Juniper Networks Vendor-Specific RADIUS Attributes

Junos OS supports the configuration of Juniper Networks RADIUS vendor-specific attributes (VSAs). These VSAs are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636. Table 1 lists the Juniper Networks VSAs you can configure.

Table 1: Juniper Networks Vendor-Specific RADIUS Attributes

| Name | Description | Type | Length | String |
| --- | --- | --- | --- | --- |
| Juniper-Local-User-Name | Indicates the name of the user template used by this user when logging in to a device. This attribute is used only in Access-Accept packets. | 1 | ≥3 | One or more octets containing printable ASCII characters. |
| Juniper-Allow-Commands | Contains an extended regular expression that enables the user to run operational mode commands in addition to the commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | 2 | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands. |
| Juniper-Deny-Commands | Contains an extended regular expression that denies the user permission to run operational mode commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | 3 | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands. |
| Juniper-Allow-Configuration | Contains an extended regular expression that enables the user to run configuration mode commands in addition to the commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | 4 | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Configuration Mode Hierarchies. |
| Juniper-Deny-Configuration | Contains an extended regular expression that denies the user permission to run configuration commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | 5 | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Configuration Mode Hierarchies. |
| Juniper-Interactive-Command | Indicates the interactive command entered by the user. This attribute is used only in Accounting-Request packets. | 8 | ≥3 | One or more octets containing printable ASCII characters. |
| Juniper-Configuration-Change | Indicates the interactive command that results in a configuration (database) change. This attribute is used only in Accounting-Request packets. | 9 | ≥3 | One or more octets containing printable ASCII characters. |
| Juniper-User-Permissions | Contains information the server uses to specify user permissions. This attribute is used only in Access-Accept packets. | 10 | ≥3 | One or more octets containing printable ASCII characters. The string is a list of permission flags separated by a space. The exact name of each flag must be specified in its entirety. See Understanding Junos OS Access Privilege Levels. |

Note: When the Juniper-User-Permissions attribute is configured to grant the Junos OS maintenance or all permissions on a RADIUS server, the UNIX wheel group membership is not automatically added to a user’s list of group memberships. Some operations such as running the su root command from a local shell require wheel group membership permissions. However, when a user is configured locally with the permissions maintenance or all, the user is automatically granted membership to the UNIX wheel group. Therefore, we recommend that you create a template user account with the required permissions and associate individual user accounts with the template user account.

For more information about the VSAs, see RFC 2138, Remote Authentication Dial In User Service (RADIUS).
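The encapsulation described above can be checked mechanically when auditing what a RADIUS server sends to a device. The following is an added example, not Juniper code. It assumes the usual RADIUS layout: Vendor-Specific attribute type 26, a 4-octet vendor ID, then sub-attributes of type, length and value, with packet codes 2 for Access-Accept and 4 for Accounting-Request. The function names and sample values are constructed for illustration.

```python
JUNIPER_VENDOR_ID = 2636                    # vendor ID given on the page
VENDOR_ID_OCTETS = JUNIPER_VENDOR_ID.to_bytes(4, "big")
VENDOR_SPECIFIC = 26                        # assumed: RADIUS Vendor-Specific type
ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4    # assumed: RADIUS packet codes

# VSA type -> (name, packet code Table 1 allows it in)
VSAS = {
    1: ("Juniper-Local-User-Name", ACCESS_ACCEPT),
    2: ("Juniper-Allow-Commands", ACCESS_ACCEPT),
    3: ("Juniper-Deny-Commands", ACCESS_ACCEPT),
    4: ("Juniper-Allow-Configuration", ACCESS_ACCEPT),
    5: ("Juniper-Deny-Configuration", ACCESS_ACCEPT),
    8: ("Juniper-Interactive-Command", ACCOUNTING_REQUEST),
    9: ("Juniper-Configuration-Change", ACCOUNTING_REQUEST),
    10: ("Juniper-User-Permissions", ACCESS_ACCEPT),
}

def tlvs(buf, min_len):
    """Yield (type, value) pairs; the length octet counts the 2 header octets."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or not min_len <= buf[pos + 1] <= len(buf) - pos:
            raise ValueError("truncated or mis-sized attribute")
        typ, length = buf[pos], buf[pos + 1]
        yield typ, buf[pos + 2:pos + length]
        pos += length

def juniper_vsas(packet_code, attributes):
    """Return [(name, text)] for the Table 1 VSAs in a packet's attribute bytes."""
    found = []
    for typ, value in tlvs(attributes, 2):
        if typ != VENDOR_SPECIFIC or value[:4] != VENDOR_ID_OCTETS:
            continue                        # not a Juniper vendor-specific attribute
        for vtype, text in tlvs(value[4:], 3):      # Table 1: Length >= 3
            if vtype not in VSAS:
                continue                    # types outside Table 1 are ignored here
            name, allowed_in = VSAS[vtype]
            if packet_code != allowed_in:
                raise ValueError(f"{name} is not valid in packet code {packet_code}")
            if not all(0x20 <= b <= 0x7E for b in text):
                raise ValueError(f"{name} contains non-printable octets")
            found.append((name, text.decode("ascii")))
    return found

def vsa(vtype, text):
    """Build one Vendor-Specific attribute holding one Juniper VSA (sample helper)."""
    sub = bytes([vtype, len(text) + 2]) + text.encode("ascii")
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + VENDOR_ID_OCTETS + sub
# Constructed sample: attribute bytes of an Access-Accept (values are made up)
SAMPLE = vsa(1, "remote-admin") + vsa(2, "^show .*") + vsa(10, "view configure")
```

Calling `juniper_vsas(ACCESS_ACCEPT, SAMPLE)` returns the three decoded name and string pairs. An accounting-only attribute in an Access-Accept, a sub-attribute shorter than 3 octets, or a non-printable octet raises `ValueError`.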

Published: 2012-08-06