User Authentication Overview
This section contains the following topics:
- User Authentication
- User Accounts
- Login Classes
- Permission Bits
- Denying or Allowing Individual Commands
- Template Accounts
User Authentication
JUNOS Software supports three methods of user authentication:
local password authentication, Remote Authentication Dial-In User
Service (RADIUS), and Terminal Access Controller Access Control System
Plus (TACACS+).
With local password authentication,
you configure a password for each user allowed to log into the
RADIUS and TACACS+ are authentication methods for validating
users who attempt to access the device using Telnet. Both are
distributed client/server systems—the RADIUS and TACACS+ clients
run on the device, and the server runs on a remote network
system.
You can configure the device to use RADIUS or TACACS+
authentication, or both, to validate users who attempt to access the device.
If you set up both authentication methods, you can also configure
which method the device tries first.
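The configuration below is an added illustration, not taken from this guide, of the point just made: both server types are defined and the authentication-order statement fixes which one the device tries first. The server addresses and shared secrets are placeholders.

```junos
system {
    /* Try TACACS+ first, then RADIUS. With "password" listed here,
       local passwords are consulted when every server rejects the user
       or none of them responds. */
    authentication-order [ tacplus radius password ];
    tacplus-server {
        192.0.2.10 {                           /* placeholder address */
            secret "<tacacs-shared-secret>";   /* placeholder, not a real secret */
            timeout 5;
        }
    }
    radius-server {
        192.0.2.20 {                           /* placeholder address */
            secret "<radius-shared-secret>";   /* placeholder, not a real secret */
            port 1812;
            timeout 5;
            retry 3;
        }
    }
}
```

If password is removed from the order, local passwords are tried only when no server can be reached, not when a server rejects the login; that keeps centrally revoked users out while still leaving a break-glass path when the servers are down.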
User Accounts
User accounts provide one way for users to access the services
router. Users can access the device without accounts if you
configured RADIUS or TACACS+ servers, as described in Managing User Authentication and Managing User Authentication with a Configuration Editor.
After you have created an account, the device creates a home
directory for the user. An account for the user root is always
present in the configuration. For information about configuring the
password for the user root, see the JUNOS Software Administration Guide.
For each user account, you can define the following:
- Username—Name that identifies the user. It must
be unique within the device. Do not include spaces, colons,
or commas in the username.
- User's full name—If the full name contains spaces,
enclose it in quotation marks (“ ”). Do not include colons
or commas.
- User identifier (UID)—Numeric identifier that is
associated with the user account name. The identifier must be in the
range 100 through 64000 and must be unique within the device.
If you do not assign a UID to a username, the software assigns one
when you commit the configuration, preferring the lowest available
number.
- User's access privilege—You can create login classes
with specific permission bits or use one of the default classes listed
in Table 10.
- Authentication method or methods and passwords that
the user can use to access the device—You can use SSH
or an MD5 password, or you can enter a plain-text password that JUNOS
Software encrypts using MD5-style encryption before entering it in
the password database. If you configure the plain-text-password option,
you are prompted to enter and confirm the password.
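The following user stanza is an added example (not from this guide) showing every field in the list above for one account. The username, full name, UID, SSH key and password hash are placeholders, and the login class netops is assumed to be defined separately under [edit system login].

```junos
system {
    login {
        user alice {
            /* full name contains a space, so it is quoted; no colons or commas */
            full-name "Alice Example";
            /* must be 100 through 64000 and unique; omit it and the lowest
               free UID is assigned at commit time */
            uid 2001;
            /* login class assumed to exist elsewhere in [edit system login] */
            class netops;
            authentication {
                /* this is what commit stores after a plain-text-password is
                   entered interactively; the hash value is a placeholder */
                encrypted-password "$1$<placeholder-md5-hash>";
                /* SSH public key (placeholder); either method may be used */
                ssh-rsa "ssh-rsa AAAA<placeholder-public-key> alice@workstation";
            }
        }
    }
}
```

To set the password interactively, enter set system login user alice authentication plain-text-password in configuration mode; the CLI prompts for the password and its confirmation and commits only the encrypted form shown above.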
Login Classes
All users who log into the services router must be in a login
class. You can define any number of login classes. You then apply
one login class to an individual user account. With login classes,
you define the following:
- Access privileges users have when they are logged into
the device. For more information, see Permission Bits.
- Commands and statements that users can and cannot specify.
For more information, see Denying or Allowing
Individual Commands.
- How long a login session can be idle before it times out
and the user is logged off.
The software contains a few predefined login classes, which
are listed in Table 10. The predefined
login classes cannot be modified.
Table 10: Predefined Login Classes

Login Class              | Permission Bits Set
operator                 | clear, network, reset, trace, view
read-only                | view
super-user and superuser | all
unauthorized             | None
Permission Bits
Each top-level command-line interface (CLI) command and each
configuration statement has an access privilege level associated with
it. Users can execute only those commands and configure and view only
those statements for which they have access privileges. The access
privileges for each login class are defined by one or more permission
bits (see Table 11).
Two forms of each permission control the individual parts of
the configuration:
- "Plain" form—Provides read-only capability for that
permission type. An example is interface.
- Form that ends in -control—Provides read
and write capability for that permission type. An example is interface-control.
Table 11: Permission Bits for Login Classes

Permission Bit    | Access
admin             | Can view user account information in configuration mode and with the show configuration command.
admin-control     | Can view user accounts and configure them (at the [edit system login] hierarchy level).
access            | Can view the access configuration in configuration mode and with the show configuration operational mode command.
access-control    | Can view and configure access information (at the [edit access] hierarchy level).
all               | Has all permissions.
clear             | Can clear (delete) information learned from the network that is stored in various network databases (using the clear commands).
configure         | Can enter configuration mode (using the configure command) and commit configurations (using the commit command).
control           | Can perform all control-level operations (all operations configured with the -control permission bits).
field             | Reserved for field (debugging) support.
firewall          | Can view the firewall filter configuration in configuration mode.
firewall-control  | Can view and configure firewall filter information (at the [edit firewall] hierarchy level).
floppy            | Can read from and write to the removable media.
interface         | Can view the interface configuration in configuration mode and with the show configuration operational mode command.
interface-control | Can view chassis, class of service, groups, forwarding options, and interfaces configuration information. Can configure chassis, class of service, groups, forwarding options, and interfaces (at the [edit] hierarchy).
maintenance       | Can perform system maintenance, including starting a local shell on the device and becoming the superuser in the shell (by issuing the su root command), and can halt and reboot the device (using the request system commands).
network           | Can access the network by entering the ping, ssh, telnet, and traceroute commands.
reset             | Can restart software processes using the restart command and can configure whether software processes are enabled or disabled (at the [edit system processes] hierarchy level).
rollback          | Can use the rollback command to return to a previously committed configuration other than the most recently committed one.
routing           | Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.
routing-control   | Can view general routing, routing protocol, and routing policy configuration information and configure general routing (at the [edit routing-options] hierarchy level), routing protocols (at the [edit protocols] hierarchy level), and routing policy (at the [edit policy-options] hierarchy level).
secret            | Can view passwords and other authentication keys in the configuration.
secret-control    | Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.
security          | Can view security configuration in configuration mode and with the show configuration operational mode command.
security-control  | Can view and configure security information (at the [edit security] hierarchy level).
shell             | Can start a local shell on the device by entering the start shell command.
snmp              | Can view SNMP configuration information in configuration and operational modes.
snmp-control      | Can view SNMP configuration information and configure SNMP (at the [edit snmp] hierarchy level).
system            | Can view system-level information in configuration and operational modes.
system-control    | Can view system-level configuration information and configure it (at the [edit system] hierarchy level).
trace             | Can view trace file settings in configuration and operational modes.
trace-control     | Can view trace file settings and configure trace file properties.
view              | Can use various commands to display current systemwide, routing table, and protocol-specific values and statistics.
Denying or Allowing Individual Commands
By default, all top-level CLI commands have associated access
privilege levels. Users can execute only those commands and view only
those statements for which they have access privileges. For each login
class, you can explicitly deny or allow the use of operational and
configuration mode commands that are otherwise permitted or not allowed
by a permission bit.
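The two login classes below are an added example, not part of this guide, that tie together the Login Classes, Permission Bits and command-override material above: one class is built only from "plain" permission forms, the other from -control forms, each sets an idle timeout, and each uses an allow-commands or deny-commands regular expression to adjust what its permission bits would otherwise grant. The class names and the specific commands chosen are assumptions for illustration.

```junos
system {
    login {
        /* Read-only class: "plain" forms only (view, interface, routing).
           allow-commands grants ping and traceroute without handing out the
           whole network bit, which would also permit ssh and telnet from
           the device. */
        class helpdesk {
            idle-timeout 10;                  /* minutes before an idle session is logged off */
            permissions [ view interface routing ];
            allow-commands "^(ping|traceroute)";
        }
        /* Operator class: -control forms add write access to interfaces and
           routing. The clear bit would allow clearing protocol sessions, so
           deny-commands withdraws that one otherwise-permitted command. */
        class netops {
            idle-timeout 15;
            permissions [ view configure interface-control routing-control clear trace ];
            deny-commands "^clear (bgp|ospf)";
        }
    }
}
```

Assign a class to an account with set system login user <name> class netops; a user who is not in any class cannot log in.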
Template Accounts
Local user template accounts let you apply different sets of
permissions to different groups of users who are authenticated by
TACACS+ or RADIUS. Each template defines the permissions appropriate
for the group of users who use that template. The templates are defined
locally on the services router and referenced by the TACACS+
and RADIUS authentication servers.
When you configure local user templates and a user logs in,
JUNOS Software sends a request to the authentication server to authenticate
the user's login name. If the user is authenticated, the device checks
whether the server's reply specifies a local username for that login name
(local-username for TACACS+, Juniper-Local-User for RADIUS). If so, the
device applies the local user template of that name configured on the device.
If no local user template exists for the authenticated user,
the device defaults to the remote template.
For more information, see Setting Up Template Accounts.
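As an added example (not taken from this guide), the configuration below defines the default remote template together with one named template that a TACACS+ server can select by returning the local username attribute described above. The template names, UIDs, server address and secret are placeholders, and the class netops is assumed to be defined under [edit system login].

```junos
system {
    authentication-order [ tacplus ];
    tacplus-server {
        192.0.2.10 {                           /* placeholder address */
            secret "<tacacs-shared-secret>";   /* placeholder, not a real secret */
        }
    }
    login {
        /* Default template: applied when the server authenticates the user
           but returns no local username, or names one that does not exist. */
        user remote {
            full-name "Remote users without a specific template";
            uid 9000;
            class read-only;
        }
        /* Named template: applied when the server's reply carries the local
           username "netops-template". Class assumed to be defined separately. */
        user netops-template {
            full-name "Remote network operators";
            uid 9001;
            class netops;
        }
    }
}
```

Neither template carries an authentication stanza, so the template names cannot be used to log in with a local password; they exist only to supply a login class and home directory to users the server has already authenticated. Audit logs still record the original login name, so per-user accountability is preserved even though several users share one template.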