[Contents] [Prev] [Next] [Index] [Report an Error]

Restricting User Access

Users who are authenticated through RADIUS or TACACS+ can be restricted to certain sets of commands and virtual routers (VRs). The levels of access are shown in Table 52. For information about TACACS+, see JUNOSe Broadband Access Configuration Guide.

Table 52: CLI User Access Levels

Access Level	Commands Available
0	disable, enable, exit, and help commands
1	Level 0 commands and all other commands available in User Exec mode
5	Level 1 commands and all Privileged show commands
10	All commands except support and privilege change commands
15	Commands that Juniper Networks Technical Support may provide and all other commands

Restricting Access to Commands with RADIUS

You can use RADIUS authentication to specify a level of commands that a user is allowed. If you do not configure RADIUS authentication for the console or virtual terminals, all users who successfully log in are automatically granted Level 1 access.

The vendor-specific attribute (VSA) Admin-Auth-Level supports the levels of access shown in Table 52. In addition to VSA access level support, the software provides access to levels 1 and 10 through the Initial-Auth-Level in the standard RADIUS Service-Type attribute. If the RADIUS Service-Type attribute is included in the RADIUS Access-Accept message, the standard attribute overrides any VSA setting.

If you are using the RADIUS Service-Type attribute to assign access levels, the system sets the Initial-Auth-Level as follows:

If the Service-Type attribute is set to “ administrative,” then the Initial-Auth-Level is set to 10.
If the Service-Type attribute is set to “ nas prompt” or “ login,” the Initial-Auth-Level is set to 1.

Per-User Enable Authentication

After a user has been authenticated through RADIUS, the RADIUS server provides the E-series router with the names of the privilege levels (for example, “ 10” ) that the user has enable access to. When the user attempts to access a privilege level through the enable command, the system either denies or approves the user’s request.

The decision to deny or approve the user’s request is based on the list the system received through RADIUS. See Table 53.

Table 53: Juniper Networks–Specific CLI Access VSA Descriptions

VSA	Description	Type	Length	Subtype	Subtype Length	Value
Initial-CLI- Access-Level	Specifies the initial level of access to CLI commands.	26	len	18	sublen	Single attribute; enter only: 0, 1, 5, 10, or 15
Alt-CLI- Access-Level	Specifies level of access to CLI commands.	26	len	20	sublen	Single attribute; enter only: 0, 1, 5, 10, or 15

Note: All levels to which a user can have access must explicitly be specified in the Admin-Auth-Set VSA.

The user is not prompted for a password, because the system knows whether or not the user should have access to the requested level. If the user is not authenticated through RADIUS, the router uses the system-wide enable passwords instead.

Restricting Access to Virtual Routers

You can use RADIUS authentication to specify whether users can access all virtual routers (VRs), one specific VR, or a set of specific VRs.

Note: This classification is independent of the command access levels configurable through the Initial-CLI-Access-Level VSA.

The VSA Allow-All-VR-Access controls access; the VSA Virtual-Router controls the VR to which the user logs in, and the VSA Alt-CLI-Virtual-Router-Name specifies which VRs other than the VR specified by the VSA virtual-router are accessible to restricted users. See Table 54.

Table 54: Juniper Networks–Specific Virtual Router Access VSA Descriptions

VSA	Description	Type	Length	Subtype	Subtype Length	Value
Allow-All-VR-Access	Specifies user access to all virtual routers.	26	len	19	sublen	Integer: 0 – disable, 1 – enable
Virtual-Router	Specifies the VR to which the user logs in or the only VR to which a user has access. The default setting is the default VR.	26	len	1	sublen	String: virtual-router -name
Alt-CLI-Virtual-Router- Name	Specifies a VR, other than the VR specified by the Virtual-Router VSA, to which the user has access. You can define this VSA multiple times to define a set of VRs to which a user has access.	26	len	21	sublen	String: virtual-router -name

VSA Configuration Examples

Consider a router on which five VRs have been configured. The VRs are called Boston, Chicago, Detroit, Los Angeles, and San Francisco. The following examples illustrate how to use the VSAs to control a user’s access to these VRs.

Example 1

In this example, you want the user to have access to all VRs and to log in to the default VR. Accept the default setting or set the following VSA:

Allow-All-VR-Access—1

Example 2

In this example, you want the user to have access to all VRs and to log in to the VR Boston. Set the VSAs as follows:

Allow-All-VR-Access—1
Virtual-Router—Boston

Example 3

In this example, you want the user to have access only to the VR Boston. Set the VSAs as follows:

Allow-All-VR-Access—0
Virtual-Router—Boston

Example 4

In this example, you want the user to log in to VR Boston, and to have access to VRs Chicago, Los Angeles, and San Francisco. Set the VSAs as follows:

Allow-All-VR-Access—0
Virtual-Router—Boston
Alt-CLI-Virtual-Router-Name—Chicago
Alt-CLI-Virtual-Router-Name—Los Angeles
Alt-CLI-Virtual-Router-Name—San Francisco

Commands Available to Users

If you do not configure RADIUS authentication for the console or virtual terminals, there are no restrictions on VR access for any user who successfully logs in to the router. For example, nonrestricted users can:

Issue the virtual-router command in Privileged Exec mode, to switch to another previously created virtual router.
Issue the virtual-router command in Global Configuration mode to create a new virtual router and switch to its context.
Access Global Configuration mode to configure the router and virtual routers.
View all settings for the router and all virtual routers.

User restricted to one or a set of specific VRs can see and use only a limited set of commands to monitor the status of those VRs and view some configuration settings on those VRs. More specifically, such users:

Can issue the virtual-router command in Privileged Exec mode to switch to another previously configured VR to which they have access.
Cannot create new VRs or access VRs other than those to which they have access.
Cannot access Global Configuration mode and cannot configure VRs to which they have access.
Cannot see or use any commands associated with the file system, boot settings, or system configuration.

The following table lists some, but not all, commands accessed from Exec mode that are available only to users with no VR restriction:

clear line	reload	show redundancy
clock set	reload slot	show secrets
copy	rename	show subsystems
copy running-configuration	redundancy force-switchover	show timing
delete	redundancy revert	show users
dir	show boot	show utilization
disconnect ssh	show config	srp switch
configure	show exception dump	synchronize
erase secrets	show ip ssh	–
halt	show line	–

[Contents] [Prev] [Next] [Index] [Report an Error]