TACACS+ Authentication
Junos OS supports TACACS+ for central authentication of users on network devices. To use TACACS+ authentication on the device, you (the network administrator) must configure information about one or more TACACS+ servers on the network. You can also configure TACACS+ accounting on the device to collect statistical data about the users logging in to or out of a LAN and send the data to a TACACS+ accounting server.
Configure TACACS+ Authentication
TACACS+ authentication is a method of authenticating users who attempt to access a network device.
To configure TACACS+, perform the following tasks:
- Configure TACACS+ Server Details
- Configure TACACS+ to Use the Management Instance
- Configure the Same Authentication Service for Multiple TACACS+ Servers
- Configure Juniper Networks Vendor-Specific TACACS+ Attributes
Configure TACACS+ Server Details
To use TACACS+ authentication on the device, configure information about one or more TACACS+ servers on the network by including one `tacplus-server` statement at the `[edit system]` hierarchy level for each TACACS+ server. The device queries the TACACS+ servers in the order in which they are configured. If the primary server (the first one configured) is unavailable, the device attempts to contact each server in the list until it receives a response.
The network device can map TACACS+-authenticated users to a locally defined user account or user template account, which determines authorization. By default, Junos OS assigns TACACS+-authenticated users to the `remote` user template account, if configured, when:
- The authenticated user does not have a user account configured on the local device.
- The TACACS+ server either does not assign the user to a local user template, or the template that the server assigns is not configured on the local device.
The TACACS+ server can assign an authenticated user to a different user template to grant different administrative permissions to that user. The user retains the same login name in the CLI but inherits the login class, access privileges, and effective user ID from the assigned template. If the TACACS+-authenticated user does not map to any locally defined user account or user template, and the `remote` template is not configured, then authentication fails.
The `remote` username is a special case in Junos OS and must always be lowercase. It acts as a template for users who are authenticated by a remote server but do not have a locally configured user account on the device. Junos OS applies the permissions of the `remote` template to those authenticated users without a locally defined account. All users mapped to the `remote` template are in the same login class.
Because remote authentication is configured on multiple devices, it is commonly configured inside of a configuration group. The steps shown here are in a configuration group called `global`. Using a configuration group is optional.
To configure authentication by a TACACS+ server:
Configure TACACS+ to Use the Management Instance
By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through the default routing instance. You can also route TACACS+ packets through a management interface in a non-default VRF instance.
To route TACACS+ packets through the `mgmt_junos` management instance:
1. Enable the `mgmt_junos` management instance.
   ```
   [edit system]
   user@host# set management-instance
   ```
2. Configure the `routing-instance mgmt_junos` statement for the TACACS+ authentication server and, if configured, the TACACS+ accounting server.
   ```
   [edit system]
   user@host# set tacplus-server server-address routing-instance mgmt_junos
   user@host# set accounting destination tacplus server server-address routing-instance mgmt_junos
   ```
Configure the Same Authentication Service for Multiple TACACS+ Servers
You can configure the same authentication service for multiple TACACS+ servers by including statements at the `[edit system tacplus-server]` and `[edit system tacplus-options]` hierarchy levels.
To assign the same authentication service to multiple TACACS+ servers:
The following example shows how to configure the same authentication service for multiple TACACS+ servers:
```
[edit system]
tacplus-server {
    10.2.2.2 secret "$ABC123"; ## SECRET-DATA
    10.3.3.3 secret "$ABC123"; ## SECRET-DATA
}
tacplus-options {
    service-name bob;
}
```
Configure Juniper Networks Vendor-Specific TACACS+ Attributes
Junos OS can map TACACS+-authenticated users to a locally defined user account or user template account, which determines authorization. You can also optionally configure a user's access privileges by defining Juniper Networks vendor-specific TACACS+ attributes on the TACACS+ server. You define the attributes in the TACACS+ server configuration file on a per-user basis. The network device retrieves these attributes through an authorization request of the TACACS+ server after authenticating a user.
To specify these attributes, include a `service` statement of the following form in the TACACS+ server configuration file:
```
service = junos-exec {
    local-user-name = <username-local-to-router>
    allow-commands = "<allow-commands-regex>"
    allow-configuration-regexps = "<allow-configuration-regex>"
    deny-commands = "<deny-commands-regex>"
    deny-configuration-regexps = "<deny-configuration-regex>"
}
```
You can define the `service` statement in a `user` statement or a `group` statement.
Example: Configure a TACACS+ Server for System Authentication
This example configures system authentication through a TACACS+ server.
Requirements
Before you begin:
Perform the initial device configuration. See the Getting Started Guide for your device.
Set up at least one TACACS+ server on your network.
Overview
In this example, you add a new TACACS+ server with an IP address of 172.16.98.1. You specify the shared secret password of the TACACS+ server as Tacacssecret1. The device stores the secret in the configuration database as an encrypted value. Finally, you specify the source address that the device uses in TACACS+ server requests. In most cases, you can use the loopback address of the device, which in this example is 10.0.0.1.
You can configure support for multiple user authentication methods, such as local password authentication, TACACS+, and RADIUS, on the network device. When you configure multiple authentication methods, you can prioritize the order in which the device tries the different methods. In this example, you configure the device to use TACACS+ authentication services first and, if that fails, to then attempt local password authentication.
A TACACS+-authenticated user must map to a local user account or a local user template account on the network device, which determines authorization. By default, if a TACACS+-authenticated user does not map to a local user account or a specific user template, the user is assigned to the `remote` user template, if configured. This example configures the `remote` user template.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the `[edit]` hierarchy level, and then enter `commit` in configuration mode.
```
set system tacplus-server 172.16.98.1
set system tacplus-server 172.16.98.1 secret Tacacssecret1
set system tacplus-server 172.16.98.1 source-address 10.0.0.1
set system authentication-order [tacplus password]
set system login user remote class operator
```
Step-by-Step Procedure
To configure a TACACS+ server for system authentication:
1. Add a new TACACS+ server and set its IP address.
   ```
   [edit system]
   user@host# set tacplus-server 172.16.98.1
   ```
2. Specify the shared secret (password) of the TACACS+ server.
   ```
   [edit system]
   user@host# set tacplus-server 172.16.98.1 secret Tacacssecret1
   ```
3. Specify the device's loopback address as the source address.
   ```
   [edit system]
   user@host# set tacplus-server 172.16.98.1 source-address 10.0.0.1
   ```
4. Specify the device's order of authentication, and include the `tacplus` option.
   ```
   [edit system]
   user@host# set authentication-order [tacplus password]
   ```
5. Configure the `remote` user template and its login class.
   ```
   [edit system]
   user@host# set login user remote class operator
   ```
Results
In configuration mode, confirm your configuration by entering the `show system` command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
The following output includes only those portions of the configuration hierarchy that are relevant to this example:
```
[edit]
user@host# show system
login {
    user remote {
        class operator;
    }
}
authentication-order [ tacplus password ];
tacplus-server {
    172.16.98.1 {
        secret "$9$ABC123"; ## SECRET-DATA
        source-address 10.0.0.1;
    }
}
```
After you configure the device, enter `commit` in configuration mode.
Verification
Confirm that the configuration is working properly.
Verify the TACACS+ Server Configuration
Purpose
Verify that the TACACS+ server authenticates users.
Action
Log in to the network device, and verify that the login is successful. To verify that the device uses the TACACS+ server for authentication, you can attempt to log in with an account that does not define a local authentication password in the configuration.
Juniper Networks Vendor-Specific TACACS+ Attributes
Junos OS supports configuring Juniper Networks TACACS+ vendor-specific attributes (VSAs) on the TACACS+ server. Table 1 lists the supported Juniper Networks VSAs.
Some of the attributes accept extended regular expressions, as defined in POSIX 1003.2. If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. For more information, see:
Name | Description | Length | String |
---|---|---|---|
local-user-name | Indicates the name of the user template assigned to this user when the user logs in to a device. | ≥3 | One or more octets containing printable ASCII characters. |
allow-commands | Contains an extended regular expression that enables the user to run commands in addition to those commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. |
allow-commands-regexps | Contains an extended regular expression that enables the user to run commands in addition to those commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. |
allow-configuration | Contains an extended regular expression that enables the user to view and modify configuration statements in addition to those statements authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. |
allow-configuration-regexps | Contains an extended regular expression that enables the user to view and modify configuration statements in addition to those statements authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. |
deny-commands | Contains an extended regular expression that denies the user permission to run commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. |
deny-commands-regexps | Contains an extended regular expression that denies the user permission to run commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. |
deny-configuration | Contains an extended regular expression that denies the user permission to view or modify configuration statements authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. |
deny-configuration-regexps | Contains an extended regular expression that denies the user permission to view or modify configuration statements authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. |
user-permissions | Contains information the server uses to specify user permissions. Note: When the TACACS+ server defines the | ≥3 | One or more octets containing printable ASCII characters. |
 | Indicates the authentication method (local database or TACACS+ server) used to authenticate a user. If the user is authenticated using a local database, the attribute value shows 'local'. If the user is authenticated using a TACACS+ server, the attribute value shows 'remote'. | ≥5 | One or more octets containing printable ASCII characters. |
 | Indicates the source port number of the established session. | size of integer | Integer |
Use Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny Commands
Junos OS can map RADIUS- and TACACS+-authenticated users to a locally defined user account or user template account, which defines the user's access privileges. You can also optionally configure a user's access privileges by defining Juniper Networks RADIUS and TACACS+ vendor-specific attributes (VSAs) on the respective authentication server.
A user's login class defines the set of permissions that determines which operational mode and configuration mode commands a user is authorized to execute and which areas of the configuration a user can view and modify. A login class can also define regular expressions that allow or deny a user the ability to execute certain commands or view and modify certain areas of the configuration, in addition to what the permission flags authorize. A login class can include the following statements to define user authorization:
- `permissions`
- `allow-commands`
- `allow-commands-regexps`
- `allow-configuration`
- `allow-configuration-regexps`
- `deny-commands`
- `deny-commands-regexps`
- `deny-configuration`
- `deny-configuration-regexps`
Similarly, a RADIUS or TACACS+ server configuration can use Juniper Networks VSAs to define specific permissions or regular expressions that determine a user's access privileges. For the list of supported RADIUS and TACACS+ VSAs, see the following:
- Juniper Networks Vendor-Specific RADIUS Attributes
- Juniper Networks Vendor-Specific TACACS+ Attributes
You can define user permissions on the RADIUS or TACACS+ server as a list of space-separated values.
A RADIUS server uses the following attribute and syntax:
```
Juniper-User-Permissions += "flag1 flag2 flag3",
```
For example:
```
Juniper-User-Permissions += "interface interface-control configure",
```
A TACACS+ server uses the following attribute and syntax:
```
user-permissions = "flag1 flag2 flag3"
```
For example:
```
user-permissions = "interface interface-control configure"
```
A RADIUS or TACACS+ server can also define Juniper Networks VSAs that use a single extended regular expression (as defined in POSIX 1003.2) to allow or deny a user the ability to execute certain commands or view and modify areas of the configuration. You enclose multiple commands or configuration hierarchies in parentheses and separate them using a pipe symbol. If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks. When you configure authorization parameters both locally and remotely, the device merges the regular expressions received during TACACS+ or RADIUS authorization with any regular expressions defined on the local device.
A RADIUS server uses the following attributes and syntax:
```
Juniper-Allow-Commands += "(cmd1)|(cmd2)|(cmdn)",
Juniper-Deny-Commands += "(cmd1)|(cmd2)|(cmdn)",
Juniper-Allow-Configuration += "(config1)|(config2)|(confign)",
Juniper-Deny-Configuration += "(config1)|(config2)|(confign)",
```
For example:
```
Juniper-Allow-Commands += "(test)|(ping)|(quit)",
Juniper-Deny-Commands += "(request)|(restart)",
Juniper-Allow-Configuration += "(groups re0)|(system radius-server)",
Juniper-Deny-Configuration += "(system radius-options)|(system accounting)",
```
A TACACS+ server uses the following attributes and syntax:
```
allow-commands = "(cmd1)|(cmd2)|(cmdn)"
deny-commands = "(cmd1)|(cmd2)|(cmdn)"
allow-configuration = "(config1)|(config2)|(confign)"
deny-configuration = "(config1)|(config2)|(confign)"
```
For example:
```
allow-commands = "(test)|(ping)|(quit)"
deny-commands = "(request)|(restart)"
allow-configuration = "(groups re0)|(system tacplus-server)"
deny-configuration = "(system tacplus-options)|(system accounting)"
```
RADIUS and TACACS+ servers also support configuring attributes that correspond to the same `*-regexps` statements that you can configure on the local device. The `*-regexps` TACACS+ attributes and the `*-Regexps` RADIUS attributes use the same regular expression syntax as the previous attributes, but they enable you to configure regular expressions with variables.
A RADIUS server uses the following attributes and syntax:
```
Juniper-Allow-Configuration-Regexps += "(config1)|(config2)|(confign)",
Juniper-Deny-Configuration-Regexps += "(config1)|(config2)|(confign)",
```
A TACACS+ server uses the following attributes and syntax:
```
allow-commands-regexps = "(cmd1)|(cmd2)|(cmdn)"
deny-commands-regexps = "(cmd1)|(cmd2)|(cmdn)"
allow-configuration-regexps = "(config1)|(config2)|(confign)"
deny-configuration-regexps = "(config1)|(config2)|(confign)"
```
For example, the TACACS+ server configuration might define the following attributes:
```
allow-commands-regexps = "(show cli .*)|(ping 10.1.1..*)"
deny-commands-regexps = "(configure .*)|(edit)|(commit)|(rollback .*)"
```
On a RADIUS or TACACS+ server, you can also define the attributes using a simplified syntax in which you specify each individual expression on a separate line.
For a RADIUS server, specify the individual regular expressions using the following syntax:
```
Juniper-User-Permissions += "permission-flag1",
Juniper-User-Permissions += "permission-flag2",
Juniper-User-Permissions += "permission-flagn",
Juniper-Allow-Commands += "cmd1",
Juniper-Allow-Commands += "cmd2",
Juniper-Allow-Commands += "cmdn",
Juniper-Deny-Commands += "cmd1",
Juniper-Deny-Commands += "cmd2",
Juniper-Deny-Commands += "cmdn",
Juniper-Allow-Configuration += "config1",
Juniper-Allow-Configuration += "config2",
Juniper-Allow-Configuration += "confign",
Juniper-Deny-Configuration += "config1",
Juniper-Deny-Configuration += "config2",
Juniper-Deny-Configuration += "confign",
```
For a TACACS+ server, specify the individual regular expressions using the following syntax:
```
user-permissions1 = "permission-flag1"
user-permissions2 = "permission-flag2"
user-permissionsn = "permission-flagn"
allow-commands1 = "cmd1"
allow-commands2 = "cmd2"
allow-commandsn = "cmdn"
deny-commands1 = "cmd1"
deny-commands2 = "cmd2"
deny-commandsn = "cmdn"
allow-configuration1 = "config1"
allow-configuration2 = "config2"
allow-configurationn = "confign"
deny-configuration1 = "config1"
deny-configuration2 = "config2"
deny-configurationn = "confign"
```
In the TACACS+ server syntax, the numeric values 1 through n must be unique but need not be sequential. For example, the following syntax is valid:
```
allow-commands1="cmd1"
allow-commands3="cmd3"
allow-commands2="cmd2"
deny-commands3="cmd3"
deny-commands2="cmd2"
deny-commands1="cmd1"
```
The RADIUS or TACACS+ server imposes a limit on the number of individual regular expression lines.
When you issue the `show cli authorization` command, the command output displays the regular expression on a single line, even if you specify each individual expression on a separate line.
Users can verify their class, permissions, and command and configuration authorization by issuing the `show cli authorization` operational mode command:
```
user@host> show cli authorization
```
When you configure the authorization parameters both locally on the network device and remotely on the RADIUS or TACACS+ server, the device merges the regular expressions received during TACACS+ or RADIUS authorization with any locally configured regular expressions. If the final expression contains a syntax error, the overall result is an invalid regular expression.
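The following added example (not Junos OS code or a Juniper tool) models two behaviours described above: collapsing the per-line `allow-commandsN`/`deny-commandsN` TACACS+ attributes into the single alternation that `show cli authorization` displays, and merging a server-supplied expression with a locally configured one so that a syntax error anywhere invalidates the whole result. The service block and regex values are constructed, Python's `re` stands in for the device's POSIX ERE engine, and whole-command matching is an assumption of the model.

```python
import re
from collections import defaultdict

# Constructed sample of the per-line TACACS+ syntax described above: indices
# are unique but not sequential, inside the service = junos-exec block the page
# shows. Attribute names are the page's; the regex values are made up here.
SAMPLE_SERVICE_BLOCK = '''
service = junos-exec {
    local-user-name = ops-template
    allow-commands1 = "show cli .*"
    allow-commands3 = "ping 10.1.1..*"
    allow-commands2="show interfaces .*"
    deny-commands1 = "configure .*"
    deny-commands2 = "rollback .*"
    allow-configuration-regexps = "(system syslog)|(system ntp)"
}
'''

# attribute name, optional numeric suffix, '=', optionally quoted value
ATTR_RE = re.compile(r'^([a-z-]+?)(\d+)?\s*=\s*"?([^"]*)"?$')

def parse_service_block(text):
    """Return {attribute: {index: value}}; numbered variants (allow-commands1,
    allow-commands3, ...) share a base name, unnumbered ones use index None.
    A repeated index is rejected because the page requires indices be unique."""
    attrs = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("service") or line == "}":
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"unparseable attribute line: {line!r}")
        name, index, value = m.groups()
        key = int(index) if index is not None else None
        if key in attrs[name]:
            raise ValueError(f"duplicate index {key} for {name}")
        attrs[name][key] = value
    return dict(attrs)

def collapse(entries):
    """Join per-line expressions into the single alternation that
    'show cli authorization' displays: (e1)|(e2)|(e3), in index order."""
    if list(entries) == [None]:   # a single unnumbered value is already one expression
        return entries[None]
    ordered = sorted(entries, key=lambda k: -1 if k is None else k)
    return "|".join(f"({entries[k]})" for k in ordered)

def merge_regexps(local, remote):
    """Combine a locally configured expression with the one received from the
    server and compile the result; a syntax error anywhere invalidates the whole
    merged expression. Python's re stands in for the device's POSIX ERE engine."""
    parts = [p for p in (local, remote) if p]
    pattern = "|".join(f"({p})" for p in parts)
    try:
        return pattern, re.compile(pattern), None
    except re.error as err:
        return pattern, None, str(err)

def authorize(command, allow_rx, deny_rx):
    """Report which merged expressions a command matches. Whole-command matching
    is an assumption of this model; Junos allow/deny precedence is not modelled."""
    return {"allow": bool(allow_rx and allow_rx.fullmatch(command)),
            "deny": bool(deny_rx and deny_rx.fullmatch(command))}

if __name__ == "__main__":
    attrs = parse_service_block(SAMPLE_SERVICE_BLOCK)
    allow, deny = collapse(attrs["allow-commands"]), collapse(attrs["deny-commands"])
    print("allow-commands as displayed:", allow)
    # Merge with a constructed local login-class expression, then evaluate commands.
    _, allow_rx, _ = merge_regexps("(request system .*)", allow)
    _, deny_rx, _ = merge_regexps(None, deny)
    for cmd in ("show cli authorization", "configure private", "ping 10.1.1.5"):
        print(f"{cmd!r:26} -> {authorize(cmd, allow_rx, deny_rx)}")
    # An unbalanced local expression poisons the merged result.
    print("bad local regex ->", merge_regexps("(request system .*", allow)[2])
```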
Configuring TACACS+ System Accounting
You can configure TACACS+ accounting on a device to collect statistical data about users logging in to or out of a LAN and send the data to a TACACS+ accounting server. The statistical data can be used for general network monitoring, analyzing and tracking usage patterns, or billing a user based on the duration of the session or type of services accessed.
To configure TACACS+ accounting, specify:
- One or more TACACS+ accounting servers to receive the statistical data from the device
- The type of accounting data to collect
You can use the same server for both TACACS+ accounting and authentication, or you can use separate servers. You can specify a list of TACACS+ accounting servers. The device queries the servers in the order in which they are configured. If the primary server (the first one configured) is unavailable, the device attempts to contact each server in the list until it receives a response.
When you enable TACACS+ accounting, Juniper Networks devices, acting as TACACS+ clients, can notify the TACACS+ server about user activities such as software logins, configuration changes, and interactive commands.
Configure TACACS+ Server Accounting
To configure TACACS+ server accounting: