The router supports 30 virtual tty (vty) lines for Telnet, Secure Shell Server (SSH), and FTP services. Each Telnet, SSH, or FTP session requires one vty line.

You can add security to your router by configuring the software to validate login requests. There are two modes of authentication for a vty line:

- Simple authentication—Password-only authentication through the local configuration
- AAA authentication—Username and password authentication through a set of authentication servers

You can enable AAA authorization, which allows you to limit the services available to a user. Based on information retrieved from a user's profile, the user is either granted or denied access to the requested server.
Configuring Simple Authentication

To configure simple authentication:

1. Specify a vty line or a range of vty lines on which you want to enable the password.
   host1(config)#line vty 8 13
   host1(config-line)#
2. Specify the password for the vty lines.
   host1(config-line)#password 0 mypassword
3. Enable login authentication on the lines.
   host1(config-line)#login
4. Display your vty line configuration.
   host1#show line vty 8
   no access-class in
   data-character-bits 8
   exec-timeout never
   exec-banner enabled
   motd-banner enabled
   login-timeout 30 seconds
line

Use to specify the vty line(s) on which you want to enable the password.

You can set a single line or a range of lines. The range is 0–29.

Example
host1(config)#line vty 8 13

Use the no version to remove a vty line or a range of lines from your configuration; users will not be able to run Telnet, SSH, or FTP to lines that you remove. When you remove a vty line, the system removes all lines above that line. For example, no line vty 6 causes the system to remove lines 6 through 29. You cannot remove lines 0 through 4.
password

Use to specify a password on a single line or a range of lines.

If you enable password checking but do not configure a password, the system will not allow you to access virtual terminals.

Specify a password in plain text (unencrypted) or cipher text (encrypted). In either case, the system stores the password as encrypted.

Use the following keywords to specify the type of password you will enter:

- 0 (zero)—Unencrypted password
- 5—Secret
- 7—Encrypted password

Note: To use an encrypted password or a secret, you must follow the procedure in Setting Basic Password Parameters to obtain the encrypted password or secret. You cannot create your own encrypted password or secret; you must use a system-generated password or secret.
show line vty

Field descriptions:

- access-class—Access-class associated with the vty line
- data-character-bits—Number of bits per character
  - 7—Setting for the standard ASCII set
  - 8—Setting for the international character set
- exec-timeout—Time interval that the terminal waits for expected user input
  - Never—Indicates that there is no time limit
- exec-banner—Status for the exec banner: enabled or disabled. This banner is displayed by the CLI after user authentication (if any) and before the first prompt of a CLI session.
- motd-banner—Status for the message of the day (MOTD) banner: enabled or disabled. This banner is displayed by the CLI when a connection is initiated.
- login-timeout—Time interval during which the user must log in.
  - Never—Indicates that there is no time limit

Example
host1#show line vty 0
no access-class in
data-character-bits 8
exec-timeout 3w 3d 7h 20m 0s
exec-banner enabled
motd-banner enabled
login-timeout 30 seconds
Configuring AAA Authentication and AAA Authorization

Before you configure AAA authentication and AAA authorization, you need to configure a RADIUS and/or TACACS+ authentication server. Note that several of the steps in the configuration procedure are optional.

To configure AAA new model authentication and authorization for inbound sessions to vty lines on your router:

1. Specify AAA new model authentication.
   host1(config)#aaa new-model
2. Create an authentication list that specifies the type(s) of authentication methods allowed.
   host1(config)#aaa authentication login my_auth_list tacacs+ line enable
3. (Optional) Specify the privilege level by defining a method list for authentication.
Use to allow privilege determination to be authenticated through the TACACS+ or RADIUS server. This command specifies a list of authentication methods that are used to determine whether a user is granted access to the privilege command level.

The authentication methods that you can use in a list include these options: radius, line, tacacs+, none, and enable.

To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

Requests sent to a TACACS+ or RADIUS server include the username that is entered for login authentication.

If the authentication method list is empty, the local enable password is used.
aaa authentication login

Use to set AAA authentication at login. This command creates a list that specifies the methods of authentication.

After you have specified aaa new-model as the authentication method for vty lines, an authentication list called “default” is automatically assigned to the vty lines. To allow users to access the vty lines, you must create an authentication list and either:

- Name the list “default.”
- Assign a different name to the authentication list, and assign the new list to the vty line using the login authentication command.

The authentication methods that you can use in a list include these options: radius, line, tacacs+, none, and enable.

The system traverses the list of authentication methods to determine whether a user is allowed to start a Telnet session. If a specific method is available but the user information is not valid (such as an incorrect password), the system does not continue to traverse the list and denies the user a session.

If a specific method is unavailable, the system continues to traverse the list. For example, if tacacs+ is the first authentication type element on the list and the TACACS+ server is unreachable, the system attempts to authenticate with the next authentication type on the list, such as radius.

The system assumes an implicit denial of service if it reaches the end of the authentication list without finding an available method.

Example
host1(config)#aaa authentication login my_auth_list tacacs+ radius line none

Use the no version to remove the authentication list from your configuration.
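The list-traversal rules above, as an added example that is not part of the JUNOSe documentation: a small Python model of how an aaa authentication login method list is walked. It assumes a constructed RouterState (which servers answer, which local passwords exist) and treats a line or enable method whose password is not configured as unavailable (an assumption); it shows the fail-open case that a trailing none produces when every server is unreachable and no line password is set.

```python
# Added example, not from the JUNOSe documentation: a model of how the
# router walks an "aaa authentication login" method list under the rules
# above (available method + bad credentials = stop and deny; unavailable
# method = skip; end of list = implicit deny; "none" = always succeed).
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RouterState:
    """Constructed state: which AAA servers answer, which local passwords exist."""
    tacacs_up: bool = False
    radius_up: bool = False
    line_password: Optional[str] = None    # set with "password" in line config mode
    enable_password: Optional[str] = None
    server_users: dict = field(default_factory=dict)  # user -> password held by servers

LOGIN_METHODS = {"radius", "line", "tacacs+", "none", "enable"}

def parse_login_list(command: str) -> tuple:
    """Parse 'aaa authentication login <name> <method>...' into (name, [methods])."""
    words = command.split()
    if words[:3] != ["aaa", "authentication", "login"] or len(words) < 5:
        raise ValueError("expected: aaa authentication login <name> <method> [method...]")
    bad = [m for m in words[4:] if m not in LOGIN_METHODS]
    if bad:
        raise ValueError(f"unknown method(s): {bad}")
    return words[3], words[4:]

def authenticate(methods, state, user, password):
    """Return (granted, reason) for one login attempt walked through the list."""
    for method in methods:
        if method == "none":
            return True, "none: granted without checking credentials"
        if method in ("tacacs+", "radius"):
            if not (state.tacacs_up if method == "tacacs+" else state.radius_up):
                continue                          # server unreachable: try next method
            ok = state.server_users.get(user) == password
        elif method == "line":
            if state.line_password is None:
                continue                          # no line password: method unavailable
            ok = password == state.line_password
        else:                                     # enable
            if state.enable_password is None:
                continue
            ok = password == state.enable_password
        if not ok:
            return False, f"{method}: invalid credentials, traversal stopped"
        return True, f"{method}: authenticated"
    return False, "implicit deny: end of list reached, no method available"
```

With both servers down and no line password, the page's own example list admits any username and password because none is reached; the same list with a line password configured stops at line and denies a wrong password.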
aaa authorization

Use to set the parameters that restrict access to a network.

Use the keyword exec to determine if the user is allowed to run Exec mode commands. The commands that you can execute from Exec mode provide only user-level access.

Use the keyword commands to run authorization for all commands at the specified privilege level (0–15). See Table 51 for a description of privilege levels.

You can enter up to three authorization types to use in an authorization method list. Options include: if-authenticated, none, and tacacs+.

Note: For information about TACACS+, see JUNOSe Broadband Access Configuration Guide.

Authorization method lists define the way authorization is performed and the sequence in which the methods are performed. You can designate one or more security protocols in the method list to be used for authorization. If the initial method fails, the next method in the list is used. The process continues until either there is successful communication with a listed authorization method or all methods defined are exhausted.

aaa authorization config-commands

Use to reestablish the default created when the aaa authorization commands command was issued.

After the aaa authorization commands command has been issued, aaa authorization config-commands is enabled by default, which means that all configuration commands are authorized.

Example
host1(config)#aaa new-model
host1(config)#aaa authorization commands 15 parks tacacs+ none
Use to apply AAA authorization to a specific vty line or group of lines.

Use the exec keyword to apply this authorization to CLI access in general.

Use the commands keyword to apply this authorization to user commands of the privilege level you specify.

You can specify the name of an authorization method list; if no method list is specified, the default is used.

After you enable the aaa authorization command and define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined list to the appropriate lines for authorization to take place.

line

You can set a single line or a range of lines. The range is 0–29.

Example
host1(config)#line vty 6 10
Use the no version to remove a vty line or a range of lines from your configuration; users will not be able to run Telnet, SSH, or FTP to lines that you remove. When you remove a vty line, the system removes all lines above that line. For example, no line vty 6 causes the system to remove lines 6 through 29. You cannot remove lines 0 through 4.

password

Use to specify a password on a line or a range of lines if you specified the line option with the aaa authentication login command.

If you enable password checking but do not configure a password, the system will not allow you to access virtual terminals.

Use the following keywords to specify the type of password you will enter:

- 0 (zero)—Unencrypted password
- 5—Secret
- 7—Encrypted password

Note: To use an encrypted password or a secret, you must follow the procedure in Setting Basic Password Parameters to obtain the encrypted password or secret. You cannot create your own encrypted password or secret; you must use a system-generated password or secret.