Juniper Networks Vendor-Specific TACACS+ Attributes


Junos OS supports the configuration of Juniper Networks TACACS+ vendor-specific attributes (VSAs). These VSAs are encapsulated in a TACACS+ vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636. Table 1 lists the Juniper Networks VSAs you can configure.

Table 1: Juniper Networks Vendor-Specific TACACS+ Attributes

| Name | Description | Length | String |
|---|---|---|---|
| local-user-name | Indicates the name of the user template used by this user when logging in to a device. | ≥3 | One or more octets containing printable ASCII characters. |
| allow-commands | Contains an extended regular expression that enables the user to run operational mode commands in addition to those commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies. |
| allow-configuration | Contains an extended regular expression that enables the user to run configuration mode commands in addition to those commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies. |
| deny-commands | Contains an extended regular expression that denies the user permission to run operational mode commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies. |
| deny-configuration | Contains an extended regular expression that denies the user permission to run configuration mode commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies. |
| user-permissions | Contains information the server uses to specify user permissions. Note: When the user-permissions attribute is configured to grant the Junos OS maintenance or all permissions on an IPv4 or IPv6 TACACS+ server, the UNIX wheel group membership is not automatically added to a user's list of group memberships. Some operations, such as running the su root command from a local shell, require wheel group membership. However, when a user is configured locally with the permissions maintenance or all, the user is automatically granted membership to the UNIX wheel group. Therefore, we recommend that you create a template user account with the required permissions and associate individual user accounts with the template user account. | ≥3 | One or more octets containing printable ASCII characters. See Understanding Junos OS Access Privilege Levels. |
| authentication-type | Indicates the authentication method (local database or TACACS+ server) used to authenticate a user. If the user is authenticated using the local database, the attribute value is 'local'. If the user is authenticated using a TACACS+ server, the attribute value is 'remote'. | ≥5 | One or more octets containing printable ASCII characters. |
| session-port | Indicates the source port number of the established session. | size of integer | Integer |
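As an added illustration of the Table 1 constraints (example code written for this page, not Juniper's or Junos OS's own code), the following Python checks the attribute-value pairs a TACACS+ server returns against the table: known attribute names, non-empty printable ASCII values, a regular expression that compiles for the four allow/deny attributes, 'local' or 'remote' for authentication-type, and an integer for session-port. It assumes the RFC 8907 attr=value (mandatory) / attr*value (optional) pair syntax, approximates Junos extended regular expressions with Python's re module, and uses a constructed sample reply.

```python
import re

# Attribute names taken from Table 1 (constructed mapping for this example, not Junos OS data).
REGEX_ATTRS = {"allow-commands", "allow-configuration", "deny-commands", "deny-configuration"}
KNOWN_ATTRS = REGEX_ATTRS | {"local-user-name", "user-permissions", "authentication-type", "session-port"}
PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}
AV_PAIR = re.compile(r"([^=*]+)([=*])(.*)", re.S)  # RFC 8907: '=' mandatory, '*' optional

def parse_av_pair(pair):
    """Split a TACACS+ authorization AV pair into (name, value, mandatory)."""
    m = AV_PAIR.match(pair)
    if not m:
        raise ValueError(f"malformed AV pair: {pair!r}")
    return m.group(1), m.group(3), m.group(2) == "="

def check_vsa(name, value):
    """Return the problems found in one Juniper VSA value ([] means acceptable)."""
    if name not in KNOWN_ATTRS:
        return [f"{name}: not a Juniper TACACS+ VSA"]
    if name == "session-port":                      # Table 1: Integer
        ok = value.isdigit() and 0 <= int(value) <= 65535
        return [] if ok else [f"{name}: expected an integer port, got {value!r}"]
    problems = []
    if not value:                                   # "one or more octets"
        problems.append(f"{name}: value must be one or more octets")
    if not set(value) <= PRINTABLE_ASCII:           # "printable ASCII characters"
        problems.append(f"{name}: value is not printable ASCII")
    if name == "authentication-type" and value not in ("local", "remote"):
        problems.append(f"{name}: expected 'local' or 'remote', got {value!r}")
    if name in REGEX_ATTRS:                         # must be a usable regular expression
        try:
            re.compile(value)
        except re.error as err:
            problems.append(f"{name}: regular expression does not compile ({err})")
    return problems

def check_authorization(pairs):
    """Validate every AV pair of a server authorization reply; returns {pair: problems}."""
    return {pair: check_vsa(*parse_av_pair(pair)[:2]) for pair in pairs}

SAMPLE_REPLY = [  # constructed example of AV pairs a TACACS+ server might return
    "local-user-name=netops-template",
    "allow-commands=^(show|ping|traceroute) .*",
    "deny-configuration=^(system login|system root-authentication)",
    "authentication-type=remote",
    "session-port=51234",
    "allow-configuration=^(interfaces .*",  # unbalanced parenthesis: rejected
    "user-permissions*",                    # optional pair with an empty value: rejected
]
```

Running check_authorization(SAMPLE_REPLY) flags only the last two pairs; the rest satisfy the Table 1 constraints.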