Supporting Exchange Of Extensible Authentication Protocol Messages - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - BROADBAND ACCESS CONFIGURATION GUIDE 2010-10-12 Configuration Manual

JunosE 11.3.x Broadband Access Configuration Guide

Supporting Exchange of Extensible Authentication Protocol Messages

20
1483 subscribers, while granting IP subscriber management interfaces access without
authentication (using the none keyword).
You can specify the authentication or accounting method you want to use, or you can
specify multiple methods in the order in which you want them used. For example, if you
specify the radius keyword followed by the none keyword when configuring authentication,
AAA initially attempts to use RADIUS authentication. If no RADIUS servers are available,
AAA uses no authentication. The JunosE Software currently supports radius and none
as accounting methods and radius, none, and local as authentication methods. See
"Configuring Local Authentication Servers" on page 39 for information about local
authentication.
You can configure authentication and accounting methods based on the following types
of subscribers:
ATM 1483
Tunnels (for example, L2TP tunnels)
PPP
RADIUS relay server
IP subscriber management interfaces
NOTE: IP subscriber management interfaces are static or dynamic
interfaces that are created or managed by the JunosE Software's subscriber
management feature.
Extensible Authentication Protocol (EAP) is a protocol that supports multiple methods
for authenticating a peer before allowing network layer protocols to transmit over the
link. JunosE Software supports the exchange of EAP messages between JunosE
applications, such as PPP, and an external RADIUS authentication server.
The JunosE Software's AAA service accepts and passes EAP messages between the
JunosE application and the router's internal RADIUS authentication server. The internal
RADIUS authentication server, which is a RADIUS client, provides EAP pass-through—the
RADIUS client accepts the EAP messages from AAA, and sends the messages to the
external RADIUS server for authentication. The RADIUS client then passes the response
from the external RADIUS authentication server back to the AAA service, which then
sends a response to the JunosE application. The AAA service and the internal RADIUS
authentication service do not process EAP information—both simply act as pass-through
devices for the EAP message.
The router's local authentication server and TACACS+ authentication servers do not
support the exchange of EAP messages. These type of servers deny access if they receive
an authentication request from AAA that includes an EAP message. EAP messages do
not affect the none authentication configuration, which always grants access.
Copyright © 2010, Juniper Networks, Inc.