[j-nsp] backup routing engine authente from in-band interface

Saku Ytti saku at ytti.fi
Thu Nov 9 03:57:24 EST 2023


On Thu, 9 Nov 2023 at 10:38, Chen Jiang via juniper-nsp
<juniper-nsp at puck.nether.net> wrote:

> Just want to confirm if Juniper backup routing engine could authenticate
> users from in-band interface like ge-0/0/0 to the AAA server?
>
> If not, do we have a solution? The scenario is MX960 with dual RE and no
> OOB network. But need to authenticate users login backup RE from AAA.

No solution. Well sort of hacky solution, if you route AAA server
statically over FXP/EM. But generally speaking, hard no, only local
authentication on backup RE.

But luckily they've fixed this awkward mismatch, and no remote
authentication on either console on EVO at all. Another thing that
might surprise people is that the lo0 filter no longer applies to
EM/FXP ports in EVO.

Ideally we'd all be asking vendors to implement true lights out
ethernet ports, with dedicated control-planes, like Cisco CMP. So we
could get rid of problematic RS232 and useless in-band MGMT ports
(EM/FXP are actively dangerous).
-- 
  ++ytti


More information about the juniper-nsp mailing list