Mapping OpenConfig AAA Commands to Junos Operation

Note:

See OpenConfig Data Model Version topic to understand the data models supported version and its Junos OS release for Juniper Networks ACX Series, EX Series, MX Series, PTX Series, and QFX Series.

The following tables show the mapping of OpenConfig AAA configurations with the relevant configuration in Junos OS.

Table 1: Global AAA Configuration
Table 2: RADIUS Server Configuration
Table 3: Accounting Event Configuration
Table 4: Accounting-method Configuration
Table 5: Authorization Roles Configuration
Table 6: Authorization Permissions Configuration: Authorization Permissions Configuration
Table 7: Authorization Permissions Configuration
Table 8: Authorization Policies and request-regex Configuration
Table 9 Table 9: TACACS Server Configuration
Table 10: AAA Admin and User Configuration

Table 1: Global AAA Configuration
Command Name	OpenConfig Command Path	Junos Configuration
	Command path prefix: `/system/aaa`
Config-Name	`/server-groups/server-group/config/name`	Not supported Note: There is no equivalent configuration in the Junos OS for this path. The configured server group name is used in the RADIUS/TACACS attributes configuration.
Server-Config-Address	`/server-groups/server-group/servers/server/config/address`	Not supported Note: There is no equivalent configuration in the Junos OS for this path. The configured server address is used in the RADIUS/TACACS attributes configuration.
Server-Config-Name	`/server-groups/server-group/servers/server/config/name`	Not supported Note: There is no equivalent configuration in the Junos OS for this path. You can configure a server name to identify the server.
Config-Timeout	`/server-groups/server-group/servers/server/config/timeout`	Not supported Note: There is no equivalent configuration in the Junos OS for this path. However, the timeout configured is derived from the `timeout` parameter at the Junos OS `edit radius-server` or `edit tacplus-server` hierarchy level.

Table 2: RADIUS Server Configuration
Command Name	OpenConfig Command Path	Junos Configuration
	Command path prefix: `/system/aaa`
Auth-Port	`/server-groups/server-group/servers/server/radius/config/auth-port`	`set system radius-server address port port` Note: The `address` value is derived from the value configured after `server`. The `port` value is the same value as `auth-port.`
Retransmit-Attempts	`/server-groups/server-group/servers/server/radius/config/retransmit-attempts`	`set system radius-server address retryretry` Note: The `address` value is derived from the value configured after `server`. The `retry` value is the same value as that specified for `retransmit-attempts`.
Secret-Key	`/server-groups/server-group/servers/server/radius/config/secret-key`	`set system radius-server address secret secret` Note: The `address` value is derived from the value configured after `server`. The `secret` value is the same value as that specified for `secret-key`.
Source-Address	`/server-groups/server-group/servers/server/radius/config/source-address`	`set system radius-server address source-address source-address` Note: The `address` value is derived from the value configured after `server.` The `source-address` value is the same value as that specified for `source-address`.

Table 3: Accounting Event Configuration
Command Name	OpenConfig Configuration	Junos Configuration
Event	openconfig-system:system { aaa { accounting { events { event <event-type>{ config { event-type <value> } } } } } }	system { accounting { events [ … ]; } }
The OpenConfig configuration has two values for for `event-type`: AAA_ACCOUNTING_EVENT which maps to Junos OS event type `interactive-commands` AAA_ACCOUNTING_EVENT_LOGIN which maps to Junos OS even type `login`

Table 4: Accounting-method Configuration
Command Name	OpenConfig Configuration	Junos Configuration
Accounting-method	openconfig-system:system { aaa { accounting { config { accounting-method [ … ]; } } } }	system { accounting { destination { radius / tacplus { server { <name> secret <>; <name> secret <>; } } } } }
The OpenConfig values for `accounting-method` are `TACACS_ALL`, `RADIUS_ALL`, abd `LOCAL`. The OpenConfig `accounting-method` configuration in combination with the `server-groups` configuration generates the Junos hierarchy `/system/accounting/destination`.

Table 5: Authorization Roles Configuration
Command Name	OpenConfig Configuration	Junos Configuration
Roles	openconfig-system:system { aaa { authorization { roles { role <rolename> { ……… ………. } } } } }	system { login { class <name> { ….. ….. } } }
The OpenConfig user-defined `role` maps to the Junos `login classes` parameter.

Table 6: Authorization Permissions Configuration
Command Name	OpenConfig Configuration	Junos Configuration
Permissions	openconfig-system:system { aaa { authorization { roles { role <rolename> { permissions [ … ]; } }	system { login { class <name> { permissions [ … ]; } } }
The OpenConfig user-defined `permissions` is a leaf-list and maps to the Junos leaf-list `permissions` parameter. Possible OpenConfig values for `permissions` and their corresponding Junos values are: OpenConfig Junos ADMIN admin ADMIN CONTROL admin-control ALL all MAINTENANCE maintenance VIEW view VIEW_CONFIG view-configuration

Command Name

OpenConfig Configuration

Junos Configuration

Permissions

openconfig-system:system {
    aaa {
        authorization {
            roles {
                role <rolename> {
                  permissions [ …  ]; 
                }
        }

system {
    login {
        class <name> {
             permissions [ …  ];
        }
    }
}

The OpenConfig user-defined permissions is a leaf-list and maps to the Junos leaf-list permissions parameter.

Possible OpenConfig values for permissions and their corresponding Junos values are:

    
OpenConfig                               Junos
ADMIN                                    admin
ADMIN CONTROL                            admin-control
ALL                                      all
MAINTENANCE                              maintenance
VIEW                                     view
VIEW_CONFIG                              view-configuration

Table 7: Authorization Permissions Configuration
Command Name	OpenConfig Configuration	Junos Configuration
Permissions	openconfig-system:system { aaa { authorization { roles { role foo { config { policies { policy PERMIT REQUEST_RPC { request-regex /gnmi.gNMI/Set; } } } } } } } }	system { login { class foo { allow-grpc-rpc-regexps /gnmi.gNMI/Set; } } }

Table 7: Authorization Permissions Configuration

Command Name

OpenConfig Configuration

Junos Configuration

Permissions

openconfig-system:system {
    aaa {
        authorization {
            roles {
                role foo {
                    config {
                        policies {
                               policy PERMIT REQUEST_RPC {
                                    request-regex /gnmi.gNMI/Set;
                               }
                            }
                        }
                    }
                }
        }
    }
}

system {
    login {
        class foo {
            allow-grpc-rpc-regexps /gnmi.gNMI/Set;
        }
    }
}

Table 8: Authorization Policies and request-regex Configuration
Command Name	OpenConfig Configuration	Junos Configuration
Policies	openconfig-system:system { aaa { authorization { roles { role foo { config { policies { policy <action> <request-type> { request-regex [ … ]; } } } } } } }	system { login { class foo { deny-commands-regexps [ … ]; OR allow-commands-regexps [ … ]; OR deny-configuration-regexps [ … ]; OR allow-configuration-regexps [ … ]; OR deny-grpc-rpc-regexps [ … ]; OR allow-grpc-rpc-regexps [ … ]; } } }
The OpenConfig `policies` configuration is translated into different allow and deny (*regexps) parameters. Possible OpenConfig values for `action`, `request-type`, and `request-regex` translate to the following Junos configuratio parameters: action request-type OpenConfig request-regex translates to: PERMIT REQUEST_CONFIG allow-configuration-regexps DENY REQUEST_CONFIG deny-configuration-regexps PERMIT REQUEST_RPC allow-grpc-rpc-regexps DENY REQUEST_RPC deny-grpc-rpc-regexps PERMIT REQUEST_COMMAND allow-commands-regexps DENY REQUEST_COMMAND deny-commands-regexps
Example	openconfig-system:system { aaa { authorization { roles { role foo { config { rolename foo; policies { policy DENY REQUEST_COMMAND { request-regex [ "clear interfaces" "show interfaces" ]; } } } } } } } }	system { login { class foo { deny-commands-regexps [ "clear interfaces" "show interfaces" ]; } } }
Example	openconfig-system:system { aaa { authorization { roles { role foo { config { policies { policy PERMIT REQUEST_RPC { request-regex /gnmi.gNMI/Set; } } } } } } } }	system { login { class foo { allow-grpc-rpc-regexps /gnmi.gNMI/Set; } } }

Table 9: TACACS Server Configuration
Command Name	OpenConfig Command Path	Junos Configuration
	Command path prefix: `/system/aaa`
Config-Port	`/server-groups/server-group/servers/server/tacacs/config/port`	`set system tacplus-server address port port` Note: The `address` value is derived from the value configured after `server.` The `port` value is the same value as that specified for `port`.
Secret-Key	`/server-groups/server-group/servers/server/tacacs/config/secret-key`	`set system tacplus-server address secret secret` Note: The `address` value is derived from the value configured after `server`. The `secret` value is the same value as that specified for `secret-key`.
Source-Address	`/server-groups/server-group/servers/server/tacacs/config/source-address`	`set system tacplus-server address source-address source-address` Note: The `address` value is derived from the value configured after `server`. The `source-address` value is the same value as that specified for `source-address`.

Table 10: AAA Admin and User Configuration
Command Name	OpenConfig Command Path	Junos Configuration
	Command path prefix: `/system/aaa`
Admin-Password	`/authentication/admin-user/config/admin-password`	`set system root-authentication plain-text-password` Note: The `plain-text-password-authentication` value is derived from the value configured for `admin-password`.
Admin-Password-Hashed	`/authentication/admin-user/config/admin-password-hashed`	`set system root-authentication encrypted-password encrypted-password` Note: The `encrypted-password` value is derived from the value configured for `admin-password-hashed`.
Authentication-Method	`/authentication/config/authentication-method`	`set system authentication-order` Note: The `authentication-order` value is derived from the value configured for `authentication-method`.
Password	`/authentication/users/user/config/password`	`set system login user user-name authentication plain-text-password plain-text-password` Note: The `user-name` value is derived from the value configured for `user`. The `plain-text-password` value is derived from the value configured for `password`.
Password-Hashed	`/authentication/users/user/config/password-hashed`	`set system login user user-name authentication encrypted-password encrypted-password` Note: The `user-name` value is derived from the value configured for `user`. The `encrypted-password` value is derived from the value configured for `password-hashed`.
Role	`/authentication/users/user/config/role`	`set system login user user-name class class` Note: The `user-name` value is derived from the value configured for `user`. The `class` value is derived from the value configured for `role`.
Username	`/authentication/users/user/config/username`	Not supported Note: There is no equivalent configuration in the Junos OS.