Media Flow Controller Configuration Tasks : Basic (System) Configurations : Authentication/Authorization and Users Options

Authentication/Authorization and Users Options
Several configurations or tasks can use an already configured authentication/authorization scheme (AAA, namespace pre-staging, users, file transfers, etc.). Authentication schemes can be complex to configure—this section does not attempt to guide you through the configuration steps for setting authentication or AAA options, but provides references to the CLI commands. Before configuring any authentication/authorization schemes, you must have this information: the hostname or IP address of the authenticating server, and a shared secret for authentication.
About MD5, SHA1, AES-128, and DES
The first two, md5 and sha1 are cryptographic hash algorithms.
md5—Message-Digest algorithm 5. Considered somewhat faster but less secure than sha1, but still supported for legacy systems. Generates a 128-bit (16 byte) hash.
sha1—Secure Hash algorithm 1. Considered more secure than md5 but still vulnerable to collision attacks. Generates a 160-bit (20 byte) hash.
The second two, AES-128 and DES are encryption standards used to encrypt and un-encyrpt data.
AES-128—Advanced Encryption Standard; 128 is a specific “block cipher.” AES is a newer standard than DES and considered much more secure. Generates a 128 bit encryption key. AES is an asymmetric encryption algorithm which means the sender uses the public key of the receiver to encrypt the message and the receiver uses it's private key to decrypt the message.
DES—Data Encryption Standard. This standard is older than AES-128 and considered less secure than AES-128 but still supported for legacy systems using it. Generates 56 bits encryption key. DES is a symmetric encryption algorithm which means that you use the same key to encrypt and decrypt the message.
About User Accounts
The system comes initially with three accounts already created:
admin—Full privileges to do anything on the system.
juniper_probe_ftpuser—The auto-created user for CMC probes.
cmcrendv—Default CMC user.
monitor—Privileges to read almost everything on the system, and perform some actions, but cannot modify configurations.
These accounts are both enabled, and by default have no password required for login (except cmcrendv, a new account/capability not fully supported in Release 2.0.2)
There are five states an account may be in:
“Account disabled” (not listed in /etc/passwd). The admin account cannot be disabled.
username foo disable
“Local password login disabled” (hashed password set to "*"). There is no locally-configured password to permit the user to log in. The user may still log in using an SSH authorized key if one is installed, or remote authentication (e.g. RADIUS or TACACS+). The admin account may not be in this state unless it has an SSH authorized key installed.
username foo disable password
“All password login disabled” (hashed password set to "!!"). No CLI command for this; the hashed password must be set to “!!”. Same as "Local password login disabled" (above) except that the user cannot be remotely authenticated (e.g. by a RADIUS or TACACS+ server). The user may still log in using an SSH authorized key if one is installed. The admin account may not be in this state unless it has an SSH authorized key installed.
“Local password set”. The user can log in by typing the password whose hashed version we have stored. This won't be necessary if an SSH authorized key is installed, or if a remote auth server comes earlier in the authentication order.
username foo password mypassword
“No password required for login” (hashed password set to ""). Anyone can log into this account without providing authentication. The admin and monitor accounts begin in this state (unless overridden by set defaults), but should be changed for better security.
username foo nopassword
Configuring User Accounts
Once your authentication settings are made, configure authentication and authorization parameters such as setting the default login authentication order and default authorization mapping for local and remote users. See aaa for CLI details.
Configure users. Media Flow Controller provides three capability sets for users: admin (full privileges), monitor (can view configurations but make no changes), and unpriv (very limited command access); see username for CLI details. In addition to the capabilities, you can set password options and disable a user account. Use show usernames to verify.
username <username> capability <capability>
no username <username>
username <username> disable password
username <username> nopassword
For a defined user, set a password. If no password is specified the user logs in with no password; if 0 is specified, enter a password in cleartext (the system encrypts it using the DES algorithm) and the user logs in with that password; if 7 is specified, you must enter the previously-created, DES encrypted password for that user at the command line. Important! Media Flow Controller default admin user does not have a default password; set an admin password to secure and restrict administration.
username password [ 0 <cleartext_password> | 7 <encrypted_password> | <cleartext_password>]
test-vos (config) # username bobo capability unpriv
test-vos (config) # username bobo password 12345
test-vos (config) # username bobo disable password
test-vos (config) # username bobo nopassword
To make these configurations using the Management Console, go to the System Config tab. Use the Users and Authentication pages; see System Config > AAA (authentication) and System Config > Users for details.

Report an Error
Media Flow Controller Administrator's Guide and CLI Command Reference
Copyright © 2010 Juniper Networks, Inc.