Symbols
A
- access privilege levels
- accounting
- applications
- description
- TACACS+, configuring
- admin permission
- admin-control permission
- all permission
- announcements at system login
- APIs (application programming interfaces)
- CORBA plug-in SPI
- CORBA remote API
- description
- SAE core API 1, 2
- application programming interfaces. See APIs
- architecture
- authentication 1, See also user accounts
- configuration example
- multiple methods
- RADIUS
- shared user accounts 1, 2
- TACACS+
- TACACS+, configuring
- TACACS+, configuring with C-Web interface
- TACACS+, configuring with SRC CLI
- template accounts
- authentication order
- configuring with C-Web interface
- configuring with SRC CLI 1, 2
- overview 1, 2
- removing authentication method
- removing authentication method with SRC CLI
B
C
- C Series Controller
- C Series Controllers
- C-Web interface
- committing a configuration
- configuration options
- configuring
- HTTP access 1, 2
- HTTPS access 1, 2
- logging properties
- copying an object
- deleting an object
- editing level
- elements
- getting Help
- icons
- layout
- loading configuration values
- logging out
- moving an object
- navigating
- overview 1, 2
- password, changing
- Policies, Services, and Subscribers
- renaming an object
- reverting a configuration
- starting
- updating configuration data
- username, changing
- C2000 Controller
- C3000 Controller
- C4000 Controller
- C5000 Controller
- clear permission
- cli
- client mode, NTP
- commands
- configuration statements
- configure permission
- control permission
- conventions
- customer support 1
- cweb-password
D
- date on system
- deployment scenarios
- DES (directory eventing system)
- differentiated QoS
- digital certificates. See security
- directory
- directory connection properties
- directory eventing system
- directory server
- documentation
- draft RFCs
- dynamic webpages
E
F
G
- Gigabit Ethernet interfaces, configuring IPv4
- Gigabit Ethernet interfaces, configuring IPv6
- GRE tunnel interfaces
- group interfaces, configuring 1
H
I
J
- Java Naming and Directory Interface. See JNDI
- java-heap-size, configuring
- JNDI (Java Naming and Directory Interface)
- Juniper Networks database
- adding Juniper Networks database to community
- changing modes
- community mode
- community mode configuration
- configuration example
- configuration statements
- configuring
- data recovery
- high availability
- loading sample data
- neighbors 1, 2
- overview 1, 2
- redundancy
- roles
- changing secondary to primary, SRC CLI
- overview 1, 2
- standalone mode
- verifying configuration
- Juniper-Allow-Commands attribute (RADIUS)
- Juniper-Allow-Configuration attribute (RADIUS)
- Juniper-Deny-Commands attribute (RADIUS)
- Juniper-Deny-Configuration attribute (RADIUS)
- Juniper-Local-User-Name attribute (RADIUS)
L
- LDAP (Lightweight Directory Access Protocol). See directory; directory server
- LDAP directory. See directory
- leases for licenses. See license server
- license
- license manager
- configuration statements
- configuring
- license server
- license usage
- Lightweight Directory Access Protocol. See LDAP
- load balancing
- local password authentication
- local properties
- logging, See also system log server
- login announcements, system
- login classes
- configuration
- configuration examples
- configuration prerequisites
- configuration statements
- configuration verification
- default classes
- idle timeout values
- options
- overview
- predefined
- privilege level options
- privilege levels
M
- maintenance permission
- manuals
- messages
- MII monitor
- configuring
- Monitoring Agent
- multicast
N
- NAS ID, configuring for SAE
- network
- network information collector. See NIC
- NIC (network information collector)
- notice icons
- NTP (Network Time Protocol)
- NTP,
O
- on-demand services 1, 2
- open interfaces
- operator login class
- operators, regular expression
- OSS integration
P
- passwords
- permissions
- policies
- Policies, Services, and Subscribers CLI. See SRC CLI
- Policies, Services, and Subscribers tasks. See C-Web interface
- policy management
- ports
- predefined login classes
- primary directory
- privilege levels 1
- product features 1, 2
R
- RADIUS
- RADIUS authentication. See authentication
- RADIUS authorization. See authentication
- read-only login class
- redundancy
- references
- regular expressions
- request license import file-name command
- reset permission
- residential portal
- resolving hostnames
- retrieving directory changes
- RFCs 1, 2, 3
- root account 1
- router running Junos OS
- router running JunosE Software
- routing permission
- routing-control permission
S
- SAE (service activation engine)
- configuring groups
- deleting default configurations
- SRC CLI 1, 2
- description 1, 2
- initial properties, overview
- starting
- stopping
- verifying status
- SAE (service activation engine), configuring initial properties
- SAE (service activation engine), configuring NAS ID
- SAE (service activation engine), configuring RADIUS address
- sample data
- secondary directory
- secret permission
- secret-control permission
- security
- digital certificates 1
- clearing certificates 1, 2
- clearing requests
- prerequisites
- requesting certificates 1, 2
- requesting certificates through SCEP
- viewing certificates
- security permission
- security-control permission
- server license. See license
- service activation engine. See SAE
- service permission
- service-control permission
- services
- shared user accounts
- shell permission
- SNMP agent
- access control, configuring on C Series Controllers
- community strings 1, 2
- named views
- SNMP groups
- VACM
- configuration statements 1, 2
- configuring
- description
- directory connection parameters, configuring
- Java Runtime Environment, configuring
- local properties, configuring
- logging, configuring
- monitoring
- named views, defining
- notification targets, configuring
- starting
- stopping
- system information, configuring
- trap history, configuring
- SNMP Agent
- snmp control permission
- snmp permission
- SNMP traps
- notification targets, configuring
- snmp-named-views-cli
- snmp-security-names-cli
- snmp-statements
- software standards
- SRC ACP (SRC Admission Control Plug-In)
- SRC CLI 1
- directory connections
- overview
- Policies, Services, and Subscribers CLI
- starting
- SRC components
- SRC software
- configuration prerequisites
- configuring
- creating, virtualized instance 1
- description
- features and benefits 1, 2
- financial advantages
- OSS integration
- recovering
- services
- snapshot on C Series Controller
- upgrading
- USB Storage Device
- virtualization
- virtualization, requirement
- SSH (secure shell)
- standards 1
- static host mapping
- static routes, configuring
- Steel-Belted Radius/SPE server 1, 2
- subscriber
- subscriber permission
- subscriber-control permission
- superuser login class
- support, technical See technical support
- symmetric active mode, NTP
- system authentication. See authentication
- system log server
- configuration prerequisites
- configuration statements
- message groups
- message severity levels
- messages
- messages, file
- messages, server
- messages, user notification
- overview
- system login
- system permission
- system-control permission
T
- TACACS+ authentication. See authentication
- tariff models
- technical support
- Telnet connection to remote host
- template authentication accounts
- text conventions defined
- third-party URLs
- tunnel interfaces
- tunnel interfaces, configuring
U
- UIDs
- unauthorized login class
- unresponsive directories
- usage data
- user accounts 1, See also login classes
- authentication
- configuring passwords
- configuring SSH authentication
- root password 1, 2
- authentication method and password
- configuration
- configuration verification 1, 2
- example
- overview 1, 2, 3
- shared
- user notification messages
V
W
- Web application server
- application deployment 1, 2
- channel stack
- configuration statements
- configuring the Web application server
- installing Web applications inside
- local properties
- multicast-address
- node-id
- overview
- removing Web applications from
- restarting
- shared cluster name
- shared cluster nodes
- shared cluster properties
- starting
- stopping
- viewing cluster history
- viewing cluster status
- viewing statistics
- Web Services Gateway
Download This Guide
Access to Individual Commands and Configuration Statements (SRC CLI)
By default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, you can deny or allow the use of specified operational and configuration mode commands that would otherwise be permitted or not allowed by a specified privilege level.
Regular Expressions for Allow and Deny Statements
You can use extended regular expressions to specify which commands to allow or deny. By using extended regular expressions, you can list a number of commands in each statement.
You specify these regular expressions in the following statements at the [edit system login class] hierarchy level:
- allow-commands
- deny-commands
- allow-configuration
- deny-configuration
Command regular expressions implement the extended (modern) regular expressions as defined in POSIX 1003.2. Table 19 lists common regular expression operators.
Table 19: Common Regular Expression Operators to Allow or Deny Operational Mode and Configuration Mode Commands
Operator | Match |
|---|---|
| Operation Mode and Configuration Mode | |
| | One of the two terms on either side of the pipe. |
^ | Character at the beginning of an expression. Used to denote where the command begins, where there might be some ambiguity. |
$ | Character at the end of a command. Used to denote a command that must be matched exactly up to that point. For example, allow-commands "show interfaces$" means that the user can issue the show interfaces command but cannot issue show interfaces detail or show interfaces extensive. |
[ ] | Range of letters or digits. To separate the start and end of a range, use a hyphen ( - ). |
( ) | A group of commands, indicating an expression to be evaluated; the result is then evaluated as part of the overall expression. |
| Configuration Mode Only | |
* | 0 or more terms. |
+ | One or more terms. |
. (dot) | Any character except for a space. |
Guidelines for Using Regular Expressions
Keep in mind the following considerations when using regular expressions to specify which statements or commands to allow or deny:
- Regular expressions are not case-sensitive.
- If a regular expression contains a syntax error, authentication fails and the user cannot log in.
- If a regular expression does not contain any operators, all varieties of the command are allowed.
Follow these guidelines when using regular expressions:
- Enclose the following in quotation marks:
- A command name or regular expression that contains:
- Spaces
- Operators
- Wildcard characters
- An extended regular expression that connects two or more
terms with the pipe (|) symbol. For example: [edit system login class class-name ]user@host# set deny-configuration "(system login class) | (system services)"
- A command name or regular expression that contains:
- Do not use spaces between regular expressions separated with parentheses and connected with the pipe (|) symbol.
- Specify the full paths in the extended regular expressions
with the allow-configuration and deny-configuration options.
Note: You cannot define access to keywords such as set or edit.
Timeout Value for Idle Login Sessions
An idle login session is one in which the CLI operational mode prompt is displayed but there is no input from the keyboard. By default, a login session remains established until a user logs out of the system, even if that session is idle. To close idle sessions automatically, you configure a time limit for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes.
For users who belong to a login class for which an idle timeout is configured, the CLI displays messages similar to the following when an idle user session times out.
If you configure a timeout value, the session closes after the specified time has elapsed, except if the user is running commands such as ssh, start shell, or telnet.
The C-Web interface session closes after the specified time has elapsed with no message, and returns to the login window.
Related Documentation
- Login Classes for SRC User Accounts
- Login Class Permission Options for the SRC Software
- Predefined Login Classes for the SRC Software
- Configuring a Login Class (SRC CLI)
