Junos: User 'remote' authenticated successfully but no local login-id configured
A common mistake when configuring Junos to authenticate against a RADIUS server is to configure the RADIUS server and the authentication-order, but not to define a "remote" account local to Junos. Junos maps users who authenticate successfully through RADIUS onto this "remote" user. Without it, the following logs appear in /var/log/messages:
Code:
Jan 26 15:57:25 R1 sshd[12941]: Connection closed by 10.1.1.54 [preauth]
Jan 26 15:57:25 R1 inetd[1175]: /usr/sbin/sshd[12941]: exited, status 255
Jan 26 15:57:27 R1 sshd[12950]: User 'remote' authenticated successfully but no local login-id configured.
Jan 26 15:57:27 R1 sshd[12948]: error: PAM: unknown user for andrei from 10.1.1.54
Jan 26 15:57:27 R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'andrei' from host '10.1.1.54'
This can be overcome if the RADIUS server sends the vendor-specific RADIUS attribute "Juniper-Local-User-Name". More details at Juniper Networks Vendor-Specific RADIUS Attributes.
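For anyone triaging these failures from collected syslog, the sketch below (an added example, not part of the original post or any Juniper tooling) pairs the "no local login-id configured" message with the SSHD_LOGIN_FAILED line that follows it, so a missing template account can be told apart from a rejected password. The sample log is constructed from the lines above plus one made-up unrelated failure; the function names and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the /var/log/messages lines shown above.
SAMPLE_LOG = """\
Jan 26 15:57:25 R1 sshd[12941]: Connection closed by 10.1.1.54 [preauth]
Jan 26 15:57:27 R1 sshd[12950]: User 'remote' authenticated successfully but no local login-id configured.
Jan 26 15:57:27 R1 sshd[12948]: error: PAM: unknown user for andrei from 10.1.1.54
Jan 26 15:57:27 R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'andrei' from host '10.1.1.54'
Jan 26 16:10:02 R1 sshd: SSHD_LOGIN_FAILED: Login failed for user 'bob' from host '10.1.1.77'
"""

HEADER = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(.*)$")
NO_TEMPLATE = re.compile(r"User '([^']+)' authenticated successfully but no local login-id configured")
LOGIN_FAILED = re.compile(r"SSHD_LOGIN_FAILED: Login failed for user '([^']+)' from host '([^']+)'")
WINDOW = timedelta(seconds=5)  # assumption: both messages land within a few seconds

def parse_time(stamp):
    # Syslog omits the year; a fixed leap year is enough for computing deltas.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")

def find_missing_template(log_text):
    """Return login failures caused by a missing template account, not bad credentials."""
    pending = {}   # router -> (time, template user) from the last "no local login-id" line
    findings = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        when, router, msg = parse_time(m.group(1)), m.group(2), m.group(3)
        hit = NO_TEMPLATE.search(msg)
        if hit:
            pending[router] = (when, hit.group(1))
            continue
        hit = LOGIN_FAILED.search(msg)
        if hit and router in pending:
            seen, template = pending.pop(router)
            if when - seen <= WINDOW:
                findings.append({"router": router, "template_user": template,
                                 "login": hit.group(1), "source": hit.group(2)})
    return findings

if __name__ == "__main__":
    for f in find_missing_template(SAMPLE_LOG):
        print("{router}: RADIUS accepted '{login}' from {source}, but local "
              "user '{template_user}' is not configured".format(**f))
```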
How to configure Junos RADIUS authentication:
Code:
# set system radius-server 10.1.1.2 secret "<SECRET>"
# set system authentication-order radius
# set system authentication-order password
# set system login user remote class operator
More information at Juniper KB:
SRX Getting Started - Configure RADIUS