Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring a Network Device collaborative Protection Profile for an Authorized Administrator


An account for root is always present in a configuration and is not intended for use in normal operation. In the evaluated configuration, the root account is restricted to the initial installation and configuration of the evaluated device.

An NDcPP Version 2 .0 authorized administrator must have all permissions, including the ability to change the router configuration.

To configure an authorized administrator:

  1. Create a login class named security-admin with all permissions.
  2. Configure the hashing algorithm used for password storage as sha256.

    The authentication algorithm for plain-text passwords must be configured as sha256 for EX4300 switches. For EX4600 and QFX5100 switches, the default password algorithm is sha512, and it is not necessary to configure the plain-text passwords for EX4600 switches and QFX5100 switches.

  3. Commit the changes.
  4. Define your NDcPP Version 2.0 authorized administrator.
  5. Load an SSH key file that was previously generated using ssh-keygen. This command loads RSA (SSH version 2), or ECDSA (SSH version 2).
  6. Set the log-key-changes configuration statement to log when SSH authentication keys are added or removed.

    When the log-key-changes configuration statement is enabled and committed (with the commit command in configuration mode), Junos OS logs the changes to the set of authorized SSH keys for each user (including the keys that were added or removed). Junos OS logs the differences since the last time the log-key-changes configuration statement was enabled. If the log-key-changes configuration statement was never enabled, then Junos OS logs all the authorized SSH keys.

  7. Commit the changes.