TACACS+ and RADIUS Authentication/Authorization Attributes
Both the TACACS+ and RADIUS authentication/authorization modules support attributes returned by the authorization server. For TACACS+, the attributes are returned as attribute=value string pairs in the authorization reply. For RADIUS, Juniper Networks vendor-specific attributes (VSAs) are used: each VSA is carried inside a RADIUS Vendor-Specific attribute (attribute type 26) with the vendor ID set to the Juniper Networks enterprise number, 2636. Table 1 describes the supported authentication/authorization attributes. The Length column is the minimum length of the VSA sub-attribute including its 2-octet type/length header, so each attribute carries at least one octet of value.
Table 1: Supported TACACS+ and RADIUS Authentication/Authorization Attributes
TACACS+ Authorization Attribute | RADIUS VSA (vendor ID.vendor type) | Description | Length (octets) | Value format |
---|---|---|---|---|
local-user-name | Juniper-Local-User-Name (2636.1) | Indicates the name of the user template used by this user when logging in to a device. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters |
allow-commands | Juniper-Allow-Commands (2636.2) | Contains an extended regular expression that enables the user to run operational mode commands in addition to the commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression |
deny-commands | Juniper-Deny-Commands (2636.3) | Contains an extended regular expression that denies the user permission to run operational mode commands otherwise authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression |
allow-configuration | Juniper-Allow-Configuration (2636.4) | Contains an extended regular expression that enables the user to run configuration mode commands in addition to the commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression |
deny-configuration | Juniper-Deny-Configuration (2636.5) | Contains an extended regular expression that denies the user permission to run configuration commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression |
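The following is an added example, not Juniper's code or documentation: it encodes the RADIUS VSAs from Table 1 into the RFC 2865 Vendor-Specific attribute layout (type 26, length, 4-octet vendor ID 2636, then vendor type, vendor length and value) and decodes them back out of an Access-Accept attribute list. It also shows the practical limit a server administrator runs into with long allow/deny regular expressions: a RADIUS attribute is at most 255 octets, which leaves 247 octets of value per instance, so longer values have to be split across several instances. The constructed sample attribute list, the `noc-readonly` user name, the regular expressions, and the assumption that consecutive instances of one VSA are concatenated are all this example's own, not taken from the page.

```python
"""Encode and decode the Juniper RADIUS VSAs (vendor ID 2636) listed in Table 1.

Added example, not Juniper's code. Framing follows RFC 2865:
  attribute 26 (Vendor-Specific) = type(1) | length(1) | vendor-id(4) | vendor data
  Juniper vendor data            = vendor-type(1) | vendor-length(1) | value
The table's minimum length of 3 is the vendor sub-attribute with one value octet.
"""
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type for vendor-specific attributes
JUNIPER_VENDOR_ID = 2636    # Juniper Networks enterprise number

# Vendor type numbers exactly as given in Table 1
JUNIPER_VSA = {
    "Juniper-Local-User-Name": 1,
    "Juniper-Allow-Commands": 2,
    "Juniper-Deny-Commands": 3,
    "Juniper-Allow-Configuration": 4,
    "Juniper-Deny-Configuration": 5,
}
JUNIPER_VSA_BY_TYPE = {t: n for n, t in JUNIPER_VSA.items()}

# A RADIUS attribute is at most 255 octets including its own 2-octet header.
# Subtract the 4-octet vendor ID and the 2-octet vendor sub-header: 247 value octets.
MAX_VALUE_OCTETS = 255 - 2 - 4 - 2


def encode_juniper_vsa(name: str, value: str) -> bytes:
    """Return one or more Vendor-Specific attributes carrying the named Juniper VSA.

    Values longer than 247 octets are split across several attribute instances,
    since a single attribute cannot exceed 255 octets under RFC 2865.
    """
    vtype = JUNIPER_VSA[name]
    data = value.encode("ascii")
    if not data:
        raise ValueError(f"{name}: Table 1 requires at least one octet")
    if any(b < 0x20 or b > 0x7E for b in data):
        raise ValueError(f"{name}: value must be printable ASCII")
    out = bytearray()
    for i in range(0, len(data), MAX_VALUE_OCTETS):
        chunk = data[i:i + MAX_VALUE_OCTETS]
        vendor_data = struct.pack("!BB", vtype, len(chunk) + 2) + chunk
        body = struct.pack("!I", JUNIPER_VENDOR_ID) + vendor_data
        out += struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body
    return bytes(out)


def decode_attributes(blob: bytes) -> list:
    """Walk a RADIUS attribute list and return (name, value) pairs in wire order.

    Juniper VSAs come back under their Table 1 name with a str value; any other
    attribute is returned as ('attr-<type>' or 'vsa-<vendor>', raw bytes) so that
    nothing is silently dropped. Malformed lengths raise instead of being skipped.
    """
    found, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"attribute {atype}: bad length {alen}")
        payload = blob[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(payload) < 4:
            found.append((f"attr-{atype}", payload))
            continue
        vendor_id = struct.unpack("!I", payload[:4])[0]
        if vendor_id != JUNIPER_VENDOR_ID:
            found.append((f"vsa-{vendor_id}", payload[4:]))
            continue
        vpos = 4
        while vpos < len(payload):
            if len(payload) - vpos < 2:
                raise ValueError("truncated Juniper vendor sub-header")
            vtype, vlen = payload[vpos], payload[vpos + 1]
            if vlen < 3 or vpos + vlen > len(payload):      # Table 1: length >= 3
                raise ValueError(f"Juniper VSA {vtype}: bad length {vlen}")
            value = payload[vpos + 2:vpos + vlen].decode("ascii")
            found.append((JUNIPER_VSA_BY_TYPE.get(vtype, f"Juniper-{vtype}"), value))
            vpos += vlen
    return found


def juniper_authorization(blob: bytes) -> dict:
    """Collapse the decoded list into {Table 1 name: value}.

    Assumption made by this example (not stated on the page): consecutive
    instances of the same Juniper VSA, produced by the splitting above, are
    concatenated back into one value.
    """
    merged = {}
    for name, value in decode_attributes(blob):
        if name in JUNIPER_VSA:
            merged[name] = merged.get(name, "") + value
    return merged


# Constructed Access-Accept attribute list (sample data, not a capture): a plain
# Reply-Message (type 18) followed by VSAs for a hypothetical read-only NOC user.
# The allow regex is deliberately longer than 247 octets to exercise splitting.
LONG_ALLOW = "(" + "|".join(f"show interfaces ge-0/0/{i}" for i in range(12)) + ")"
SAMPLE_ACCESS_ACCEPT_ATTRS = (
    struct.pack("!BB", 18, 2 + len(b"welcome")) + b"welcome"
    + encode_juniper_vsa("Juniper-Local-User-Name", "noc-readonly")
    + encode_juniper_vsa("Juniper-Allow-Commands", LONG_ALLOW)
    + encode_juniper_vsa("Juniper-Deny-Configuration", ".*")
)

if __name__ == "__main__":
    for name, value in juniper_authorization(SAMPLE_ACCESS_ACCEPT_ATTRS).items():
        print(f"{name} = {value!r}")
```

Running the block prints the three merged VSAs; `decode_attributes` alone shows that `Juniper-Allow-Commands` arrived as two wire instances (247 and 56 octets). The decoder rejects any vendor sub-attribute shorter than the table's minimum of 3 rather than treating it as an empty regular expression, which is the safer failure for an authorization attribute.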