Device Authentication in Junos Space Overview
Junos Space Network Management Platform can authenticate a device by using credentials (username and password), keys (which use public-key cryptographic principles), or the devices’ SSH fingerprints. You can choose the authentication mode on the basis of the level of security needed for the managed devices. The authentication mode is displayed in the Authentication Status column on the Device Management page. You can also change the authentication mode.
The following sections describe the authentication modes in Junos Space Platform:
Credentials-Based Device Authentication
To configure credentials-based authentication on your Junos Space setup, you need to ensure that the device login credentials with administrative privileges are configured on the device. If the device is reachable and the credentials are authenticated, these credentials are stored in the Junos Space Platform database. Junos Space Platform connects to the device by using these credentials. If you have configured key-based authentication on your Junos Space setup, you need to enter only the username to access the device.
Key-Based Device Authentication
From Junos Space Network Management Platform Release 16.1R1 onward, Junos Space Platform supports the 4096-bit Rivest-Shamir-Adleman (RSA) algorithm, Digital Signature Standard (DSS), and Elliptic Curve Digital Signature Algorithm (ECDSA) public-key cryptographic principles to authenticate devices running Junos OS through key-based authentication. Junos Space Platform continues to support the 2048-bit RSA algorithm. Key-based authentication is more secure than credentials-based authentication because the device credentials need not be stored in the Junos Space Platform database.
RSA is an asymmetric-key or public-key algorithm that uses two keys that are mathematically related. Junos Space Platform includes a default set of public and private key pairs. The public key can be uploaded to the managed devices. The private key is encrypted and stored on the system on which Junos Space Platform is installed. For additional security, we recommend that you generate your own public and private key pair with a passphrase. A passphrase protects the private key on the Junos Space server. Long passphrases are more difficult to break by brute-force attacks than shorter passphrases. A passphrase helps to prevent an attacker from gaining control of your Junos Space setup and trying to log in to your managed network devices. If you generate a new pair of keys, the keys are automatically uploaded to all active devices (that is, devices whose connection status is Up) that use Junos Space key-based authentication.
From Junos Space Network Management Platform Release 16.1R1 onward, you can also upload custom private keys to the Junos Space server and authenticate devices without the need to upload keys to devices from Junos Space Platform. With the custom key-based authentication method, you upload a private key with a passphrase to the Junos Space server. The device is authenticated using the existing set of public keys on the device, the private key uploaded to the Junos Space server, and the appropriate public-key algorithm—that is, RSA, ECDSA, or DSS. This authentication method can be used to authenticate devices during device discovery and later during device management.
If the keys are modified, the devices become unreachable and the authentication status changes to Key Conflict. You can use the Resolve Key Conflicts workflow to manually trigger the process of uploading new keys to these devices. To authenticate the devices, you can choose to upload the new keys generated from Junos Space Platform or use custom keys. If Junos Space key-based or custom key-based authentication fails, credentials-based authentication is automatically triggered.
After key-based or custom key-based authentication is enabled, all further communication to the devices is through Junos Space key-based or custom key-based authentication, without passwords. You can also change the authentication mode from credentials-based to key-based or custom key-based for managed devices. For more information, see Modifying the Authentication Mode on the Devices.
You need to ensure the following to use key-based authentication in Junos Space Platform:
- The authentication keys are generated in the Administration workspace. For more information about generating and uploading keys to the devices, see Generating and Uploading Authentication Keys to Devices. The job result indicates whether the keys were successfully uploaded to the devices. On a multinode setup, the authentication keys are made available on all existing cluster nodes. Authentication keys are also made available on any subsequent nodes added to the setup.
- The device’s administrator credentials and the name of the user who connects to the Junos Space Appliance to upload the keys to the device are available.
SSH Fingerprint-Based Device Authentication
To avoid man-in-the-middle attacks or proxy SSH connections between Junos Space Platform and a device, Junos Space Platform can store the SSH fingerprint of the device in the Junos Space Platform database and validate the fingerprint during subsequent connections with the device. A fingerprint is a sequence of 16 hexadecimal octets separated by colons. For example, c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:83. You can specify the fingerprint for Juniper Networks devices during device discovery and validate the fingerprint when the devices connect to Junos Space Platform for the first time. You can specify fingerprints for a maximum of 1024 devices simultaneously in the Device Discovery workflow. If you do not specify the fingerprint, Junos Space Platform obtains the fingerprint details when it connects to the device for the first time. For more information, see Viewing Managed Devices.
Junos Space Platform does not recognize an SSH fingerprint change on a device during an active open connection with the device. SSH fingerprint changes are recognized only when the device reconnects to Junos Space Platform. The Authentication Status column on the Device Management page displays any conflicts or unverified authentication statuses.
Conflicts between SSH fingerprints stored in the Junos Space Platform database and those on the device can be resolved manually from the Junos Space user interface. Alternatively, you can allow Junos Space Platform to automatically update any fingerprint changes. To allow Junos Space Platform to automatically update SSH fingerprints, disable the Manually Resolve Fingerprint Conflict check box on the Modify Application Settings page in the Administration workspace. If you enable this check box, the Authentication Status column displays Fingerprint Conflict if a device’s fingerprint changes. You need to manually resolve the fingerprint conflict. For more information, see Acknowledging SSH Fingerprints from Devices.
Key-based and fingerprint-based authentication modes are not supported in ww Junos OS devices.
Arbitrary devices in disaster recovery must use password-based authentication.
Junos Space Platform verifies that the fingerprint on the device matches that in the database when you perform the following tasks:
- Staging a script on a device
- Staging a device image on a device
- Deploying a device image on a device
- Activating a replacement device
- Executing a script on a device
- Connecting to a device by using SSH
If the fingerprint on the device does not match the fingerprint stored in the Junos Space Platform database, the connection to the device is dropped. The connection status is displayed as Down and the authentication status is displayed as Fingerprint Conflict on the Device Management page.
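The reconnect-time check described above can be sketched as follows. This is an added example, not Juniper code: it assumes the 16-octet colon-separated value is the classic MD5 digest of the SSH host key blob, and the function names, the `db` dictionary, the outcome labels other than Fingerprint Conflict and Down, and the sample key are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
import struct

FP_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){15}")


def parse_fingerprint(text):
    """Validate the 16-octet colon form and return the raw 16 bytes."""
    text = text.strip().lower()
    if not FP_RE.fullmatch(text):
        raise ValueError("expected 16 hexadecimal octets separated by colons")
    return bytes.fromhex(text.replace(":", ""))


def fingerprint_of(pubkey_line):
    """MD5 fingerprint of an OpenSSH-style '<type> <base64> [comment]' line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    # The blob begins with a length-prefixed copy of the key type.
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    digest = hashlib.md5(blob).hexdigest()  # assumption: MD5-style fingerprint
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def check_on_reconnect(db, device, pubkey_line, manual_resolve=True):
    """Compare the presented host key with the stored fingerprint.

    Returns (outcome, connection status). "Fingerprint Conflict" and "Down"
    are the page's terms; "learned", "match" and "updated" are labels made
    up for this example.
    """
    presented = fingerprint_of(pubkey_line)
    stored = db.get(device)
    if stored is None:
        db[device] = presented  # nothing specified at discovery: learn it
        return ("learned", "Up")
    if hmac.compare_digest(parse_fingerprint(stored), parse_fingerprint(presented)):
        return ("match", "Up")
    if manual_resolve:
        return ("Fingerprint Conflict", "Down")  # stored value is left untouched
    db[device] = presented  # check box disabled: accept the change automatically
    return ("updated", "Up")


def ssh_string(data):
    """SSH wire encoding of a byte string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def make_sample_key(seed):
    """Constructed, non-functional ssh-rsa key line used only as demo input."""
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 8
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed"


if __name__ == "__main__":
    db = {"router-a": "c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:83"}
    parse_fingerprint(db["router-a"])  # operator-supplied value is well formed
    key = make_sample_key(b"router-a host key")
    print(fingerprint_of(key))
    print(check_on_reconnect(db, "router-a", key))  # differs from stored value
```

With `manual_resolve=False` a changed host key silently replaces the stored fingerprint, so the man-in-the-middle protection is reduced to whatever review follows the automatic update.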
Supported Algorithms for Junos Space SSH
Table 1 lists the supported algorithms for Junos Space SSH:
Algorithm Type | FIPS Devices | Non-FIPS Devices |
---|---|---|
Key exchange algorithms | ecdh-sha2-nistp256, ecdh-sha2-nistp384, diffie-hellman-group14-sha1 | ecdh-sha2-nistp256, ecdh-sha2-nistp384, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 |
Host key algorithms | ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 | ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ssh-rsa, ssh-dss |
Encryption algorithms (client to server) | aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc | aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc, 3des-ctr, blowfish-cbc, 3des-cbc |
Encryption algorithms (server to client) | aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc | aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc, 3des-ctr, blowfish-cbc, 3des-cbc |
MAC algorithm | hmac-sha1-96, hmac-sha2-256, hmac-sha256@ssh.com | hmac-sha1-96, hmac-sha2-256, hmac-sha256@ssh.com, hmac-sha1, hmac-md5, hmac-md5-96, hmac-sha256 |
Compression algorithm | zlib@openssh.com | zlib@openssh.com, none, zlib |
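Table 1 can be used to check whether a device's SSH algorithm offer leaves at least one usable choice in every category, and which of its algorithms are accepted only for non-FIPS devices. The following is an added example, not Juniper code: the category keys, function names and the device offer are constructed, and the two encryption rows are stored once because their contents are identical.

```python
# Table 1 as (FIPS devices, additional algorithms for non-FIPS devices).
TABLE_1 = {
    "key exchange": (
        ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "diffie-hellman-group14-sha1"],
        ["diffie-hellman-group1-sha1"],
    ),
    "host key": (
        ["ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"],
        ["ssh-rsa", "ssh-dss"],
    ),
    "encryption": (
        ["aes128-ctr", "aes192-ctr", "aes256-ctr",
         "aes128-cbc", "aes192-cbc", "aes256-cbc"],
        ["3des-ctr", "blowfish-cbc", "3des-cbc"],
    ),
    "mac": (
        ["hmac-sha1-96", "hmac-sha2-256", "hmac-sha256@ssh.com"],
        ["hmac-sha1", "hmac-md5", "hmac-md5-96", "hmac-sha256"],
    ),
    "compression": (["zlib@openssh.com"], ["none", "zlib"]),
}


def audit(device_offer):
    """Classify each algorithm a device offers against Table 1."""
    report = {}
    for category, (fips, extra) in TABLE_1.items():
        offered = device_offer.get(category, [])
        report[category] = {
            "fips": [a for a in offered if a in fips],
            "non_fips_only": [a for a in offered if a in extra],
            "unsupported": [a for a in offered if a not in fips and a not in extra],
        }
    return report


def blocked_categories(report, fips_device):
    """Categories with no algorithm in common, so the handshake cannot complete."""
    blocked = []
    for category, result in report.items():
        usable = list(result["fips"])
        if not fips_device:
            usable += result["non_fips_only"]
        if not usable:
            blocked.append(category)
    return blocked


# Constructed offer from a hypothetical older device.
SAMPLE_OFFER = {
    "key exchange": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "host key": ["ssh-rsa"],
    "encryption": ["aes128-ctr", "3des-cbc", "chacha20-poly1305@openssh.com"],
    "mac": ["hmac-sha1", "hmac-sha2-256"],
    "compression": ["none"],
}

if __name__ == "__main__":
    report = audit(SAMPLE_OFFER)
    for category, result in report.items():
        print(category, result)
    print("blocked as FIPS device:", blocked_categories(report, True))
    print("blocked as non-FIPS device:", blocked_categories(report, False))
```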