Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  RADIUS system authentication - More than one radius server configured

    Posted 07-29-2024 08:39

    Hello,

    I managed to configure authentication and authorization via external RADIUS server on  my EX devices.

    I realized that I can configure more than one radius-server, but it's not clear how and why JunOS uses them.

    I.e., with this configuration:

    system {
        authentication-order [ radius password ];
        radius-server {
            aaa.bbb.ccc.ddd {
                port 1812;
                accounting-port 1813;
                secret "keepitsecret!"; ## SECRET-DATA
                timeout 10;
                retry 2;
                source-address <mysourceip>;
            }
            EEE.FFF.GGG.HHH {
                port 1812;
                accounting-port 1813;
                secret "keepitsecret!"; ## SECRET-DATA
                timeout 10;
                retry 2;
                source-address <mysourceip>;
            }
        }
        radius-options {
            password-protocol mschap-v2;
        }
        login {
            user SU {
                uid 2001;
                class super-user;
            }
        }
    }

    Should I suppose that the first server aaa.bbb.ccc.ddd is contacted first and, if it is not answering, the second eee.fff.ggg.hhh will be contacted?

    Or are they contacted using a round-robin algorithm?

    For 802.1X you can set an access profile specifying this, but I wasn't able to find a similar config for the system login.

    Thanks



  • 2.  RE: RADIUS system authentication - More than one radius server configured

    Posted 07-29-2024 17:01

    They are processed in order of configuration, as noted here in the documentation.

    Configure RADIUS Server Details
    To use RADIUS authentication on the device, configure information about one or more RADIUS servers on the network by including one radius-server statement at the [edit system] hierarchy level for each RADIUS server. The device queries the RADIUS servers in the order in which they are configured. If the primary server (the first one configured) is unavailable, the device attempts to contact each server in the list until it receives a response.

    https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/user-access-radius-authentication.html



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
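The behaviour quoted from the documentation above (servers queried in configured order; move to the next one only when the current one does not respond) is easy to misjudge in terms of login delay, because each unresponsive server costs `timeout` seconds for every attempt before the device moves on. The following is an added model of that order, not code from the thread or from Junos; it assumes (as a labelled assumption) that `retry` is the number of attempts made per server and treats any reply, Access-Accept or Access-Reject, as "a response" that ends the search. The transport function and the three scenarios are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# One entry under [edit system radius-server], as in the poster's config.
@dataclass
class RadiusServer:
    address: str
    timeout: int   # seconds the device waits for a reply on each attempt
    retry: int     # attempts per server (ASSUMPTION: 'retry' counts attempts)

# Hypothetical transport: returns "accept", "reject", or None for no reply.
Transport = Callable[[str, str, str], Optional[str]]

@dataclass
class AuthResult:
    outcome: str                 # "accept", "reject" or "unreachable"
    answered_by: Optional[str]   # server that produced the outcome, if any
    waited: int                  # worst-case seconds spent on timed-out attempts
    servers_tried: List[str] = field(default_factory=list)

def authenticate(servers: List[RadiusServer], user: str, password: str,
                 send: Transport) -> AuthResult:
    """Query servers strictly in configured order.

    A server is abandoned only after all of its attempts time out; any
    reply (accept or reject) ends the search, so a rejecting primary
    never lets the device fall through to the secondary.  Only when every
    server is silent does the result become "unreachable", which is the
    case in which authentication-order moves on to the next method
    (local 'password' in the poster's configuration).
    """
    waited = 0
    tried: List[str] = []
    for srv in servers:
        tried.append(srv.address)
        for _ in range(srv.retry):
            reply = send(srv.address, user, password)
            if reply is None:
                waited += srv.timeout      # attempt timed out, try again
                continue
            return AuthResult(reply, srv.address, waited, tried)
    return AuthResult("unreachable", None, waited, tried)

def make_transport(state: Dict[str, Optional[str]]) -> Transport:
    """Build a constructed transport from a per-server reply table."""
    def send(address: str, user: str, password: str) -> Optional[str]:
        return state.get(address)      # unknown or None -> silent server
    return send

# Constructed servers mirroring the poster's timeout 10 / retry 2 values.
SERVERS = [
    RadiusServer("aaa.bbb.ccc.ddd", timeout=10, retry=2),
    RadiusServer("EEE.FFF.GGG.HHH", timeout=10, retry=2),
]

def primary_down_secondary_accepts() -> AuthResult:
    send = make_transport({"aaa.bbb.ccc.ddd": None, "EEE.FFF.GGG.HHH": "accept"})
    return authenticate(SERVERS, "SU", "pw", send)

def both_down() -> AuthResult:
    send = make_transport({"aaa.bbb.ccc.ddd": None, "EEE.FFF.GGG.HHH": None})
    return authenticate(SERVERS, "SU", "pw", send)

def primary_rejects() -> AuthResult:
    send = make_transport({"aaa.bbb.ccc.ddd": "reject", "EEE.FFF.GGG.HHH": "accept"})
    return authenticate(SERVERS, "SU", "pw", send)

if __name__ == "__main__":
    for scenario in (primary_down_secondary_accepts, both_down, primary_rejects):
        r = scenario()
        print(f"{scenario.__name__}: {r.outcome} via {r.answered_by}, "
              f"waited {r.waited}s, tried {r.servers_tried}")
```

The numbers are the practical caveat: with two silent servers at timeout 10 and retry 2, a login waits 40 seconds before the device can fall back to the local password, so keep `timeout` and `retry` small on the secondary servers, and note that an Access-Reject from the primary is final rather than a trigger to try the next server.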