Local User Template Accounts

Use local user template accounts when you need more than one template, each defining a different set of permissions for the group of users who share it. The templates are defined locally on the router and are referenced by name from the TACACS+ or RADIUS authentication server: the server decides who the user is, and the template decides what that user is allowed to do on the router.

When local user templates are configured and a user logs in, the JUNOS software sends the login name to the authentication server. If the server authenticates the user, its reply can carry a local username (the local-user-name attribute for TACACS+, the Juniper-Local-User-Name attribute for RADIUS). The JUNOS software then looks for a locally configured user template with that name and, if one exists, applies it. If the reply carries no local username, or names a template that does not exist on the router, the user is assigned to the remote template. For that fallback to work, the remote account must itself be configured at the [edit system login user remote] hierarchy level; give it the least privileged class you are prepared to grant to any user the server authenticates, because every unmapped or mistyped template name lands there.

To give users who share a local user template different access privileges, set the allow-commands and deny-commands attributes for each user in the authentication server's configuration. For information about how to configure access privileges on the authentication server, see Configure Juniper Networks-Specific RADIUS Attributes and Configure Juniper Networks-Specific TACACS+ Attributes.

For information about creating user accounts, see Configure User Accounts. For an example of how to configure a template account, see Examples: Configure System Authentication.

To configure a local user template, create a user account whose name is the local username the server returns, and assign it the class that carries the privileges you want those users to have, at the [edit system login user] hierarchy level:

[edit]
system {
    login {
        user local-user-name {
            full-name "local user account";
            uid uid-value;
            class class-name;
        }
    }
}

Local User Template Example:

In this example, you configure the sales and engineering local user templates:

[edit]
system {
    login {
        user sales {
            uid uid-value;
            class class-name;
        }
        user engineering {
            uid uid-value;
            class class-name;
        }
    }
}
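A complete router-side configuration for the same two templates, added here as an example rather than taken from the original page. The class names, UIDs, server address and shared secret are assumed placeholders; what the example adds is the remote fallback account, the classes behind each template, and the authentication order that sends logins to the TACACS+ server first:

```text
[edit]
system {
    authentication-order [ tacplus password ];
    tacplus-server {
        192.0.2.10 {
            secret "example-shared-secret";
        }
    }
    login {
        class sales-ops {
            permissions [ view ];
        }
        class net-eng {
            permissions [ view configure ];
        }
        class observer {
            permissions [ view ];
        }
        user sales {
            full-name "Sales template";
            uid 2001;
            class sales-ops;
        }
        user engineering {
            full-name "Engineering template";
            uid 2002;
            class net-eng;
        }
        user remote {
            full-name "Fallback for authenticated users without a template";
            uid 2003;
            class observer;
        }
    }
}
```

Each template needs its own unique uid. The observer class on the remote account is deliberately the weakest of the three: any server entry that omits local-user-name, or misspells it, ends up with exactly these permissions, so this is the account whose class deserves the most scrutiny.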

Next, configure the users on the TACACS+ authentication server. Each entry returns the template name in local-user-name and the per-user restrictions in allow-commands and deny-commands:

user = simon {
    ...
    service = junos-exec {
        local-user-name = sales
        allow-commands = "configure"
        deny-commands = "shutdown"
    }
}
user = rob {
    ...
    service = junos-exec {
        local-user-name = sales
        allow-commands = "(request system) | (show rip neighbor)"
        deny-commands = "^clear"
    }
}
user = harold {
    ...
    service = junos-exec {
        local-user-name = engineering
        allow-commands = "monitor | help | show | ping | traceroute"
        deny-commands = "configure"
    }
}
user = jim {
    ...
    service = junos-exec {
        local-user-name = engineering
        allow-commands = "show bgp neighbor"
        deny-commands = "telnet | ssh"
    }
}

When simon and rob log in and are authenticated, they use the sales local user template; when harold and jim are authenticated, they use the engineering local user template. The allow-commands and deny-commands returned for each user then apply to that user individually, on top of the class assigned by the template.
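For RADIUS the same mapping is carried in Juniper vendor-specific attributes instead of a junos-exec service. As an added example that is not part of the original page, this is the FreeRADIUS users-file equivalent of the simon and harold entries above; the passwords are placeholders and the attribute names come from the FreeRADIUS Juniper dictionary:

```text
simon   Cleartext-Password := "example-only"
        Juniper-Local-User-Name = "sales",
        Juniper-Allow-Commands = "configure",
        Juniper-Deny-Commands = "shutdown"

harold  Cleartext-Password := "example-only"
        Juniper-Local-User-Name = "engineering",
        Juniper-Allow-Commands = "monitor | help | show | ping | traceroute",
        Juniper-Deny-Commands = "configure"
```

Reply attributes are comma-separated with no comma after the last one. Juniper-Local-User-Name must match the user account name on the router exactly; a value that matches nothing sends the user to the remote template just as a missing attribute does.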



Note that the permission bits of the class assigned by the template override the allow-commands and deny-commands regular expressions returned by the server. To see the privileges a user actually received, log in as that user and run the show cli authorization command, which lists the class permissions and the allow and deny regular expressions in effect for the session.
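The two ways the setup above silently degrades are a server entry whose local-user-name matches no template on the router (the user drops to the remote template) and a command regular expression that can never match. The following audit script is an added example, not part of the original page or of any Juniper tool: it parses a constructed tac_plus-style file in the shape of the example above, cross-checks every local-user-name against the set of templates assumed to exist on the router, and sanity-checks each regular expression. Python's re dialect is used only as a compile check; Junos evaluates these expressions with its own regular-expression engine.

```python
import re

# Constructed sample input for this example: a tac_plus-style server file in the
# same shape as the page's example. It contains three deliberate defects:
# rob's deny-commands has an anchor in mid-pattern, harold's template name is
# mistyped, and jim's entry returns no local-user-name at all.
SERVER_CONF = """
user = simon {
    service = junos-exec {
        local-user-name = sales
        allow-commands = "configure"
        deny-commands = "shutdown"
    }
}
user = rob {
    service = junos-exec {
        local-user-name = sales
        allow-commands = "(request system) | (show rip neighbor)"
        deny-commands = "<^clear"
    }
}
user = harold {
    service = junos-exec {
        local-user-name = engineerng
        allow-commands = "monitor | help | show | ping | traceroute"
        deny-commands = "configure"
    }
}
user = jim {
    service = junos-exec {
        allow-commands = "show bgp neighbor"
        deny-commands = "telnet | ssh"
    }
}
"""

# Constructed (assumed): the user accounts present under [edit system login].
ROUTER_TEMPLATES = {"sales", "engineering", "remote"}

# One top-level "user = name { ... }" block; its closing brace is the first
# "}" that starts a line, so the indented service block stays inside it.
USER_BLOCK = re.compile(r"user\s*=\s*(\S+)\s*\{(.*?)\n\}", re.S)
# Attribute lines inside the block; the value may or may not be quoted.
ATTRIBUTE = re.compile(
    r'^\s*(local-user-name|allow-commands|deny-commands)\s*=\s*"?([^"\n]*?)"?\s*$',
    re.M,
)


def parse_users(conf):
    """Map each login name to the attributes of its junos-exec service block."""
    users = {}
    for login, body in USER_BLOCK.findall(conf):
        if "junos-exec" not in body:
            continue
        users[login] = {attr: value for attr, value in ATTRIBUTE.findall(body)}
    return users


def misplaced_anchor(pattern):
    """True when an unescaped ^ or $ sits where it cannot anchor anything."""
    for i, ch in enumerate(pattern):
        if i > 0 and pattern[i - 1] == "\\":
            continue  # escaped literal, not an anchor
        if ch == "^" and i > 0 and pattern[i - 1] not in "(|":
            return True
        if ch == "$" and i + 1 < len(pattern) and pattern[i + 1] not in ")|":
            return True
    return False


def audit(conf, templates):
    """Return (login, problem) pairs for entries that will not behave as intended."""
    findings = []
    for login, attrs in parse_users(conf).items():
        template = attrs.get("local-user-name")
        if template is None:
            findings.append((login, "no local-user-name returned: user lands in the remote template"))
        elif template not in templates:
            findings.append((login, f"template {template!r} not defined on the router: user lands in the remote template"))
        for attr in ("allow-commands", "deny-commands"):
            pattern = attrs.get(attr)
            if pattern is None:
                continue
            try:
                re.compile(pattern)
            except re.error as exc:
                findings.append((login, f"{attr} does not compile: {exc}"))
                continue
            if misplaced_anchor(pattern):
                findings.append((login, f"{attr} {pattern!r} has an anchor mid-pattern and matches nothing"))
    return findings


if __name__ == "__main__":
    for login, problem in audit(SERVER_CONF, ROUTER_TEMPLATES):
        print(f"{login}: {problem}")
```

Run against the constructed file it reports rob, harold and jim; fix the anchor and the template name and only jim remains, which is the entry you would expect to land in the remote template. Feeding it the real server file and the output of show configuration system login from the router turns the remote-template fallback from a silent default into something you can check before users depend on it.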


