[an error occurred while processing this directive][an error occurred while processing this directive]

Juniper Networks Vendor-Specific RADIUS Attributes

The JUNOS Software supports the configuration of Juniper Networks RADIUS vendor-specific attributes (VSAs). These VSAs are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636. Table 1 lists the Juniper Networks VSAs you can configure.

Table 1: Juniper Networks Vendor-Specific RADIUS Attributes

Name

Description

Type

Length

String

Juniper-Local-User-Name

Indicates the name of the user template used by this user when logging in to a device. This attribute is used only in Access-Accept packets.

1

≥3

One or more octets containing printable ASCII characters.

Juniper-Allow-Commands

Contains an extended regular expression that enables the user to run operational mode commands in addition to the commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets.

2

≥3

One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying JUNOS Software Operational Mode Commands.

Juniper-Deny-Commands

Contains an extended regular expression that denies the user permission to run operation mode commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets.

3

≥3

One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying JUNOS Software Operational Mode Commands.

Juniper-Allow-Configuration

Contains an extended regular expression that enables the user to run configuration mode commands in addition to the commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets.

4

≥3

One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying JUNOS Software Configuration Mode Commands.

Juniper-Deny-Configuration

Contains an extended regular expression that denies the user permission to run configuration commands authorized by the user’s login class permission bits. This attribute is used only in Access-Accept packets.

5

≥3

One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying JUNOS Software Configuration Mode Commands.

Juniper-Interactive-Command

Indicates the interactive command entered by the user. This attribute is used only in Accounting-Request packets.

8

≥3

One or more octets containing printable ASCII characters.

Juniper-Configuration-Change

Indicates the interactive command that results in a configuration (database) change. This attribute is used only in Accounting-Request packets.

9

≥3

One or more octets containing printable ASCII characters.

Juniper-User-Permissions

Contains information the server uses to specify user permissions. This attribute is used only in Access-Accept packets.

Note: When the Juniper-User-Permissions attribute is configured to grant the JUNOS maintenance or all permissions on a RADIUS server, the UNIX wheel group membership is not automatically added to a user’s list of group memberships . Some operations such as running the su root command from a local shell require wheel group membership permissions. However, when a user is configured locally with permissions maintenance or all, the user is automatically granted membership to the UNIX wheel group. Therefore, we recommend that you create a template user account with the required permissions and associate individual user accounts with the template user account.

10

≥3

One or more octets containing printable ASCII characters.

The string is a list of permission flags separated by a space. The exact name of each flag must be specified in its entirety. See JUNOS Software Access Privilege Levels Overview.

For more information about the VSAs, see RFC 2138, Remote Authentication Dial In User Service (RADIUS).


Published: 2010-04-26

[an error occurred while processing this directive]