Technical Documentation

Configuring Local User Template Accounts for User Authentication

You use local user template accounts when you need different types of templates. Each template can define a different set of permissions appropriate for the group of users who use that template. These templates are defined locally on the router and referenced by the TACACS+ and RADIUS authentication servers.

When you configure local user templates and a user logs in, the JUNOS Software sends a request to the authentication server to authenticate the user's login name. If the user is authenticated, the JUNOS Software checks whether the server's reply specifies a local username for that login name (local-username for TACACS+, Juniper-Local-User for RADIUS). If it does, the JUNOS Software selects the local user template of that name configured on the router. If no local user template exists for the authenticated user, the router defaults to the remote template.

To configure different access privileges for users who share the local user template account, include the allow-commands and deny-commands commands in the authentication server configuration file.

To configure a local user template, include the user local-username statement at the [edit system login] hierarchy level and specify the privileges you want to grant to the local users to whom the template applies:

[edit system login]
user local-username {
    full-name "Local user account";
    uid uid-value;
    class class-name;
}

This example configures the sales and engineering local user templates:

[edit]
system {
    login {
        user sales {
            uid uid-value;
            class class-name;
        }
        user engineering {
            uid uid-value;
            class class-name;
        }
    }
}
The corresponding user entries in the TACACS+ server configuration file reference the templates through local-user-name and set per-user command restrictions:

user = simon {
    ...
    service = junos-exec {
        local-user-name = sales
        allow-commands = "configure"
        deny-commands = "shutdown"
    }
}
user = rob {
    ...
    service = junos-exec {
        local-user-name = sales
        allow-commands = "(request system) | (show rip neighbor)"
        deny-commands = "<^clear"
    }
}
user = harold {
    ...
    service = junos-exec {
        local-user-name = engineering
        allow-commands = "monitor | help | show | ping | traceroute"
        deny-commands = "configure"
    }
}
user = jim {
    ...
    service = junos-exec {
        local-user-name = engineering
        allow-commands = "show bgp neighbor"
        deny-commands = "telnet | ssh"
    }
}

When the login users Simon and Rob are authenticated, they use the sales local user template. When login users Harold and Jim are authenticated, they use the engineering local user template.
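The following Python model is an added example, not JUNOS code or part of the original documentation. It walks through the two decisions described above: which local user template the router selects from the authentication server's reply (falling back to the remote template when the returned local user name has no locally configured template, or when none is returned), and how a user's allow-commands and deny-commands patterns classify an operational-mode command. The template class names, the users alice, dave and mallory, and the matching rules (splitting a pattern on "|", anchoring each alternative at the start of the command, and checking deny-commands before allow-commands) are assumptions of this model and are not taken from the page; verify precedence against the JUNOS release you run.

```python
import re
from typing import Dict, List, Optional, Pattern

# Constructed sample: local user templates configured on the router under
# [edit system login], mirroring the page's sales and engineering templates.
# The class names are placeholders, not values from the page.
LOCAL_TEMPLATES: Dict[str, Dict[str, str]] = {
    "sales": {"class": "sales-class"},
    "engineering": {"class": "engineering-class"},
}

# Constructed sample: the per-user attributes an authentication server returns
# for service junos-exec. simon, harold and jim carry the page's values; alice,
# dave and mallory are added to exercise the fallback and failure paths.
SERVER_REPLIES: Dict[str, Optional[Dict[str, str]]] = {
    "simon": {"local-user-name": "sales",
              "allow-commands": "configure",
              "deny-commands": "shutdown"},
    "harold": {"local-user-name": "engineering",
               "allow-commands": "monitor | help | show | ping | traceroute",
               "deny-commands": "configure"},
    "jim": {"local-user-name": "engineering",
            "allow-commands": "show bgp neighbor",
            "deny-commands": "telnet | ssh"},
    "alice": {"local-user-name": "finance"},  # no such template on the router
    "dave": {},                               # server returned no local-user-name
    "mallory": None,                          # authentication failed
}


def select_template(login_name: str) -> Optional[str]:
    """Return the local user template the router applies, or None when the
    server rejects the login. A missing or unknown local user name falls
    back to the 'remote' template, as the page describes."""
    reply = SERVER_REPLIES.get(login_name)
    if reply is None:
        return None
    wanted = reply.get("local-user-name")
    if wanted in LOCAL_TEMPLATES:
        return wanted
    return "remote"


def _alternatives(pattern: str) -> List[Pattern[str]]:
    # Assumption of this model: split on top-level "|", drop the spaces the
    # page's patterns put around it, and compile each alternative as a regex
    # that is matched at the start of the command.
    return [re.compile(alt.strip()) for alt in pattern.split("|") if alt.strip()]


def command_decision(login_name: str, command: str) -> str:
    """Classify an operational-mode command for an authenticated user as
    'denied', 'allowed', or 'class' (left to the template's login class).
    Assumption of this model: deny-commands is evaluated before allow-commands,
    the conservative order from a least-privilege standpoint."""
    reply = SERVER_REPLIES.get(login_name) or {}
    for pat in _alternatives(reply.get("deny-commands", "")):
        if pat.match(command):
            return "denied"
    for pat in _alternatives(reply.get("allow-commands", "")):
        if pat.match(command):
            return "allowed"
    return "class"


if __name__ == "__main__":
    for user in SERVER_REPLIES:
        print(f"{user:8} -> template {select_template(user)}")
    for user, cmd in [("harold", "show bgp summary"), ("harold", "configure"),
                      ("jim", "ssh 192.0.2.1"), ("jim", "show interfaces")]:
        print(f"{user:8} {cmd!r:24} -> {command_decision(user, cmd)}")
```

Running the block prints the template chosen for each constructed user and the decision for a few commands; the interesting cases are alice and dave, who both land on the remote template, and jim's "show interfaces", which matches neither pattern and is therefore governed by the engineering template's class rather than by the server-supplied regexes.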

Published: 2010-04-26