
Example: Configuring QFabric System Login Classes


This example shows you how to assign the correct login class to users so they can access components within a QFabric system.

Requirements

This example uses the following hardware and software components:

  • One QFX3000-G QFabric system containing:

    • Two QFX3100 Director devices

    • Two QFX3008-I Interconnect devices

    • Eight QFX3500 Node devices

    • Junos OS Release 12.2 for these QFX Series components

  • Eight EX4200 switches, used to make two redundant Virtual Chassis with four members apiece

  • Junos OS Release 12.1R1.9 for the EX Series switches used in the Virtual Chassis

Before you begin:

Overview

The QFabric system offers three special preset login classes that provide different levels of access to individual components within a QFabric system (such as Node devices and Interconnect devices). The qfabric-admin class provides the ability to log in to individual QFabric system components and manage them. The qfabric-operator class enables the user to log in to individual components and view component-level operations and configurations. The qfabric-user class prevents access to individual QFabric system components.

You include these classes in your configuration at the [edit system login user username authentication remote-debug-permission] hierarchy level. The key task is to decide which class you should apply to users based on their need to access QFabric system components.

Note

To set QFabric system login classes for a root user, include the remote-debug-permission statement at the [edit system root-authentication] hierarchy level and specify the qfabric-admin class.

If you assign the qfabric-admin or the qfabric-operator class to a user, the QFabric system maps the user to a list of authorized users who are permitted to access components. To facilitate ease of use, the QFabric system uses the component password you specified during the initial setup of the Director group. When users assigned the qfabric-admin or the qfabric-operator class log in to a component by issuing the request component login operational mode command, the QFabric system verifies the class and sends the username and password to the component. The component accepts these credentials and permits access.

Note
  • The three QFabric system login classes give access to the components only. To provide access to the QFabric system as a whole through the default partition command-line interface (CLI), you must configure the usual Junos OS login classes or permissions (such as the super-user class). For more information about login classes, see Junos OS Login Classes Overview.

  • If you have completed the QFabric system initial setup and the system is operational, you can change the component password by issuing the device-authentication statement at the [edit system] hierarchy level in the QFabric default partition CLI.

Topology

This example defines three users: Adam, Oscar, and Ulf. Adam needs to manage QFabric system components, Oscar needs limited access, and Ulf should not have any access to the components. As a result, assign the qfabric-admin class to Adam, the qfabric-operator class to Oscar, and the qfabric-user class to Ulf. However, all three users should have all permissions to access the QFabric system CLI.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To provide the same access to the QFabric system CLI for all users, but different QFabric system component-level access to different users:

  1. Define and provide all-qfabric access and passwords to all three users. This administrator-defined class provides full permissions, enabling the users to log in to the QFabric system default partition and use the CLI. Alternatively, you can assign the super-user class to these users to accomplish the same goal.
  2. Provide qfabric-admin component access to Adam so he can manage QFabric system components.
  3. Provide qfabric-operator component access to Oscar so he can view the CLI at the QFabric system components.
  4. Assign qfabric-user component restrictions to Ulf to prevent him from accessing the QFabric system components.
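The set-style configuration that the four steps above produce, written out here as an added example rather than the CLI Quick Configuration block of the original page; it also covers the root-user note from the Overview. The login names adam, oscar and ulf and the encrypted-password placeholders are assumptions (the page names the users only as Adam, Oscar and Ulf).

```junos
# Added example, not the original page's configuration block.
# Assumptions: login names adam/oscar/ulf; replace each
# $PLACEHOLDER_HASH with a real password hash before loading.

# Step 1: administrator-defined class with full permissions on the
# QFabric system default partition CLI (super-user works equally well).
set system login class all-qfabric permissions all

# Step 1 (continued): all three users get the same CLI access.
set system login user adam class all-qfabric
set system login user adam authentication encrypted-password "$PLACEHOLDER_HASH"
set system login user oscar class all-qfabric
set system login user oscar authentication encrypted-password "$PLACEHOLDER_HASH"
set system login user ulf class all-qfabric
set system login user ulf authentication encrypted-password "$PLACEHOLDER_HASH"

# Step 2: Adam can log in to individual components and manage them.
set system login user adam authentication remote-debug-permission qfabric-admin

# Step 3: Oscar can log in to components with read-only access.
set system login user oscar authentication remote-debug-permission qfabric-operator

# Step 4: Ulf is denied component-level login.
set system login user ulf authentication remote-debug-permission qfabric-user

# Root user (see the note in Overview): component access for root is set
# under root-authentication, not under a login user.
set system root-authentication remote-debug-permission qfabric-admin
```

Paste the lines at the [edit] hierarchy level and commit; the three remote-debug-permission values are the only lines that differ between the users, which is what the verification section below checks.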

Results

From configuration mode, confirm your configuration by entering the show command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the QFabric system and component-level access configuration is working properly for all three users. Adam, Oscar, and Ulf should have equivalent, full-permission access to the QFabric system CLI. Adam should have management-level access to components. Oscar should have read-only access to components. Ulf should have no component-level access.

Verifying qfabric-admin Access

Purpose

Verify that Adam can access the QFabric system CLI at the default partition and manage QFabric system components.

Action

From a management station on your network, issue the ssh user@qfabric command and enter the password to open an SSH session for Adam to the QFabric system. Issue the ? command to view the CLI operational mode commands that Adam has permission to use on the QFabric system default partition.

Issue the request component login ? command to view the components that Adam can access. Next, issue the request component login component-name command to log in to a Node device without being prompted for a username or password.

Finally, issue the ? command to view the CLI operational mode commands that Adam has the permission to use on the Node device. Notice that the CLI prompt now indicates Adam’s component access level (qfabric-admin) as the username and the Node device identifier (EE3093) as the host.

Meaning

The output shows that Adam has received the proper permissions to access the QFabric system CLI and log in to individual components with management-level access.

Verifying qfabric-operator Access

Purpose

Verify that Oscar can access the QFabric system CLI at the default partition and view the CLI on the QFabric system components.

Action

From a management station on your network, issue the ssh user@qfabric command and enter the password to open an SSH session for Oscar to the QFabric system. Issue the ? command to view the CLI operational mode commands that Oscar has permission to use on the QFabric system default partition. Notice that these permissions are the same as those given to Adam.

Issue the request component login component-name command to log in to a Node device without being prompted for a username or password.

Finally, issue the ? command to view the CLI operational mode commands that Oscar has permission to use on the Node device. Notice that the CLI prompt now indicates Oscar’s component access level (qfabric-operator) as the username and the Node device identifier (EE3093) as the host. Additionally, Oscar has fewer CLI commands available than Adam because of Oscar’s read-only qfabric-operator login class.

Meaning

The output shows that Oscar has full permissions to access the QFabric system CLI, but only read-only access when he logs in to individual components. Oscar’s permissions on the QFabric system are the same as Adam’s, but Oscar has fewer permissions than Adam on the Node device.

Verifying qfabric-user Access

Purpose

Verify that Ulf has full access to the QFabric system CLI at the default partition but cannot access the QFabric system components.

Action

From a management station on your network, issue the ssh user@qfabric command and enter the password to open an SSH session for Ulf to the QFabric system. Issue the ? command to view the CLI operational mode commands that Ulf has permission to use on the QFabric system default partition. Notice that these permissions are the same as those given to Adam and Oscar.

When Ulf issues the request component login component-name command, the Node device denies his access attempt.

Meaning

The output shows that Ulf has full permissions to access the QFabric system CLI in the same way as Adam and Oscar. However, unlike Adam and Oscar, Ulf cannot access individual components because of the qfabric-user login class assigned to him.