADBAND ACCESS CONFIGURATION GUIDE 2010-10-12 Configuration Manual

JunosE 11.3.x Broadband Access Configuration Guide

Configuring RADIUS Authentication and Accounting Servers

Server Access

18
If you specify a name and password, the router associates both the new name and
password with the user.
Example
host1(config-domain-map)#override-user name boston password abc
Use the no version to revert to the original username.
See override-user
The number of RADIUS servers you can configure depends on available memory.
The order in which you configure servers determines the order in which the router contacts
those servers on behalf of clients.
Initially, a RADIUS client sends a request to a RADIUS authentication or accounting server.
The RADIUS server uses the configured IP address, the UDP port number, and the secret
key to make the connection. The RADIUS client waits for a response for a configurable
timeout period and then retransmits the request. The RADIUS client retransmits the
request for a user-configurable retry limit.
If there is no response from the primary RADIUS server, the RADIUS client submits the
request to the secondary RADIUS server using the timeout period and retry limit
configured for the secondary RADIUS server.
If the connection attempt fails for the secondary RADIUS server, the router submits
the request to the tertiary server and so on until it either is granted access on behalf
of the client or there are no more configured servers.
If another authentication server is not configured, the router attempts the next method
in the method list; for accounting server requests, the information is dropped.
For example, suppose that you have configured the following authentication servers:
Auth1, Auth2, Auth3, Auth4, and Auth5. Your router attempts to send an authentication
request to Auth1. If Auth1 is unavailable, the router submits the request to Auth2, then
Auth3, and so on until an available server is found. If Auth5, the last configured
authentication server, is not available, the router attempts the next method in the methods
list. If the only method configured is RADIUS, then the router notifies the client that the
request has been denied.
The router offers two options by which servers are accessed:
Direct—The first authentication or accounting server that you configure is treated as
the primary authentication or accounting server, the next server configured is the
secondary, and so on.
Round-robin—The first configured server is treated as a primary for the first request,
the second server configured as primary for the second request, and so on. When the
Copyright © 2010, Juniper Networks, Inc.