Restricting User Access Overview

Users who are authenticated through RADIUS or TACACS+ can be restricted to certain sets of commands and virtual routers (VRs). The levels of access are shown in Table 96. For information about TACACS+, see JunosE Broadband Access Configuration Guide.

Table 96: CLI User Access Levels

  Access Level   Commands Available
  ------------   ------------------------------------------------------------------------------------
  0              disable, enable, exit, and help commands
  1              Level 0 commands and all other commands available in User Exec mode
  5              Level 1 commands and all Privileged show commands
  10             All commands except support and privilege change commands
  15             Commands that Juniper Networks Technical Support may provide and all other commands

Restricting Access to Commands with RADIUS

You can use RADIUS authentication to specify the level of commands that a user is allowed to run. If you do not configure RADIUS authentication for the console or virtual terminals, all users who successfully log in are automatically granted Level 1 access.

The vendor-specific attribute (VSA) Admin-Auth-Level supports the levels of access shown in Table 96. In addition to VSA access level support, the software provides access to levels 1 and 10 through the Initial-Auth-Level in the standard RADIUS Service-Type attribute. If the RADIUS Service-Type attribute is included in the RADIUS Access-Accept message, the standard attribute overrides any VSA setting.

If you are using the RADIUS Service-Type attribute to assign access levels, the system sets the Initial-Auth-Level as follows:

Per-User Enable Authentication

After a user has been authenticated through RADIUS, the RADIUS server provides the E Series router with the names of the privilege levels (for example, 10) to which the user has enable access. When the user attempts to access a privilege level through the enable command, the system either denies or approves the user’s request.

The decision to deny or approve the user’s request is based on the list the system received through RADIUS. See Table 97.

Table 97: Juniper Networks–Specific CLI Access VSA Descriptions

  Initial-CLI-Access-Level
    Description:     Specifies the initial level of access to CLI commands.
    Type:            26
    Length:          len
    Subtype:         18
    Subtype Length:  sublen
    Value:           Single attribute; enter only: 0, 1, 5, 10, or 15

  Alt-CLI-Access-Level
    Description:     Specifies a level of access to CLI commands.
    Type:            26
    Length:          len
    Subtype:         20
    Subtype Length:  sublen
    Value:           Single attribute; enter only: 0, 1, 5, 10, or 15

Note: All levels to which a user can have access must explicitly be specified in the Admin-Auth-Set VSA.

The user is not prompted for a password, because the system knows whether or not the user should have access to the requested level. If the user is not authenticated through RADIUS, the router uses the system-wide enable passwords instead.
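The following added example (it is not Juniper's code and is not part of this guide) encodes the CLI-access VSAs of Table 97 into the RADIUS Vendor-Specific layout that the table's columns describe (Type 26, Length, Subtype, Subtype Length, Value), decodes them back out of an Access-Accept attribute list, and then answers an enable request from the returned list alone, as the passage above describes. It assumes the JunosE vendor ID 4874 that public RADIUS dictionaries use (this page does not state it), and the function names encode_vsa, decode_attributes, initial_access_level and authorize_enable are the example's own. The attribute bytes it works on are constructed.

```python
import struct

VENDOR_SPECIFIC = 26               # RADIUS attribute type for Vendor-Specific (Table 97 "Type")
SERVICE_TYPE = 6                   # standard RADIUS Service-Type attribute
JUNOSE_VENDOR_ID = 4874            # assumption: Unisphere/JunosE vendor ID from public dictionaries
VALID_LEVELS = {0, 1, 5, 10, 15}   # the only legal values per Tables 96 and 97

# Subtype numbers exactly as given in Tables 97 and 98.
SUBTYPES = {
    "Virtual-Router": 1,
    "Initial-CLI-Access-Level": 18,
    "Allow-All-VR-Access": 19,
    "Alt-CLI-Access-Level": 20,
    "Alt-CLI-Virtual-Router-Name": 21,
}
NAMES = {v: k for k, v in SUBTYPES.items()}
INTEGER_VSAS = {"Initial-CLI-Access-Level", "Alt-CLI-Access-Level", "Allow-All-VR-Access"}
LEVEL_VSAS = {"Initial-CLI-Access-Level", "Alt-CLI-Access-Level"}


def check_value(name, value):
    """Reject values the tables do not allow, on both the encode and decode paths."""
    if name in LEVEL_VSAS and value not in VALID_LEVELS:
        raise ValueError(f"{name} must be one of {sorted(VALID_LEVELS)}")
    if name == "Allow-All-VR-Access" and value not in (0, 1):
        raise ValueError("Allow-All-VR-Access must be 0 (disable) or 1 (enable)")


def encode_vsa(name, value):
    """Build one VSA: Type 26, Length, Vendor-Id, Subtype, Subtype Length, Value."""
    subtype = SUBTYPES[name]
    check_value(name, value)
    if name in INTEGER_VSAS:
        data = struct.pack("!I", value)          # RADIUS integers are 32-bit big-endian
    else:
        data = value.encode("ascii")
        if not 1 <= len(data) <= 247:            # 253-byte payload minus vendor id and sub-header
            raise ValueError("string value length out of range")
    sub = struct.pack("!BB", subtype, 2 + len(data)) + data          # "sublen" covers this sub-header
    body = struct.pack("!I", JUNOSE_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body  # "len" covers the whole attribute


def encode_service_type(value):
    """Standard Service-Type attribute (type 6, 32-bit integer); constructed input for tests."""
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)


def decode_attributes(blob):
    """Return (name, value) pairs for the JunosE VSAs above and Service-Type in an
    Access-Accept attribute list. Other attributes are skipped. Any truncated or
    inconsistent length raises: a mangled authorization attribute is never a grant.
    One sub-attribute per VSA is assumed, matching the tables' single-value layout."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("attribute length exceeds packet")
        payload = blob[i + 2:i + alen]
        i += alen
        if atype == SERVICE_TYPE:
            if len(payload) != 4:
                raise ValueError("Service-Type must be a 4-byte integer")
            out.append(("Service-Type", struct.unpack("!I", payload)[0]))
            continue
        if atype != VENDOR_SPECIFIC or len(payload) < 6:
            continue
        if struct.unpack("!I", payload[:4])[0] != JUNOSE_VENDOR_ID:
            continue                              # some other vendor's VSA
        subtype, sublen = payload[4], payload[5]
        if sublen < 2 or sublen != len(payload) - 4:
            raise ValueError("vendor sub-attribute length mismatch")
        name = NAMES.get(subtype)
        if name is None:
            continue
        data = payload[6:4 + sublen]
        if name in INTEGER_VSAS:
            if len(data) != 4:
                raise ValueError(f"{name} must be a 4-byte integer")
            value = struct.unpack("!I", data)[0]
            check_value(name, value)
        else:
            value = data.decode("ascii")
        out.append((name, value))
    return out


def initial_access_level(attrs):
    """Level the user starts at. Returns None when Service-Type is present, because the
    standard attribute then overrides the VSA and its own value-to-level mapping applies."""
    if any(name == "Service-Type" for name, _ in attrs):
        return None
    for name, value in attrs:
        if name == "Initial-CLI-Access-Level":
            return value
    return None


def enable_levels(attrs):
    """Every level the user may reach through 'enable': the initial level plus each
    Alt-CLI-Access-Level. Nothing is granted implicitly (note under Table 97)."""
    return {value for name, value in attrs if name in LEVEL_VSAS}


def authorize_enable(attrs, requested_level):
    """Approve or deny 'enable <level>' with no password prompt, from the RADIUS list alone."""
    return requested_level in enable_levels(attrs)
```

The decoder deliberately refuses an attribute whose outer length, vendor sub-length, or integer size disagree, and it re-checks the value range on the way in, so a server misconfiguration (or a tampered reply) produces a hard error rather than an unexpected privilege level. When Service-Type is present, initial_access_level returns None so that the caller applies the Service-Type mapping described above instead of trusting the VSA.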

Restricting Access to Virtual Routers

You can use RADIUS authentication to specify whether users can access all virtual routers (VRs), one specific VR, or a set of specific VRs.

Note: This classification is independent of the command access levels configurable through the Initial-CLI-Access-Level VSA.

The VSA Allow-All-VR-Access controls whether VR access is restricted; the VSA Virtual-Router controls the VR to which the user logs in; and the VSA Alt-CLI-Virtual-Router-Name specifies which VRs, other than the VR specified by the Virtual-Router VSA, are accessible to restricted users. See Table 98.

Table 98: Juniper Networks–Specific Virtual Router Access VSA Descriptions

  Allow-All-VR-Access
    Description:     Specifies user access to all virtual routers.
    Type:            26
    Length:          len
    Subtype:         19
    Subtype Length:  sublen
    Value:           Integer: 0 – disable, 1 – enable

  Virtual-Router
    Description:     Specifies the VR to which the user logs in or the only VR to which a user has access. The default setting is the default VR.
    Type:            26
    Length:          len
    Subtype:         1
    Subtype Length:  sublen
    Value:           String: virtual-router-name

  Alt-CLI-Virtual-Router-Name
    Description:     Specifies a VR, other than the VR specified by the Virtual-Router VSA, to which the user has access. You can define this VSA multiple times to define a set of VRs to which a user has access.
    Type:            26
    Length:          len
    Subtype:         21
    Subtype Length:  sublen
    Value:           String: virtual-router-name

VSA Configuration Examples

Consider a router on which five VRs have been configured. The VRs are called Boston, Chicago, Detroit, Los Angeles, and San Francisco. The following examples illustrate how to use the VSAs to control a user’s access to these VRs.

Example 1

In this example, you want the user to have access to all VRs and to log in to the default VR. Accept the default setting or set the following VSA:

  • Allow-All-VR-Access—1

Example 2

In this example, you want the user to have access to all VRs and to log in to the VR Boston. Set the VSAs as follows:

  • Allow-All-VR-Access—1
  • Virtual-Router—Boston

Example 3

In this example, you want the user to have access only to the VR Boston. Set the VSAs as follows:

  • Allow-All-VR-Access—0
  • Virtual-Router—Boston

Example 4

In this example, you want the user to log in to VR Boston, and to have access to VRs Chicago, Los Angeles, and San Francisco. Set the VSAs as follows:

  • Allow-All-VR-Access—0
  • Virtual-Router—Boston
  • Alt-CLI-Virtual-Router-Name—Chicago
  • Alt-CLI-Virtual-Router-Name—Los Angeles
  • Alt-CLI-Virtual-Router-Name—San Francisco

Commands Available to Users

If you do not configure RADIUS authentication for the console or virtual terminals, there are no restrictions on VR access for any user who successfully logs in to the router. For example, nonrestricted users can:

  • Issue the virtual-router command in Privileged Exec mode, to switch to another previously created virtual router.
  • Issue the virtual-router command in Global Configuration mode to create a new virtual router and switch to its context.
  • Access Global Configuration mode to configure the router and virtual routers.
  • View all settings for the router and all virtual routers.

Users restricted to one VR or to a set of specific VRs can see and use only a limited set of commands to monitor the status of those VRs and view some configuration settings on those VRs. More specifically, such users:

  • Can issue the virtual-router command in Privileged Exec mode to switch to another previously configured VR to which they have access.
  • Cannot create new VRs or access VRs other than those to which they have access.
  • Cannot access Global Configuration mode and cannot configure VRs to which they have access.
  • Cannot see or use any commands associated with the file system, boot settings, or system configuration.
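To make the VR rules of Table 98, the four VSA configuration examples, and the command restrictions just listed concrete, here is an added Python example; it is not JunosE code. It takes an already-decoded list of (VSA name, value) pairs, derives the user's login VR and permitted VR set, and then decides whether a virtual-router switch, entering Global Configuration mode, or creating a VR should be allowed. The functions build_vr_policy and authorize, the action names, and the label "default" for the default VR are this example's own assumptions; the VR names are the ones the examples use.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

DEFAULT_VR = "default"   # assumption: label used here for the router's default VR

# Actions from the "Commands Available to Users" list that the VR restriction governs.
SWITCH_VR, CONFIGURE, CREATE_VR = "switch-vr", "configure", "create-vr"


@dataclass(frozen=True)
class VrPolicy:
    login_vr: str                        # VR the session starts in (Virtual-Router VSA)
    allowed: Optional[FrozenSet[str]]    # None = no restriction (Allow-All-VR-Access 1)

    @property
    def restricted(self):
        return self.allowed is not None


def build_vr_policy(attrs):
    """Derive the VR policy from decoded (VSA name, value) pairs per Table 98.

    Allow-All-VR-Access defaults to 1 (Example 1 simply accepts the default),
    Virtual-Router defaults to the default VR, and a restricted user's reachable set
    is the login VR plus every Alt-CLI-Virtual-Router-Name value."""
    allow_all, login_vr, alternates = 1, DEFAULT_VR, set()
    for name, value in attrs:
        if name == "Allow-All-VR-Access":
            if value not in (0, 1):
                raise ValueError("Allow-All-VR-Access must be 0 or 1")
            allow_all = value
        elif name == "Virtual-Router":
            login_vr = value
        elif name == "Alt-CLI-Virtual-Router-Name":
            alternates.add(value)
    if allow_all == 1:
        return VrPolicy(login_vr, None)
    return VrPolicy(login_vr, frozenset({login_vr} | alternates))


def authorize(policy, action, vr=None):
    """Return (allowed, reason) for one request made from Privileged Exec mode."""
    if action == SWITCH_VR:
        if vr is None:
            return False, "no target VR given"
        if not policy.restricted or vr in policy.allowed:
            return True, f"switch to VR {vr} permitted"
        return False, f"VR {vr} is outside the user's permitted set"
    if action in (CONFIGURE, CREATE_VR):
        if policy.restricted:
            return False, "restricted users cannot enter Global Configuration mode or create VRs"
        return True, "unrestricted user"
    return False, f"unknown action {action!r}"


if __name__ == "__main__":
    # Example 4 from the text: log in to Boston, reach Chicago, Los Angeles and San Francisco.
    example4 = build_vr_policy([
        ("Allow-All-VR-Access", 0),
        ("Virtual-Router", "Boston"),
        ("Alt-CLI-Virtual-Router-Name", "Chicago"),
        ("Alt-CLI-Virtual-Router-Name", "Los Angeles"),
        ("Alt-CLI-Virtual-Router-Name", "San Francisco"),
    ])
    for target in ("Chicago", "Detroit"):
        print(target, authorize(example4, SWITCH_VR, target))
    print("configure", authorize(example4, CONFIGURE))
```

Because the default with no VSAs at all is the unrestricted policy, a RADIUS profile that omits Allow-All-VR-Access grants full VR access; a deployment that wants restricted users must therefore return Allow-All-VR-Access 0 explicitly, and the permitted set then contains only the names the server actually sends.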

The following table lists some, but not all, commands accessed from Exec mode that are available only to users with no VR restriction:

  clear line                    reload                         show redundancy
  clock set                     reload slot                    show secrets
  copy                          rename                         show subsystems
  copy running-configuration    redundancy force-switchover    show timing
  delete                        redundancy revert              show users
  dir                           show boot                      show utilization
  disconnect ssh                show config                    srp switch
  configure                     show exception dump            synchronize
  erase secrets                 show ip ssh
  halt                          show line
