Junos OS Login Classes Overview

 

Junos OS login classes let you define access privileges, permissions for using CLI commands and configuration statements, and the session idle timeout for each class. You apply a login class to an individual user account, thereby granting that user the class's privileges and permissions. Read this topic for more information.

Junos OS Login Classes Overview

All users who can log in to the router or switch must be in a login class. With login classes, you define the following:

  • Access privileges that users have when they are logged in to the router or switch

  • Commands and statements that users can and cannot specify

  • How long a login session can be idle before it times out and the user is logged out

You can define any number of login classes and then apply one login class to an individual user account.

The Junos operating system (Junos OS) contains a few predefined login classes, which are listed in Table 1. The predefined login classes cannot be modified.

Table 1: Predefined System Login Classes

  Login Class              Permission Flag Set
  -----------              -------------------
  operator                 clear, network, reset, trace, and view
  read-only                view
  superuser or super-user  all
  unauthorized             None

Note

  • You cannot modify a predefined login class name. If you issue the set command on a predefined class name, Junos OS appends -local to the login class name and displays a warning message. The predefined class itself is left unchanged, so after such a commit, check show configuration system login for an unintended class named, for example, operator-local.

  • You cannot issue the rename or copy command on a predefined login class. Doing so results in an error message.

Permission Bits

Each top-level CLI command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. The access privileges for each login class are defined by one or more permission bits (see Table 2).

Most permission bits come in two forms, which control the individual parts of the configuration:

  • "Plain" form—Provides read-only capability for that permission type. An example is interface.

  • Form that ends in -control—Provides read and write capability for that permission type. An example is interface-control.

Table 2: Permission Bits for Login Classes

  Permission Bit      Access
  --------------      ------
  admin               Can view user account information in configuration mode and with the show configuration command.
  admin-control       Can view user accounts and configure them (at the [edit system login] hierarchy level).
  access              Can view the access configuration in configuration mode and with the show configuration operational mode command.
  access-control      Can view and configure access information (at the [edit access] hierarchy level).
  all                 Has all permissions.
  clear               Can clear (delete) information learned from the network that is stored in various network databases (using the clear commands).
  configure           Can enter configuration mode (using the configure command) and commit configurations (using the commit command).
  control             Can perform all control-level operations (all operations configured with the -control permission bits).
  field               Reserved for field (debugging) support.
  firewall            Can view the firewall filter configuration in configuration mode.
  firewall-control    Can view and configure firewall filter information (at the [edit firewall] hierarchy level).
  floppy              Can read from and write to the removable media.
  interface           Can view the interface configuration in configuration mode and with the show configuration operational mode command.
  interface-control   Can view chassis, class of service, groups, forwarding options, and interfaces configuration information. Can configure chassis, class of service, groups, forwarding options, and interfaces (at the [edit] hierarchy).
  maintenance         Can perform system maintenance, including starting a local shell on the device and becoming the superuser in the shell (by issuing the su root command), and can halt and reboot the device (using the request system commands).
  network             Can access the network by entering the ping, ssh, telnet, and traceroute commands.
  reset               Can restart software processes using the restart command and can configure whether software processes are enabled or disabled (at the [edit system processes] hierarchy level).
  rollback            Can use the rollback command to return to a previously committed configuration other than the most recently committed one.
  routing             Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.
  routing-control     Can view general routing, routing protocol, and routing policy configuration information and configure general routing (at the [edit routing-options] hierarchy level), routing protocols (at the [edit protocols] hierarchy level), and routing policy (at the [edit policy-options] hierarchy level).
  secret              Can view passwords and other authentication keys in the configuration.
  secret-control      Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.
  security            Can view security configuration in configuration mode and with the show configuration operational mode command.
  security-control    Can view and configure security information (at the [edit security] hierarchy level).
  shell               Can start a local shell on the device by entering the start shell command.
  snmp                Can view SNMP configuration information in configuration and operational modes.
  snmp-control        Can view SNMP configuration information and configure SNMP (at the [edit snmp] hierarchy level).
  system              Can view system-level information in configuration and operational modes.
  system-control      Can view system-level configuration information and configure it (at the [edit system] hierarchy level).
  trace               Can view trace file settings in configuration and operational modes.
  trace-control       Can view trace file settings and configure trace file properties.
  view                Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics.

Denying or Allowing Individual Commands

Every top-level CLI command and configuration statement has an access privilege level, so by default users can execute only the commands, and configure and view only the statements, that their class's permission bits allow. For each login class, you can refine this at the level of individual commands: you can explicitly deny operational or configuration mode commands that a permission bit would otherwise permit, and explicitly allow commands that the permission bits would otherwise deny. When you audit a class, read these overrides together with its permission bits, and treat bits that grant a path to full control of the device (admin-control, which can change any account's class including the user's own; maintenance, which allows a local shell, su root, and reboots; secret-control, which can modify authentication keys; and control, which implies every -control bit) as equivalent to superuser access.
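As an added illustration (not configuration from the original page or from Juniper), the following defines a hypothetical class netops that starts from the operator permission set of Table 1 and then adjusts it with per-command overrides. The class name, the user name, the timeout value and the regular expressions are assumptions chosen for the example.

```junos
/* Added example: a restricted operator-style class with per-command overrides.
   Class name, user name, timeout and regular expressions are assumptions. */
system {
    login {
        class netops {
            /* log the session out after 10 idle minutes */
            idle-timeout 10;
            /* same bits as the predefined operator class (Table 1) */
            permissions [ clear network reset trace view ];
            /* the network bit grants ping, ssh, telnet and traceroute;
               deny the two that would let this account pivot from the
               device to other hosts */
            deny-commands "(ssh|telnet)";
            /* grant one request system command without handing out the
               maintenance bit, which would also allow a root shell */
            allow-commands "request system reboot";
        }
        user netops1 {
            class netops;
            /* the authentication statement (password or SSH key) belongs
               here; it is omitted from the example */
        }
    }
}
```

Enter the equivalent set commands or load the fragment with load merge terminal, run commit check before commit, then log in as the user and run show cli authorization to confirm the effective class, permission bits and overrides. Review deny-commands and allow-commands in every class alongside its permission bits, because an allow-commands entry grants a command that no bit in the class would otherwise permit.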

Defining Junos OS Login Classes

Login classes allow you to define the following:

  • Access privileges that users have when they are logged in to the router or switch

  • Commands and statements that users can and cannot specify

  • How long a login session can be idle before it times out and the user is logged out

All users who can log in to the router or switch must be in a login class. Therefore, you must define a Junos OS login class for each user or class of users. You can define any number of login classes depending on the types of permissions the users need.

To define a login class and its access privileges, include the class statement at the [edit system login] hierarchy level, specifying the permission bits the class grants, optionally the idle timeout, and any per-command allow or deny overrides.

Example: Creating Login Classes with Specific Privileges

Login classes are used to assign certain permissions or restrictions to groups of users, ensuring that sensitive commands are only accessible to the appropriate users. By default, Juniper Networks devices have four types of login classes with preset permissions: operator, read-only, superuser or super-user, and unauthorized.

You can create custom login classes to combine permissions in ways that the default login classes do not. The following example shows how to create three custom login classes, each with specific privileges and an inactivity timer that disconnects class members after a period of inactivity. Inactivity timers reduce risk by logging a user out of the device if the user leaves the workstation for too long, so an unattended session cannot be used by someone else to operate the switch or router. The permissions and inactivity timers shown here are only examples and should be customized to your organization.

The first class of users is called observation and they can only view statistics and configuration. They are not allowed to modify any configuration. The second class of users is called operation and they can view and modify the configuration. The third class of users is called engineering and they have unlimited access and control. All three login classes use the same inactivity timer of 5 minutes.
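The configuration below is an added example that realizes the three classes just described; it is not the configuration from the original page. The permission subsets chosen for operation, the user names, and the decision to express the full-access class as permissions all are assumptions for the example.

```junos
/* Added example: the observation, operation and engineering classes with a
   shared 5-minute idle timeout. Permission subsets and user names are assumptions. */
system {
    login {
        class observation {
            idle-timeout 5;
            /* show commands and statistics only; without the configure bit
               the user cannot enter configuration mode */
            permissions view;
        }
        class operation {
            idle-timeout 5;
            /* configure allows configuration mode and commit; the -control
               bits grant write access only to the listed hierarchies.
               admin-control, secret-control, maintenance and shell are left
               out so this class cannot change accounts, read or modify keys,
               or obtain a shell. */
            permissions [ configure firewall-control interface-control routing-control view ];
        }
        class engineering {
            idle-timeout 5;
            /* unlimited access, equivalent to the predefined super-user class */
            permissions all;
        }
        user obs1 {
            class observation;
        }
        user ops1 {
            class operation;
        }
        user eng1 {
            class engineering;
        }
    }
}
```

Each user also needs an authentication statement (password or SSH key), which is omitted here. Use commit confirmed when you change login classes on a device you administer over the same session, so a mistake that locks you out rolls back automatically, and keep at least one account in a super-user class. After the commit, log in as each user and run show cli authorization; as ops1, an attempt to configure under [edit system login] should be refused because the class has neither admin nor admin-control.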