TACACS+ and RADIUS Authentication/Authorization Attributes


Both the TACACS+ and RADIUS authentication/authorization modules support attributes returned by the authorization server. In the case of TACACS+, the attributes are encoded as strings. In the case of RADIUS, Juniper Networks RADIUS vendor-specific attributes (VSAs) are used. These VSAs are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636. Table 1 describes the supported authentication/authorization attributes.

Table 1: Supported TACACS+ and RADIUS Authentication/Authorization Attributes

| TACACS+ Authorization Attribute | RADIUS VSA | Description | Length | String |
|---|---|---|---|---|
| local-user-name | Juniper-Local-User-Name (2636.1) | Indicates the name of the user template used by this user when logging in to a device. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters |
| allow-commands | Juniper-Allow-Commands (2636.2) | Contains an extended regular expression that enables the user to run operational mode commands in addition to the commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression |
| deny-commands | Juniper-Deny-Commands (2636.3) | Contains an extended regular expression that denies the user permission to run operational mode commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression |
| allow-configuration | Juniper-Allow-Configuration (2636.4) | Contains an extended regular expression that enables the user to run configuration mode commands in addition to the commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression |
| deny-configuration | Juniper-Deny-Configuration (2636.5) | Contains an extended regular expression that denies the user permission to run configuration mode commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression |