
    Device Authentication in Junos Space Overview

    Junos Space Network Management Platform can authenticate a device by using credentials (username and password), keys (which use public-key cryptographic principles), or the devices’ SSH fingerprints. You can choose the authentication mode on the basis of the level of security needed for the managed devices. The authentication mode is displayed in the Authentication Status column on the Device Management page. You can also change the authentication mode.

    The following sections describe the authentication modes in Junos Space Platform:

    Credentials-Based Device Authentication

    To configure credentials-based authentication on your Junos Space setup, you need to ensure that the device login credentials with administrative privileges are configured on the device. If the device is reachable and the credentials are authenticated, these credentials are stored in the Junos Space Network Management Platform database. Junos Space Network Management Platform connects to the device by using these credentials. If you have configured key-based authentication on your Junos Space setup, you need to enter only the username to access the device.

    Key-Based Device Authentication

    Junos Space Network Management Platform supports public-key authentication of devices running Junos OS with 2048-bit or 4096-bit Rivest-Shamir-Adleman (RSA) keys, Digital Signature Standard (DSS) keys, and Elliptic Curve Digital Signature Algorithm (ECDSA) keys. Key-based authentication is more secure than credentials-based authentication because the device credentials need not be stored in the Junos Space Network Management Platform database.

    RSA is an asymmetric-key or public-key algorithm that uses two keys that are mathematically related. Junos Space Network Management Platform includes a default set of public and private key pairs. The public key can be uploaded to the managed devices. The private key is encrypted and stored on the system on which Junos Space Network Management Platform is installed. For additional security, we recommend that you generate your own public and private key pair with a passphrase. A passphrase protects the private key on the Junos Space server. Long passphrases are harder to break by brute force than short ones. A passphrase helps to prevent an attacker who gains control of your Junos Space setup from logging in to your managed network devices. If you generate a new pair of keys, the keys are automatically uploaded to all active devices (that is, devices whose connection status is Up) that use Junos Space key-based authentication.

    You can also use custom keys. With the custom key-based authentication method, you upload a private key with a passphrase to the Junos Space server. The device is authenticated using the existing set of public keys on the device, the private key uploaded to the Junos Space server, and the appropriate public-key algorithm—that is, RSA, ECDSA, or DSS. This authentication method can be used to authenticate devices during device discovery and later during device management.

    If the keys are modified, the devices become unreachable and the authentication status changes to Key Conflict. You can use the Resolve Key Conflicts workflow to manually trigger the process of uploading new keys to these devices. To authenticate the devices, you can choose to upload the new keys generated from Junos Space Network Management Platform or use custom keys. If Junos Space key-based or custom key-based authentication fails, credentials-based authentication is automatically triggered.

    After key-based or custom key-based authentication is enabled, all further communication to the devices is through Junos Space key-based or custom key-based authentication, without passwords. You can also change the authentication mode from credentials-based to key-based or custom key-based for managed devices. For more information, see Modifying the Authentication Mode on the Devices.

    You need to ensure the following to use key-based authentication in Junos Space Network Management Platform:

    • The authentication keys are generated in the Administration workspace. For more information about generating and uploading keys to the devices, see Generating and Uploading Authentication Keys to Devices. The job result indicates whether the keys were successfully uploaded to the devices. On a multinode setup, the authentication keys are made available on all existing cluster nodes. Authentication keys are also made available on any subsequent nodes added to the setup.
    • The device’s administrator credentials and the name of the user who connects to the Junos Space Appliance to upload the keys to the device are available.

    SSH Fingerprint-Based Device Authentication

    To avoid man-in-the-middle attacks or proxy SSH connections between Junos Space Network Management Platform and a device, Junos Space Network Management Platform can store the SSH fingerprint of the device in the Junos Space Platform database and validate the fingerprint during subsequent connections with the device. A fingerprint is a sequence of 16 hexadecimal octets separated by colons. For example, c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:83. You can specify the fingerprint for Juniper Networks devices during device discovery and validate the fingerprint when the devices connect to Junos Space Network Management Platform for the first time. You can specify fingerprints for a maximum of 1024 devices simultaneously in the Device Discovery workflow. If you do not specify the fingerprint, Junos Space Network Management Platform obtains the fingerprint details when it connects to the device for the first time. For more information, see Viewing Managed Devices.

    Junos Space Network Management Platform does not recognize an SSH fingerprint change on a device during an active open connection with the device. SSH fingerprint changes are recognized only when the device reconnects to Junos Space Network Management Platform. The Authentication Status column on the Device Management page displays any conflicts or unverified authentication statuses.

    Conflicts between SSH fingerprints stored in the Junos Space Network Management Platform database and those on the device can be resolved manually from the Junos Space user interface. Alternatively, you can allow Junos Space Network Management Platform to automatically update any fingerprint changes. To allow Junos Space Network Management Platform to automatically update SSH fingerprints, clear the Manually Resolve Fingerprint Conflict check box on the Modify Application Settings page in the Administration workspace. If this check box is selected, the Authentication Status column displays Fingerprint Conflict when a device’s fingerprint changes, and you need to resolve the fingerprint conflict manually. For more information, see Acknowledging SSH Fingerprints from Devices.

    Note: Key-based and fingerprint-based authentication modes are not supported in ww Junos OS devices.

    Junos Space Network Management Platform verifies that the fingerprint on the device matches that in the database when you perform the following tasks:

    • Staging a script on a device
    • Staging a device image on a device
    • Deploying a device image on a device
    • Activating a replacement device
    • Executing a script on a device
    • Connecting to a device by using SSH

    If the fingerprint on the device does not match the fingerprint stored in the Junos Space Network Management Platform database, the connection to the device is dropped. The connection status is displayed as Down and the authentication status is displayed as Fingerprint Conflict on the Device Management page.
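    The pinning behaviour described in this section, shown as an added Python example that is not Junos Space code: a fingerprint is learned on first connection if none was given at discovery, compared on every reconnect and before the tasks listed above, and on a mismatch either reported as Fingerprint Conflict with the connection Down or accepted automatically, depending on the Manually Resolve Fingerprint Conflict setting. The example assumes that the 16-octet colon-separated format is the MD5 host-key fingerprint and computes it from a public key in OpenSSH one-line format; the class and function names, the sample key blob and the status label "Fingerprint Verified" are constructed for the example.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Junos Space renders a fingerprint as 16 hexadecimal octets separated by colons,
# for example c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:83. Sixteen octets is the
# length of an MD5 digest, which is the fingerprint format assumed here.
FINGERPRINT_RE = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")


def normalize_fingerprint(text: str) -> str:
    """Return the fingerprint in canonical lowercase form; reject anything else."""
    fp = text.strip().lower()
    if not FINGERPRINT_RE.match(fp):
        raise ValueError(f"not a 16-octet colon-separated fingerprint: {text!r}")
    return fp


def fingerprint_from_public_key(openssh_line: str) -> str:
    """MD5 fingerprint of a public key given in OpenSSH one-line format
    ('<type> <base64 blob> [comment]'): MD5 over the raw blob, hex, colon-separated."""
    parts = openssh_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class DeviceRecord:
    name: str
    fingerprint: Optional[str] = None   # None: not given at discovery, learned on first connect
    connection_status: str = "Down"
    authentication_status: str = "Unverified"


class FingerprintStore:
    """Database-side pinning (hypothetical class). manual_resolve=True models the
    'Manually Resolve Fingerprint Conflict' check box being selected; False models
    automatic acceptance of a changed fingerprint."""

    def __init__(self, manual_resolve: bool = True) -> None:
        self.manual_resolve = manual_resolve
        self.devices: Dict[str, DeviceRecord] = {}

    def discover(self, name: str, fingerprint: Optional[str] = None) -> DeviceRecord:
        """Device discovery, with or without an operator-supplied fingerprint."""
        pinned = normalize_fingerprint(fingerprint) if fingerprint else None
        self.devices[name] = DeviceRecord(name, pinned)
        return self.devices[name]

    def connect(self, name: str, presented: str) -> DeviceRecord:
        """Run when the device (re)connects. A change during an already open
        session is not seen here; it surfaces only on the next reconnect."""
        rec = self.devices[name]
        presented = normalize_fingerprint(presented)
        if rec.fingerprint is None:
            rec.fingerprint = presented          # learned on first connection
        elif rec.fingerprint != presented:
            if self.manual_resolve:
                rec.connection_status = "Down"
                rec.authentication_status = "Fingerprint Conflict"
                return rec                       # pinned value left untouched
            rec.fingerprint = presented          # auto-update mode: accept the change
        rec.connection_status = "Up"
        rec.authentication_status = "Fingerprint Verified"   # constructed label
        return rec

    def verify_for_task(self, name: str, presented: str) -> bool:
        """Check done before staging or executing scripts, deploying images and the
        other tasks listed on the page: on mismatch the connection is dropped."""
        rec = self.devices[name]
        if rec.fingerprint == normalize_fingerprint(presented):
            return True
        rec.connection_status = "Down"
        rec.authentication_status = "Fingerprint Conflict"
        return False

    def acknowledge(self, name: str, fingerprint: str) -> DeviceRecord:
        """Operator resolves a conflict by explicitly accepting the new fingerprint."""
        rec = self.devices[name]
        rec.fingerprint = normalize_fingerprint(fingerprint)
        rec.authentication_status = "Unverified"   # checked again on the next reconnect
        return rec


if __name__ == "__main__":
    # Constructed key: base64 of the bytes "abc", not a real SSH key blob.
    print(fingerprint_from_public_key("ssh-rsa YWJj constructed-example"))
    store = FingerprintStore(manual_resolve=True)
    store.discover("router-1")
    print(store.connect("router-1", "c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:83"))
    print(store.connect("router-1", "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"))
```

    The fingerprint computed by `fingerprint_from_public_key` is the same value OpenSSH prints for a public key file with `ssh-keygen -l -E md5 -f key.pub` (prefixed there with `MD5:`), so an operator can compare the value obtained out of band from the device console against the one stored for the device before acknowledging a conflict.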

    Supported Algorithms for Junos Space SSH

    Table 1 lists the supported algorithms for Junos Space SSH. For each algorithm type, the first line gives the algorithms accepted for FIPS devices and the second line the algorithms accepted for non-FIPS devices.

    Table 1: Supported Algorithms for Junos Space SSH

    Key exchange algorithms
        FIPS devices: ecdh-sha2-nistp256, ecdh-sha2-nistp384, diffie-hellman-group14-sha1
        Non-FIPS devices: ecdh-sha2-nistp256, ecdh-sha2-nistp384, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

    Host key algorithms
        FIPS devices: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384
        Non-FIPS devices: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ssh-rsa, ssh-dss

    Encryption algorithms (client to server)
        FIPS devices: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc
        Non-FIPS devices: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc, 3des-ctr, blowfish-cbc, 3des-cbc

    Encryption algorithms (server to client)
        FIPS devices: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc
        Non-FIPS devices: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc, 3des-ctr, blowfish-cbc, 3des-cbc

    MAC algorithms
        FIPS devices: hmac-sha1-96, hmac-sha2-256, hmac-sha256@ssh.com
        Non-FIPS devices: hmac-sha1-96, hmac-sha2-256, hmac-sha256@ssh.com, hmac-sha1, hmac-md5, hmac-md5-96, hmac-sha256

    Compression algorithms
        FIPS devices: zlib@openssh.com
        Non-FIPS devices: zlib@openssh.com, none, zlib

    Modified: 2016-12-05