
    Juniper Networks Vendor-Specific TACACS+ Attributes

    Junos OS supports the configuration of Juniper Networks TACACS+ vendor-specific attributes (VSAs). These VSAs are encapsulated in a TACACS+ vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636. Table 1 lists the Juniper Networks VSAs you can configure.

    Table 1: Juniper Networks Vendor-Specific TACACS+ Attributes

    | Name | Description | Length | String |
    | --- | --- | --- | --- |
    | local-user-name | Indicates the name of the user template used by this user when logging in to a device. | ≥3 | One or more octets containing printable ASCII characters. |
    | allow-commands | Contains an extended regular expression that enables the user to run operational mode commands in addition to those commands authorized by the user’s login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands. |
    | allow-configuration | Contains an extended regular expression that enables the user to run configuration mode commands in addition to those commands authorized by the user’s login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Configuration Mode Hierarchies. |
    | deny-commands | Contains an extended regular expression that denies the user permission to run operational mode commands authorized by the user’s login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands. |
    | deny-configuration | Contains an extended regular expression that denies the user permission to run configuration mode commands authorized by the user’s login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Configuration Mode Hierarchies. |
    | user-permissions | Contains information the server uses to specify user permissions. See the note below. | ≥3 | One or more octets containing printable ASCII characters. See Understanding Junos OS Access Privilege Levels. |

    Note: When the user-permissions attribute is configured to grant the Junos OS maintenance or all permissions on a TACACS+ server, the UNIX wheel group membership is not automatically added to a user’s list of group memberships. Some operations such as running the su root command from a local shell require wheel group membership permissions. However, when a user is configured locally with the permissions maintenance or all, the user is automatically granted membership to the UNIX wheel group. Therefore, we recommend that you create a template user account with the required permissions and associate individual user accounts with the template user account.
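The following is an added example, not Juniper code: a small pre-deployment check that lints a proposed set of VSAs against the constraints in Table 1 and the wheel-group note. The function name `lint_vsas` and the sample profiles are constructed for illustration; it assumes permission flags are whitespace-separated and uses Python's `re` only as a syntax sanity check for the extended regular expressions.

```python
import re

# Attribute names from Table 1; REGEX_ATTRS carry extended regular expressions.
KNOWN = {"local-user-name", "allow-commands", "allow-configuration",
         "deny-commands", "deny-configuration", "user-permissions"}
REGEX_ATTRS = {"allow-commands", "allow-configuration",
               "deny-commands", "deny-configuration"}
WHEEL_PERMS = {"maintenance", "all"}

# Constructed sample profiles (not from the page).
SAMPLE_OK = {"local-user-name": "remote-ops",
             "allow-commands": "^(show|ping|traceroute) .*",
             "deny-configuration": "^system login"}
SAMPLE_BAD = {"allow-commands": "(clear|request",       # unbalanced group
              "deny-commands": "^start shell\u00a0",     # non-ASCII octet
              "user-permissions": "view maintenance",    # no template user
              "alow-configuration": "interfaces .*"}     # misspelled name


def lint_vsas(attrs):
    """Return (attribute, finding) tuples for a dict of VSA name -> value."""
    findings = []
    for name, value in attrs.items():
        if name not in KNOWN:
            findings.append((name, "not a Juniper VSA listed in Table 1"))
            continue
        # Table 1: one or more octets of printable ASCII (0x20-0x7E).
        if not value or any(not 0x20 <= ord(c) <= 0x7E for c in value):
            findings.append((name, "must be one or more printable ASCII octets"))
            continue
        if name in REGEX_ATTRS:
            # Assumption: Python syntax check only; Junos applies its own
            # extended regular expression rules when matching commands.
            try:
                re.compile(value)
            except re.error as exc:
                findings.append((name, f"regex does not compile: {exc}"))
        # Wheel-group note: maintenance/all granted from the server adds no wheel
        # membership, so expect a template user mapping (local-user-name).
        if (name == "user-permissions" and WHEEL_PERMS & set(value.split())
                and "local-user-name" not in attrs):
            findings.append((name, "maintenance/all via TACACS+ adds no wheel "
                                   "membership; map to a template user"))
    return findings


if __name__ == "__main__":
    for attr, finding in lint_vsas(SAMPLE_BAD):
        print(f"{attr}: {finding}")
```

The check cannot confirm that the template user named by local-user-name exists on the device or holds the required permissions locally; verify that in the device configuration.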

    Published: 2013-01-23