Restricting User Access

[Contents] [Prev] [Next] [Index] [Report an Error]

Restricting User Access
Users who are authenticated via RADIUS or TACACS+ can be restricted to certain sets of commands and virtual routers (VRs). The levels of access are shown in Table 6-2.

Table 6-2 CLI user access levels

Access Level

Commands Available

0

disable, enable, exit, and help commands

1

Level 0 commands and all other commands available in User Exec mode

5

Level 1 commands and all Privileged show commands

10

All commands except support commands

15

Commands that Juniper Networks Technical Support may provide and all other commands

Note: For information about TACACS+, see the ERX Broadband Access Configuration Guide, Chapter 4, Configuring TACACS+.

Restricting Access to Commands with RADIUS

You can use RADIUS authentication to specify a level of commands that a user is allowed. If you do not configure RADIUS authentication for the console or virtual terminals, all users who successfully log in are automatically granted Level 1 access.

The vendor-specific attribute (VSA) admin-auth-level supports the levels of access shown in Table 6-2. In addition to VSA access level support, the software provides access to levels 1 and 10 through the initial-auth-level in the standard RADIUS service-type attribute. If the RADIUS service-type attribute is included in the RADIUS access-accept message, the standard attribute overrides any VSA setting.

If you are using the RADIUS service-type attribute to assign access levels, the system sets the initial-auth-level as follows:

If the service-type attribute is set to "administrative," then the initial-auth-level is set to 10.

If the service-type attribute is set to "nas prompt" or "login," the initial-auth-level is set to 1.

Per-User Enable Authentication

Once a user is authenticated through RADIUS, the RADIUS server provides the ERX system with the names of the privilege levels (for example, "10") that the user has enable access to. When the user attempts to access a privilege level through the enable command, the system either denies or approves the user's request. The decision to deny or approve the user's request is based on the list the system received through RADIUS. See Table 6-3.

Table 6-3 Juniper Networks-specific CLI access VSA descriptions

VSA

Description

Type

Length

Subtype

Subtype Length

Value

Juniper-Initial-CLI-
Access-Level

Specifies the initial level of access to CLI commands.

26

len

18

sublen

Single attribute; enter only: 0, 1, 5, 10, or 15

Juniper-Alt-CLI-
Access-Level

Specifies level of access to CLI commands.

26

len

20

sublen

Single attribute; enter only: 0, 1, 5, 10, or 15

Note: All levels to which a user can have access must explicitly be specified in the Admin-Auth-Set VSA.

The user is not prompted for a password, since the system knows whether or not the user should have access to the requested level. If the user is not authenticated through RADIUS, the system uses the system-wide enable passwords instead.

Restricting Access to Virtual Routers

You can use RADIUS authentication to specify whether users can access all virtual routers (VRs), one specific VR, or a set of specific VRs.

Note: This classification is independent of the command access levels configurable via the Juniper-Initial-CLI-Access-Level VSA.

The VSA Juniper-Allow-All-VR-access controls access; the VSA Juniper-Virtual-Router controls the VR to which the user logs in, and the VSA Juniper-Alt-CLI-Virtual-Router-Name specifies which VRs other than the VR specified by the VSA Juniper-virtual-router are accessible to restricted users. See Table 6-4.

Table 6-4 Juniper Networks-specific virtual router access VSA descriptions

VSA

Description

Type

Length

Subtype

Subtype Length

Value

Juniper-Allow-All-VR-
Access

Specifies user access to all virtual routers.

26

len

19

sublen

Integer:
0 - disable,
1 - enable

Juniper-Virtual-Router

Specifies the VR to which the user logs in or the only VR to which a user has access. The default setting is the default VR.

26

len

1

sublen

String: virtual-router-name

Juniper-Alt-CLI-Virtual-Router-Name

Specifies a VR, other than the VR specified by the Juniper-Virtual-Router VSA, to which the user has access. You can define this VSA multiple times to define a set of VRs to which a user has access.

26

len

21

sublen

String: virtual-router-name

VSA Configuration Examples

Consider a system on which five VRs have been configured. The VRs are called Boston, Chicago, Detroit, Los Angeles, and San Francisco. The following examples illustrate how to use the VSAs to control a user's access to these VRs.

Example 1

In this example, you want the user to have access to all VRs and to log in to the default VR. Accept the default setting or set the following VSA:

Juniper-Allow-All-VR-Access - 1

Example 2

In this example, you want the user to have access to all VRs and to log in to the VR Boston. Set the VSAs as follows:

Juniper-Allow-All-VR-Access - 1

Juniper-Virtual-Router - Boston

Example 3

In this example, you want the user to have access only to the VR Boston. Set the VSAs as follows:

Juniper-Allow-All-VR-Access - 0

Juniper-Virtual-Router - Boston

Example 4

In this example, you want the user to log in to VR Boston, and to have access to VRs Chicago, Los Angeles, and San Francisco. Set the VSAs as follows:

Juniper-Allow-All-VR-Access - 0

Juniper-Virtual-Router - Boston

Juniper-Alt-CLI-Virtual-Router-Name - Chicago

Juniper-Alt-CLI-Virtual-Router-Name - Los Angeles

Juniper-Alt-CLI-Virtual-Router-Name- San Francisco

Commands Available to Users

If you do not configure RADIUS authentication for the console or virtual terminals, there are no restrictions on VR access for any user who successfully logs onto the system. For example, nonrestricted users can

Issue the virtual-router command in Privileged Exec mode, to switch to another previously created virtual router.

Issue the virtual-router command in Global Configuration mode to create a new virtual router and switch to its context.

Access Global Configuration mode to configure the system and virtual routers.

View all settings for the system and all virtual routers.

User restricted to one or a set of specific VRs can see and use only a limited set of commands to monitor the status of those VRs and view some configuration settings on those VRs. More specifically, such users

Can issue the virtual-router command in Privileged Exec mode to switch to another previously configured VR to which they have access.

Cannot create new VRs or access VRs other than those to which they have access.

Cannot access Global Configuration mode and cannot configure VRs to which they have access.

Cannot see or use any commands associated with the file system, boot settings, or system configuration.

Table 6-5 lists some, but not all, commands accessed from User Exec or Privileged Exec mode that are available only to users with no VR restriction.

Table 6-5 User Exec or Privileged Exec mode commands

clear line

reload

show redundancy

clock set

reload slot

show secrets

copy

rename

show subsystems

copy running-configuration

redundancy force-failover

show timing

delete

redundancy revert

show users

dir

show boot

show utilization

disconnect ssh

show config

srp switch

configure

show exception dump

synchronize

erase secrets

show ip ssh

halt

show line

Access Level	Commands Available
0	disable, enable, exit, and help commands
1	Level 0 commands and all other commands available in User Exec mode
5	Level 1 commands and all Privileged show commands
10	All commands except support commands
15	Commands that Juniper Networks Technical Support may provide and all other commands

VSA	Description	Type	Length	Subtype	Subtype Length	Value
Juniper-Initial-CLI- Access-Level	Specifies the initial level of access to CLI commands.	26	len	18	sublen	Single attribute; enter only: 0, 1, 5, 10, or 15
Juniper-Alt-CLI- Access-Level	Specifies level of access to CLI commands.	26	len	20	sublen	Single attribute; enter only: 0, 1, 5, 10, or 15

VSA	Description	Type	Length	Subtype	Subtype Length	Value
Juniper-Allow-All-VR- Access	Specifies user access to all virtual routers.	26	len	19	sublen	Integer: 0 - disable, 1 - enable
Juniper-Virtual-Router	Specifies the VR to which the user logs in or the only VR to which a user has access. The default setting is the default VR.	26	len	1	sublen	String: virtual-router-name
Juniper-Alt-CLI-Virtual-Router-Name	Specifies a VR, other than the VR specified by the Juniper-Virtual-Router VSA, to which the user has access. You can define this VSA multiple times to define a set of VRs to which a user has access.	26	len	21	sublen	String: virtual-router-name

[Contents] [Prev] [Next] [Index] [Report an Error]

clear line	reload	show redundancy
clock set	reload slot	show secrets
copy	rename	show subsystems
copy running-configuration	redundancy force-failover	show timing
delete	redundancy revert	show users
dir	show boot	show utilization
disconnect ssh	show config	srp switch
configure	show exception dump	synchronize
erase secrets	show ip ssh
halt	show line