
    Restricting User Access Overview

    Users who are authenticated through RADIUS or TACACS+ can be restricted to certain sets of commands and virtual routers (VRs). The levels of access are shown in Table 1. For information about TACACS+, see JunosE Broadband Access Configuration Guide.

    Table 1: CLI User Access Levels

    Access Level   Commands Available
    0              disable, enable, exit, and help commands
    1              Level 0 commands and all other commands available in User Exec mode
    5              Level 1 commands and all Privileged show commands
    10             All commands except support and privilege change commands
    15             Commands that Juniper Networks Technical Support may provide and all other commands

    Restricting Access to Commands with RADIUS

    You can use RADIUS authentication to specify a level of commands that a user is allowed. If you do not configure RADIUS authentication for the console or virtual terminals, all users who successfully log in are automatically granted Level 1 access.

    The vendor-specific attribute (VSA) Admin-Auth-Level supports the levels of access shown in Table 1. In addition to VSA access level support, the software provides access to levels 1 and 10 through the Initial-Auth-Level in the standard RADIUS Service-Type attribute. If the RADIUS Service-Type attribute is included in the RADIUS Access-Accept message, the standard attribute overrides any VSA setting.

    If you are using the RADIUS Service-Type attribute to assign access levels, the system sets the Initial-Auth-Level as follows:

    • If the Service-Type attribute is set to administrative, then the Initial-Auth-Level is set to 10.
    • If the Service-Type attribute is set to nas prompt or login, the Initial-Auth-Level is set to 1.

    Per-User Enable Authentication

    After a user has been authenticated through RADIUS, the RADIUS server provides the E Series router with the names of the privilege levels (for example, 10) that the user has enable access to. When the user attempts to access a privilege level through the enable command, the system either denies or approves the user’s request.

    The decision to deny or approve the user’s request is based on the list the system received through RADIUS. See Table 2.

    Table 2: Juniper Networks–Specific CLI Access VSA Descriptions

    Initial-CLI-Access-Level
        Description:     Specifies the initial level of access to CLI commands.
        Type:            26
        Length:          len
        Subtype:         18
        Subtype Length:  sublen
        Value:           Single attribute; enter only: 0, 1, 5, 10, or 15

    Alt-CLI-Access-Level
        Description:     Specifies level of access to CLI commands.
        Type:            26
        Length:          len
        Subtype:         20
        Subtype Length:  sublen
        Value:           Single attribute; enter only: 0, 1, 5, 10, or 15

    Note: All levels to which a user can have access must explicitly be specified in the Admin-Auth-Set VSA.

    The user is not prompted for a password, because the system knows whether or not the user should have access to the requested level. If the user is not authenticated through RADIUS, the router uses the system-wide enable passwords instead.
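Worked example, added here and not part of the Juniper documentation, of the two decisions described above: how the router arrives at the Initial-Auth-Level (a standard Service-Type attribute overriding the Initial-CLI-Access-Level VSA) and how a per-user enable request is approved purely from the level list the RADIUS server supplied, with the system-wide enable password used only for users who were not authenticated through RADIUS. The Service-Type numeric values are the standard RFC 2865 ones; the attribute dictionary, the `admin_auth_set` list and the behaviour when an Access-Accept carries no level attribute at all are assumptions made for the example.

```python
# Added example (not Juniper's code): initial access level resolution and
# per-user enable decisions for a JunosE CLI login, driven by RADIUS attributes.
from typing import Iterable, Optional

# Standard RADIUS Service-Type values (RFC 2865 section 5.6).
SERVICE_TYPE_LOGIN = 1
SERVICE_TYPE_ADMINISTRATIVE = 6
SERVICE_TYPE_NAS_PROMPT = 7

# The only access levels the page documents (Table 1).
VALID_LEVELS = (0, 1, 5, 10, 15)


def initial_access_level(access_accept: Optional[dict]) -> int:
    """Return the Initial-Auth-Level the router would assign at login.

    access_accept is a dict of decoded Access-Accept attributes, or None when
    RADIUS authentication is not configured for the console/virtual terminal;
    in that case every successful login gets level 1.
    """
    if access_accept is None:
        return 1
    # A standard Service-Type attribute overrides any VSA setting.
    service_type = access_accept.get("Service-Type")
    if service_type == SERVICE_TYPE_ADMINISTRATIVE:
        return 10
    if service_type in (SERVICE_TYPE_NAS_PROMPT, SERVICE_TYPE_LOGIN):
        return 1
    level = access_accept.get("Initial-CLI-Access-Level")
    if level is None:
        # Assumption: an Access-Accept with no level attribute behaves like the
        # unconfigured case (level 1). The page does not state this case.
        return 1
    if level not in VALID_LEVELS:
        raise ValueError(f"Initial-CLI-Access-Level must be one of {VALID_LEVELS}, got {level!r}")
    return level


def enable_allowed(requested: int, radius_authenticated: bool,
                   admin_auth_set: Iterable[int], enable_password_ok: bool = False) -> bool:
    """Decide an `enable <level>` request.

    For RADIUS-authenticated users the answer comes only from the list of
    levels the server supplied (every permitted level listed explicitly);
    no password prompt is involved. Users not authenticated through RADIUS
    fall back to the system-wide enable password, modelled here by the
    enable_password_ok flag.
    """
    if requested not in VALID_LEVELS:
        return False
    if radius_authenticated:
        return requested in set(admin_auth_set)
    return enable_password_ok


if __name__ == "__main__":
    # Constructed Access-Accept: VSA asks for level 5, Service-Type says Administrative.
    accept = {"Service-Type": SERVICE_TYPE_ADMINISTRATIVE, "Initial-CLI-Access-Level": 5}
    print("initial level:", initial_access_level(accept))          # 10, Service-Type wins
    print("enable 15 allowed:", enable_allowed(15, True, [1, 5, 10]))  # False, not in the set
```

The point a reviewer should take from `initial_access_level` is the override order: a RADIUS server that emits both attributes can silently raise a user from the VSA level to 10 through `Service-Type = Administrative-User`, so server-side profiles should set one or the other deliberately.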

    Restricting Access to Virtual Routers

    You can use RADIUS authentication to specify whether users can access all virtual routers (VRs), one specific VR, or a set of specific VRs.

    Note: This classification is independent of the command access levels configurable through the Initial-CLI-Access-Level VSA.

    The VSA Allow-All-VR-Access controls access; the VSA Virtual-Router controls the VR to which the user logs in, and the VSA Alt-CLI-Virtual-Router-Name specifies which VRs, other than the VR specified by the Virtual-Router VSA, are accessible to restricted users. See Table 3.

    Table 3: Juniper Networks–Specific Virtual Router Access VSA Descriptions

    Allow-All-VR-Access
        Description:     Specifies user access to all virtual routers.
        Type:            26
        Length:          len
        Subtype:         19
        Subtype Length:  sublen
        Value:           Integer: 0 – disable, 1 – enable

    Virtual-Router
        Description:     Specifies the VR to which the user logs in or the only VR to which a user has access. The default setting is the default VR.
        Type:            26
        Length:          len
        Subtype:         1
        Subtype Length:  sublen
        Value:           String: virtual-router-name

    Alt-CLI-Virtual-Router-Name
        Description:     Specifies a VR, other than the VR specified by the Virtual-Router VSA, to which the user has access. You can define this VSA multiple times to define a set of VRs to which a user has access.
        Type:            26
        Length:          len
        Subtype:         21
        Subtype Length:  sublen
        Value:           String: virtual-router-name
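The Type / Length / Subtype / Subtype Length / Value columns in Tables 2 and 3 are the RFC 2865 Vendor-Specific attribute layout. The following encoder and decoder, added here and not Juniper's code, packs and parses those five VSAs using the subtype numbers from the tables so that a server-side profile can be checked byte by byte. The vendor id 4874 (Juniper ERX) is not stated on the page and is an assumption; the access-level VSAs are treated as 4-octet integers, and the sample Access-Accept built by `example_4_attributes` is the last configuration example in the next section (login VR Boston, access to Chicago, Los Angeles and San Francisco).

```python
# Added example (not Juniper's code): RFC 2865 Vendor-Specific attribute
# encoding for the Juniper ERX CLI and VR access VSAs:
#   Type(26) | Length | Vendor-Id(4) | Subtype | Subtype-Length | Value
import struct

VSA_TYPE = 26                  # RADIUS Vendor-Specific attribute type
VENDOR_ID_JUNIPER_ERX = 4874   # assumption: the vendor id is not on the page

# Subtype -> (VSA name, allowed integer values or None for a string value),
# taken from Tables 2 and 3.
SUBTYPES = {
    1:  ("Virtual-Router", None),
    18: ("Initial-CLI-Access-Level", {0, 1, 5, 10, 15}),
    19: ("Allow-All-VR-Access", {0, 1}),
    20: ("Alt-CLI-Access-Level", {0, 1, 5, 10, 15}),
    21: ("Alt-CLI-Virtual-Router-Name", None),
}
BY_NAME = {name: (sub, allowed) for sub, (name, allowed) in SUBTYPES.items()}


def encode_vsa(name: str, value) -> bytes:
    """Pack one VSA; the documented value set is enforced before packing."""
    sub, allowed = BY_NAME[name]
    if allowed is None:
        payload = str(value).encode("utf-8")
    else:
        if int(value) not in allowed:
            raise ValueError(f"{name}: value {value!r} is outside the documented set {sorted(allowed)}")
        payload = struct.pack("!I", int(value))
    sublen = 2 + len(payload)      # counts the subtype and subtype-length octets
    length = 2 + 4 + sublen        # type, length, 4-octet vendor id, sub-attribute
    if length > 255:
        raise ValueError(f"{name}: attribute would exceed 255 octets")
    return (struct.pack("!BB", VSA_TYPE, length)
            + struct.pack("!I", VENDOR_ID_JUNIPER_ERX)
            + struct.pack("!BB", sub, sublen) + payload)


def decode_attributes(buf: bytes) -> list:
    """Walk a packed RADIUS attribute list and return (name, value) pairs.

    Juniper ERX VSAs are decoded by subtype; other attributes are kept as
    ("Attr-<type>", raw bytes) so nothing is silently dropped. Malformed
    lengths raise instead of being skipped.
    """
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        body = buf[i + 2:i + alen]
        i += alen
        if atype != VSA_TYPE:
            out.append((f"Attr-{atype}", body))
            continue
        if len(body) < 4:
            raise ValueError("VSA shorter than its vendor id")
        vendor = struct.unpack("!I", body[:4])[0]
        if vendor != VENDOR_ID_JUNIPER_ERX:
            out.append((f"VSA-{vendor}", body[4:]))
            continue
        j = 4
        while j < len(body):           # one VSA may carry several sub-attributes
            if j + 2 > len(body):
                raise ValueError("truncated sub-attribute header")
            sub, sublen = body[j], body[j + 1]
            if sublen < 2 or j + sublen > len(body):
                raise ValueError(f"bad sub-attribute length {sublen} for subtype {sub}")
            payload = body[j + 2:j + sublen]
            j += sublen
            name, allowed = SUBTYPES.get(sub, (f"Juniper-ERX-Subtype-{sub}", None))
            if allowed is None:
                out.append((name, payload.decode("utf-8", errors="replace")))
            else:
                if len(payload) != 4:
                    raise ValueError(f"{name}: integer value must be 4 octets")
                out.append((name, struct.unpack("!I", payload)[0]))
    return out


def example_4_attributes() -> bytes:
    """Constructed Access-Accept attribute list: login VR Boston, restricted
    access to Chicago, Los Angeles and San Francisco."""
    return b"".join([
        encode_vsa("Allow-All-VR-Access", 0),
        encode_vsa("Virtual-Router", "Boston"),
        encode_vsa("Alt-CLI-Virtual-Router-Name", "Chicago"),
        encode_vsa("Alt-CLI-Virtual-Router-Name", "Los Angeles"),
        encode_vsa("Alt-CLI-Virtual-Router-Name", "San Francisco"),
    ])


if __name__ == "__main__":
    for name, value in decode_attributes(example_4_attributes()):
        print(f"{name} = {value!r}")
```

Each Alt-CLI-Virtual-Router-Name instance is emitted as its own type-26 attribute, which is how a VSA is "defined multiple times"; the decoder also accepts several sub-attributes packed inside one type-26 attribute, since RFC 2865 allows that form.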

    VSA Configuration Examples

    Consider a router on which five VRs have been configured. The VRs are called Boston, Chicago, Detroit, Los Angeles, and San Francisco. The following examples illustrate how to use the VSAs to control a user’s access to these VRs.

    Example 1

    In this example, you want the user to have access to all VRs and to log in to the default VR. Accept the default setting or set the following VSA:

    • Allow-All-VR-Access—1

    Example 2

    In this example, you want the user to have access to all VRs and to log in to the VR Boston. Set the VSAs as follows:

    • Allow-All-VR-Access—1
    • Virtual-Router—Boston

    Example 3

    In this example, you want the user to have access only to the VR Boston. Set the VSAs as follows:

    • Allow-All-VR-Access—0
    • Virtual-Router—Boston

    Example 4

    In this example, you want the user to log in to VR Boston, and to have access to VRs Chicago, Los Angeles, and San Francisco. Set the VSAs as follows:

    • Allow-All-VR-Access—0
    • Virtual-Router—Boston
    • Alt-CLI-Virtual-Router-Name—Chicago
    • Alt-CLI-Virtual-Router-Name—Los Angeles
    • Alt-CLI-Virtual-Router-Name—San Francisco

    Commands Available to Users

    If you do not configure RADIUS authentication for the console or virtual terminals, there are no restrictions on VR access for any user who successfully logs in to the router. For example, nonrestricted users can:

    • Issue the virtual-router command in Privileged Exec mode, to switch to another previously created virtual router.
    • Issue the virtual-router command in Global Configuration mode to create a new virtual router and switch to its context.
    • Access Global Configuration mode to configure the router and virtual routers.
    • View all settings for the router and all virtual routers.

    Users restricted to one or a set of specific VRs can see and use only a limited set of commands to monitor the status of those VRs and view some configuration settings on those VRs. More specifically, such users:

    • Can issue the virtual-router command in Privileged Exec mode to switch to another previously configured VR to which they have access.
    • Cannot create new VRs or access VRs other than those to which they have access.
    • Cannot access Global Configuration mode and cannot configure VRs to which they have access.
    • Cannot see or use any commands associated with the file system, boot settings, or system configuration.
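The four VSA configuration examples and the restricted-user rules above reduce to one policy per session: a login VR, whether the user is unrestricted, and otherwise the explicit VR set. The code below is an added example, not Juniper's, that derives that policy from the VSAs (modelled as ordered name/value pairs as they arrive in the Access-Accept), then answers the two checks the router must make for a restricted user: whether a `virtual-router` switch to a given VR is permitted and whether Global Configuration mode is reachable. The default VR is named "default" here, which is an assumption; the five VR names come from the page's examples.

```python
# Added example (not Juniper's code): VR access policy derived from the
# Allow-All-VR-Access, Virtual-Router and Alt-CLI-Virtual-Router-Name VSAs.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

DEFAULT_VR = "default"   # assumption: the page only says "the default VR"


@dataclass(frozen=True)
class VrPolicy:
    login_vr: str            # VR the session starts in
    all_vrs: bool            # True: no VR restriction at all
    allowed: FrozenSet[str]  # explicit VR set for restricted users (empty when all_vrs)

    def may_switch_to(self, vr: str, configured_vrs: Iterable[str]) -> bool:
        """`virtual-router <vr>` in Privileged Exec mode: only VRs that already
        exist, and for restricted users only the login VR plus the
        Alt-CLI-Virtual-Router-Name set."""
        if vr not in set(configured_vrs):
            return False
        return self.all_vrs or vr in self.allowed

    def may_enter_global_config(self) -> bool:
        """Restricted users cannot reach Global Configuration mode, so they can
        neither create VRs nor configure the ones they may monitor."""
        return self.all_vrs


def vr_policy(attrs: Optional[List[Tuple[str, object]]]) -> VrPolicy:
    """Build the policy from Access-Accept VSAs.

    attrs is None when RADIUS authentication is not configured for the line;
    every successful login is then unrestricted. Allow-All-VR-Access defaults
    to 1 (Example 1: accepting the default gives access to all VRs).
    """
    if attrs is None:
        return VrPolicy(DEFAULT_VR, True, frozenset())
    login_vr, allow_all, alt = DEFAULT_VR, 1, set()
    for name, value in attrs:
        if name == "Virtual-Router":
            login_vr = str(value)
        elif name == "Allow-All-VR-Access":
            if value not in (0, 1):
                raise ValueError(f"Allow-All-VR-Access must be 0 or 1, got {value!r}")
            allow_all = int(value)
        elif name == "Alt-CLI-Virtual-Router-Name":   # may repeat, one VR per instance
            alt.add(str(value))
    if allow_all:
        return VrPolicy(login_vr, True, frozenset())
    return VrPolicy(login_vr, False, frozenset(alt | {login_vr}))


if __name__ == "__main__":
    # Constructed router: the five VRs from the page's examples plus the default VR.
    vrs = {DEFAULT_VR, "Boston", "Chicago", "Detroit", "Los Angeles", "San Francisco"}
    example_4 = [("Allow-All-VR-Access", 0), ("Virtual-Router", "Boston"),
                 ("Alt-CLI-Virtual-Router-Name", "Chicago"),
                 ("Alt-CLI-Virtual-Router-Name", "Los Angeles"),
                 ("Alt-CLI-Virtual-Router-Name", "San Francisco")]
    policy = vr_policy(example_4)
    for vr in sorted(vrs):
        print(f"{vr:14s} switch allowed: {policy.may_switch_to(vr, vrs)}")
    print("global config reachable:", policy.may_enter_global_config())
```

Note that with Allow-All-VR-Access left at its default, a Virtual-Router VSA only chooses the login VR and restricts nothing; the restriction exists only when Allow-All-VR-Access is explicitly 0, which is worth checking in server profiles that were meant to confine a user to one VR.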

    The following list shows some, but not all, of the commands accessed from Exec mode that are available only to users with no VR restriction:

    • clear line
    • clock set
    • copy
    • copy running-configuration
    • delete
    • dir
    • disconnect ssh
    • configure
    • erase secrets
    • halt
    • reload
    • reload slot
    • rename
    • redundancy force-switchover
    • redundancy revert
    • show boot
    • show config
    • show exception dump
    • show ip ssh
    • show line
    • show redundancy
    • show secrets
    • show subsystems
    • show timing
    • show users
    • show utilization
    • srp switch
    • synchronize

    Published: 2014-08-12