TACACS+ and RADIUS Authentication/Authorization Attributes

Both the TACACS+ and RADIUS authentication/authorization modules support attributes returned by the authorization server. In the case of TACACS+, the attributes are encoded as strings. In the case of RADIUS, Juniper Networks RADIUS vendor-specific attributes (VSAs) are used. These VSAs are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636. Table 1 describes the supported authentication/authorization attributes.

Table 1: Supported TACACS+ and RADIUS Authentication/Authorization Attributes

| TACACS+ Authorization Attribute | RADIUS VSA | Description | Length | String |
|---|---|---|---|---|
| local-user-name | Juniper-Local-User-Name (2636.1) | Indicates the name of the user template used by this user when logging in to a device. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters |
| allow-commands | Juniper-Allow-Commands (2636.2) | Contains an extended regular expression that enables the user to run operational mode commands in addition to the commands authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression |
| deny-commands | Juniper-Deny-Commands (2636.3) | Contains an extended regular expression that denies the user permission to run operational mode commands authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression |
| allow-configuration | Juniper-Allow-Configuration (2636.4) | Contains an extended regular expression that enables the user to run configuration mode commands in addition to the commands authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression |
| deny-configuration | Juniper-Deny-Configuration (2636.5) | Contains an extended regular expression that denies the user permission to run configuration commands authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression |

Modified: 2015-06-24