Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Evolved User Access and Authentication Administration Guide for Junos OS Evolved Login Classes and Login Settings

User Access and Authentication Administration Guide for Junos OS Evolved

Junos OS Junos OS Evolved
keyboard_arrow_up
close
keyboard_arrow_left
User Access and Authentication Administration Guide for Junos OS Evolved
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Login Settings

date_range 30-Nov-23
arrow_backward
arrow_forward

Junos OS Evolved enables you to define various settings for users when they log in to a device. You (the system administrator) can configure:

  • Messages or announcements to display before or after login
  • Whether to display system alarms upon login
  • Login tips
  • Timeout values for idle sessions
  • Whether to lock a user account after a number of failed authentication attempts

Display a System Login Announcement or Message

Sometimes you want to make announcements only to authorized users after they log in to a device. For example, you might want to announce an upcoming maintenance event. At other times, it might be appropriate to display a message, such as a security warning, to any user that connects to the device.

By default, Junos OS Evolved does not display any login message or announcement. You can configure the device to display a login message or announcement by including the message statement or the announcement statement at the [edit system login] hierarchy level. Whereas the device displays a login message after a user connects to the device but before the user logs in, it displays an announcement only after the user successfully logs in to the device.

You can format the message or announcement text using the following special characters. If the text contains spaces, enclose it in quotation marks:

  • \n—New line

  • \t—Horizontal tab

  • \'—Single quotation mark

  • \"—Double quotation mark

  • \\—Backslash

To configure an announcement that only authorized users can see and a message that any user can see:

  1. Include the announcement statement and the message statement at the [edit system login] hierarchy level.
    content_copy zoom_out_map
    [edit system login]
user@host# set announcement text
user@host# set message text

    For example:

    content_copy zoom_out_map
    system {
    login {
        announcement  "\tJuly 27th 1:00 AM to 8:00\n\nPlanned Network Maintenance\n\nAFFECTED  LOCATIONS:  Sunnyvale\n\nPLANNED ACTIVITY: Upgrade all 6200 switch firmware to the Enterprise TAC recommended firmware version\n\nPURPOSE: This activity will help to minimize the impact of unplanned power outages as well as address known issues within our currently installed firmware version(s)\n\nWHAT TO EXPECT: During the maintenance window for your site, the office network will not be available.\n\n"; 
        message "\n\tAcme Router Lab\n\n\tUNAUTHORIZED USE OF THIS ROUTER\n\tIS STRICTLY PROHIBITED!\n\n\tPlease contact \'jsmith@example.com\' to gain\n\taccess to this equipment if you need authorization.\n\n"
    }
}
  2. Commit the configuration.
    content_copy zoom_out_map
    [edit system login]
user@host# commit
  3. Connect to the device to verify the presence of the new message.

    The preceding configuration example displays the following login message after the user connects to the device. The example displays the announcement after the user logs in:

    content_copy zoom_out_map
    server% ssh host

        Acme Router Lab

        UNAUTHORIZED USE OF THIS ROUTER
        IS STRICTLY PROHIBITED!

        Please contact 'jsmith@example.com' to gain
        access to this equipment if you need authorization.


Password:

        July 27th 1:00 AM to 8:00

Planned Network Maintenance

AFFECTED  LOCATIONS:  Sunnyvale

PLANNED ACTIVITY: Upgrade all 6200 switch firmware to the Enterprise TAC recommended firmware version

PURPOSE: This activity will help to minimize the impact of unplanned power outages as well as address known issues within our currently installed firmware version(s)

WHAT TO EXPECT: During the maintenance window for your site, the office network will not be available.

Display System Alarms Upon Login

You can configure Juniper Networks devices to execute the show system alarms command whenever a user in a given login class logs in to the device.

To display alarms whenever a user in a specific login class logs in to the device:

  1. Configure the login-alarms statement for the appropriate login class.
    content_copy zoom_out_map
    [edit system login class class-name]
user@host# set login-alarms

    For example, to display alarms whenever a user in the admin login class logs in to the device:

    content_copy zoom_out_map
    [edit system login class admin]
user@host# set login-alarms
  2. Commit the configuration.
    content_copy zoom_out_map
    [edit system login class class-name]
user@host# commit

When a user in the given login class logs in to the device, the device displays the current alarms.

content_copy zoom_out_map
$ ssh user@host.example.com
Password:
--- JUNOS 21.1R2.6-EVO Linux (none) 4.8.28-WR2.2.1_standard-g3999f55 #1 SMP PREEMPT Fri Jun 4 00:19:58 PDT 2021 x86_64 x86_64 x86_64 GNU/Linux

2 alarms currently active
Alarm time               Class  Description
2021-07-22 15:00:14 PDT  Minor  port-1/0/0: Optics does not support configured speed
2021-07-22 15:00:14 PDT  Minor  port-1/0/1: Optics does not support configured speed

Configure Login Tips

You can configure the Junos OS Evolved CLI to display a tip whenever a user in the given login class logs in to the device. The device does not display tips by default.

To enable tips:

  1. Configure the login-tip statement at the [edit system login class class-name] hierarchy level.
    content_copy zoom_out_map
    [edit system login class class-name]
user@host# set login-tip
  2. Commit the configuration.
    content_copy zoom_out_map
    [edit system login class class-name]
user@host# commit

When you configure the login-tip statement, the device displays a tip to any user in the specified class who logs in to the device.

content_copy zoom_out_map
$ ssh user@host.example.com
Password:

JUNOS tip:
In configuration mode, the [edit] banner displays the current location
in the configuration hierarchy.

user@host>

Configure the Timeout Value for Idle Login Sessions

An idle login session is one in which the CLI displays the operational mode or configuration mode prompt but there is no input from the keyboard. By default, a login session remains established until a user logs out of the device, even if that session is idle. To close idle sessions automatically, you must configure a time limit for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes. Automatically closing idle login sessions helps to prevent malicious users from gaining access to the device and performing operations with an authorized user account.

You can configure an idle timeout only for user-defined classes. You cannot configure this option for the system predefined classes: operator, read-only, super-user or superuser, and unauthorized.

To define the timeout value for idle login sessions:

  1. Specify the number of minutes that a session can be idle before the system automatically closes the session.
    content_copy zoom_out_map
    [edit system login class class-name]
user@host# set idle-timeout minutes

    For example, to automatically disconnect idle sessions of users in the admin class after fifteen minutes:

    content_copy zoom_out_map
    [edit system login class admin]
user@host# set idle-timeout 15
  2. Commit the configuration.
    content_copy zoom_out_map
    [edit system login class class-name]
user@host# commit

If you configure a timeout value, the CLI displays messages similar to the following when timing out an idle user. The CLI starts displaying these messages 5 minutes before disconnecting the user.

content_copy zoom_out_map
user@host> Session will be closed in 5 minutes if there is no activity.
Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session

If you configure a timeout value, the session closes after the specified time elapses, except in the following cases:

  • The user is running the ssh or telnet command.

  • The user is logged into the local UNIX shell.

  • The user is monitoring interfaces using the monitor interface or the monitor traffic command.

Login Retry Options

You can configure login retry options on Juniper Network devices to protect the devices from malicious users. You can configure the following options:

  • The number of times a user can enter invalid login credentials before the system closes the connection.

  • Whether and for how long to lock a user account after the user reaches the threshold of failed authentication attempts.

Limiting the login attempts and locking the user account help to protect the device from malicious users attempting to access the system by guessing the password of an authorized user account. You can unlock the user account or define a time period for the user account to remain locked.

You configure login retry options at the [edit system login retry-options] hierarchy level. Junos OS Evolved allows three unsuccessful login attempts before the device disconnects the user. You cannot modify the default threshold for failed login attempts.

The lockout-period statement instructs the device to lock the user account for the specified amount of time if the user reaches the threshold of unsuccessful login attempts. The lock prevents the user from performing activities that require authentication, until the lockout time period has elapsed or a system administrator manually clears the lock. Any existing locks are ignored when the user attempts to log in from the local console.

To configure login retry options:

  1. Configure the number of minutes that the user account remains locked after a user reaches the threshold of failed login attempts.
    content_copy zoom_out_map
    [edit system login retry-options]
user@host# set lockout-period minutes

    For example, to lock a user account for 120 minutes after a user reaches the threshold of failed login attempts:

    content_copy zoom_out_map
    [edit system login retry-options]
user@host# set lockout-period 120

  2. Commit the configuration.

    content_copy zoom_out_map
    [edit system login retry-options]
user@host# commit
Note:

To clear the console during an administrator-initiated logout, include newline (\n) characters when you configure the message statement at the [edit system login] hierarchy level. To completely clear the console, the administrator can enter 50 or more \n characters in the message string. For example:

content_copy zoom_out_map
user@host# set system login message "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n Welcome to Junos!!!"
arrow_backward PREVIOUS Login Classes Overview
NEXT arrow_forward User Accounts
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top