
Configuring Juniper Networks Vendor-Specific RADIUS Attributes

The JUNOS software supports the configuration of Juniper Networks RADIUS vendor-specific attributes (VSAs). These VSAs are encapsulated in a RADIUS Vendor-Specific attribute (attribute type 26) with the vendor ID set to the Juniper Networks ID number, 2636. Table 14 lists the Juniper Networks VSAs you can configure.

Table 14: Juniper Networks Vendor-Specific RADIUS Attributes

For each attribute, Type is the vendor-type number carried inside the Vendor-Specific attribute, Length is the minimum length of the vendor-specific data in octets (the vendor-type and vendor-length octets plus at least one octet of value), and String describes the format of the value.

Juniper-Local-User-Name
    Type: 1
    Length: ≥3
    Description: Indicates the name of the user template used by this user when logging in to a device. This attribute is used only in Access-Accept packets.
    String: One or more octets containing printable ASCII characters.

Juniper-Allow-Commands
    Type: 2
    Length: ≥3
    Description: Contains an extended regular expression that allows the user to run operational mode commands in addition to the commands authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets.
    String: One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 12.

Juniper-Deny-Commands
    Type: 3
    Length: ≥3
    Description: Contains an extended regular expression that denies the user permission to run operational mode commands that would otherwise be authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets.
    String: One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 12.

Juniper-Allow-Configuration
    Type: 4
    Length: ≥3
    Description: Contains an extended regular expression that allows the user to run configuration mode commands in addition to the commands authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets.
    String: One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 13.

Juniper-Deny-Configuration
    Type: 5
    Length: ≥3
    Description: Contains an extended regular expression that denies the user permission to run configuration mode commands that would otherwise be authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets.
    String: One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 13.

Juniper-Interactive-Command
    Type: 8
    Length: ≥3
    Description: Indicates the interactive command entered by the user. This attribute is used only in Accounting-Request packets.
    String: One or more octets containing printable ASCII characters.

Juniper-Configuration-Change
    Type: 9
    Length: ≥3
    Description: Indicates the interactive command that results in a configuration (database) change. This attribute is used only in Accounting-Request packets.
    String: One or more octets containing printable ASCII characters.

Juniper-User-Permissions
    Type: 10
    Length: ≥3
    Description: Contains information the server uses to specify user permissions. This attribute is used only in Access-Accept packets.
    String: One or more octets containing printable ASCII characters. The string is a list of permission flags separated by a space. The exact name of each flag must be specified in its entirety. See Table 11.

    Note: When the Juniper-User-Permissions attribute is configured on a RADIUS server to grant the JUNOS maintenance or all permissions, UNIX wheel group membership is not automatically added to the user's list of group memberships. Some operations, such as running the su root command from a local shell, require wheel group membership. However, when a user is configured locally with the maintenance or all permissions, the user is automatically granted membership in the UNIX wheel group. Therefore, we recommend that you create a template user account with the required permissions and associate individual user accounts with that template account (by returning its name in Juniper-Local-User-Name). For information about configuring user template accounts, see Configuring Template Accounts for RADIUS and TACACS+ Authentication.

For the encoding of vendor-specific attributes, see RFC 2138, Remote Authentication Dial In User Service (RADIUS), which has since been obsoleted by RFC 2865; the Vendor-Specific attribute format is unchanged.
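The following encoder and decoder, written for this page as an added example (it is not Juniper code and not part of the original documentation), shows how the attributes in Table 14 sit inside a RADIUS Vendor-Specific attribute: attribute type 26, a one-octet length, the four-octet vendor ID 2636, then the vendor-type and vendor-length octets from the table followed by the ASCII string. It builds the attribute list a RADIUS server would return in an Access-Accept that maps a remote user onto a local template account and constrains that account's operational commands, then parses it back, rejecting truncated or non-printable data. The vendor-type numbers and attribute names are taken from Table 14; the function names, the template account name ops-template and the regular expressions are assumptions made for the example, and the walk over several sub-attributes after one vendor ID follows the general RFC 2865 format rather than anything stated on this page.

```python
"""Encode and decode Juniper Networks RADIUS VSAs (vendor ID 2636).

Wire format of a RADIUS Vendor-Specific attribute (RFC 2865, section 5.26):

  Type=26 | Length | Vendor-Id (4 octets) | Vendor-Type | Vendor-Length | String ...

The Type and Length columns of Table 14 are Vendor-Type and Vendor-Length;
Vendor-Length counts itself and Vendor-Type, so a one-octet value gives
the minimum of 3.  Example code, not Juniper's implementation.
"""
import struct

VENDOR_SPECIFIC = 26        # RADIUS attribute type
JUNIPER_VENDOR_ID = 2636    # 0x00000A4C on the wire

# Vendor-Type numbers from Table 14.
JUNIPER_VSA_NAMES = {
    1: "Juniper-Local-User-Name",
    2: "Juniper-Allow-Commands",
    3: "Juniper-Deny-Commands",
    4: "Juniper-Allow-Configuration",
    5: "Juniper-Deny-Configuration",
    8: "Juniper-Interactive-Command",
    9: "Juniper-Configuration-Change",
    10: "Juniper-User-Permissions",
}
JUNIPER_VSA_TYPES = {name: num for num, name in JUNIPER_VSA_NAMES.items()}


def _check_printable_ascii(data):
    # Table 14: one or more octets of printable ASCII.
    if not data or any(b < 0x20 or b > 0x7E for b in data):
        raise ValueError("value must be one or more printable ASCII octets")


def encode_juniper_vsa(name, value):
    """Return one complete Vendor-Specific attribute carrying the named Juniper VSA."""
    vendor_type = JUNIPER_VSA_TYPES[name]
    data = value.encode("ascii")
    _check_printable_ascii(data)
    vendor_length = 2 + len(data)            # Vendor-Type + Vendor-Length + String
    length = 2 + 4 + vendor_length           # outer Type + Length + Vendor-Id + sub-attribute
    if length > 255:                         # the outer Length is a single octet
        raise ValueError("value too long for a single attribute")
    return (struct.pack("!BBI", VENDOR_SPECIFIC, length, JUNIPER_VENDOR_ID)
            + struct.pack("!BB", vendor_type, vendor_length) + data)


def build_juniper_access_accept(local_user, allow_commands=None, deny_commands=None,
                                allow_configuration=None, deny_configuration=None,
                                permissions=None):
    """Attribute list a RADIUS server would place in an Access-Accept for a JUNOS
    login: map the remote user onto a local template account (Juniper-Local-User-Name),
    then widen or narrow that account's login class.  Hypothetical helper."""
    fields = [
        ("Juniper-Local-User-Name", local_user),
        ("Juniper-Allow-Commands", allow_commands),
        ("Juniper-Deny-Commands", deny_commands),
        ("Juniper-Allow-Configuration", allow_configuration),
        ("Juniper-Deny-Configuration", deny_configuration),
        ("Juniper-User-Permissions", permissions),
    ]
    return b"".join(encode_juniper_vsa(n, v) for n, v in fields if v)


def decode_radius_attributes(buf):
    """Walk a RADIUS attribute list.  Juniper VSAs come back as (name, str); other
    attributes as ("Attribute-<type>", bytes) or ("Vendor-Specific-<id>", bytes).
    Every length field is validated before use so a truncated or malformed packet
    raises instead of being silently misread."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        body = buf[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC:
            out.append(("Attribute-%d" % atype, body))
            continue
        if len(body) < 4:
            raise ValueError("Vendor-Specific attribute shorter than a Vendor-Id")
        vendor_id = struct.unpack("!I", body[:4])[0]
        if vendor_id != JUNIPER_VENDOR_ID:
            out.append(("Vendor-Specific-%d" % vendor_id, body[4:]))
            continue
        # RFC 2865 permits several sub-attributes after one Vendor-Id; walk them all.
        sub, spos = body[4:], 0
        while spos < len(sub):
            if len(sub) - spos < 3:
                raise ValueError("truncated Juniper sub-attribute")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 3 or spos + vlen > len(sub):
                raise ValueError("bad Juniper Vendor-Length %d" % vlen)
            data = sub[spos + 2:spos + vlen]
            _check_printable_ascii(data)
            out.append((JUNIPER_VSA_NAMES.get(vtype, "Juniper-VSA-%d" % vtype),
                        data.decode("ascii")))
            spos += vlen
    return out


if __name__ == "__main__":
    # Constructed sample: a read-only operator mapped onto the (assumed) template ops-template.
    accept = build_juniper_access_accept("ops-template",
                                         allow_commands="(show|ping|traceroute) .*",
                                         deny_commands="show configuration")
    for name, value in decode_radius_attributes(accept):
        print(name, "=", value)
```

Two points the code makes that the table does not spell out: the single-octet outer Length caps a regular expression in Juniper-Allow-Commands or Juniper-Deny-Commands at 247 characters per attribute, and a decoder must check each vendor-length against the remaining data, since a Vendor-Specific attribute from any source is attacker-influenced input to the parser.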
