Authenticate with the Junos XML Protocol Server for Cleartext or SSL Connections
A client application that uses cleartext or SSL protocol must authenticate with the Junos XML protocol server. (Applications that use the SSH or Telnet protocol use the protocol’s built-in authentication mechanism before emitting initialization tag elements, as described in Connecting to the Junos XML Protocol Server.)
Submitting an Authentication Request
The client application begins the authentication process by emitting an <rpc> tag enclosing the <request-login> element. In the <request-login> element, it encloses the <username> element to specify the Junos OS account (username) under which to establish the connection. The account must already be configured on the Junos XML protocol server device, as described in Satisfying the Prerequisites for Establishing a Connection to the Junos XML Protocol Server. You can choose whether or not the application provides the account password as part of the initial tag sequence.
Starting in Junos OS Releases 13.3R7, 14.1R6, 14.2R4, 15.1R2, and 16.1R1, any XML special characters in the username or password elements of a <request-login> RPC request must be escaped. The following five symbols are considered special characters: greater than (>), less than (<), single quote ('), double quote ("), and ampersand (&). Both entity references and character references are acceptable escape sequence formats. For example, &amp; and &#38; are valid representations of an ampersand.
Providing the Password with the Username
To provide the password along with the username, the application emits the following tag sequence:
<rpc>
    <request-login>
        <username>username</username>
        <challenge-response>password</challenge-response>
    </request-login>
</rpc>
This tag sequence is appropriate if the application automates access to routing, switching, or security platform information and does not interact with users, or obtains the password from a user before beginning the authentication process.
Providing Only the Username
To omit the password and specify only the username, the application emits the following tag sequence:
<rpc>
    <request-login>
        <username>username</username>
    </request-login>
</rpc>
This tag sequence is appropriate if the application does not obtain the password until the authentication process has already begun. In this case, the Junos XML protocol server returns the <challenge> tag within an <rpc-reply> element to request the password associated with the username. The element encloses the Password: string, which the client application can forward to the screen as a prompt for a user. The echo="no" attribute in the opening <challenge> tag specifies that the password string typed by the user does not echo on the screen. The tag sequence is as follows:
<rpc-reply xmlns:junos="URL">
    <challenge echo="no">Password:</challenge>
</rpc-reply>
The client application obtains the password and emits the following tag sequence to forward it to the Junos XML protocol server:
<rpc>
    <request-login>
        <username>username</username>
        <challenge-response>password</challenge-response>
    </request-login>
</rpc>
Interpreting the Authentication Response
After it receives the username and password, the Junos XML protocol server emits the <authentication-response> element to indicate whether the authentication attempt is successful.
Server Response When Authentication Succeeds
If the password is correct, the authentication attempt succeeds and the Junos XML protocol server emits the following tag sequence:
<rpc-reply xmlns:junos="URL">
    <authentication-response>
        <status>success</status>
        <message>username</message>
        <login-name>remote-username</login-name>
    </authentication-response>
</rpc-reply>
The <message> element contains the Junos username under which the connection is established.
The <login-name> element contains the username that the client application provided to an authentication utility such as RADIUS or TACACS+. This element appears only if the username differs from the username contained in the <message> element.
The Junos XML protocol session begins, as described in Starting Junos XML Protocol Sessions.
Server Response When Authentication Fails
If the password is not correct or the <request-login> element is otherwise malformed, the authentication attempt fails and the Junos XML protocol server emits the following tag sequence:
<rpc-reply xmlns:junos="URL">
    <authentication-response>
        <status>fail</status>
        <message>error-message</message>
    </authentication-response>
</rpc-reply>
The error-message string in the <message> element explains why the authentication attempt failed. The Junos XML protocol server emits the <challenge> tag up to two more times before rejecting the authentication attempt and closing the connection.
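The client side of the exchange described above, as an added example that is not Juniper's code: it builds the <request-login> RPC with the five special characters escaped and classifies the server's reply, treating anything other than an exact "success" status as a failed login. The function names are hypothetical, and the sample replies are constructed from the tag sequences shown on this page.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# escape() handles &, < and >; add the two quote characters the page also lists.
QUOTES = {"'": "&apos;", '"': "&quot;"}

def build_request_login(username, password=None):
    """Build the <request-login> RPC; password=None sends only the username."""
    lines = ["<rpc>", "<request-login>",
             f"<username>{escape(username, QUOTES)}</username>"]
    if password is not None:
        lines.append("<challenge-response>"
                     f"{escape(password, QUOTES)}</challenge-response>")
    return "\n".join(lines + ["</request-login>", "</rpc>"])

def _local(tag):
    # Drop any "{namespace}" prefix ElementTree puts on a tag name.
    return tag.rsplit("}", 1)[-1]

def interpret_reply(reply_xml):
    """Classify an <rpc-reply> as challenge, success or fail."""
    for el in ET.fromstring(reply_xml).iter():
        name = _local(el.tag)
        if name == "challenge":
            return {"state": "challenge", "prompt": (el.text or "").strip(),
                    "hide_input": el.get("echo") == "no"}
        if name == "authentication-response":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            # Fail closed: only the exact status "success" counts as a login.
            ok = fields.get("status") == "success"
            return {"state": "success" if ok else "fail",
                    "message": fields.get("message"),
                    "login_name": fields.get("login-name")}
    raise ValueError("reply has no <challenge> or <authentication-response>")

# Constructed sample replies, modelled on the tag sequences above.
CHALLENGE = ('<rpc-reply xmlns:junos="URL">'
             '<challenge echo="no">Password:</challenge></rpc-reply>')
SUCCESS = ('<rpc-reply xmlns:junos="URL"><authentication-response>'
           '<status>success</status><message>username</message>'
           '<login-name>remote-username</login-name>'
           '</authentication-response></rpc-reply>')
FAIL = ('<rpc-reply xmlns:junos="URL"><authentication-response>'
        '<status>fail</status><message>error-message</message>'
        '</authentication-response></rpc-reply>')

if __name__ == "__main__":
    print(build_request_login("ops", "p&ss<w>'\"rd"))
    for reply in (CHALLENGE, SUCCESS, FAIL):
        print(interpret_reply(reply))
```

Parsing the built request back recovers the original password string, which confirms the escaping is lossless; an unescaped < or & in the password would instead produce a malformed <request-login> element and a failed attempt.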