Identifying and Authorizing Managers

In JUNOS software for Common Criteria, users who are allowed to make changes to the router are called managers. Managers have read and write privileges over key operational components, such as counters, or configuration parameters, such as routing protocols. Some managers are considered superusers and have the ability to change configuration statements and security parameters in addition to other management tasks. Other users are not managers and have only read access (view permission) to some restricted parameters.

User accounts provide one way for users to access the router. (Users can access the router without accounts if RADIUS or TACACS+ servers are configured, as described in Authorizing Users with RADIUS/TACACS+ .) For each account, you define the login name for the user and, optionally, information that identifies the user. After you have created an account, the software creates a home directory for the user.

For each user account, you can define the following:

• Username—(Required) Name that identifies the user. It must be unique within the router. Do not include spaces, colons, or commas in the username.
• User’s full name—(Optional) If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.
• User identifier (UID)—(Optional) Numeric identifier that is associated with the user account name. The identifier must be in the range from 100 through 64,000 and should be unique on the router. If you do not assign a UID to a username, the software assigns one when you commit the configuration, using the lowest available number. You should ensure that the UID is unique. However, you can assign the same UID to different users. If you do, the CLI displays a warning when you commit the configuration and then assigns the duplicate UID.
• User access privilege—(Required) One of the login classes you defined in the class statement at the [edit system login] hierarchy level, or one of the default classes listed in Table 10.

  Table 10: Default System Login Classes

  Login Class	Permission Bits Set
  operator	clear, network, reset, trace, view
  read-only	view
  superuser	all
  unauthorized	none

• Authentication method or methods and passwords that the user can use to access the router—(Optional when RADIUS or TACACS+ are configured) You can use SSH or a Message Digest 5 (MD5) password, or you can enter a plain-text password that the JUNOS software encrypts using MD5-style encryption before entering it in the password database. For each method, you can specify the user’s password. If you configure the plain-text-password option, you are prompted to enter and confirm the password:

  [edit system]

  user@host# set root-authentication plain-text-password

  New password: type password here

  Retype new password: retype password here

For information about SSH authentication, see the JUNOS System Basics Configuration Guide, the J2300, J4300, and J6300 Services Router Getting Started Guide, or the J4350 and J6350 Services Router Getting Started Guide.

An account for the user root is always present in the configuration. For more information about user accounts, see the JUNOS System Basics Configuration Guide or the J-series Services Router Administration Guide.

This section contains information about how to configure Common Criteria managers:

• Configuring Common Criteria Login Classes
• Authorizing Users with RADIUS/TACACS+

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.