Administrative Roles

30-Nov-23

Junos OS enables you to define a system user who acts as a specific kind of administrator for the system. You assign an administrative role to a user by configuring a login class that carries the attributes of that role and placing the user in the class. The class's security-role attribute (audit-administrator, crypto-administrator, security-administrator, or ids-administrator) identifies the role; the example on this page assigns these roles to the users audit-officer, crypto-officer, security-officer, and ids-officer.

How to Design Administrative Roles

A system user can be a member of a class that allows the user to act as a specific kind of administrator for the system. Requiring a specific role to view or modify an item restricts the extent of information a user can obtain from the system. It also limits how much of the system is open to modification or observation by a user. You (the system administrator) should use the following guidelines when you are designing administrative roles:

  • Do not allow any user to log in to the system as root.

  • Restrict each user to the smallest set of privileges needed to perform the user’s duties.

  • Do not allow any user to belong to a login class containing the shell permission flag. The shell permission flag allows users to run the start shell command from the CLI.

  • Allow users to have rollback permissions. Rollback permissions allow users to undo an action performed by an administrator but do not allow them to commit the changes.
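The guidelines above can be checked mechanically against a configuration exported in set format. The following Python script is an added example, not Juniper code and not part of this page's procedure. It parses constructed sample lines (two classes and three users, with the netops class, the backdoor user and the root-login setting deliberately violating the guidelines) and reports each breach: a class carrying the shell flag, a broad class (maintenance or all) that does not deny ^start shell, a class with no security-role, a user placed in the predefined super-user class, and SSH root login left enabled. The root-login check relies on the Junos statement set system services ssh root-login, which this page does not show; the rollback guideline is not checked.

```python
import re
from collections import defaultdict

# Constructed sample in the page's "set" format, not a real device config.
# netops, backdoor and the root-login line deliberately break the guidelines.
SAMPLE_CONFIG = """\
set system services ssh root-login allow
set system login class audit-admin permissions security
set system login class audit-admin permissions trace
set system login class audit-admin permissions maintenance
set system login class audit-admin allow-commands "^clear (log|security log)"
set system login class audit-admin deny-commands "^clear (security alarms|system login lockout)|^rollback|^start shell"
set system login class audit-admin security-role audit-administrator
set system login class netops permissions [ all shell ]
set system login user audit-officer class audit-admin
set system login user noc class netops
set system login user backdoor class super-user
"""

CLASS_RE = re.compile(r'^set system login class (\S+) (\S+)(?: (.*))?$')
USER_RE = re.compile(r'^set system login user (\S+) class (\S+)$')
ROOT_LOGIN_PREFIX = "set system services ssh root-login "


def parse(config_text):
    """Collect per-class flags/regexps, the user-to-class map and the ssh root-login value."""
    classes = defaultdict(lambda: {"permissions": set(), "allow-commands": "",
                                   "deny-commands": "", "security-role": None})
    users = {}
    root_login = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith(ROOT_LOGIN_PREFIX):
            root_login = line[len(ROOT_LOGIN_PREFIX):].strip()
            continue
        m = CLASS_RE.match(line)
        if m:
            name, stmt, arg = m.groups()
            arg = (arg or "").strip().strip('"')
            cls = classes[name]
            if stmt == "permissions":
                # accepts both "permissions security" and "permissions [ all shell ]"
                cls["permissions"].update(arg.replace("[", " ").replace("]", " ").split())
            elif stmt in ("allow-commands", "deny-commands"):
                cls[stmt] = arg
            elif stmt == "security-role":
                cls["security-role"] = arg
            continue
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = m.group(2)
    return classes, users, root_login


def audit(config_text):
    """Return one finding per guideline violation; an empty list means the login config is clean."""
    classes, users, root_login = parse(config_text)
    findings = []
    if root_login == "allow":
        findings.append("ssh root-login allow: users can log in as root over SSH")
    for name, cls in classes.items():
        perms = cls["permissions"]
        if "shell" in perms:
            findings.append(f"class {name}: carries the shell permission flag")
        # The page's classes carry maintenance (security-admin has all) and pair it
        # with a deny-commands entry for ^start shell; flag classes that do not.
        broad = sorted({"all", "maintenance"} & perms)
        if broad and "^start shell" not in cls["deny-commands"]:
            findings.append(f"class {name}: {broad} without deny-commands covering ^start shell")
        if cls["security-role"] is None:
            findings.append(f"class {name}: no security-role, so it cannot be restricted "
                            "from showing or clearing security logs")
    for user, cls_name in users.items():
        if cls_name in ("super-user", "superuser"):
            findings.append(f"user {user}: assigned the predefined {cls_name} class")
        elif cls_name not in classes:
            findings.append(f"user {user}: class {cls_name} is not defined in this config")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of show configuration | display set on a real device; the audit-admin class in the sample produces no findings, while netops produces three and the remaining two come from the backdoor user and the root-login line.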

You can assign an administrative role to a user by configuring a login class to have the privileges required for the role. You can configure each class to allow or deny access to configuration statements and commands by name. These restrictions override and take precedence over any permission flags also configured in the class. You can assign one of the following role attributes to an administrative user:

  • Crypto-administrator—Allows the user to configure and monitor cryptographic data.

  • Security-administrator—Allows the user to configure and monitor security data.

  • Audit-administrator—Allows the user to configure and monitor audit data.

  • IDS-administrator—Allows the user to monitor and clear the intrusion detection service (IDS) security logs.

Each role can perform the following specific management functions:

  • Cryptographic Administrator

    • Configures the cryptographic self-test.

    • Modifies the cryptographic security data parameters.

  • Audit Administrator

    • Configures and deletes the audit review search-and-sort feature.

    • Searches and sorts audit records.

    • Configures search and sort parameters.

    • Manually deletes audit logs.

  • Security Administrator

    • Invokes, determines, and modifies the cryptographic self-test behavior.

    • Enables, disables, determines, and modifies the audit analysis and audit selection functions, and configures the device to automatically delete audit logs.

    • Enables or disables security alarms.

    • Specifies limits for quotas on Transport Layer connections.

    • Specifies the limits, network identifiers, and time periods for quotas on controlled connection-oriented resources.

    • Specifies the network addresses permitted to use Internet Control Message Protocol (ICMP) or Address Resolution Protocol (ARP).

    • Configures the time and date used in time stamps.

    • Queries, modifies, deletes, and creates the information flow or access control rules and attributes for the unauthenticated information flow security function policy (SFP), the authenticated information flow security function policy, the unauthenticated device services, and the discretionary access control policy.

    • Specifies initial values that override default values when object information is created under unauthenticated information flow SFP, the authenticated information flow SFP, the unauthenticated target of evaluation (TOE) services, and the discretionary access control policy.

    • Creates, deletes, or modifies the rules that control the address from which management sessions can be established.

    • Specifies and revokes security attributes associated with the users, subjects, and objects.

    • Specifies the percentage of audit storage capacity at which the device alerts administrators.

    • Handles authentication failures and modifies the number of failed authentication attempts through SSH or from the CLI that can occur before progressive throttling is enforced for further authentication attempts and before the connection is dropped.

    • Manages basic network configuration of the device.

  • IDS Administrator—Specifies IDS security alarms, intrusion alarms, audit selections, and audit data.

You must set the security-role attribute in each class created for these administrative roles. This attribute controls which users can show and clear the security logs, a restriction that the permission flags and the command regular expressions cannot enforce on their own.

For example, to restrict clearing and showing IDS logs to the IDS administrator role, set security-role ids-administrator in the ids-admin class. Likewise, setting security-role to one of the other administrator values restricts that class to clearing and showing non-IDS logs only.

Note:

When a user deletes an existing configuration, the configuration statements under the hierarchy level of the deleted configuration (the child objects that the user does not have permission to modify) remain in the device.

Example: How to Configure Administrative Roles

This example shows how to configure individual administrative roles for a distinct, unique set of privileges apart from all other administrative roles.

Requirements

No action beyond device initialization is required before configuring this feature.

Overview

This example illustrates how to configure four admin user roles:

  • audit-officer of the class audit-admin

  • crypto-officer of the class crypto-admin

  • security-officer of the class security-admin

  • ids-officer of the class ids-admin

When a security-admin class is configured, the privileges for creating administrators are revoked from the user who created the security-admin class. Creation of new users and logins is at the discretion of the security-officer.

In this example, you create the four administrative user roles shown in the preceding list (audit admin, crypto admin, security admin, and ids admin). For each role, you assign relevant permission flags for the role. You then allow or deny access to configuration statements and commands by name for each administrative role. These specific restrictions take precedence over the permission flags configured in the class. For example, only the crypto-admin can run the request system set-encryption-key command, which requires having the security permission flag to access it. Only the security-admin can include the system time-zone statement in the configuration, which requires having the system-control permission flag.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit in configuration mode.

set system login class audit-admin permissions security 
set system login class audit-admin permissions trace 
set system login class audit-admin permissions maintenance 
set system login class audit-admin allow-commands "^clear (log|security log)" 
set system login class audit-admin deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
set system login class audit-admin security-role audit-administrator 
set system login class crypto-admin permissions admin-control
set system login class crypto-admin permissions configure 
set system login class crypto-admin permissions maintenance 
set system login class crypto-admin permissions security-control 
set system login class crypto-admin permissions system-control 
set system login class crypto-admin permissions trace 
set system login class crypto-admin allow-commands "^request system set-encryption-key" 
set system login class crypto-admin deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
set system login class crypto-admin allow-configuration-regexps ["security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation"]
set system login class crypto-admin security-role crypto-administrator 
set system login class security-admin permissions all 
set system login class security-admin deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell"
set system login class security-admin deny-configuration-regexps ["security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation"]
set system login class security-admin security-role security-administrator 
set system login class ids-admin permissions configure
set system login class ids-admin permissions security-control
set system login class ids-admin permissions trace 
set system login class ids-admin permissions maintenance 
set system login class ids-admin allow-configuration-regexps ["security alarms potential-violation idp" "security log exclude .* event-id IDP_.*"] 
set system login class ids-admin deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell" 
set system login class ids-admin deny-configuration-regexps ["security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"] 
set system login class ids-admin security-role ids-administrator
set system login user audit-officer class audit-admin 
set system login user crypto-officer class crypto-admin 
set system login user security-officer class security-admin
set system login user ids-officer class ids-admin 
set system login user audit-officer authentication plain-text-password
set system login user crypto-officer authentication plain-text-password
set system login user security-officer authentication plain-text-password
set system login user ids-officer authentication plain-text-password
Step-by-Step Procedure

To configure administrative roles:

  1. Create the audit-admin login class.

    [edit]
    user@host# edit system login class audit-admin
    [edit system login class audit-admin]
    user@host# set permissions security 
    user@host# set permissions trace 
    user@host# set permissions maintenance 
    
  2. Configure the audit-admin login class restrictions.

    [edit system login class audit-admin]
    user@host# set allow-commands "^clear (log|security log)" 
    user@host# set deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
    user@host# set security-role audit-administrator
    
  3. Create the crypto-admin login class.

    [edit]
    user@host# edit system login class crypto-admin
    [edit system login class crypto-admin]
    user@host# set permissions admin-control
    user@host# set permissions configure 
    user@host# set permissions maintenance 
    user@host# set permissions security-control 
    user@host# set permissions system-control 
    user@host# set permissions trace 
    
  4. Configure the crypto-admin login class restrictions.

    [edit system login class crypto-admin]
    user@host# set allow-commands "^request system set-encryption-key" 
    user@host# set deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
    user@host# set allow-configuration-regexps ["security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation"]
    user@host# set security-role crypto-administrator 
    
  5. Create the security-admin login class.

    [edit]
    user@host# edit system login class security-admin
    [edit system login class security-admin]
    user@host# set permissions all 
    
  6. Configure the security-admin login class restrictions.

    [edit system login class security-admin]
    user@host# set deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell"
    user@host# set deny-configuration-regexps ["security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation"]
    user@host# set security-role security-administrator 
    
  7. Create the ids-admin login class.

    [edit]
    user@host# edit system login class ids-admin
    [edit system login class ids-admin]
    user@host# set permissions configure
    user@host# set permissions maintenance
    user@host# set permissions security-control
    user@host# set permissions trace
    
  8. Configure the ids-admin login class restrictions.

    [edit system login class ids-admin]
    user@host# set allow-configuration-regexps ["security alarms potential-violation idp" "security log exclude .* event-id IDP_.*"]
    user@host# set deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell" 
    user@host# set deny-configuration-regexps ["security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"]
    user@host# set security-role ids-administrator
    
  9. Assign users to the roles.

    [edit]
    user@host# edit system login
    [edit system login]
    user@host# set user audit-officer class audit-admin 
    user@host# set user crypto-officer class crypto-admin 
    user@host# set user security-officer class security-admin
    user@host# set user ids-officer class ids-admin
    
  10. Configure passwords for the users.

    [edit system login]
    user@host# set user audit-officer authentication plain-text-password
    user@host# set user crypto-officer authentication plain-text-password
    user@host# set user security-officer authentication plain-text-password
    user@host# set user ids-officer authentication plain-text-password
    

Results

In configuration mode, confirm your configuration by entering the show system command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]
user@host# show system
system {
    login {
        class audit-admin {
            permissions [ maintenance security trace ];
            allow-commands "^clear (log|security log)";
            deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell";
            security-role audit-administrator;
        }
        class crypto-admin {
            permissions [ admin-control configure maintenance security-control system-control trace ];
            allow-commands "^request system set-encryption-key";
            deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell";
            allow-configuration-regexps [ "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation" ];
            security-role crypto-administrator;
        }
        class security-admin {
            permissions all;
            deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell";
            deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation" ];
            security-role security-administrator;
        }
        class ids-admin {
            permissions [ configure maintenance security-control trace ];
            deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell";
            allow-configuration-regexps [ "security alarms potential-violation idp" "security log exclude .* event-id IDP_.*" ];
            deny-configuration-regexps "security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)";
            security-role ids-administrator;
        }
        user audit-officer {
            class audit-admin;
            authentication {
                 encrypted-password "$1$ABC123"; ## SECRET-DATA 
            }
        }
        user crypto-officer {
            class crypto-admin;
            authentication {
                 encrypted-password "$1$ABC123."; ## SECRET-DATA 
            }
        }
        user security-officer {
            class security-admin;
            authentication {
                 encrypted-password "$1$ABC123."; ## SECRET-DATA
            }
        }
        user ids-officer {
            class ids-admin;
            authentication {
                encrypted-password "$1$ABC123/"; ## SECRET-DATA
            }
        }
    }
}

After you configure the device, enter commit in configuration mode.

Verification

Confirm that the configuration is working properly.

Verify the Login Permissions

Purpose

Verify the login permissions for the current user.

Action

In operational mode, enter the show cli authorization command to verify the user's login permissions.

user@host> show cli authorization
Current user: 'example' class 'super-user'
Permissions:
    admin       -- Can view user accounts
    admin-control-- Can modify user accounts
    clear       -- Can clear learned network info
    configure   -- Can enter configuration mode
    control     -- Can modify any config
    edit        -- Can edit full files
    field       -- Can use field debug commands
    floppy      -- Can read and write the floppy
    interface   -- Can view interface configuration
    interface-control-- Can modify interface configuration
    network     -- Can access the network
    reset       -- Can reset/restart interfaces and daemons
    routing     -- Can view routing configuration
    routing-control-- Can modify routing configuration
    shell       -- Can start a local shell
    snmp        -- Can view SNMP configuration
    snmp-control-- Can modify SNMP configuration
    system      -- Can view system configuration
    system-control-- Can modify system configuration
    trace       -- Can view trace file settings
    trace-control-- Can modify trace file settings
    view        -- Can view current values and statistics
    maintenance -- Can become the super-user
    firewall    -- Can view firewall configuration
    firewall-control-- Can modify firewall configuration
    secret      -- Can view secret statements
    secret-control-- Can modify secret statements
    rollback    -- Can rollback to previous configurations
    security    -- Can view security configuration
    security-control-- Can modify security configuration
    access      -- Can view access configuration
    access-control-- Can modify access configuration
    view-configuration-- Can view all configuration (not including secrets)
    flow-tap    -- Can view flow-tap configuration
    flow-tap-control-- Can modify flow-tap configuration
    idp-profiler-operation-- Can Profiler data
    pgcp-session-mirroring-- Can view pgcp session mirroring configuration
    pgcp-session-mirroring-control-- Can modify pgcp session mirroring configuration
    storage     -- Can view fibre channel storage protocol configuration
    storage-control-- Can modify fibre channel storage protocol configuration
    all-control -- Can modify any configuration
Individual command authorization:
    Allow regular expression: none
    Deny regular expression: none
    Allow configuration regular expression: none
    Deny configuration regular expression: none

This output summarizes the login permissions of the user who ran the command. The sample was taken from a super-user account, so every permission flag is listed and no regular expressions apply. Log in as each of the four officers and run the same command to confirm that only the flags configured for that class are listed and that the class's allow-commands, deny-commands and configuration regular expressions appear under Individual command authorization.
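Before logging in as each officer, it helps to see on paper which commands and configuration statements the four classes' regular expressions will accept. The following Python harness is an added example, not Juniper code and not part of this page's verification procedure. It transcribes the allow/deny regular expressions from the example above into a table and evaluates sample commands and statements against them; a verdict of "flags" means no regular expression matched and the class's permission flags decide, which this harness does not model. The page does not state which list wins when the same command appears in both allow-commands and deny-commands, so the harness tests deny first (an assumption); the page's classes never overlap, so the verdicts do not depend on it. The "security ipsec ^vpn$ .* manual ..." entries are omitted because their in-path anchors do not carry over to Python's re module.

```python
import re

# The four classes from the example above, transcribed into a constructed harness.
# The page's "security ipsec ^vpn$ .* manual ..." regexps are omitted (see lead-in).
CLASSES = {
    "audit-admin": dict(
        allow_commands=r"^clear (log|security log)",
        deny_commands=(r"^clear (security alarms|system login lockout)|^file (copy|delete|rename)"
                       r"|^request (security|system set-encryption-key)|^rollback|^set date"
                       r"|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"),
        allow_config=[], deny_config=[]),
    "crypto-admin": dict(
        allow_commands=r"^request system set-encryption-key",
        deny_commands=(r"^clear (log|security alarms|security log|system login lockout)"
                       r"|^file (copy|delete|rename)|^rollback|^set date"
                       r"|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"),
        allow_config=[r"security (ike|ipsec) (policy|proposal)",
                      r"system fips self-test after-key-generation"],
        deny_config=[]),
    "security-admin": dict(
        allow_commands="",
        deny_commands=(r"^clear (log|security log)|^(clear|show) security alarms alarm-type idp"
                       r"|^request (security|system set-encryption-key)|^rollback|^start shell"),
        allow_config=[],
        deny_config=[r"security alarms potential-violation idp",
                     r"security (ike|ipsec) (policy|proposal)",
                     r"security log cache",
                     r"security log exclude .* event-id IDP_.*",
                     r"system fips self-test after-key-generation"]),
    "ids-admin": dict(
        allow_commands="",
        deny_commands=(r"^clear log"
                       r"|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)"
                       r"|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test"
                       r"|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures"
                       r"|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"
                       r"|^file (copy|delete|rename)|^request (security|system set-encryption-key)"
                       r"|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)"
                       r"|^start shell"),
        allow_config=[r"security alarms potential-violation idp",
                      r"security log exclude .* event-id IDP_.*"],
        deny_config=[r"security alarms potential-violation (authentication|cryptographic-self-test"
                     r"|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures"
                     r"|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"]),
}

FALL_THROUGH = "flags"  # no regexp matched: the class's permission flags decide (not modelled)


def _decide(text, deny_patterns, allow_patterns):
    # Assumption: deny is tested before allow. The page's classes never put the
    # same command in both lists, so the verdicts below do not depend on this.
    if any(p and re.search(p, text) for p in deny_patterns):
        return "deny"
    if any(p and re.search(p, text) for p in allow_patterns):
        return "allow"
    return FALL_THROUGH


def decide_command(class_name, command):
    """Verdict for an operational-mode command under allow-commands/deny-commands."""
    cls = CLASSES[class_name]
    return _decide(command, [cls["deny_commands"]], [cls["allow_commands"]])


def decide_config(class_name, statement):
    """Verdict for a configuration statement under the class's configuration regexps."""
    cls = CLASSES[class_name]
    return _decide(statement, cls["deny_config"], cls["allow_config"])


def matrix(items, decide):
    """Rows of (item, {class: verdict}) for a side-by-side review of all four classes."""
    return [(item, {c: decide(c, item) for c in CLASSES}) for item in items]


if __name__ == "__main__":
    commands = ["clear log messages", "request system set-encryption-key", "rollback",
                "show security alarms alarm-type idp", "show security alarms alarm-type policy",
                "start shell"]
    statements = ["security ike policy ike-pol", "security alarms potential-violation idp",
                  "system time-zone UTC"]
    for item, verdicts in matrix(commands, decide_command) + matrix(statements, decide_config):
        print(f"{item:45s}", "  ".join(f"{c}={v}" for c, v in verdicts.items()))
```

Two things the matrix makes visible that the prose does not: every class in the example denies ^rollback, even though the design guidelines above say to allow rollback permissions, and the ids-admin class reaches show security alarms alarm-type idp only through its security-control flag (verdict "flags"), not through an explicit allow.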

How to Configure a Local Administrator Account

Superuser privileges give a user permission to run any command on the device and are generally reserved for a select few users such as system administrators. You (the system administrator) must protect the local administrator account with a password so that unauthorized users cannot gain access to superuser commands, which can alter the system configuration. Users authenticated through RADIUS should also have a local password configured: if the RADIUS server does not respond, the login process falls back to local password authentication on the local administrator account.

The following example shows how to configure a password-protected local administration account called admin with superuser privileges:

[edit]
system {
    login {
        user admin {
            uid 1000;
            class superuser;
            authentication {
                encrypted-password "<PASSWORD>"; ## SECRET-DATA
            }
        }
    }
}