Transcript for:
Junos and Authentication - Overview of RADIUS

Hello, my name's Simon Bingham and this is part of my video series on Junos and authentication. I've already completed a video where I discussed how to use classes, and I'll cover that in a second, but how you can create user classes, so you can create, say for example, NOC users or advanced users or super users, and they can access different parts of the command-line interface. But when we were doing that we were always authenticating the user locally. That means that the passwords and the credentials of the user determine, on the switch or on the router itself, whether you can log in at all. That doesn't really scale to too many devices. If you have, say, hundreds of networking devices, you really don't want to be configuring hundreds and hundreds of passwords and trying to keep them all synced up, particularly when you have different classes of users or different usernames.

So there was a solution for this and it's called RADIUS. RADIUS itself is an acronym which goes back to the days of dial-up services; I think it's Remote Authentication Dial In User Service. What it really means, though, is it's a system by which you can determine whether someone's authorized and what they can do or not. In fact most RADIUS services dovetail into things like Active Directory and that as well, so in effect you can say, you know, someone has left the company, he's been removed from Active Directory, therefore he can't access the switch anymore. So it's basically a centralized way of administering your users.

Now the switch configuration of this is actually quite simple, but in practice, getting this working, the difficulty is always on the back end. So probably one of the most common RADIUS servers in use, I think, in enterprise networks is actually Microsoft 2008, I think [unclear]. I've never configured it myself, but I don't want to get into configuring all that, because that's not what we're interested in; this is really a Junos video. So what I've done is I've created a RADIUS server using a Juniper product called Steel-Belted Radius, or Funk Steel-Belted Radius, and it's a fairly basic RADIUS server. [unclear] I believe it's used in service provider environments [unclear]. So if you google something like "Funk Steel-Belted Radius" you'll come up with it. You can download this from Juniper and get a 30-day trial version of it. Now also, if you google, I think it's something like, I don't know, Junos certification and maybe Funk radius or Steel-Belted radius, you might possibly find this document. This is written by this gentleman here, Steven Gill. It's exactly what you need, just getting the basics working without going too much into all the possible options and every variation.

So how does it work? Well, you try to authenticate to this device and it then forwards your credentials via an authentication protocol to the RADIUS server. The RADIUS server then feeds some values back; they're called return list attributes. So the RADIUS server will check your username and password; it can also check things called check list attributes, so for example you could say, I don't know, this person can log in to this IP address, or something like that. I'll show it all anyway, actually, what's happening. And then there's what's called return list attributes, where you can return values from the RADIUS server to the device that you're trying to authenticate to. So that could be, and actually what you can do in this case is you can say, for example, it could be allow commands or deny commands on Junos. So you can hold that centrally on the RADIUS server and you can say, okay, these are this guy's allow commands or deny commands.

So what I'm going to do is I'm really just going to demo this and talk through the demo. Let's bring up the config I'll be using today. So this is the config that I'm going to be using; we will go ahead and configure this on my EX series switch and see if we can log in. I'll just talk you through this. It's all under the edit system stanza, and don't confuse this with 802.1X and RADIUS, which actually holds its details elsewhere; so 802.1X is completely different to this. If you have already had some experience, you know, and already heard of this, in fact Junos does it in quite a logical way, because really we're talking about authenticating your management access to the device here.

So without further ado I'm going to configure this device. Let's do edit system, set authentication-order, let's do radius and then password. Set radius-server [IP address unclear] [unclear]. Now, damn, my mistake, it's quite important to set your source address, because that's how you configure the device as the authenticator here on the RADIUS server, which I'll show in a minute, so it needs to know your source address stays the same. In my case it doesn't matter, because I've got a layer two connection to the RADIUS server, but in most cases, if you're going across a routed network, you need to define the source address. So then we need to define the users, or well, this is in fact the name that's going to get passed back, so let me show you. Let's do set login user; I'm going to call him, I've got something I've already called full-admin. I'm going to put in the class super-user; remember that's a predefined class on Junos, it gives you access to everything. So let's commit this, and then let me just show you quickly the RADIUS server, because it's actually interesting to see what's happening here.

So this is the administrator for Steel-Belted Radius. Now what you have to do, you have to configure the devices that are going to be sending this authentication information. So in the case here, I've defined my Juniper switch already, okay. Now if you have a look in here you have to define the IP address; that's the IP address it's going to be coming from. That's what I was talking about: the source address is quite important. And you configure a shared secret, which, I use the word "secret", if you recall. So that's that. I've also configured some users. Right now I've got a user here, don't worry about that one, but I've got a user here called test, right. So this user is good for login, and I've already pre-configured the password to be test as well. But what is important here is this isn't the username that's used to log in to the device itself; this is the username that's checked on the database. In this return list here, the Juniper-Local-User-Name is actually the username that it's going to send back to the box saying this guy is full-admin, right. And if you remember, on the box what I configured was that full-admin is a super-user. So I hope that's not too long-winded. Now you can also, if you want, add in here things like Juniper-Allow-Commands and Juniper-Deny-Commands and various bits and bobs; you can do tunnel ID, you can set VLANs, you can also set the firewall filters. So there's a lot of things you can do. Once you sort of open this Pandora's box, if you like, you suddenly realize it's probably worth some of the pain, because you can do quite a lot with it.

What I'm also going to do while this is happening, I'm going to fire up Wireshark. It's just crashed by the looks of it, but let's fire Wireshark up again and we'll just get this to capture everything while this is going on. Now personally I thought all the pain here isn't setting up this, isn't setting up the RADIUS server itself, because there are various different authentication protocols you could be using and that's the bit that's complex here, not really the Juniper aspect. So it's just the capture interfaces for now; I'll just be lazy and capture on all of them, but let's just do radius, right.

So what I'm going to do is I'm going to log into my switch; we should see it try to send my details to the RADIUS server. So let's see if this works. What I need to do is I need to set it manually; I'm typing the IP address because otherwise, in the case of what I've got here, it'll try and log in as root user. So let's just put this up here, let's try and log into the IP address of my own switch. So I'm going to log in to 172.27.233.14. It's prompting me for a password, good sign, right. test, test, and then we're in. So now we can see, and Wireshark's the best place to see this, you can see that there was an Access-Request and there's an Access-Accept. And if we dig down into this, we can see it. Let's have a look at the reply packet; you can see some of the information that went back. Let's have a look: the vendor-specific attribute, there it is, full-admin. That's what I was really looking for; you can see it's sending the full-admin, the Juniper VSA, vendor-specific attribute. So this is actually, the vendor-specific attribute is really powerful actually, because you'll find that you can send all sorts of information back to the switch based on a central database. As I said, it could be a firewall filter saying, you know, today only allow this person to go somewhere or do something. So that's that. Anyway, it's not within my scope; you can do all that stuff, because really it's very simple, you know, the switch side is fairly simple; the more complex bit is really trying to configure the RADIUS server, and the best place for that is that link that I showed you just there.

So okay, that's it really, that's working, and you can see we've got a centralized database now determining who can do what. Just to prove I'm not making this up, let's quickly, I'm going to start a new session and log in with a bad password, and we can see, within Wireshark, you can see the Access-Reject coming from the RADIUS server back to the switch. Okay, thank you, and that's it from me.
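Editor's note: the following is an added example in Python, not code from the video, from Juniper, or from Steel-Belted Radius. It reproduces, at the byte level, both sides of the exchange seen in the Wireshark capture: the switch builds an Access-Request (RFC 2865 PAP password hiding), the server answers with an Access-Accept carrying the Juniper-Local-User-Name VSA or with an Access-Reject, and the switch verifies the Response Authenticator under the shared secret before it trusts the VSA and maps the login to a local user. The shared secret "secret", the RADIUS user "test" and the local name "full-admin" are the values used in the video; the packet bytes are constructed here; the vendor id 2636 and vendor type 1 are Juniper's published RADIUS dictionary values; all function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 codes and attribute types
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
# Juniper's IANA enterprise number and the Juniper-Local-User-Name vendor type
JUNIPER_VENDOR_ID, JUNIPER_LOCAL_USER_NAME = 2636, 1


def encode_attr(attr_type, value):
    """TLV encoding; the 1-byte length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_juniper_vsa(vendor_type, value):
    """Vendor-Specific attribute: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + inner)


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block).
    This is obfuscation keyed on the shared secret, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(ident, username, password, secret):
    """Switch side: Access-Request with a fresh random Request Authenticator."""
    request_authenticator = os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator + attrs


def build_reply(code, ident, request_authenticator, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def parse_attributes(payload):
    """Walk a TLV list, refusing lengths that would run past the buffer."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs


def juniper_local_user_name(attrs_payload):
    """Return the Juniper-Local-User-Name carried in a Juniper VSA, or None."""
    for t, v in parse_attributes(attrs_payload):
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != JUNIPER_VENDOR_ID:
            continue
        for vt, vv in parse_attributes(v[4:]):
            if vt == JUNIPER_LOCAL_USER_NAME:
                return vv.decode("ascii", errors="replace")
    return None


def evaluate_reply(reply, request, secret):
    """Switch side. Returns ('accept', local_user), ('reject', None) or ('invalid', None).
    An Identifier mismatch or a Response Authenticator that does not verify is 'invalid'
    whatever the Code says, so a spoofed or mis-keyed Access-Accept never logs anyone in."""
    if len(reply) < 20 or len(request) < 20:
        return ("invalid", None)
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return ("invalid", None)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return ("invalid", None)
    if code == CODE_ACCESS_ACCEPT:
        try:
            return ("accept", juniper_local_user_name(reply[20:]))
        except ValueError:
            return ("invalid", None)
    return ("reject", None) if code == CODE_ACCESS_REJECT else ("invalid", None)


def demo_exchange(secret=b"secret", good_password=True):
    """Constructed exchange mirroring the video: RADIUS user 'test' maps to local user 'full-admin'."""
    request = build_access_request(7, b"test", b"test", secret)
    ident, request_authenticator = request[1], request[4:20]
    if good_password:
        attrs = encode_juniper_vsa(JUNIPER_LOCAL_USER_NAME, b"full-admin")
        reply = build_reply(CODE_ACCESS_ACCEPT, ident, request_authenticator, attrs, secret)
    else:
        reply = build_reply(CODE_ACCESS_REJECT, ident, request_authenticator, b"", secret)
    return request, reply


if __name__ == "__main__":
    req, rep = demo_exchange()
    print(evaluate_reply(rep, req, b"secret"))  # ('accept', 'full-admin')
```

Two points this makes concrete for anyone who, like the video, watches this in Wireshark. First, the only thing binding the Access-Accept to the switch's request is the MD5 Response Authenticator over the shared secret, so the secret configured on both ends (and the source address the server uses to pick it) is what stops a forged Access-Accept from mapping an arbitrary login to full-admin; the `evaluate_reply` check models the verification a NAS performs. Second, the User-Password attribute is hidden with MD5 of that same secret rather than encrypted, which is why the management path between switch and RADIUS server, and the strength of the secret, deserve as much attention as the Junos stanza itself.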