Example: Configuring QFabric System Login Classes
This example shows you how to assign the correct login class to users so they can access components within a QFabric system.
Requirements
This example uses the following hardware and software components:
One QFX3000-G QFabric system containing:
Two QFX3100 Director devices
Two QFX3008-I Interconnect devices
Eight QFX3500 Node devices
Junos OS Release 12.2 for these QFX Series components
Eight EX4200 switches, used to make two redundant Virtual Chassis with four members apiece
Junos OS Release 12.1R1.9 for the EX Series switches used in the Virtual Chassis
Before you begin:
Perform the initial setup of the QFabric system on the Director group, which includes the creation of a username and password for the QFabric system components. See Performing the QFabric System Initial Setup on a QFX3100 Director Group.
Overview
The QFabric system offers three special preset login classes that provide different levels of access to individual components within a QFabric system (such as Node devices and Interconnect devices). The qfabric-admin class provides the ability to log in to individual QFabric system components and manage them. The qfabric-operator class enables the user to log in to individual components and view component-level operations and configurations. The qfabric-user class prevents access to individual QFabric system components.
You include these classes in your configuration at the [edit system login user username authentication remote-debug-permission] hierarchy level. The key task is to decide which class you should apply to users based on their need to access QFabric system components.
To set QFabric system login classes for a root user, include the remote-debug-permission statement at the [edit system root-authentication] hierarchy level and specify the qfabric-admin class.
If you assign the qfabric-admin or the qfabric-operator class to a user, the QFabric system adds the user to a list of authorized users who are permitted to access components. To facilitate ease of use, the QFabric system uses the component password you specified during the initial setup of the Director group. When a user assigned the qfabric-admin or the qfabric-operator class logs in to a component by issuing the request component login operational mode command, the QFabric system verifies the class and sends the username and password to the component. The component accepts these credentials and permits access. Because every user in these two classes is authenticated to the components with that same component password, treat it as a shared secret: the individual user never types it, but anyone holding qfabric-admin or qfabric-operator is effectively trusted with it.
The three QFabric system login classes give access to the components only. To provide access to the QFabric system as a whole through the default partition command-line interface (CLI), you must configure the usual Junos OS login classes or permissions (such as the super-user class). For more information about login classes, see Junos OS Login Classes Overview.
If you have completed the QFabric system initial setup and the system is operational, you can change the component password by issuing the device-authentication statement at the [edit system] hierarchy level in the QFabric default partition CLI.
Topology
This example defines three users: Adam, Oscar, and Ulf. Adam needs to manage QFabric system components, Oscar needs limited access, and Ulf should not have any access to the components. As a result, assign the qfabric-admin class to Adam, the qfabric-operator class to Oscar, and the qfabric-user class to Ulf. However, all three users should have all permissions to access the QFabric system CLI.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To provide the same access to the QFabric system CLI for all users, but different QFabric system component-level access to different users:
- Define and provide all-qfabric access and passwords to all three users. This administrator-defined class provides full permissions, enabling the users to log in to the QFabric system default partition and use the CLI. Alternatively, you can assign the super-user class to these users to accomplish the same goal.
[edit]
user@qfabric# set system login class all-qfabric permissions all
user@qfabric# set system login user Adam class all-qfabric
user@qfabric# set system login user Adam authentication encrypted-password "$1$aoYSFkvE$G/dYqsTV5iSvVW2sND69U."
user@qfabric# set system login user Oscar class all-qfabric
user@qfabric# set system login user Oscar authentication encrypted-password "$1$3e.3wJQ8$31SrzV0.efdRbk.ZJncKm0"
user@qfabric# set system login user Ulf class all-qfabric
user@qfabric# set system login user Ulf authentication encrypted-password "$1$qt9Ncm0o$okNYSN8O4fVITE/SHBdYj0"
- Provide qfabric-admin component access to Adam so he can manage QFabric system components.
[edit]
user@qfabric# set system login user Adam authentication remote-debug-permission qfabric-admin
- Provide qfabric-operator component access to Oscar so he can view the CLI at the QFabric system components.
[edit]
user@qfabric# set system login user Oscar authentication remote-debug-permission qfabric-operator
- Assign qfabric-user component restrictions to Ulf to prevent him from accessing the QFabric system components.
[edit]
user@qfabric# set system login user Ulf authentication remote-debug-permission qfabric-user
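The procedure above leaves you with a set of set-format statements that are easy to get subtly wrong on a system with many users (a user given a full-permission class but no remote-debug-permission, for instance). The following audit script is an added example written for this page; it is not Juniper code and it does not run on the Director. It parses set-format configuration text such as the output of show configuration | display set, groups users by the component-access class they were granted, and flags users who have full CLI rights on the default partition but no explicit remote-debug-permission. The sample configuration embedded in the script is constructed for the example: it mirrors the Adam, Oscar and Ulf statements from this page with placeholder password hashes, and adds a hypothetical fourth user, Eve, to show what the audit flags. The script does not assume what access an unset remote-debug-permission grants; it only reports that the setting is absent.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the page): the set-format equivalent of
# the configuration this example builds, plus a hypothetical fourth user,
# Eve, who has full CLI rights but no explicit remote-debug-permission.
# The password hashes are placeholders, not real credentials.
SAMPLE_CONFIG = """
set system login class all-qfabric permissions all
set system login user Adam class all-qfabric
set system login user Adam authentication encrypted-password "$1$placeholder$AAAA"
set system login user Adam authentication remote-debug-permission qfabric-admin
set system login user Oscar class all-qfabric
set system login user Oscar authentication encrypted-password "$1$placeholder$BBBB"
set system login user Oscar authentication remote-debug-permission qfabric-operator
set system login user Ulf class all-qfabric
set system login user Ulf authentication encrypted-password "$1$placeholder$CCCC"
set system login user Ulf authentication remote-debug-permission qfabric-user
set system login user Eve class super-user
set system login user Eve authentication encrypted-password "$1$placeholder$DDDD"
"""

# The three preset component-access classes described on this page.
QFABRIC_CLASSES = ("qfabric-admin", "qfabric-operator", "qfabric-user")
# Junos predefined class with unrestricted CLI rights on the default partition.
FULL_CLI_CLASSES = {"super-user"}

CLASS_RE = re.compile(r"^set system login class (\S+) permissions (.+)$")
USER_RE = re.compile(r"^set system login user (\S+) (.+)$")


def parse_login_config(text):
    """Parse set-format lines under [edit system login].

    Returns (classes, users): classes maps class name -> permissions string;
    users maps username -> {"class": ..., "remote_debug": ...}, with None
    for any statement that is absent.
    """
    classes = {}
    users = defaultdict(lambda: {"class": None, "remote_debug": None})
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            classes[m.group(1)] = m.group(2).strip()
            continue
        m = USER_RE.match(line)
        if not m:
            continue
        user, words = m.group(1), m.group(2).split()
        if words[:1] == ["class"] and len(words) >= 2:
            users[user]["class"] = words[1]
        elif words[:2] == ["authentication", "remote-debug-permission"] and len(words) >= 3:
            users[user]["remote_debug"] = words[2]
        # encrypted-password and other statements do not affect the audit.
    return classes, dict(users)


def has_full_cli(classes, class_name):
    """True if the named class grants all CLI permissions on the default partition."""
    if class_name in FULL_CLI_CLASSES:
        return True
    return classes.get(class_name, "").split() == ["all"]


def audit_component_access(text):
    """Group users by component-level access and list the ones to review.

    "unset" holds users with no explicit remote-debug-permission;
    "full_cli_unset" narrows that to users who also hold full CLI rights,
    the combination an administrator should set deliberately rather than
    leave to whatever the default grants.
    """
    classes, users = parse_login_config(text)
    report = {name: [] for name in QFABRIC_CLASSES}
    report.update(unset=[], unknown=[], full_cli_unset=[])
    for user, info in sorted(users.items()):
        rdp = info["remote_debug"]
        if rdp is None:
            report["unset"].append(user)
            if has_full_cli(classes, info["class"]):
                report["full_cli_unset"].append(user)
        elif rdp in QFABRIC_CLASSES:
            report[rdp].append(user)
        else:
            report["unknown"].append(user)
    return report


if __name__ == "__main__":
    for key, names in audit_component_access(SAMPLE_CONFIG).items():
        print(f"{key:16} {', '.join(names) or '-'}")
```

Run against real output of show configuration | display set, the "qfabric-admin" list is the set of accounts that can be proxied onto components with the shared component password, which is the list to re-check whenever that password is changed with the device-authentication statement.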
Results
From configuration mode, confirm your configuration by entering the show command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant to this example.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the QFabric system and component-level access configuration is working properly for all three users. Adam, Oscar, and Ulf should have equivalent, full-permission access to the QFabric system CLI. Adam should have management-level access to components. Oscar should have read-only access to components. Ulf should have no component-level access.
Verifying qfabric-admin Access
Purpose
Verify that Adam can access the QFabric system CLI at the default partition and manage QFabric system components.
Action
From a management station on your network, issue the ssh user@qfabric command and enter the password to open an SSH session for Adam to the QFabric system. Issue the ? command to view the CLI operational mode commands that Adam has permission to use on the QFabric system default partition.
> ssh Adam@qfabric.network.net
Warning: Permanently added 'qfabric.network.net' (RSA) to the list of known hosts.
Adam@qfabric.network.net's password:
Last login: Sun Nov 20 14:12:29 2011 from 192.168.28.19
Juniper QFabric Director 11.3.5510 2011-10-21 16:31:44 UTC
RUNNING ON DIRECTOR DEVICE : dg0
Adam@qfabric>
Adam@qfabric> ?
Possible completions:
  clear                Clear information in the system
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  op                   Invoke an operation script
  ping                 Ping remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute           Trace route to remote host
Issue the request component login ? command to view the components that Adam can access. Next, issue the request component login component-name command to log in to a Node device without being prompted for a username or password.
Adam@qfabric> request component login ?
Possible completions:
  <[Enter]>            Execute this command
  <node-name>          Inventory name for the remote node
  BBAK0372             Node device
  BBAK0394             Node device
  DRE-0                Diagnostic routing engine
  EE3093               Node device
  FC-0                 Fabric control
  FC-1                 Fabric control
  FM-0                 Fabric manager
  NW-NG-0              Node group
  WS001/RE0            Interconnect device control board
  WS001/RE1            Interconnect device control board
  |                    Pipe through a command
Adam@qfabric> request component login EE3093
Warning: Permanently added 'qfnode-ee3093,169.254.128.14' (RSA) to the list of known hosts.
--- JUNOS 11.3I built 2011-11-04 12:46:16 UTC
{master}
Finally, issue the ? command to view the CLI operational mode commands that Adam has permission to use on the Node device. Notice that the CLI prompt now indicates Adam's component access level (qfabric-admin) as the username and the Node device identifier (EE3093) as the host. The component therefore sees the shared class identity, not Adam's individual account: every qfabric-admin user appears on the Node device as qfabric-admin, so the record of which person opened a given component session exists only on the Director, where the request component login command was issued.
qfabric-admin@EE3093> ?
Possible completions:
  clear                Clear information in the system
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  monitor              Show real-time debugging information
  mtrace               Trace multicast path from source to receiver
  op                   Invoke an operation script
  ping                 Ping remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  ssh                  Start secure shell on another host
  start                Start shell
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute           Trace route to remote host
Meaning
The output shows that Adam has received the proper permissions to access the QFabric system CLI and log in to individual components with management-level access.
Verifying qfabric-operator Access
Purpose
Verify that Oscar can access the QFabric system CLI at the default partition and view the CLI on the QFabric system components.
Action
From a management station on your network, issue the ssh user@qfabric command and enter the password to open an SSH session for Oscar to the QFabric system. Issue the ? command to view the CLI operational mode commands that Oscar has permission to use on the QFabric system default partition. Notice that these permissions are the same as those given to Adam.
> ssh Oscar@qfabric.network.net
Warning: Permanently added 'qfabric.network.net' (RSA) to the list of known hosts.
Oscar@qfabric.network.net's password:
Last login: Sun Nov 19 19:21:29 2011 from 192.168.28.14
Juniper QFabric Director 11.3.5510 2011-10-22 18:33:41 UTC
RUNNING ON DIRECTOR DEVICE : dg1
Oscar@qfabric>
Oscar@qfabric> ?
Possible completions:
  clear                Clear information in the system
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  op                   Invoke an operation script
  ping                 Ping remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute           Trace route to remote host
Issue the request component login component-name command to log in to a Node device without being prompted for a username or password.
Oscar@qfabric> request component login EE3093
Warning: Permanently added 'qfnode-ee3093,169.254.128.14' (RSA) to the list of known hosts.
--- JUNOS 11.3I built 2011-11-04 12:46:16 UTC
{master}
Finally, issue the ? command to view the CLI operational mode commands that Oscar has permission to use on the Node device. Notice that the CLI prompt now indicates Oscar’s component access level (qfabric-operator) as the username and the Node device identifier (EE3093) as the host. Additionally, Oscar has fewer CLI commands available than Adam because of Oscar’s read-only qfabric-operator login class.
qfabric-operator@EE3093> ?
Possible completions:
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  op                   Invoke an operation script
  quit                 Exit the management session
  request              Make system-level requests
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  start                Start shell
  test                 Perform diagnostic debugging
Meaning
The output shows that Oscar has full permissions to access the QFabric system CLI, but only read-only access when he logs in to individual components. Oscar's permissions on the QFabric system are the same as Adam's, but Oscar has fewer permissions than Adam on the Node device: clear, monitor, restart, ssh and telnet are gone from his completion list. Note that start (Start shell) and request are still offered to the qfabric-operator class, so "read-only" here means no component-level clear or restart operations, not a shell-less account. If your policy for operators excludes shell access on components, confirm what start shell actually does for a qfabric-operator session before relying on this class.
Verifying qfabric-user Access
Purpose
Verify that Ulf has full access to the QFabric system CLI at the default partition but cannot access the QFabric system components.
Action
From a management station on your network, issue the ssh user@qfabric command and enter the password to open an SSH session for Ulf to the QFabric system. Issue the ? command to view the CLI operational mode commands that Ulf has permission to use on the QFabric system default partition. Notice that these permissions are the same as those given to Adam and Oscar.
> ssh Ulf@qfabric.network.net
Warning: Permanently added 'qfabric.network.net' (RSA) to the list of known hosts.
Ulf@qfabric.network.net's password:
Last login: Sun Nov 17 17:12:24 2011 from 192.168.28.22
Juniper QFabric Director 11.3.5510 2011-10-23 19:23:31 UTC
RUNNING ON DIRECTOR DEVICE : dg0
Ulf@qfabric>
Ulf@qfabric> ?
Possible completions:
  clear                Clear information in the system
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  op                   Invoke an operation script
  ping                 Ping remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute           Trace route to remote host
When Ulf issues the request component login component-name command, the QFabric system denies the attempt before any credentials are sent to the Node device.
Ulf@qfabric> request component login EE3093
error: User Ulf does not have sufficient permissions to login to device EE3093
Meaning
The output shows that Ulf has full permissions to access the QFabric system CLI in the same way as Adam and Oscar. However, unlike Adam and Oscar, Ulf cannot access individual components because of the qfabric-user login class assigned to him.